mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe
Size

426KB
MD5

1cfcc52c462884921efcd71d2964a590
SHA1

f0950b2f31f492d57dd07e1070419b2a8d376166
SHA256

2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030
SHA512

cae2b703fd2e337c19f905d30112f379c1c5c2fe0f8bdf9a24076671ea1af71a6e2b82e142c20d5b364517600789ad0ca46d365140fffb9f218fdd61ac80eb6b
SSDEEP

12288:YMrGy90/Ij9NkhgKBXQFaFGcfr6fuKAnuTZMp:eyiIj9TKXQFaFG2r6f9AmOp

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral3/memory/1700-7-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/1700-11-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/1700-13-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral3/memory/1700-10-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
Executes dropped EXE 2 IoCs

Processes:

11xp7655.exe12jb238.exe

pid process

5220 11xp7655.exe
5104 12jb238.exe

pid	process
5220	11xp7655.exe
5104	12jb238.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

11xp7655.exe

description pid process target process

PID 5220 set thread context of 1700 5220 11xp7655.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

452 1700 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 5220 set thread context of 1700	5220	11xp7655.exe	AppLaunch.exe

pid	pid_target	process	target process
452	1700	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe11xp7655.exe

description	pid	process	target process
PID 2108 wrote to memory of 5220	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	11xp7655.exe
PID 2108 wrote to memory of 5220	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	11xp7655.exe
PID 2108 wrote to memory of 5220	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	11xp7655.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 5220 wrote to memory of 1700	5220	11xp7655.exe	AppLaunch.exe
PID 2108 wrote to memory of 5104	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	12jb238.exe
PID 2108 wrote to memory of 5104	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	12jb238.exe
PID 2108 wrote to memory of 5104	2108	2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe	12jb238.exe

C:\Users\Admin\AppData\Local\Temp\2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe
"C:\Users\Admin\AppData\Local\Temp\2dd3d7aef156b5db3c5785a7d818ed1c4109c841ee63bb99312915840d12c030.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11xp7655.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11xp7655.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 540
4⤵
- Program crash
PID:452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12jb238.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12jb238.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
1⤵
PID:4160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\11xp7655.exe
Filesize
369KB

MD5
ca09344fbf4a1dbaffe18eb4a00a931a

SHA1
81d5ed2e00d4d297cda4882641e957eb75d9f9a9

SHA256
6113e109ebd9701ce5c91d223394bf22a027534a4dc46f654afabe53efd16c35

SHA512
c8663715e54d8618464aa2f1edfa3b4d1a6deac744d6fa39a5656937610bdd5af9c9ae6b405a329dc0b965c983330e875f691e2b5c7b9a891cd0bc013df6187f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\12jb238.exe
Filesize
408KB

MD5
1027a27916c1340828d23a53d93358b5

SHA1
66cc85c589f8c9ce0bcf4e8f8588233c3885dbcc

SHA256
173e31ff7b01259106f4ab3434aaf97a3ded33bb675ae8d737d9a696821b106f

SHA512
0e6bddad66d784ca200106ef62b51be245da066f3b7b93292a9153c602b9842ca31b9c2f73b66a99ccfb0591fa205fd56ba931eb4f06c9b9f54f264016e045d0

Download Submit
memory/1700-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download