mystic | 3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d

Analysis

max time kernel
102s
max time network
113s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
04-10-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe
Size

1.7MB
MD5

5beb0c5583fad02dc696e61d91071dc2
SHA1

070ae8f1ea96076208b7cb635fb3d9964c849b30
SHA256

3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d
SHA512

42caa0d748fba450926602481e2d473fcf45f2f35c354d0e3792212fe021c94619f08fcddd39bb0a1f457968da727df06217784ea30d220d13b975b31f9e1474
SSDEEP

49152:VAlzXjrB6QMyMnTWtjIPErIHW2TCacIGQh:ylzTrwkMTWtgmjQ

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2912-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2912-76-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2912-77-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/2912-79-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1zQ33Fu0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1zQ33Fu0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1zQ33Fu0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1zQ33Fu0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1zQ33Fu0.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 6 IoCs

pid	Process
4204	rp6Mc03.exe
208	Si7vJ31.exe
96	qe3Wi30.exe
3716	gI7jU10.exe
4420	1zQ33Fu0.exe
1436	2pO03WF.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1zQ33Fu0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1zQ33Fu0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Si7vJ31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qe3Wi30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	gI7jU10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rp6Mc03.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 2912	1436	2pO03WF.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2852	1436	WerFault.exe	75
3544	2912	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4420	1zQ33Fu0.exe
4420	1zQ33Fu0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	1zQ33Fu0.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 4204	2744	3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe	70
PID 2744 wrote to memory of 4204	2744	3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe	70
PID 2744 wrote to memory of 4204	2744	3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe	70
PID 4204 wrote to memory of 208	4204	rp6Mc03.exe	71
PID 4204 wrote to memory of 208	4204	rp6Mc03.exe	71
PID 4204 wrote to memory of 208	4204	rp6Mc03.exe	71
PID 208 wrote to memory of 96	208	Si7vJ31.exe	72
PID 208 wrote to memory of 96	208	Si7vJ31.exe	72
PID 208 wrote to memory of 96	208	Si7vJ31.exe	72
PID 96 wrote to memory of 3716	96	qe3Wi30.exe	73
PID 96 wrote to memory of 3716	96	qe3Wi30.exe	73
PID 96 wrote to memory of 3716	96	qe3Wi30.exe	73
PID 3716 wrote to memory of 4420	3716	gI7jU10.exe	74
PID 3716 wrote to memory of 4420	3716	gI7jU10.exe	74
PID 3716 wrote to memory of 4420	3716	gI7jU10.exe	74
PID 3716 wrote to memory of 1436	3716	gI7jU10.exe	75
PID 3716 wrote to memory of 1436	3716	gI7jU10.exe	75
PID 3716 wrote to memory of 1436	3716	gI7jU10.exe	75
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76
PID 1436 wrote to memory of 2912	1436	2pO03WF.exe	76

C:\Users\Admin\AppData\Local\Temp\3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe
"C:\Users\Admin\AppData\Local\Temp\3366934fd27fb24f71b0785f360d15c44ce18225d69e0b944d2a743b247b862d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rp6Mc03.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rp6Mc03.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Si7vJ31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Si7vJ31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qe3Wi30.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qe3Wi30.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:96
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI7jU10.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI7jU10.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zQ33Fu0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zQ33Fu0.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pO03WF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pO03WF.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 568
        8⤵
        Program crash
        
        PID:3544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 588
        7⤵
        Program crash
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rp6Mc03.exe

Filesize
1.5MB

MD5
aea2d3d36d89288af6497090a9cf374a

SHA1
c484a0f9c122e5cfa98a569e231b63d27f8c3f70

SHA256
232d2781cf0a3119604488e9c390b8cf0e4948ce1a9b4f7ba90db4c2d8ae4ae5

SHA512
2c2c7af8cdf88ac752ffe2933b51ad472d53516d8ec39ca827456f318a967fe058a7371313c9c405101cdb4075a23f482cee9e63c09d54ae966092f4eac89c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rp6Mc03.exe

Filesize
1.5MB

MD5
aea2d3d36d89288af6497090a9cf374a

SHA1
c484a0f9c122e5cfa98a569e231b63d27f8c3f70

SHA256
232d2781cf0a3119604488e9c390b8cf0e4948ce1a9b4f7ba90db4c2d8ae4ae5

SHA512
2c2c7af8cdf88ac752ffe2933b51ad472d53516d8ec39ca827456f318a967fe058a7371313c9c405101cdb4075a23f482cee9e63c09d54ae966092f4eac89c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Si7vJ31.exe

Filesize
1.4MB

MD5
079fd09e8b59ef8e29f0c0d02f411dcd

SHA1
eb58543faeea641aacd45b24aa82cb245d4d315c

SHA256
39254aa822b619a22037b699a9e458e8c539707e67e2f2a3c52aaf1a4798c0f8

SHA512
bb1df66086b7ea24254e99afcfbeb3c09164593b901dcdf8771e38cbf7411da348bed864675732ad8d014e426429359c23570543b11c60c37f636e135a1d46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Si7vJ31.exe

Filesize
1.4MB

MD5
079fd09e8b59ef8e29f0c0d02f411dcd

SHA1
eb58543faeea641aacd45b24aa82cb245d4d315c

SHA256
39254aa822b619a22037b699a9e458e8c539707e67e2f2a3c52aaf1a4798c0f8

SHA512
bb1df66086b7ea24254e99afcfbeb3c09164593b901dcdf8771e38cbf7411da348bed864675732ad8d014e426429359c23570543b11c60c37f636e135a1d46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qe3Wi30.exe

Filesize
1.2MB

MD5
8d94e9d8950f45a7d9c6cd723da1f9b1

SHA1
ed9cc53b983de54f5ccbb4ea5e9f533815500c2a

SHA256
6df12e7a81519f948668f277d47272dccc9a4d0df7c5fb79d7c1d563dd81402f

SHA512
430d8124fe858f1d09f7c0663d45d126b60bca2d9930e3c6287494f185836411cd1f22fdcceeff018aaaacfa080c9389c77885324bc9ec3b9ffb9aac1b939ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qe3Wi30.exe

Filesize
1.2MB

MD5
8d94e9d8950f45a7d9c6cd723da1f9b1

SHA1
ed9cc53b983de54f5ccbb4ea5e9f533815500c2a

SHA256
6df12e7a81519f948668f277d47272dccc9a4d0df7c5fb79d7c1d563dd81402f

SHA512
430d8124fe858f1d09f7c0663d45d126b60bca2d9930e3c6287494f185836411cd1f22fdcceeff018aaaacfa080c9389c77885324bc9ec3b9ffb9aac1b939ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI7jU10.exe

Filesize
688KB

MD5
8132189eff6243a9b2863a35cc0f5cce

SHA1
511ce866e972930494dce92efbb18995806ee001

SHA256
60de697479afa127f902d58cc73e44d595122eb4948a9a9197bc429447770e19

SHA512
411475d935dd55b3961e0c13617a3a6cc7210375abc8063ede17e9e4f7e424cc7f180aedfac577fcf163b4cadad3636788b2704db47cfeb1d9673353f54218b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\gI7jU10.exe

Filesize
688KB

MD5
8132189eff6243a9b2863a35cc0f5cce

SHA1
511ce866e972930494dce92efbb18995806ee001

SHA256
60de697479afa127f902d58cc73e44d595122eb4948a9a9197bc429447770e19

SHA512
411475d935dd55b3961e0c13617a3a6cc7210375abc8063ede17e9e4f7e424cc7f180aedfac577fcf163b4cadad3636788b2704db47cfeb1d9673353f54218b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zQ33Fu0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zQ33Fu0.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pO03WF.exe

Filesize
1.8MB

MD5
bd032be5afa292fc8ed69763de8eb291

SHA1
6ed592304dd4a21ef621dd3ff3de57801a7e1c9c

SHA256
c4e722f57977f3c8a94cadc754675ddd632db29d038b99bcae4122da7ec4b4cf

SHA512
85d43e140ff20a8c084929b4916f7ab23d614280eb5985bbf33e67d1499ef7348f92c44fd6a34b118db1afe3842800075715d7541590724a9efe8258ab688a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2pO03WF.exe

Filesize
1.8MB

MD5
bd032be5afa292fc8ed69763de8eb291

SHA1
6ed592304dd4a21ef621dd3ff3de57801a7e1c9c

SHA256
c4e722f57977f3c8a94cadc754675ddd632db29d038b99bcae4122da7ec4b4cf

SHA512
85d43e140ff20a8c084929b4916f7ab23d614280eb5985bbf33e67d1499ef7348f92c44fd6a34b118db1afe3842800075715d7541590724a9efe8258ab688a75

Download Submit
memory/2912-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2912-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2912-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2912-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4420-46-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-64-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-42-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-48-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-50-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-52-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-54-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-56-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-58-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-60-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-62-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-44-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-66-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-67-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/4420-69-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/4420-40-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-39-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4420-38-0x00000000023E0000-0x00000000023FC000-memory.dmp

Filesize
112KB

Download
memory/4420-37-0x0000000004A90000-0x0000000004F8E000-memory.dmp

Filesize
5.0MB

Download
memory/4420-36-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/4420-35-0x0000000002120000-0x000000000213E000-memory.dmp

Filesize
120KB

Download