mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
92s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
Size

365KB
MD5

79f59ae0253a9b026394312258c0c593
SHA1

95431db03a7664e976dda7e9bec80b3ea4003bf2
SHA256

7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e
SHA512

e25e0003ad22c25c59129b94173ee9c6490c60c3f6da14c5768232868b3d82781d574e1422a37b5f783c6a1a289672b559c7200bf820ff3ad31210be376f8e3d
SSDEEP

6144:Kyy+bnr+zp0yN90QEe99MHVGA8MjIEcmhUg99BYjYeUzfbuSEE:WMrry90Wk84XlhUq9BYjYeUzTOE

Score

10^/10

mystic persistence stealer

Malware Config

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pE7539.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral14/memory/3152-8-0x00000000023D0000-0x00000000023F0000-memory.dmp	net_reactor
behavioral14/memory/3152-11-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

Processes:

1SK23Qm9.exe2pE7539.exe

pid process

3152 1SK23Qm9.exe
980 2pE7539.exe

pid	process
3152	1SK23Qm9.exe
980	2pE7539.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1SK23Qm9.exe

description pid process

Token: SeDebugPrivilege 3152 1SK23Qm9.exe

description	pid	process
Token: SeDebugPrivilege	3152	1SK23Qm9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe

description	pid	process	target process
PID 4112 wrote to memory of 3152	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	1SK23Qm9.exe
PID 4112 wrote to memory of 3152	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	1SK23Qm9.exe
PID 4112 wrote to memory of 3152	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	1SK23Qm9.exe
PID 4112 wrote to memory of 980	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	2pE7539.exe
PID 4112 wrote to memory of 980	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	2pE7539.exe
PID 4112 wrote to memory of 980	4112	7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe	2pE7539.exe

C:\Users\Admin\AppData\Local\Temp\7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
"C:\Users\Admin\AppData\Local\Temp\7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SK23Qm9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SK23Qm9.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pE7539.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pE7539.exe
2⤵
- Executes dropped EXE
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1SK23Qm9.exe
Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2pE7539.exe
Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
memory/3152-7-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/3152-8-0x00000000023D0000-0x00000000023F0000-memory.dmp

Filesize
128KB

Download
memory/3152-9-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/3152-11-0x0000000004990000-0x00000000049AE000-memory.dmp

Filesize
120KB

Download
memory/3152-10-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/3152-12-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/3152-13-0x00000000049B0000-0x0000000004A42000-memory.dmp

Filesize
584KB

Download
memory/3152-14-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/3152-16-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download