mystic | 164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053

Analysis

max time kernel
112s
max time network
115s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe
Size

1.1MB
MD5

e7f29032f3b99cd587505f3878836186
SHA1

fa11c85f1e661d93f4abc3ec8c1a776bcd8dea8a
SHA256

164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053
SHA512

f7a9e7e8dc787871c6284b22a39bda8472356440e38e79b192e7bc50185de5409ac6fbe11457889fbaf237b92843dbe846f67aba2524ef4d0e9c4898e234936c
SSDEEP

24576:VyWhQIAjgtadq7GPJ6xnIPMqRaCJmrk4Yu5AvQMrFJ:wWFAjitYJwI1gCJjPu5AI

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/4576-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4576-69-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4576-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/4576-72-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1RJ79nC7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1RJ79nC7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1RJ79nC7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1RJ79nC7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1RJ79nC7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
3528	uQ6fx10.exe
1336	It8Bs50.exe
360	In9DE33.exe
920	1RJ79nC7.exe
4292	2hJ3214.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1RJ79nC7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1RJ79nC7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uQ6fx10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	It8Bs50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	In9DE33.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4292 set thread context of 4576	4292	2hJ3214.exe	76

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1400	4292	WerFault.exe	74
3248	4576	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
920	1RJ79nC7.exe
920	1RJ79nC7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	920	1RJ79nC7.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 3528	4252	164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe	70
PID 4252 wrote to memory of 3528	4252	164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe	70
PID 4252 wrote to memory of 3528	4252	164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe	70
PID 3528 wrote to memory of 1336	3528	uQ6fx10.exe	71
PID 3528 wrote to memory of 1336	3528	uQ6fx10.exe	71
PID 3528 wrote to memory of 1336	3528	uQ6fx10.exe	71
PID 1336 wrote to memory of 360	1336	It8Bs50.exe	72
PID 1336 wrote to memory of 360	1336	It8Bs50.exe	72
PID 1336 wrote to memory of 360	1336	It8Bs50.exe	72
PID 360 wrote to memory of 920	360	In9DE33.exe	73
PID 360 wrote to memory of 920	360	In9DE33.exe	73
PID 360 wrote to memory of 920	360	In9DE33.exe	73
PID 360 wrote to memory of 4292	360	In9DE33.exe	74
PID 360 wrote to memory of 4292	360	In9DE33.exe	74
PID 360 wrote to memory of 4292	360	In9DE33.exe	74
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76
PID 4292 wrote to memory of 4576	4292	2hJ3214.exe	76

C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe
"C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 568
        7⤵
        Program crash
        
        PID:3248
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 212
        6⤵
        Program crash
        
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe

Filesize
990KB

MD5
2fb7beb720c0473999af5c13f0e0c565

SHA1
a0dd87c1dac6e94544f632a7058feb87fc44e510

SHA256
9fe3268ddf21544a41f5da9860a62dc8ea927f37a5ce817a7f8918b1fec2436a

SHA512
27dfaaa7eb74ac0841c6a46061f05744be6bca16eaa569e5bd83ae1f957bca3ddce6d0e6d8ab3ed251e8a9393f0159e09cd8a1784a6db09913d660a5f250ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe

Filesize
990KB

MD5
2fb7beb720c0473999af5c13f0e0c565

SHA1
a0dd87c1dac6e94544f632a7058feb87fc44e510

SHA256
9fe3268ddf21544a41f5da9860a62dc8ea927f37a5ce817a7f8918b1fec2436a

SHA512
27dfaaa7eb74ac0841c6a46061f05744be6bca16eaa569e5bd83ae1f957bca3ddce6d0e6d8ab3ed251e8a9393f0159e09cd8a1784a6db09913d660a5f250ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe

Filesize
696KB

MD5
fd26daf07ff629f52e5bce288bd760cb

SHA1
abbcfe1a49d1aee2b575a2076d02631c6aea7210

SHA256
f8c9b40cce4f22b3bb440369e5f59a709fc64ac1606ee904df15453472e7099e

SHA512
d047c24dceb751d83e53eebe64573f2289eec677d1ae4312600b0084db009b1e8356746971a935d9e225d2493ca506cb8740313611498063f34c44ab13915730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe

Filesize
696KB

MD5
fd26daf07ff629f52e5bce288bd760cb

SHA1
abbcfe1a49d1aee2b575a2076d02631c6aea7210

SHA256
f8c9b40cce4f22b3bb440369e5f59a709fc64ac1606ee904df15453472e7099e

SHA512
d047c24dceb751d83e53eebe64573f2289eec677d1ae4312600b0084db009b1e8356746971a935d9e225d2493ca506cb8740313611498063f34c44ab13915730

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe

Filesize
452KB

MD5
1eb6aa8674c547a3f0a5786e985a6d2e

SHA1
86c7f53dd032ffc5cef5bda714b1cf3c2fc3eca3

SHA256
e4bc9d516cb00d7926811e95cfc6bb15e85a257d2254d0fb061358c8fddc171a

SHA512
7e26f39d87892c6a562990087183ebc5c9ef19cc939ea7a47a98e98299addb30cbe167521898bc711cc117ed5395c21334f047ec4fd3502e46041457db7cc272

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe

Filesize
452KB

MD5
1eb6aa8674c547a3f0a5786e985a6d2e

SHA1
86c7f53dd032ffc5cef5bda714b1cf3c2fc3eca3

SHA256
e4bc9d516cb00d7926811e95cfc6bb15e85a257d2254d0fb061358c8fddc171a

SHA512
7e26f39d87892c6a562990087183ebc5c9ef19cc939ea7a47a98e98299addb30cbe167521898bc711cc117ed5395c21334f047ec4fd3502e46041457db7cc272

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/920-39-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-53-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-32-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-33-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-35-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-37-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-30-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/920-41-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-43-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-45-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-47-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-49-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-51-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-31-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/920-55-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-57-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-59-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/920-60-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/920-62-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/920-28-0x0000000001FF0000-0x000000000200E000-memory.dmp

Filesize
120KB

Download
memory/920-29-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/4576-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4576-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download