mystic | a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee

Analysis

max time kernel
188s
max time network
300s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2023, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe
Size

1.5MB
MD5

22303254dd64ae1cd2e51680eb091fb3
SHA1

309cdeb0bf3701d9affc8b6f656484edf9d1a662
SHA256

a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee
SHA512

dacb2504c433051ffee63370072077496a6fee132f7e6f63f3d4a698b4d098f7067ae2af1de6fea69b68e4af8d83d1bf927e6187ff682fd35cf9b14bbf577cee
SSDEEP

24576:8yUxmOfOhMckUbE9PVUB2OiU8V3UM8LEEk9tmFiV4QHd4ywYFBpXkt8M6oVf:rUxmOfONYVUQOh8kETQiVv95wgBpXmI

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4456-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-69-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4456-72-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1yF97fb7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1yF97fb7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1yF97fb7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1yF97fb7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1yF97fb7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
4344	WP0sT21.exe
4492	hj5KQ50.exe
4844	gg5Ip43.exe
2616	1yF97fb7.exe
2112	2ji8517.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1yF97fb7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1yF97fb7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gg5Ip43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WP0sT21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hj5KQ50.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2112 set thread context of 4456	2112	2ji8517.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4672	2112	WerFault.exe	74
4860	4456	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2616	1yF97fb7.exe
2616	1yF97fb7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	1yF97fb7.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 4344	3968	a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe	70
PID 3968 wrote to memory of 4344	3968	a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe	70
PID 3968 wrote to memory of 4344	3968	a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe	70
PID 4344 wrote to memory of 4492	4344	WP0sT21.exe	71
PID 4344 wrote to memory of 4492	4344	WP0sT21.exe	71
PID 4344 wrote to memory of 4492	4344	WP0sT21.exe	71
PID 4492 wrote to memory of 4844	4492	hj5KQ50.exe	72
PID 4492 wrote to memory of 4844	4492	hj5KQ50.exe	72
PID 4492 wrote to memory of 4844	4492	hj5KQ50.exe	72
PID 4844 wrote to memory of 2616	4844	gg5Ip43.exe	73
PID 4844 wrote to memory of 2616	4844	gg5Ip43.exe	73
PID 4844 wrote to memory of 2616	4844	gg5Ip43.exe	73
PID 4844 wrote to memory of 2112	4844	gg5Ip43.exe	74
PID 4844 wrote to memory of 2112	4844	gg5Ip43.exe	74
PID 4844 wrote to memory of 2112	4844	gg5Ip43.exe	74
PID 2112 wrote to memory of 4940	2112	2ji8517.exe	76
PID 2112 wrote to memory of 4940	2112	2ji8517.exe	76
PID 2112 wrote to memory of 4940	2112	2ji8517.exe	76
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77
PID 2112 wrote to memory of 4456	2112	2ji8517.exe	77

C:\Users\Admin\AppData\Local\Temp\a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe
"C:\Users\Admin\AppData\Local\Temp\a0dabc41d478db7e38c5977266f010eb0ad5c057d2b6e4b252804b3ea438eaee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WP0sT21.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WP0sT21.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hj5KQ50.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hj5KQ50.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gg5Ip43.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gg5Ip43.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yF97fb7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yF97fb7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ji8517.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ji8517.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4940
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 568
        7⤵
        Program crash
        
        PID:4860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 144
        6⤵
        Program crash
        
        PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WP0sT21.exe

Filesize
1.4MB

MD5
a3d4cf9af8aa5bad24aa7ec052d3f414

SHA1
28c0148bd6896b6dc7d64a8d2464711ff4316df8

SHA256
75a2dc1e755fa3d089c1cf6ebccc69fb7b871c73ffaad997c07def8e8486dab5

SHA512
b0b8e32239ea369f7ef0c109004a4a995f2afa082e980d09a7aaa65f66823af159e2f4a9a5a3d165f0b9df0891efb248a31c28dc3c7e62b56377a01568a845e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WP0sT21.exe

Filesize
1.4MB

MD5
a3d4cf9af8aa5bad24aa7ec052d3f414

SHA1
28c0148bd6896b6dc7d64a8d2464711ff4316df8

SHA256
75a2dc1e755fa3d089c1cf6ebccc69fb7b871c73ffaad997c07def8e8486dab5

SHA512
b0b8e32239ea369f7ef0c109004a4a995f2afa082e980d09a7aaa65f66823af159e2f4a9a5a3d165f0b9df0891efb248a31c28dc3c7e62b56377a01568a845e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hj5KQ50.exe

Filesize
985KB

MD5
eedad3082e30fe11291b79a6df09a065

SHA1
c28cc5912ca15d0ca34d69c84c81ac411539def2

SHA256
695e8becfdf74889614582b530031b9820b2e8c40431c1134eb3c825ad34548e

SHA512
1d279ff743d66e59eaf0934147ff519e0924239ca04785c1b21918c4630db0e98f0847feae1741bbe2008db0d5aae808d820cf4e556e42308ee591ca19a6d319

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hj5KQ50.exe

Filesize
985KB

MD5
eedad3082e30fe11291b79a6df09a065

SHA1
c28cc5912ca15d0ca34d69c84c81ac411539def2

SHA256
695e8becfdf74889614582b530031b9820b2e8c40431c1134eb3c825ad34548e

SHA512
1d279ff743d66e59eaf0934147ff519e0924239ca04785c1b21918c4630db0e98f0847feae1741bbe2008db0d5aae808d820cf4e556e42308ee591ca19a6d319

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gg5Ip43.exe

Filesize
598KB

MD5
41875389295c0f10da6dd81bfa503a80

SHA1
74292d3571fb8a0a572ba66a0506056e66b520c0

SHA256
2bb107cf8943c7f0d705aa02680c38e0850ef5c249d74a0d69df87f0ac04939b

SHA512
ffd7018b0ff3f93c5352e1695ad3a33bf404f6ac4303288e279fad37f79b6c6487839c1b7fa36bf8f9f916f85feb54be0ea66c7f04326d2621fe2c7f437e4de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gg5Ip43.exe

Filesize
598KB

MD5
41875389295c0f10da6dd81bfa503a80

SHA1
74292d3571fb8a0a572ba66a0506056e66b520c0

SHA256
2bb107cf8943c7f0d705aa02680c38e0850ef5c249d74a0d69df87f0ac04939b

SHA512
ffd7018b0ff3f93c5352e1695ad3a33bf404f6ac4303288e279fad37f79b6c6487839c1b7fa36bf8f9f916f85feb54be0ea66c7f04326d2621fe2c7f437e4de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yF97fb7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1yF97fb7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ji8517.exe

Filesize
1.4MB

MD5
9b45c734f07328a3ac53e6551a95e81f

SHA1
6b29d75bd0fadc0f66ac5d67226eb9c5c1b231b0

SHA256
3ef336a57f333d3a60a1b61a44fb13d82a0f71705190f703836a9ce243c3eeeb

SHA512
817fe5e892875129897779586293c71ac01b74682458daa76b9db701b91b1a5db6b04bb79a7ca26c216c5042a17e4e6c582d5a26cdab0eb37e200b791e7574b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ji8517.exe

Filesize
1.4MB

MD5
9b45c734f07328a3ac53e6551a95e81f

SHA1
6b29d75bd0fadc0f66ac5d67226eb9c5c1b231b0

SHA256
3ef336a57f333d3a60a1b61a44fb13d82a0f71705190f703836a9ce243c3eeeb

SHA512
817fe5e892875129897779586293c71ac01b74682458daa76b9db701b91b1a5db6b04bb79a7ca26c216c5042a17e4e6c582d5a26cdab0eb37e200b791e7574b6

Download Submit
memory/2616-39-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-53-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-32-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-33-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-35-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-37-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-30-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/2616-41-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-43-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-45-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-47-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-49-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-51-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-31-0x0000000002400000-0x000000000241C000-memory.dmp

Filesize
112KB

Download
memory/2616-55-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-57-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-59-0x0000000002400000-0x0000000002416000-memory.dmp

Filesize
88KB

Download
memory/2616-60-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-62-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2616-28-0x0000000002380000-0x000000000239E000-memory.dmp

Filesize
120KB

Download
memory/2616-29-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/4456-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4456-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download