mystic | d929db0b4de9bed4c0750ad10440c81484f64e1f308689c0c56cdbe1bfe63b39

Analysis

max time kernel
141s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe
Size

1.0MB
MD5

1f3bfca89128252b6de8c902012971bc
SHA1

3a96d92e2d30c786e55434238ef987bedc1381c0
SHA256

ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05
SHA512

b0b72f05bd8532806f39445c403adb3018609d4cc3db870f6a0314452272c0dc23885a708acb5c1cc25fb191451cd14fcd66288c63af78b77f53e2096fc18153
SSDEEP

24576:7yTRVpYQYJaiLEA8vrRIBOsE3BcTpa4q+qlfApDerAV8:uTRVpRieIBOfcTpqhJGGA

Score

10^/10

mystic smokeloader backdoor persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral22/memory/4548-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral22/memory/4548-39-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral22/memory/4548-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral22/memory/4896-28-0x0000000002370000-0x0000000002390000-memory.dmp	net_reactor
behavioral22/memory/4896-30-0x00000000049A0000-0x00000000049BE000-memory.dmp	net_reactor

Executes dropped EXE 7 IoCs

Processes:

uG2IM55.exelY4IV92.exerL9nw79.exe1cF59QS7.exe2KE4633.exe3nE33bm.exe4ik113DR.exe

pid process

1100 uG2IM55.exe
1012 lY4IV92.exe
3036 rL9nw79.exe
4896 1cF59QS7.exe
4888 2KE4633.exe
4680 3nE33bm.exe
2700 4ik113DR.exe

pid	process
1100	uG2IM55.exe
1012	lY4IV92.exe
3036	rL9nw79.exe
4896	1cF59QS7.exe
4888	2KE4633.exe
4680	3nE33bm.exe
2700	4ik113DR.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exeuG2IM55.exelY4IV92.exerL9nw79.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uG2IM55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lY4IV92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rL9nw79.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2KE4633.exe3nE33bm.exe

description	pid	process	target process
PID 4888 set thread context of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4680 set thread context of 2076	4680	3nE33bm.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1cF59QS7.exe

description pid process

Token: SeDebugPrivilege 4896 1cF59QS7.exe

description	pid	process
Token: SeDebugPrivilege	4896	1cF59QS7.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exeuG2IM55.exelY4IV92.exerL9nw79.exe2KE4633.exe3nE33bm.exe

description	pid	process	target process
PID 2912 wrote to memory of 1100	2912	ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe	uG2IM55.exe
PID 2912 wrote to memory of 1100	2912	ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe	uG2IM55.exe
PID 2912 wrote to memory of 1100	2912	ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe	uG2IM55.exe
PID 1100 wrote to memory of 1012	1100	uG2IM55.exe	lY4IV92.exe
PID 1100 wrote to memory of 1012	1100	uG2IM55.exe	lY4IV92.exe
PID 1100 wrote to memory of 1012	1100	uG2IM55.exe	lY4IV92.exe
PID 1012 wrote to memory of 3036	1012	lY4IV92.exe	rL9nw79.exe
PID 1012 wrote to memory of 3036	1012	lY4IV92.exe	rL9nw79.exe
PID 1012 wrote to memory of 3036	1012	lY4IV92.exe	rL9nw79.exe
PID 3036 wrote to memory of 4896	3036	rL9nw79.exe	1cF59QS7.exe
PID 3036 wrote to memory of 4896	3036	rL9nw79.exe	1cF59QS7.exe
PID 3036 wrote to memory of 4896	3036	rL9nw79.exe	1cF59QS7.exe
PID 3036 wrote to memory of 4888	3036	rL9nw79.exe	2KE4633.exe
PID 3036 wrote to memory of 4888	3036	rL9nw79.exe	2KE4633.exe
PID 3036 wrote to memory of 4888	3036	rL9nw79.exe	2KE4633.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 4888 wrote to memory of 4548	4888	2KE4633.exe	AppLaunch.exe
PID 1012 wrote to memory of 4680	1012	lY4IV92.exe	3nE33bm.exe
PID 1012 wrote to memory of 4680	1012	lY4IV92.exe	3nE33bm.exe
PID 1012 wrote to memory of 4680	1012	lY4IV92.exe	3nE33bm.exe
PID 4680 wrote to memory of 3940	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 3940	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 3940	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 832	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 832	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 832	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 1816	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 1816	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 1816	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 4680 wrote to memory of 2076	4680	3nE33bm.exe	AppLaunch.exe
PID 1100 wrote to memory of 2700	1100	uG2IM55.exe	4ik113DR.exe
PID 1100 wrote to memory of 2700	1100	uG2IM55.exe	4ik113DR.exe
PID 1100 wrote to memory of 2700	1100	uG2IM55.exe	4ik113DR.exe

