mystic | 133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18

Analysis

max time kernel
131s
max time network
135s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
06-10-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe
Size

1.2MB
MD5

4a0dad2ecc14ef6780ebf2993471d081
SHA1

6b4ac1a844b67cca49063c2603617bac7fb49c56
SHA256

133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18
SHA512

8d54c44a114844228004795e122c70b751ac6320dd031c0e21142b4990e2d0b83a828375aeef8ce43e6088f5e618dfcc6aa84f146dc732366e27838e39b10d45
SSDEEP

24576:UyAwzcK8W3xgdqLaDpi1psNKpUORsDUMuWa2:jAwzcKUq4iTsKUORsAMR

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4368-73-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4368-76-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4368-77-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4368-79-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1ay17Wm5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1ay17Wm5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1ay17Wm5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1ay17Wm5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1ay17Wm5.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 6 IoCs

pid	Process
3936	bp3fr10.exe
4360	BY3EU16.exe
4136	lQ7kk34.exe
2084	Wl4cL12.exe
1744	1ay17Wm5.exe
1212	2gA59AF.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1ay17Wm5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1ay17Wm5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lQ7kk34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Wl4cL12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bp3fr10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BY3EU16.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 4368	1212	2gA59AF.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4468	1212	WerFault.exe	74
3008	4368	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1744	1ay17Wm5.exe
1744	1ay17Wm5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	1ay17Wm5.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3936	4276	133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe	69
PID 4276 wrote to memory of 3936	4276	133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe	69
PID 4276 wrote to memory of 3936	4276	133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe	69
PID 3936 wrote to memory of 4360	3936	bp3fr10.exe	70
PID 3936 wrote to memory of 4360	3936	bp3fr10.exe	70
PID 3936 wrote to memory of 4360	3936	bp3fr10.exe	70
PID 4360 wrote to memory of 4136	4360	BY3EU16.exe	71
PID 4360 wrote to memory of 4136	4360	BY3EU16.exe	71
PID 4360 wrote to memory of 4136	4360	BY3EU16.exe	71
PID 4136 wrote to memory of 2084	4136	lQ7kk34.exe	72
PID 4136 wrote to memory of 2084	4136	lQ7kk34.exe	72
PID 4136 wrote to memory of 2084	4136	lQ7kk34.exe	72
PID 2084 wrote to memory of 1744	2084	Wl4cL12.exe	73
PID 2084 wrote to memory of 1744	2084	Wl4cL12.exe	73
PID 2084 wrote to memory of 1744	2084	Wl4cL12.exe	73
PID 2084 wrote to memory of 1212	2084	Wl4cL12.exe	74
PID 2084 wrote to memory of 1212	2084	Wl4cL12.exe	74
PID 2084 wrote to memory of 1212	2084	Wl4cL12.exe	74
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76
PID 1212 wrote to memory of 4368	1212	2gA59AF.exe	76

C:\Users\Admin\AppData\Local\Temp\133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe
"C:\Users\Admin\AppData\Local\Temp\133ffd208590757b718612dcae6f0628cbd20c703cf6069d0a28e3995f41ed18.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp3fr10.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp3fr10.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BY3EU16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BY3EU16.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lQ7kk34.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lQ7kk34.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wl4cL12.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wl4cL12.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ay17Wm5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ay17Wm5.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA59AF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA59AF.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 188
        8⤵
        Program crash
        
        PID:3008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 584
        7⤵
        Program crash
        
        PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp3fr10.exe

Filesize
1.1MB

MD5
b5592aeef53f0ce82710bc50a269e3b5

SHA1
efc4dcbefe93a718a63b050a83c55c33a0879f5e

SHA256
80f9ca480dea25b556a4ca98204f7d2beb08c75beb2af041004e8077dd041440

SHA512
107c8e8056eacf5439c280fec434171606c46fd1f478a60924dd2ab935391d24e3df6eeb644e072ecd27b544219d45aa5754b5e12211f99a906c5d21a07a33a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bp3fr10.exe

Filesize
1.1MB

MD5
b5592aeef53f0ce82710bc50a269e3b5

SHA1
efc4dcbefe93a718a63b050a83c55c33a0879f5e

SHA256
80f9ca480dea25b556a4ca98204f7d2beb08c75beb2af041004e8077dd041440

SHA512
107c8e8056eacf5439c280fec434171606c46fd1f478a60924dd2ab935391d24e3df6eeb644e072ecd27b544219d45aa5754b5e12211f99a906c5d21a07a33a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BY3EU16.exe

Filesize
929KB

MD5
2378c24a080ab9cfe3c8282bbbb19e59

SHA1
694383806b6f8b8b0f6ce1f95c162715f68eff95

SHA256
aa04b4d95073a621152610718609f2ed0bb7a3c6f38614b764fc54a262b7c2eb

SHA512
381ebe9faa310cb5d5dec7b868af080ef274abdc487d80e0e28613877e6fc7922941d6a76bb79da18a85de64728b5301c2e3d40065fa3f50fc539301d18dadc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BY3EU16.exe

Filesize
929KB

MD5
2378c24a080ab9cfe3c8282bbbb19e59

SHA1
694383806b6f8b8b0f6ce1f95c162715f68eff95

SHA256
aa04b4d95073a621152610718609f2ed0bb7a3c6f38614b764fc54a262b7c2eb

SHA512
381ebe9faa310cb5d5dec7b868af080ef274abdc487d80e0e28613877e6fc7922941d6a76bb79da18a85de64728b5301c2e3d40065fa3f50fc539301d18dadc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lQ7kk34.exe

Filesize
747KB

MD5
0fb8c13af8c8e8a614e03dd8a1e56757

SHA1
ae030f8d7548d34acab381103a1a76e92f709456

SHA256
86090a4dd5b9d6d63a4e4c759759d4327f7e499d7c17fe292ea2c48382adb70f

SHA512
e56188c8b7eb07a3d146b8285176e1e3da2830ace9b72ac10eb5e93de73812658a9dac4208f6eba913e2faac118b6cb09fdced471ed876729e62b65e208140d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lQ7kk34.exe

Filesize
747KB

MD5
0fb8c13af8c8e8a614e03dd8a1e56757

SHA1
ae030f8d7548d34acab381103a1a76e92f709456

SHA256
86090a4dd5b9d6d63a4e4c759759d4327f7e499d7c17fe292ea2c48382adb70f

SHA512
e56188c8b7eb07a3d146b8285176e1e3da2830ace9b72ac10eb5e93de73812658a9dac4208f6eba913e2faac118b6cb09fdced471ed876729e62b65e208140d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wl4cL12.exe

Filesize
452KB

MD5
affa2b62197fec8314641eef1ddfdbcf

SHA1
4e8dc18f554d7ffe4213d8fb5ccccaca85692ef8

SHA256
8e171d90527bb1bd8c178101ba8af61e628dc5d33e78fdc375c9bd28d9697e57

SHA512
d17c9bc0509147b4331b0252f79b8eea6b6da1730f02852023f68f98ed944ada217866389d129c931e6b0c37736b296e3d025a79f3b4c83eab24d0fa59ea7cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Wl4cL12.exe

Filesize
452KB

MD5
affa2b62197fec8314641eef1ddfdbcf

SHA1
4e8dc18f554d7ffe4213d8fb5ccccaca85692ef8

SHA256
8e171d90527bb1bd8c178101ba8af61e628dc5d33e78fdc375c9bd28d9697e57

SHA512
d17c9bc0509147b4331b0252f79b8eea6b6da1730f02852023f68f98ed944ada217866389d129c931e6b0c37736b296e3d025a79f3b4c83eab24d0fa59ea7cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ay17Wm5.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ay17Wm5.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA59AF.exe

Filesize
378KB

MD5
4f01fd1e914c720f0f5622626c8b30db

SHA1
23e56399bd48195b46a7e2000c216bee5b36cad3

SHA256
d00ce7267f57d26ba197af32a4f1277088bfafbc6e8d8d2c929bc8e091cf932d

SHA512
1aa390fad92978d768645c5352ad9e07ce20a7bf09a351ee5003c7c72823bc447e2c7e1455a4eeb86566a3bcb8e3ee3fbb62251d06ebfeecc86270bbffaf77f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gA59AF.exe

Filesize
378KB

MD5
4f01fd1e914c720f0f5622626c8b30db

SHA1
23e56399bd48195b46a7e2000c216bee5b36cad3

SHA256
d00ce7267f57d26ba197af32a4f1277088bfafbc6e8d8d2c929bc8e091cf932d

SHA512
1aa390fad92978d768645c5352ad9e07ce20a7bf09a351ee5003c7c72823bc447e2c7e1455a4eeb86566a3bcb8e3ee3fbb62251d06ebfeecc86270bbffaf77f1

Download Submit
memory/1744-46-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-60-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-39-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-40-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-42-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-44-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-37-0x0000000004AA0000-0x0000000004F9E000-memory.dmp

Filesize
5.0MB

Download
memory/1744-48-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-50-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-52-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-54-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-56-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-58-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-38-0x0000000002490000-0x00000000024AC000-memory.dmp

Filesize
112KB

Download
memory/1744-62-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-64-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-66-0x0000000002490000-0x00000000024A6000-memory.dmp

Filesize
88KB

Download
memory/1744-67-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-69-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/1744-35-0x0000000002180000-0x000000000219E000-memory.dmp

Filesize
120KB

Download
memory/1744-36-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/4368-73-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4368-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4368-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4368-79-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download