mystic | de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39

Analysis

max time kernel
149s
max time network
131s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
13-11-2023 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe
Size

1.2MB
MD5

40fd33049bda52f89908650de8958d4f
SHA1

49e4ae354f0cd4e04dadb26450f98c562ea05a5b
SHA256

de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39
SHA512

ea77fb8e265e787cf0d4768bcbf4cf7bccea32e683840f0729bbd541ecf1251f428a9a63a910462a7f85966376480057bbf69323383c977b7544f7c49ddeb0be
SSDEEP

24576:cyA+cL6pjmzqsH2PBn93LZRWbeUmglGo7t7RJCa4HOEgjDQn8ZRW5ntMa:LLm+Q8Bn93LqbN7Yo7tdM2DBDui

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1800-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1800-33-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1800-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 4 IoCs

pid	Process
4376	bU1kL14.exe
4280	ga4tJ13.exe
1948	cw3Wc31.exe
2740	2Id0045.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bU1kL14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ga4tJ13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	cw3Wc31.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 1800	2740	2Id0045.exe	76

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4400	1800	WerFault.exe	76

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4376	3888	de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe	71
PID 3888 wrote to memory of 4376	3888	de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe	71
PID 3888 wrote to memory of 4376	3888	de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe	71
PID 4376 wrote to memory of 4280	4376	bU1kL14.exe	72
PID 4376 wrote to memory of 4280	4376	bU1kL14.exe	72
PID 4376 wrote to memory of 4280	4376	bU1kL14.exe	72
PID 4280 wrote to memory of 1948	4280	ga4tJ13.exe	73
PID 4280 wrote to memory of 1948	4280	ga4tJ13.exe	73
PID 4280 wrote to memory of 1948	4280	ga4tJ13.exe	73
PID 1948 wrote to memory of 2740	1948	cw3Wc31.exe	74
PID 1948 wrote to memory of 2740	1948	cw3Wc31.exe	74
PID 1948 wrote to memory of 2740	1948	cw3Wc31.exe	74
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 2740 wrote to memory of 1800	2740	2Id0045.exe	76
PID 1948 wrote to memory of 1816	1948	cw3Wc31.exe	77
PID 1948 wrote to memory of 1816	1948	cw3Wc31.exe	77
PID 1948 wrote to memory of 1816	1948	cw3Wc31.exe	77

C:\Users\Admin\AppData\Local\Temp\de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe
"C:\Users\Admin\AppData\Local\Temp\de0645a844faf35efae106a5eded7e6ac55077e6e2b8627f493014b106439c39.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bU1kL14.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bU1kL14.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga4tJ13.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga4tJ13.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cw3Wc31.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cw3Wc31.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Id0045.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Id0045.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 584
        7⤵
        Program crash
        
        PID:4400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hb82Rp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hb82Rp.exe
        5⤵
        
        PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bU1kL14.exe

Filesize
1018KB

MD5
24cdf112032922ad711774afe88bc034

SHA1
42725a982384ee8543ea16f35146e1374347624f

SHA256
38b94d785d788444f1b763ee222fde66cccbee991520cd7b249a33b2cb1a0081

SHA512
145e2cae70c33da17c95889017167b210fe34ab31a072ef8fb817b0081391009b2876ca6fadd0818c7603a6f14565d55b0be2fd9720963fe3095e43a003d69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bU1kL14.exe

Filesize
1018KB

MD5
24cdf112032922ad711774afe88bc034

SHA1
42725a982384ee8543ea16f35146e1374347624f

SHA256
38b94d785d788444f1b763ee222fde66cccbee991520cd7b249a33b2cb1a0081

SHA512
145e2cae70c33da17c95889017167b210fe34ab31a072ef8fb817b0081391009b2876ca6fadd0818c7603a6f14565d55b0be2fd9720963fe3095e43a003d69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga4tJ13.exe

