mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
129s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Target

6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe
Size

378KB
MD5

99cbd861f83a58b6f9e44032d4809098
SHA1

a3830e857406f1fb963bf090a46daaf88b06e27e
SHA256

6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467
SHA512

6b4088070017f838f07115d3aca431447ad78f001bedb26637b1bdd14e312d246d986fb35bbdbf39a7c8cb0d38ffb11773814264dec3ba06f2b6ca444c8505d6
SSDEEP

6144:f49SP92pCryG4kfjSGwEi56AOLGFIramMeulPZbsrww0D:f49Q2wryNSoF8apeul1sED

Score

10^/10

mystic stealer

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral8/memory/4264-0-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/4264-3-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/4264-2-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/4264-1-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3576	1092	WerFault.exe	82

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84
PID 1092 wrote to memory of 4264	1092	6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe	84

C:\Users\Admin\AppData\Local\Temp\6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe
"C:\Users\Admin\AppData\Local\Temp\6c30cb007997032e419ad510193eb667e3f0e2f8af929be8fc9c20b3ae8f0467.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 164
  2⤵
  - Program crash
  PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1092 -ip 1092
1⤵
PID:1992

memory/4264-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4264-3-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4264-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4264-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download