C:\Users\Admin\AppData\Local\Temp\ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe
"C:\Users\Admin\AppData\Local\Temp\ebff69daab03914f10326e4e3ec464c00bfa9568723a75f80d74a19f1ac9dc05.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uG2IM55.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uG2IM55.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY4IV92.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY4IV92.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL9nw79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL9nw79.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cF59QS7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cF59QS7.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2KE4633.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2KE4633.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nE33bm.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nE33bm.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Checks SCSI registry key(s)
PID:2076

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ik113DR.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ik113DR.exe
3⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uG2IM55.exe
Filesize
898KB

MD5
150c007d5eefa3d9c3c779d833323a00

SHA1
b9f5c6fc673154eefd06299cb5af022f18193107

SHA256
f95fcd562d164a66052add082911b74df982423e19e4dcb48a153f15b7b4b082

SHA512
29fa977f1927affdb4d7b78a1d5adaf959d552db46285a008aa73ab6976e3dca8c899113518a2a14bfe0361064abbde8dcbe12be921057a3a113b0e95483c190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ik113DR.exe
Filesize
361KB

MD5
16613ce7ef9be2c93d25b9d04c1ed958

SHA1
70b15fe2d1cc653ffa495b41d0dee1f9acf0ad43

SHA256
ce800f1a497ba831a8424146f2b22ca5fb494997778f3ea7792552fa20ce866c

SHA512
de90ba8ef3f594169f34e5f6f1b4e6696fa7d1d7b6f963626b50848c83e2ef9f761862ec702926c6015c8cb8e4e4a742aeac9ba3f92217ba283831c38fdd0ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lY4IV92.exe
Filesize
648KB

MD5
f3640147495d8bd242247bb219075a44

SHA1
19f66de43b7441284ed323740c028c48bce9e40e

SHA256
e3a942e9cea16aaf2dcadc318ef30c5dca801d0c29be5c6d13be4337f6951d76

SHA512
36ae5cfff7e9026dcf3f1bb9665e02ef06c017a1e9f73d9034fbdec16ffff4852a84ed1821a7dbeb1cfa6ef3c06e752728cdcda833f542779d42a78c6d0efdc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nE33bm.exe
Filesize
170KB

MD5
89561b3b9dbb7d548247e07d0ab9d38c

SHA1
1a961b8b92e90ef22902685ed8f14fcb0f7888aa

SHA256
9508b92daa6e1b96dcc70228a36efaedabc3543b01336bb9e10f71dcce8a0273

SHA512
9b05417d42680948a62530bfb889c959cff04ed8c02259464d00e0960326807f716aa096acb19a2435340b310c3389ccc58fccf690961ee82d408c7ef46ff02c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rL9nw79.exe
Filesize
448KB

MD5
b27738cddbdc71b0d6c17ddf4acf51aa

SHA1
f1efe34713d260e91e8c7e51d3804871219b860f

SHA256
190c748a3878e8037bf4e10e5b0911708d8a36504c243e2a9f7a7e0572926e0f

SHA512
16671a266f4813a85da4ba8cf55912b0b1921371117cc2009a3f4f601deacef9dee4d9c1fd9a8398edfe2be09efd739d27d071520bf84c143a70b2072b0cb43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1cF59QS7.exe
Filesize
201KB

MD5
a07f1de1c9774d5a490b599e98a87928

SHA1
2e89540d18db9fc57132372abad292db56697b22

SHA256
4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb

SHA512
9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2KE4633.exe
Filesize
320KB

MD5
f2e2698326d362023b54a615aa3c82d3

SHA1
032030dce1cbab97e1ec12d875a7c022897c30e3

SHA256
c828c094ca802f33ffd51dcaca196288808cfc4fdffadfcd24003ca6a50bcd59

SHA512
9adf9f160b74244acb64bb01a80bccc69e48093f0b529f0e1194df17a05b6de33b78d06a02e8f6eb2a09c4b7e49523dd5a915697e320b298f8e863031908c000

Download Submit
memory/2076-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4548-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4896-31-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/4896-30-0x00000000049A0000-0x00000000049BE000-memory.dmp

Filesize
120KB

Download
memory/4896-29-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/4896-28-0x0000000002370000-0x0000000002390000-memory.dmp

Filesize
128KB

Download