mystic | 1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe
Size

1.1MB
MD5

2ec6e05eb510e491a168f8377725b43c
SHA1

180bf9be7944e5aa8190161ec34c00fa85000c7f
SHA256

1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16
SHA512

b957c1d3d6fb1618b8a408a4b9dd528f81970fcf63c435fadf02435a8c3837ff8cf9b5880d7d5a29028cafc4039eac03f18ff24109ff6adc8333c77ef02e2158
SSDEEP

12288:3JL65OW9gH1dNmfJ7VqgLEZqg4wcvg8S8rAtufCeRBmRAnU1aWFrWO6HA:ZLZW9gH1dNmfzqfZqgeIWAwWb6H

Score

10^/10

mystic stealer

Malware Config

Signatures

Detect Mystic stealer payload 6 IoCs

resource	yara_rule
behavioral1/memory/2244-3-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2244-4-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2244-5-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2244-7-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2244-9-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2244-11-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2544	2244	WerFault.exe	28

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2876 wrote to memory of 2244	2876	1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe	28
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29
PID 2244 wrote to memory of 2544	2244	AppLaunch.exe	29

C:\Users\Admin\AppData\Local\Temp\1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe
"C:\Users\Admin\AppData\Local\Temp\1a58f07bcdc72061d1761d5b3a41ec5811006b2634d80240504ffafa01496e16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 196
    3⤵
    - Program crash
    PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2244-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-1-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-3-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads