mystic | 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46

General

Target

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
Size

330KB
MD5

73337493b31c5c10d102c7d42153c864
SHA1

903d8ba2dab13ea55e0b6f13f607caff4df56aaa
SHA256

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46
SHA512

7848c05fe05430d48556acc5c75ee5b2b33df29356e5f20e204fd69ae3b2fde3abb515220cb515b962ae533dea5de2f093af84d8c66f5daff6e865be58eba23e
SSDEEP

6144:KLy+bnr+fp0yN90QEE0ST8+kRAUXHx39ONZAQnJv8KW/4CMz5D+:9Mrny90pSTxymuQB8PAL+

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

5Qt9WY4.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation 5Qt9WY4.exe
Executes dropped EXE 2 IoCs

Processes:

4ty923ky.exe5Qt9WY4.exe

pid process

3024 4ty923ky.exe
2920 5Qt9WY4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	5Qt9WY4.exe

pid	process
3024	4ty923ky.exe
2920	5Qt9WY4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4ty923ky.exe

description pid process target process

PID 3024 set thread context of 3248 3024 4ty923ky.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4344 3248 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 3024 set thread context of 3248	3024	4ty923ky.exe	AppLaunch.exe

pid	pid_target	process	target process
4344	3248	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe4ty923ky.exe5Qt9WY4.exe

description	pid	process	target process
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	4ty923ky.exe
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	4ty923ky.exe
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	4ty923ky.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	AppLaunch.exe
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	5Qt9WY4.exe
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	5Qt9WY4.exe
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	5Qt9WY4.exe
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	cmd.exe
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	cmd.exe
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
"C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 540
4⤵
- Program crash
PID:4344

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
3⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3248 -ip 3248
1⤵
PID:2948

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat
Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads