mystic | d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d

Analysis

max time kernel
124s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
Size

1.8MB
MD5

ca07658115cc668cb217bacd366736bc
SHA1

83e70e91f433cdb77b7a13f1c6b57c874e0a890b
SHA256

d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d
SHA512

0912639d64d00219de05071460846be2a38e86e49605f8f82579582a993103eea078249a1cc12356afdb5a01e729f1e4d756105e97f372e69426fe9bd8994a1c
SSDEEP

49152:BuXyYB6Ag5uJO/7RA+soZYXtCO9qWHm3:NYw1RhYdCC0

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3172-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3172-69-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3172-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3172-72-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1dy85Rf0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1dy85Rf0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1dy85Rf0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1dy85Rf0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1dy85Rf0.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
3044	Xz0TB19.exe
2532	zg5Vl09.exe
1168	vD1Ij09.exe
524	1dy85Rf0.exe
4400	2pw5130.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1dy85Rf0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1dy85Rf0.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xz0TB19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zg5Vl09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vD1Ij09.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4400 set thread context of 3172	4400	2pw5130.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4688	4400	WerFault.exe	74
4908	3172	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
524	1dy85Rf0.exe
524	1dy85Rf0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	524	1dy85Rf0.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3044	1528	d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe	70
PID 1528 wrote to memory of 3044	1528	d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe	70
PID 1528 wrote to memory of 3044	1528	d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe	70
PID 3044 wrote to memory of 2532	3044	Xz0TB19.exe	71
PID 3044 wrote to memory of 2532	3044	Xz0TB19.exe	71
PID 3044 wrote to memory of 2532	3044	Xz0TB19.exe	71
PID 2532 wrote to memory of 1168	2532	zg5Vl09.exe	72
PID 2532 wrote to memory of 1168	2532	zg5Vl09.exe	72
PID 2532 wrote to memory of 1168	2532	zg5Vl09.exe	72
PID 1168 wrote to memory of 524	1168	vD1Ij09.exe	73
PID 1168 wrote to memory of 524	1168	vD1Ij09.exe	73
PID 1168 wrote to memory of 524	1168	vD1Ij09.exe	73
PID 1168 wrote to memory of 4400	1168	vD1Ij09.exe	74
PID 1168 wrote to memory of 4400	1168	vD1Ij09.exe	74
PID 1168 wrote to memory of 4400	1168	vD1Ij09.exe	74
PID 4400 wrote to memory of 3532	4400	2pw5130.exe	75
PID 4400 wrote to memory of 3532	4400	2pw5130.exe	75
PID 4400 wrote to memory of 3532	4400	2pw5130.exe	75
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76
PID 4400 wrote to memory of 3172	4400	2pw5130.exe	76

C:\Users\Admin\AppData\Local\Temp\d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe
"C:\Users\Admin\AppData\Local\Temp\d5575d0469bb88aa7204a9b8d9d60a81fefef6834726b9394e811a70ee2ca57d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3532
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 568
        7⤵
        Program crash
        
        PID:4908
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 188
        6⤵
        Program crash
        
        PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe

Filesize
1.7MB

MD5
fb21f672183102f0141907d9eecfa5ec

SHA1
547cf25aa9097d793cfd21e9c25a1997828b6ffb

SHA256
7e810b5a28c1178854bb1392ba8ffe6c117081e5501449b23af95bd29ece1706

SHA512
309e098338d0cbe106c3a002b3f0aa41b3ebcb8b6dc67930d9d2c58861e0302f61bb01ee92a8b5eda9e75999248e5edda67e83ac5d025de1b070d1c6da7dd632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xz0TB19.exe

Filesize
1.7MB

MD5
fb21f672183102f0141907d9eecfa5ec

SHA1
547cf25aa9097d793cfd21e9c25a1997828b6ffb

SHA256
7e810b5a28c1178854bb1392ba8ffe6c117081e5501449b23af95bd29ece1706

SHA512
309e098338d0cbe106c3a002b3f0aa41b3ebcb8b6dc67930d9d2c58861e0302f61bb01ee92a8b5eda9e75999248e5edda67e83ac5d025de1b070d1c6da7dd632

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe

Filesize
1.1MB

MD5
897a6c7114c8b76f2616a2f5a5e99a73

SHA1
23e08d0cb39e8ceed59463941717730da4dc3851

SHA256
6c0b5ab90decba958b9e7d7413a58c4419c1e901b2d4bd9ae434c80ae60a4595

SHA512
5d7281c0a853cf70a0528df9783df942052af021a345fd37906edc785a1cd65ae03a6016eff6af63edccf19861a8ff1450857d33012033cf31bfbc4b9c4dc050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zg5Vl09.exe

Filesize
1.1MB

MD5
897a6c7114c8b76f2616a2f5a5e99a73

SHA1
23e08d0cb39e8ceed59463941717730da4dc3851

SHA256
6c0b5ab90decba958b9e7d7413a58c4419c1e901b2d4bd9ae434c80ae60a4595

SHA512
5d7281c0a853cf70a0528df9783df942052af021a345fd37906edc785a1cd65ae03a6016eff6af63edccf19861a8ff1450857d33012033cf31bfbc4b9c4dc050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe

Filesize
689KB

MD5
7a89084157d7e8165a35f0a1f0392d0e

SHA1
5d8f6f810315730c68d678e8250e5486e8d5e42d

SHA256
764158e48ff7093a7dc5798ff90c1d92571f75b1c47506bea5926692b47a15f5

SHA512
2920f96be6bd291130a2b39b5ba2c8ed8065a77d32e2f05155d292cdb3389bf703253a63aa61825c6f4acf62d4957ca8cac47ea72dbeac8185bb1386002a3258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vD1Ij09.exe

Filesize
689KB

MD5
7a89084157d7e8165a35f0a1f0392d0e

SHA1
5d8f6f810315730c68d678e8250e5486e8d5e42d

SHA256
764158e48ff7093a7dc5798ff90c1d92571f75b1c47506bea5926692b47a15f5

SHA512
2920f96be6bd291130a2b39b5ba2c8ed8065a77d32e2f05155d292cdb3389bf703253a63aa61825c6f4acf62d4957ca8cac47ea72dbeac8185bb1386002a3258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1dy85Rf0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe

Filesize
1.8MB

MD5
40b5f6383751db38a4ace28c0f245a7f

SHA1
4786b073c39e46dd772e1d4b5e1e8bc3d6b6cee3

SHA256
c13b36dd7e9f13d7d7be8848b7b20f881420ab027d3d4255734b4e58045b60a8

SHA512
b487f839cf5c9743bafbb60fd3f55ca725f557da445b22fb5660720c36d3fa7aa19cc83adbbe2188ae32fed147378a76e11a193da11e5e0d641dd3207a3a1ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2pw5130.exe

Filesize
1.8MB

MD5
40b5f6383751db38a4ace28c0f245a7f

SHA1
4786b073c39e46dd772e1d4b5e1e8bc3d6b6cee3

SHA256
c13b36dd7e9f13d7d7be8848b7b20f881420ab027d3d4255734b4e58045b60a8

SHA512
b487f839cf5c9743bafbb60fd3f55ca725f557da445b22fb5660720c36d3fa7aa19cc83adbbe2188ae32fed147378a76e11a193da11e5e0d641dd3207a3a1ace

Download Submit
memory/524-39-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-55-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-32-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-33-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-35-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-37-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-30-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/524-43-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-41-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-51-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-49-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-53-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-47-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-31-0x0000000004A70000-0x0000000004A8C000-memory.dmp

Filesize
112KB

Download
memory/524-45-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-57-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-59-0x0000000004A70000-0x0000000004A86000-memory.dmp

Filesize
88KB

Download
memory/524-60-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/524-62-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/524-29-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/524-28-0x0000000002450000-0x000000000246E000-memory.dmp

Filesize
120KB

Download
memory/3172-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3172-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3172-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3172-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download