Filesize
892KB

MD5
9d7250fd4fe8a66bbc83b33062543e60

SHA1
5f79dceba434d37128b04b5fa91061b55d4ddedb

SHA256
43a428dba78fc05ffbd723bc0bceb084d0323d7d4f0cc3e4485cf9396c8eb156

SHA512
8e09c271021012aa7a67cbb1d3dcb545b23dc6d887e2fcc7a9a64daf1ab07f46901a5bfca7ed612b88b3bfc4771d7dfbf6e419bc03da229de04cc139d9486fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga4tJ13.exe

Filesize
892KB

MD5
9d7250fd4fe8a66bbc83b33062543e60

SHA1
5f79dceba434d37128b04b5fa91061b55d4ddedb

SHA256
43a428dba78fc05ffbd723bc0bceb084d0323d7d4f0cc3e4485cf9396c8eb156

SHA512
8e09c271021012aa7a67cbb1d3dcb545b23dc6d887e2fcc7a9a64daf1ab07f46901a5bfca7ed612b88b3bfc4771d7dfbf6e419bc03da229de04cc139d9486fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cw3Wc31.exe

Filesize
429KB

MD5
cb8a2e8c05d4fdec863af485013214f7

SHA1
758284af8682257652514b2bbf73d2fae9dfc8b7

SHA256
64eca4832cce6b4b576470411817c82553f895fa28e664b9648e00849a5058f2

SHA512
0d113b5f334ccba8308850e7f46dc73fc431540bb50facf53afcfd188dfcf0c73bdbb1d10b2bf597dad8fd6aa6f613e1ae9ceeff357f8b1ddd9f85649b0637ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cw3Wc31.exe

Filesize
429KB

MD5
cb8a2e8c05d4fdec863af485013214f7

SHA1
758284af8682257652514b2bbf73d2fae9dfc8b7

SHA256
64eca4832cce6b4b576470411817c82553f895fa28e664b9648e00849a5058f2

SHA512
0d113b5f334ccba8308850e7f46dc73fc431540bb50facf53afcfd188dfcf0c73bdbb1d10b2bf597dad8fd6aa6f613e1ae9ceeff357f8b1ddd9f85649b0637ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Id0045.exe

Filesize
376KB

MD5
f44be6936e4ef08f72d38a39bab90c0f

SHA1
512834caf00588f7fc72f95091c9b2616c075606

SHA256
e60064c033258dc907a7e3b3e01c38a209db9f9b59e37959a31eb638bbf9f06a

SHA512
980c44da09df81a9e8f924e881dfe3d45d5c2d8c179f97c1506049c1568f8dde6a04b507d31742ea3cfbab7a98b54669f8497a6e029ee0d40c7f739a6d15b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Id0045.exe

Filesize
376KB

MD5
f44be6936e4ef08f72d38a39bab90c0f

SHA1
512834caf00588f7fc72f95091c9b2616c075606

SHA256
e60064c033258dc907a7e3b3e01c38a209db9f9b59e37959a31eb638bbf9f06a

SHA512
980c44da09df81a9e8f924e881dfe3d45d5c2d8c179f97c1506049c1568f8dde6a04b507d31742ea3cfbab7a98b54669f8497a6e029ee0d40c7f739a6d15b6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hb82Rp.exe

Filesize
149KB

MD5
ce8e97fd8b6ded48a1a79f77774c2479

SHA1
28326919c3d03acce2dece8d44028ba8548d000f

SHA256
a6ee22b066cc79f46401dd668adb13a25fb18ffb75c6721d4aa629083036a3d7

SHA512
1e258b25ee6ee99249283da0b59a6a5f00ef30ce2fd009c18f0d1244d6eb4efd18e6b232bbf13360e0b2c7e367ff8efe9967864927c81333267b972088614e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3hb82Rp.exe

Filesize
405KB

MD5
bdeecb0a18ac84ce44c23ee3dd489c3f

SHA1
25d437ca01b9e1227ce6ff005273143ecb4fc867

SHA256
da603a45ac9e5359531ac25feef59a8a020e02aa05c8f057b8d8d055a410d78c

SHA512
22545bf3e7da9b890b18099ebb00af4fff890fed825051691db78af1da3ceffabe615dcc682849ceb9d8dc6630413ddfab0f65b84b6c27e043a0e8d17de71f3d

Download Submit
memory/1800-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads