mystic | bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851

Analysis

max time kernel
126s
max time network
131s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2023, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe
Size

1.7MB
MD5

9377b44e28343e05a83ecda016271780
SHA1

9667aa93126b95d00d2953988b1eb7efa2d7b7b0
SHA256

bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851
SHA512

2a667f2ecdc71cacdce0814e2af406ed1613b150d7e2d795132d240105d9beeabe659b2f1f0bddad56d25c9b152bfc0a2a57a11c0b1dd1f09cfd74cd3f735094
SSDEEP

49152:09suHdb8t3oMg4g2XSHSwe27WC2p0ukEO0B+v98+8:YdbW3G41SywyC26CvB+v9W

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1412-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1412-76-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1412-77-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/1412-79-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1nb72gX2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1nb72gX2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1nb72gX2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1nb72gX2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1nb72gX2.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 6 IoCs

pid	Process
3916	qy7Qt25.exe
3484	Gw4AS70.exe
4376	JF3fC20.exe
4104	Pe6sP38.exe
5032	1nb72gX2.exe
4248	2yt67eI.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1nb72gX2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1nb72gX2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qy7Qt25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Gw4AS70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	JF3fC20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Pe6sP38.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4248 set thread context of 1412	4248	2yt67eI.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1184	4248	WerFault.exe	75
3488	1412	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5032	1nb72gX2.exe
5032	1nb72gX2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	1nb72gX2.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3916	3048	bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe	70
PID 3048 wrote to memory of 3916	3048	bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe	70
PID 3048 wrote to memory of 3916	3048	bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe	70
PID 3916 wrote to memory of 3484	3916	qy7Qt25.exe	71
PID 3916 wrote to memory of 3484	3916	qy7Qt25.exe	71
PID 3916 wrote to memory of 3484	3916	qy7Qt25.exe	71
PID 3484 wrote to memory of 4376	3484	Gw4AS70.exe	72
PID 3484 wrote to memory of 4376	3484	Gw4AS70.exe	72
PID 3484 wrote to memory of 4376	3484	Gw4AS70.exe	72
PID 4376 wrote to memory of 4104	4376	JF3fC20.exe	73
PID 4376 wrote to memory of 4104	4376	JF3fC20.exe	73
PID 4376 wrote to memory of 4104	4376	JF3fC20.exe	73
PID 4104 wrote to memory of 5032	4104	Pe6sP38.exe	74
PID 4104 wrote to memory of 5032	4104	Pe6sP38.exe	74
PID 4104 wrote to memory of 5032	4104	Pe6sP38.exe	74
PID 4104 wrote to memory of 4248	4104	Pe6sP38.exe	75
PID 4104 wrote to memory of 4248	4104	Pe6sP38.exe	75
PID 4104 wrote to memory of 4248	4104	Pe6sP38.exe	75
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76
PID 4248 wrote to memory of 1412	4248	2yt67eI.exe	76

C:\Users\Admin\AppData\Local\Temp\bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe
"C:\Users\Admin\AppData\Local\Temp\bbce009f7a7464be2100737b272bd6c2297a352957970f1bb28ba7c1c16e7851.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qy7Qt25.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qy7Qt25.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gw4AS70.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gw4AS70.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JF3fC20.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JF3fC20.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pe6sP38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pe6sP38.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4104
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nb72gX2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nb72gX2.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yt67eI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yt67eI.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 568
        8⤵
        Program crash
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 560
        7⤵
        Program crash
        
        PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qy7Qt25.exe

Filesize
1.5MB

MD5
4f0f55d401773149798e50735cb84324

SHA1
a43f295bbf04e10b6406f06bbf0c2bc6b8e7da71

SHA256
912fc856b648058c742763a44a584c12866961a8ab62414a9091b10bc866605d

SHA512
49f79bde50372e53750bcc7fe1c21cd81af56a9b34657c3f1b8bd66101845b781286ac09cd9b5f7fa52392f301566e25ed38633ee306d3096ad7b7c437d66b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qy7Qt25.exe

Filesize
1.5MB

MD5
4f0f55d401773149798e50735cb84324

SHA1
a43f295bbf04e10b6406f06bbf0c2bc6b8e7da71

SHA256
912fc856b648058c742763a44a584c12866961a8ab62414a9091b10bc866605d

SHA512
49f79bde50372e53750bcc7fe1c21cd81af56a9b34657c3f1b8bd66101845b781286ac09cd9b5f7fa52392f301566e25ed38633ee306d3096ad7b7c437d66b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gw4AS70.exe

Filesize
1.4MB

MD5
b3a7493482d035a68fed4bfc9f5bf664

SHA1
290da5c2d1d8c7f2cc837d74cb29dca70984ca6c

SHA256
ab4e72ad574d7883ec3244333bd020bc3f7cd9d50e96ae7bb66f7389949e1a63

SHA512
48a17e9c0e18411a1a69eec58e3638f36486004ab498b03ec9f43ee1de9a45d15a42473e3cf68218e0dd7912126210ca961b1a1d919f19a9495f0dc001a6cba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gw4AS70.exe

Filesize
1.4MB

MD5
b3a7493482d035a68fed4bfc9f5bf664

SHA1
290da5c2d1d8c7f2cc837d74cb29dca70984ca6c

SHA256
ab4e72ad574d7883ec3244333bd020bc3f7cd9d50e96ae7bb66f7389949e1a63

SHA512
48a17e9c0e18411a1a69eec58e3638f36486004ab498b03ec9f43ee1de9a45d15a42473e3cf68218e0dd7912126210ca961b1a1d919f19a9495f0dc001a6cba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JF3fC20.exe

Filesize
1.2MB

MD5
655828caaf7fcb8dadb8df83e3ae790f

SHA1
49486ea1bb3cfc90450a232166abeb859e0a512b

SHA256
5859691a33c8eb90cd2304906116d94eb1eaa878849a0b01d1fbae71f59051ce

SHA512
39a9c4aab6fcf7509b457e749d78a3aa021d91e97e5e4ab8b13ae40e72de9d5a2140d52e899adc9f55417b1754cf2a16ba26e5fec5d056a8049977cc3acea6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\JF3fC20.exe

Filesize
1.2MB

MD5
655828caaf7fcb8dadb8df83e3ae790f

SHA1
49486ea1bb3cfc90450a232166abeb859e0a512b

SHA256
5859691a33c8eb90cd2304906116d94eb1eaa878849a0b01d1fbae71f59051ce

SHA512
39a9c4aab6fcf7509b457e749d78a3aa021d91e97e5e4ab8b13ae40e72de9d5a2140d52e899adc9f55417b1754cf2a16ba26e5fec5d056a8049977cc3acea6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pe6sP38.exe

Filesize
689KB

MD5
93cffc4accb1fb178f9fefb9b52887d6

SHA1
89e05d315daf69cab0be4c25f09535bd97b0fe20

SHA256
2f507d909a10e1ba970487741a7b32ce8d705a64bf7e5784ee8aae152db2c33b

SHA512
697c75bebe08c9605e0d0efcc9b6ea54886af4686c5b1d4230bd7ef63c2f054f073f727a93576baf2006b4b7ae543c52e19905e8496e1d7e696201f8950f4d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Pe6sP38.exe

Filesize
689KB

MD5
93cffc4accb1fb178f9fefb9b52887d6

SHA1
89e05d315daf69cab0be4c25f09535bd97b0fe20

SHA256
2f507d909a10e1ba970487741a7b32ce8d705a64bf7e5784ee8aae152db2c33b

SHA512
697c75bebe08c9605e0d0efcc9b6ea54886af4686c5b1d4230bd7ef63c2f054f073f727a93576baf2006b4b7ae543c52e19905e8496e1d7e696201f8950f4d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nb72gX2.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1nb72gX2.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yt67eI.exe

Filesize
1.8MB

MD5
26f8906597cb24ad6405d3eaf8f0cfaf

SHA1
ad15b461037c4fcd3fb0fdf7f205fee39ba22739

SHA256
d925cc567f479df2297eb1732234ab08d59a06fef61a0d976d2798bd6c260a43

SHA512
a8064b4c3c06c6437d84dba0f6685d2c10edae647143f5fec12620a62289b9bacc00303f346b9739c62ceddd1f220ce3c9a745388e0819a1ae0262bab08838a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2yt67eI.exe

Filesize
1.8MB

MD5
26f8906597cb24ad6405d3eaf8f0cfaf

SHA1
ad15b461037c4fcd3fb0fdf7f205fee39ba22739

SHA256
d925cc567f479df2297eb1732234ab08d59a06fef61a0d976d2798bd6c260a43

SHA512
a8064b4c3c06c6437d84dba0f6685d2c10edae647143f5fec12620a62289b9bacc00303f346b9739c62ceddd1f220ce3c9a745388e0819a1ae0262bab08838a8

Download Submit
memory/1412-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1412-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1412-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1412-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5032-46-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-64-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-42-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-48-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-50-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-52-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-54-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-56-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-58-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-60-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-62-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-44-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-66-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-67-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/5032-69-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/5032-40-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-39-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5032-38-0x00000000024B0000-0x00000000024CC000-memory.dmp

Filesize
112KB

Download
memory/5032-37-0x0000000004B30000-0x000000000502E000-memory.dmp

Filesize
5.0MB

Download
memory/5032-35-0x0000000002170000-0x000000000218E000-memory.dmp

Filesize
120KB

Download
memory/5032-36-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download