mystic | 69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2

General

Target

69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe
Size

881KB
MD5

ccdbef9ceb6aa4f45646f12a5d66f221
SHA1

75f6db77f19728cbdc843ce334c52a63539edc89
SHA256

69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2
SHA512

664b431b7494cdcc532159d912b49b4eda3dfc70e5c4f411cef56972ef5a0541b92af706203335e13620e77460f9dd6261c860d912f821006a2ca1ed9f24d6cf
SSDEEP

24576:8yKZcm9TDC1ngg6wA9phx46J645y9UhCQ:rKz9qRggkDUdY

Score

10^/10

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/168-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/168-19-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/168-20-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/168-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 3 IoCs

pid	Process
4204	ch4Mx52.exe
4488	11kK4325.exe
3596	12pj050.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ch4Mx52.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 168	4488	11kK4325.exe	75

Program crash 1 IoCs

pid	pid_target	Process	procid_target
548	168	WerFault.exe	75

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4204	3068	69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe	71
PID 3068 wrote to memory of 4204	3068	69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe	71
PID 3068 wrote to memory of 4204	3068	69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe	71
PID 4204 wrote to memory of 4488	4204	ch4Mx52.exe	72
PID 4204 wrote to memory of 4488	4204	ch4Mx52.exe	72
PID 4204 wrote to memory of 4488	4204	ch4Mx52.exe	72
PID 4488 wrote to memory of 340	4488	11kK4325.exe	74
PID 4488 wrote to memory of 340	4488	11kK4325.exe	74
PID 4488 wrote to memory of 340	4488	11kK4325.exe	74
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4488 wrote to memory of 168	4488	11kK4325.exe	75
PID 4204 wrote to memory of 3596	4204	ch4Mx52.exe	76
PID 4204 wrote to memory of 3596	4204	ch4Mx52.exe	76
PID 4204 wrote to memory of 3596	4204	ch4Mx52.exe	76

C:\Users\Admin\AppData\Local\Temp\69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe
"C:\Users\Admin\AppData\Local\Temp\69efe3b6a8ad6254d5fd656d61ee25bbbc98b60d13a57cdc4cc8d7925e07b8a2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ch4Mx52.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ch4Mx52.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11kK4325.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11kK4325.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 168 -s 568
        5⤵
        Program crash
        
        PID:548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12pj050.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12pj050.exe
    3⤵
    - Executes dropped EXE
    PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ch4Mx52.exe

Filesize
420KB

MD5
5881043ec40d99dabd0332a1dcf12f1c

SHA1
6a65ee3f6d839b1671dc1cb746d420110d7ce315

SHA256
88b33c4785042275d127531e387083c671c6c348f8b59ebbb9ec48e240fbf1f6

SHA512
409e27a94140431257482fad93c37a6e6f5edb5363c8033678aa61a47f524c81fb4ad917dbef14510058400fbcc23e1c48963d8ec009b7601b613a37f252338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ch4Mx52.exe

Filesize
420KB

MD5
5881043ec40d99dabd0332a1dcf12f1c

SHA1
6a65ee3f6d839b1671dc1cb746d420110d7ce315

SHA256
88b33c4785042275d127531e387083c671c6c348f8b59ebbb9ec48e240fbf1f6

SHA512
409e27a94140431257482fad93c37a6e6f5edb5363c8033678aa61a47f524c81fb4ad917dbef14510058400fbcc23e1c48963d8ec009b7601b613a37f252338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11kK4325.exe

Filesize
369KB

MD5
924fa0c13c5f44d24e431a8668859e91

SHA1
3318aaefe7657fed40b6d88721cd6fbe7ea6975c

SHA256
5706f43e94cb75c8923f6b16dd9eac83cacb9dda59f870961f8486d09a819a1a

SHA512
35614151818324f908dca518a99fcab7e447aa0f7e97cd79340d3b8cbbeb481c4edcbe807df236d49fcdd17833a0046afb507793d7fae0939bf8e196d2610bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11kK4325.exe

Filesize
369KB

MD5
924fa0c13c5f44d24e431a8668859e91

SHA1
3318aaefe7657fed40b6d88721cd6fbe7ea6975c

SHA256
5706f43e94cb75c8923f6b16dd9eac83cacb9dda59f870961f8486d09a819a1a

SHA512
35614151818324f908dca518a99fcab7e447aa0f7e97cd79340d3b8cbbeb481c4edcbe807df236d49fcdd17833a0046afb507793d7fae0939bf8e196d2610bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12pj050.exe

Filesize
408KB

MD5
6dc61d6cb624874513de03a75992223b

SHA1
95b604c815187fbbf16d80b9737391d7d68c891f

SHA256
7007dc6edb598a758bad211a3fc62054e79ad0f2286f5432856f8f7ce114d586

SHA512
7b95ffc49c705fe65bd6b7139389083ffd7567db3877fab93554a48be405a8b3f02fa142a6f1c6ac15c26d0f87480915d69922049f3fb415060e340ffe7fa79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12pj050.exe

Filesize
408KB

MD5
6dc61d6cb624874513de03a75992223b

SHA1
95b604c815187fbbf16d80b9737391d7d68c891f

SHA256
7007dc6edb598a758bad211a3fc62054e79ad0f2286f5432856f8f7ce114d586

SHA512
7b95ffc49c705fe65bd6b7139389083ffd7567db3877fab93554a48be405a8b3f02fa142a6f1c6ac15c26d0f87480915d69922049f3fb415060e340ffe7fa79b

Download Submit
memory/168-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/168-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/168-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/168-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads