mystic | 5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1

Analysis

max time kernel
186s
max time network
304s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
09/10/2023, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe
Size

1.1MB
MD5

b4dbfafc61561eb0cba635f1da979d7e
SHA1

ba3c953f699da66eaa311d603532c96b411ac48c
SHA256

5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1
SHA512

d58433d93db2574d32ef41a7c8fa8c5aef983b7228f037a363b02bf1e7037ef45b3a2ee19db0f437ca1b5c106e0a4dc915147c199b2674efbf1773833df62690
SSDEEP

24576:8yf/aWDXzY9LqmQxBPFEO8e0mD34hMqjvwlHm:r3aeDY9emQxBKRe0YZqjIl

Score

10^/10

mystic evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4328-66-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4328-69-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4328-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4328-72-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1YM03Gy7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1YM03Gy7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1YM03Gy7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1YM03Gy7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1YM03Gy7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic

Executes dropped EXE 5 IoCs

pid	Process
2732	qV2GS81.exe
3280	MA5sd60.exe
3028	Ji6ux84.exe
2996	1YM03Gy7.exe
3764	2Dy8992.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1YM03Gy7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1YM03Gy7.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qV2GS81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MA5sd60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ji6ux84.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 4328	3764	2Dy8992.exe	77

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3556	3764	WerFault.exe	74
3104	4328	WerFault.exe	77

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	1YM03Gy7.exe
2996	1YM03Gy7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	1YM03Gy7.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2732	2464	5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe	70
PID 2464 wrote to memory of 2732	2464	5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe	70
PID 2464 wrote to memory of 2732	2464	5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe	70
PID 2732 wrote to memory of 3280	2732	qV2GS81.exe	71
PID 2732 wrote to memory of 3280	2732	qV2GS81.exe	71
PID 2732 wrote to memory of 3280	2732	qV2GS81.exe	71
PID 3280 wrote to memory of 3028	3280	MA5sd60.exe	72
PID 3280 wrote to memory of 3028	3280	MA5sd60.exe	72
PID 3280 wrote to memory of 3028	3280	MA5sd60.exe	72
PID 3028 wrote to memory of 2996	3028	Ji6ux84.exe	73
PID 3028 wrote to memory of 2996	3028	Ji6ux84.exe	73
PID 3028 wrote to memory of 2996	3028	Ji6ux84.exe	73
PID 3028 wrote to memory of 3764	3028	Ji6ux84.exe	74
PID 3028 wrote to memory of 3764	3028	Ji6ux84.exe	74
PID 3028 wrote to memory of 3764	3028	Ji6ux84.exe	74
PID 3764 wrote to memory of 4968	3764	2Dy8992.exe	76
PID 3764 wrote to memory of 4968	3764	2Dy8992.exe	76
PID 3764 wrote to memory of 4968	3764	2Dy8992.exe	76
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77
PID 3764 wrote to memory of 4328	3764	2Dy8992.exe	77

C:\Users\Admin\AppData\Local\Temp\5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe
"C:\Users\Admin\AppData\Local\Temp\5ddcb2d54a68d43d740791a408c842be01784123bab7b158ef44e525220650d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qV2GS81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qV2GS81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MA5sd60.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MA5sd60.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ji6ux84.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ji6ux84.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1YM03Gy7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1YM03Gy7.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Dy8992.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Dy8992.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3764
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 188
        7⤵
        Program crash
        
        PID:3104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 580
        6⤵
        Program crash
        
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qV2GS81.exe

Filesize
991KB

MD5
b10a3a760a85c282c73e04dbbb295ca6

SHA1
e025560255c010c54b5a24d594c550b3ced825d2

SHA256
38103a356a43a1af4dc06179a11477b2db2901bdfd7c276423c80efcf46f5c52

SHA512
6d7e41f80521c43028f8c8b7259b478b47768e0fb77241258eab5c13b46f205cf5ba3acce05bf086623cf6358758567a49f3f63d50b1a406b744ae5c31c9ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qV2GS81.exe

Filesize
991KB

MD5
b10a3a760a85c282c73e04dbbb295ca6

SHA1
e025560255c010c54b5a24d594c550b3ced825d2

SHA256
38103a356a43a1af4dc06179a11477b2db2901bdfd7c276423c80efcf46f5c52

SHA512
6d7e41f80521c43028f8c8b7259b478b47768e0fb77241258eab5c13b46f205cf5ba3acce05bf086623cf6358758567a49f3f63d50b1a406b744ae5c31c9ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MA5sd60.exe

Filesize
696KB

MD5
0f62f896edf7c0f7b0eacc881f7feceb

SHA1
cb193fb660821253e53576b87a73ad66826ebf4d

SHA256
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4

SHA512
0f178a9db103b9edef4ef7f52b0ca300afd5b176efb7128b26e0bc3c1b40228ccf0b169d7f5bcfe6c9da142e309bfa7531326268a99283f135128f861f572403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MA5sd60.exe

Filesize
696KB

MD5
0f62f896edf7c0f7b0eacc881f7feceb

SHA1
cb193fb660821253e53576b87a73ad66826ebf4d

SHA256
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4

SHA512
0f178a9db103b9edef4ef7f52b0ca300afd5b176efb7128b26e0bc3c1b40228ccf0b169d7f5bcfe6c9da142e309bfa7531326268a99283f135128f861f572403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ji6ux84.exe

Filesize
452KB

MD5
0e63141d5ce2cdbe3cfa56810c106c96

SHA1
f9765f17d0e7ca780171de3a46ea1fd91fbe7c53

SHA256
b09dbcffe47e3b7a5d70f1e5006cdcb5559c563e048c86269be045f66fa7a9ed

SHA512
c780468ff56e6840d276bf3b57396791003429626f02822adafabd501458331d26fb9061a1cf4d03673c24ae7a92e1b9f060f27af54e20d1803f90088a2250b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ji6ux84.exe

Filesize
452KB

MD5
0e63141d5ce2cdbe3cfa56810c106c96

SHA1
f9765f17d0e7ca780171de3a46ea1fd91fbe7c53

SHA256
b09dbcffe47e3b7a5d70f1e5006cdcb5559c563e048c86269be045f66fa7a9ed

SHA512
c780468ff56e6840d276bf3b57396791003429626f02822adafabd501458331d26fb9061a1cf4d03673c24ae7a92e1b9f060f27af54e20d1803f90088a2250b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1YM03Gy7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1YM03Gy7.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Dy8992.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Dy8992.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
memory/2996-39-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-53-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-32-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-33-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-35-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-37-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-30-0x0000000004970000-0x0000000004E6E000-memory.dmp

Filesize
5.0MB

Download
memory/2996-41-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-43-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-45-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-47-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-49-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-51-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-31-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/2996-55-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-57-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-59-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/2996-60-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-62-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-29-0x0000000072AB0000-0x000000007319E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-28-0x00000000048C0000-0x00000000048DE000-memory.dmp

Filesize
120KB

Download
memory/4328-66-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4328-72-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download