mystic | 40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46

Resubmissions

05-04-2024 07:57

240405-js9mjaeh5y 10

10-11-2023 04:48

231110-fe873ada44 10

Analysis

max time kernel
51s
max time network
62s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
Size

330KB
MD5

73337493b31c5c10d102c7d42153c864
SHA1

903d8ba2dab13ea55e0b6f13f607caff4df56aaa
SHA256

40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46
SHA512

7848c05fe05430d48556acc5c75ee5b2b33df29356e5f20e204fd69ae3b2fde3abb515220cb515b962ae533dea5de2f093af84d8c66f5daff6e865be58eba23e
SSDEEP

6144:KLy+bnr+fp0yN90QEE0ST8+kRAUXHx39ONZAQnJv8KW/4CMz5D+:9Mrny90pSTxymuQB8PAL+

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	5Qt9WY4.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	4ty923ky.exe
2920	5Qt9WY4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3024 set thread context of 3248	3024	4ty923ky.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4344	3248	WerFault.exe	89

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	87
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	87
PID 3280 wrote to memory of 3024	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	87
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3024 wrote to memory of 3248	3024	4ty923ky.exe	89
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	93
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	93
PID 3280 wrote to memory of 2920	3280	40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe	93
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	99
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	99
PID 2920 wrote to memory of 3700	2920	5Qt9WY4.exe	99

C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe
"C:\Users\Admin\AppData\Local\Temp\40c83fd2fe671b3d0c79e15c6aea427042d50fe7ca29435a38feb0685e8d1b46.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 540
      4⤵
      Program crash
      PID:4344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3248 -ip 3248
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ty923ky.exe

Filesize
300KB

MD5
029cf82638b1154788b6282d98145bd2

SHA1
eeb8c589b10cdd5a74c59003b39b241e4e1a76a6

SHA256
58a01049db4cd0c261a020d67cfbf650879435720ab9815f40372046316a4709

SHA512
c768c11e940501e92785ad1989bc7905be585a3b3363ce4aa9ec7e20c1dce069185c68f2294a4b2c6e389bf9360ce68a2046b877d38aa3aa80853a15cd0a5435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Qt9WY4.exe

Filesize
73KB

MD5
b3ec308b68f91a6a792a9b150cf7447e

SHA1
c29903c1ccf07cb06147bee1990df0bf9c214561

SHA256
50221e85d5d46abd1682c85cdf175f0140521a3c3c90606136965c045a48490b

SHA512
8f25ec293fda40ac2e57033c73918ebbd6d45d991dc30fa442f611934b36fc78c00b877240aba0c131d4a058e8ec9fb506f9d4ea892cd508a51880d2849b186f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
memory/3248-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3248-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads