mystic | 2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd

Analysis

max time kernel
127s
max time network
132s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04/10/2023, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe
Size

1.7MB
MD5

03c816d0255991a47f1521df26194efe
SHA1

eb3d4d8d70bb44e7d5dc07fb15753b7f8d743a72
SHA256

2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd
SHA512

ccc4e49e96519a8069c08ba327eb15ffa241e8434275da87c3a833e348721ccd7a25e84034ec6e7816a9d2e4ffef26ac1172d877399f8707ad2a981e1d109632
SSDEEP

49152:P3ePTNGpziNoM9Zk6/99e5vUkYyDh4jkJRi:GPxnNzD1X+UkYUCkJ

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3512-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3512-76-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3512-77-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3512-79-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Qn58jI4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Qn58jI4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Qn58jI4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Qn58jI4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Qn58jI4.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 6 IoCs

pid	Process
5088	xy0TU63.exe
1016	Ll7LW51.exe
4248	uP9oh20.exe
4444	WQ8Il38.exe
3644	1Qn58jI4.exe
3988	2YO22WX.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1Qn58jI4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Qn58jI4.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ll7LW51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	uP9oh20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WQ8Il38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xy0TU63.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 3512	3988	2YO22WX.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4204	3988	WerFault.exe	75
4536	3512	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3644	1Qn58jI4.exe
3644	1Qn58jI4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	1Qn58jI4.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 5088	2916	2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe	70
PID 2916 wrote to memory of 5088	2916	2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe	70
PID 2916 wrote to memory of 5088	2916	2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe	70
PID 5088 wrote to memory of 1016	5088	xy0TU63.exe	71
PID 5088 wrote to memory of 1016	5088	xy0TU63.exe	71
PID 5088 wrote to memory of 1016	5088	xy0TU63.exe	71
PID 1016 wrote to memory of 4248	1016	Ll7LW51.exe	72
PID 1016 wrote to memory of 4248	1016	Ll7LW51.exe	72
PID 1016 wrote to memory of 4248	1016	Ll7LW51.exe	72
PID 4248 wrote to memory of 4444	4248	uP9oh20.exe	73
PID 4248 wrote to memory of 4444	4248	uP9oh20.exe	73
PID 4248 wrote to memory of 4444	4248	uP9oh20.exe	73
PID 4444 wrote to memory of 3644	4444	WQ8Il38.exe	74
PID 4444 wrote to memory of 3644	4444	WQ8Il38.exe	74
PID 4444 wrote to memory of 3644	4444	WQ8Il38.exe	74
PID 4444 wrote to memory of 3988	4444	WQ8Il38.exe	75
PID 4444 wrote to memory of 3988	4444	WQ8Il38.exe	75
PID 4444 wrote to memory of 3988	4444	WQ8Il38.exe	75
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76
PID 3988 wrote to memory of 3512	3988	2YO22WX.exe	76

C:\Users\Admin\AppData\Local\Temp\2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe
"C:\Users\Admin\AppData\Local\Temp\2bad6266bb92dfb65118daa800722b4963c277a6afa373276a82629fa3e239bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy0TU63.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy0TU63.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7LW51.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7LW51.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uP9oh20.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uP9oh20.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WQ8Il38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WQ8Il38.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn58jI4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn58jI4.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YO22WX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YO22WX.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 568
        8⤵
        Program crash
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 568
        7⤵
        Program crash
        
        PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy0TU63.exe

Filesize
1.5MB

MD5
a1ecfc32888c5a7673efeb29c361c68f

SHA1
b687381728b6d3fca357db6053a04568be295d21

SHA256
b5b7662e80aea81b2c6e9f6064487d8bed090c589eb40df185b85fbba3508c56

SHA512
d35fb396583b9947ac3101524ac7303377d1d4f98224cc75ca5fdb58120a2932f141c7920a0e7714d3cde97b8d9e347653c374d6d8dbf7499ab2aa8424b79554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xy0TU63.exe

Filesize
1.5MB

MD5
a1ecfc32888c5a7673efeb29c361c68f

SHA1
b687381728b6d3fca357db6053a04568be295d21

SHA256
b5b7662e80aea81b2c6e9f6064487d8bed090c589eb40df185b85fbba3508c56

SHA512
d35fb396583b9947ac3101524ac7303377d1d4f98224cc75ca5fdb58120a2932f141c7920a0e7714d3cde97b8d9e347653c374d6d8dbf7499ab2aa8424b79554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7LW51.exe

Filesize
1.4MB

MD5
034de3977c6561a51156466b27de195a

SHA1
773502d238f113da86285db1729fd6597375301c

SHA256
e068b08fa79983b3e5b9885724ad69b6a11848b4e1cee56a0c69cb4e13159c37

SHA512
6fac84aa2f142c6dbb46bd9e494e25fadc3fdf43e8850dbee2e1d998f3aee37687a20de252429850cfb76e0a4b9a47533d5be81eae4661b5d49d630b1f774e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ll7LW51.exe

Filesize
1.4MB

MD5
034de3977c6561a51156466b27de195a

SHA1
773502d238f113da86285db1729fd6597375301c

SHA256
e068b08fa79983b3e5b9885724ad69b6a11848b4e1cee56a0c69cb4e13159c37

SHA512
6fac84aa2f142c6dbb46bd9e494e25fadc3fdf43e8850dbee2e1d998f3aee37687a20de252429850cfb76e0a4b9a47533d5be81eae4661b5d49d630b1f774e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uP9oh20.exe

Filesize
1.2MB

MD5
352820cbaf5832540e78b40ee1c1a800

SHA1
370a851e0d875123fae6f8dba864519e8b4246be

SHA256
11fb843646364cdf9596123bd7b359ac4e967f74a345defa5a3010993d54ad42

SHA512
56d59f20ba3bbafe426e3b3d9b7c5d1cb82b269bf2291466fd66e61becaefaf882bdfcc8c0f9c2a1d9358dbf593952900ebeedea578c317b36c03ac306bb4df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uP9oh20.exe

Filesize
1.2MB

MD5
352820cbaf5832540e78b40ee1c1a800

SHA1
370a851e0d875123fae6f8dba864519e8b4246be

SHA256
11fb843646364cdf9596123bd7b359ac4e967f74a345defa5a3010993d54ad42

SHA512
56d59f20ba3bbafe426e3b3d9b7c5d1cb82b269bf2291466fd66e61becaefaf882bdfcc8c0f9c2a1d9358dbf593952900ebeedea578c317b36c03ac306bb4df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WQ8Il38.exe

Filesize
688KB

MD5
64d2751c6261cc9932f8a17f124f9cb4

SHA1
efab9139481493b4bc14a3dfce8a656e1c9c4e49

SHA256
c39cd3bfa7010e36cf5268d3944da68d74d377d3e6e0d3edc6a7cc234ba78361

SHA512
e082558f5906b596159cbf7a225be5a8591621fb6c3f106b1122807f89f4f574860674ff72ddd5a9448598dae7d26e9dbaa0508e529428afa8376107edef9df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WQ8Il38.exe

Filesize
688KB

MD5
64d2751c6261cc9932f8a17f124f9cb4

SHA1
efab9139481493b4bc14a3dfce8a656e1c9c4e49

SHA256
c39cd3bfa7010e36cf5268d3944da68d74d377d3e6e0d3edc6a7cc234ba78361

SHA512
e082558f5906b596159cbf7a225be5a8591621fb6c3f106b1122807f89f4f574860674ff72ddd5a9448598dae7d26e9dbaa0508e529428afa8376107edef9df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn58jI4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qn58jI4.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YO22WX.exe

Filesize
1.8MB

MD5
ae4dca17d034f75431b7a5028c98eb10

SHA1
5240c286c8914ff35f4603c0aed2e08d428bc0f5

SHA256
9187542fcf290223921aed08193766c4d84405969b506d455bb9c15f2e99a46a

SHA512
ee4dae66f155fa2bba6d3b69766cc3065d76d789cd1598fcd3a2a7f503e3be55a214cd6a30104478b339a7ce3ea38f3e8f177dbb0badc35de854a205b24133b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2YO22WX.exe

Filesize
1.8MB

MD5
ae4dca17d034f75431b7a5028c98eb10

SHA1
5240c286c8914ff35f4603c0aed2e08d428bc0f5

SHA256
9187542fcf290223921aed08193766c4d84405969b506d455bb9c15f2e99a46a

SHA512
ee4dae66f155fa2bba6d3b69766cc3065d76d789cd1598fcd3a2a7f503e3be55a214cd6a30104478b339a7ce3ea38f3e8f177dbb0badc35de854a205b24133b9

Download Submit
memory/3512-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3512-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3512-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3512-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3644-46-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-64-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-42-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-48-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-50-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-52-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-54-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-56-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-58-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-60-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-62-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-44-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-66-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-67-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/3644-69-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download
memory/3644-40-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-39-0x0000000004A80000-0x0000000004A96000-memory.dmp

Filesize
88KB

Download
memory/3644-38-0x0000000004A80000-0x0000000004A9C000-memory.dmp

Filesize
112KB

Download
memory/3644-37-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/3644-36-0x00000000022C0000-0x00000000022DE000-memory.dmp

Filesize
120KB

Download
memory/3644-35-0x0000000073090000-0x000000007377E000-memory.dmp

Filesize
6.9MB

Download