mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
Size

649KB
MD5

da1f8161d2da254847077be0639de3af
SHA1

724b87665a36d7c8b83604a10500ace45e059d24
SHA256

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b
SHA512

58e64891b8a04f2068b8ddcb33bb0b79cd16dd4307acbaefa845c8929ff16584e47677e2723203fca3fe17991fb32bdda0bc1ccf8b9a2c6448487fcbc8f8f057
SSDEEP

12288:sMrty909bwU8gmneOQiPy6Lb11YxkrgqyMX3fwSZYV:BygbpQzLXYhqx4R

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4484-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4484-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4484-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

Og2fL64.exe1QT79cS6.exe2aE3170.exe3eG48uw.exe

pid process

64 Og2fL64.exe
1868 1QT79cS6.exe
3576 2aE3170.exe
3312 3eG48uw.exe

pid	process
64	Og2fL64.exe
1868	1QT79cS6.exe
3576	2aE3170.exe
3312	3eG48uw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exeOg2fL64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Og2fL64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1QT79cS6.exe2aE3170.exe

description	pid	process	target process
PID 1868 set thread context of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 3576 set thread context of 4484	3576	2aE3170.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3eG48uw.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3eG48uw.exeAppLaunch.exe

pid	process
3312	3eG48uw.exe
3312	3eG48uw.exe
4352	AppLaunch.exe
4352	AppLaunch.exe
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360
3360

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3eG48uw.exe

pid process

3312 3eG48uw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4352 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4352	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exeOg2fL64.exe1QT79cS6.exe2aE3170.exe

description	pid	process	target process
PID 1972 wrote to memory of 64	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	Og2fL64.exe
PID 1972 wrote to memory of 64	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	Og2fL64.exe
PID 1972 wrote to memory of 64	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	Og2fL64.exe
PID 64 wrote to memory of 1868	64	Og2fL64.exe	1QT79cS6.exe
PID 64 wrote to memory of 1868	64	Og2fL64.exe	1QT79cS6.exe
PID 64 wrote to memory of 1868	64	Og2fL64.exe	1QT79cS6.exe
PID 1868 wrote to memory of 2880	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 2880	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 2880	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 1868 wrote to memory of 4352	1868	1QT79cS6.exe	AppLaunch.exe
PID 64 wrote to memory of 3576	64	Og2fL64.exe	2aE3170.exe
PID 64 wrote to memory of 3576	64	Og2fL64.exe	2aE3170.exe
PID 64 wrote to memory of 3576	64	Og2fL64.exe	2aE3170.exe
PID 3576 wrote to memory of 1380	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 1380	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 1380	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4468	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4468	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4468	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 3576 wrote to memory of 4484	3576	2aE3170.exe	AppLaunch.exe
PID 1972 wrote to memory of 3312	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	3eG48uw.exe
PID 1972 wrote to memory of 3312	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	3eG48uw.exe
PID 1972 wrote to memory of 3312	1972	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	3eG48uw.exe

C:\Users\Admin\AppData\Local\Temp\982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
"C:\Users\Admin\AppData\Local\Temp\982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3980 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe
Filesize
31KB

MD5
d77da392b448a0ef2d762ea1949701fe

SHA1
1c19112cd021718f4e91935b36a0e52ab9a90f01

SHA256
2bad4638a77a2de79a8276eade6f2290d50e12a2108a42691fe5480b93dfcc78

SHA512
a9c8784987462762c3446d1e10192c319dbbb36bbc3b8896404dcd0672f12e7972faddf302f063ff78ef09e59357121d64348df3fa4493bdfe329e23c893b884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe
Filesize
525KB

MD5
0b8cf07d4ef5f9e8f89f8d25779ae803

SHA1
ff24d8a994e79271c77b0b53a5f83f5ae0cf1a8e

SHA256
ee8dbd2bfb384bf37b66d7a6a0b29396d04f8c14f436af5534ffe96c4da794c4

SHA512
b39b3d52383e1134de9d970af144480a8eee1d6196ec556b5c8d8db64c2ef836635e6b30fbfe7fa805699356a618196703df153d7afcbcb039f0e344511f3e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe
Filesize
869KB

MD5
80a9de9b48ff7886bd279790ff115b31

SHA1
5b8bc7e85f804e0ddd7e3f6fe80d8a19273dd9dc

SHA256
02ddf810cbefbfba291dc436c0145cddb979726501fa53cf0cd940817c61b9d4

SHA512
35e94c7b66f56b609be25511546bb38f73dec4de4a8c876b614b7e1f643e2065dc2a2efed107f92d0df28e36860a16986521e5ce9c2f781004fd57abf47068ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe
Filesize
1.0MB

MD5
5248ac08e25309f143f7e90d8147e778

SHA1
35d1b321c1003a1bda2db4ea6c0ed1abb19549cf

SHA256
b66a3ca092b5f46a3862fb073dfea1b55a6f495cecb588e7342b1d6e27eef49b

SHA512
12699c32ae6a98c6f231b44c9357ebcc4aaf14cb66121a09a3735a9a7ffaecc5a48c23f2fb723adad8969483ec65c650207e62e27c69a3328b9bf5e4c009a151

Download Submit
memory/3312-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3312-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3360-26-0x0000000002FF0000-0x0000000003006000-memory.dmp

Filesize
88KB

Download
memory/4352-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4484-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download