mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
129s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
Size

649KB
MD5

da1f8161d2da254847077be0639de3af
SHA1

724b87665a36d7c8b83604a10500ace45e059d24
SHA256

982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b
SHA512

58e64891b8a04f2068b8ddcb33bb0b79cd16dd4307acbaefa845c8929ff16584e47677e2723203fca3fe17991fb32bdda0bc1ccf8b9a2c6448487fcbc8f8f057
SSDEEP

12288:sMrty909bwU8gmneOQiPy6Lb11YxkrgqyMX3fwSZYV:BygbpQzLXYhqx4R

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral12/memory/4316-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4316-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/4316-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
3960	Og2fL64.exe
1400	1QT79cS6.exe
4652	2aE3170.exe
2100	3eG48uw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Og2fL64.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 3972	1400	1QT79cS6.exe	86
PID 4652 set thread context of 4316	4652	2aE3170.exe	88

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3eG48uw.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	AppLaunch.exe
3972	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3972	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3960	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	84
PID 1988 wrote to memory of 3960	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	84
PID 1988 wrote to memory of 3960	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	84
PID 3960 wrote to memory of 1400	3960	Og2fL64.exe	85
PID 3960 wrote to memory of 1400	3960	Og2fL64.exe	85
PID 3960 wrote to memory of 1400	3960	Og2fL64.exe	85
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 1400 wrote to memory of 3972	1400	1QT79cS6.exe	86
PID 3960 wrote to memory of 4652	3960	Og2fL64.exe	87
PID 3960 wrote to memory of 4652	3960	Og2fL64.exe	87
PID 3960 wrote to memory of 4652	3960	Og2fL64.exe	87
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 4652 wrote to memory of 4316	4652	2aE3170.exe	88
PID 1988 wrote to memory of 2100	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	89
PID 1988 wrote to memory of 2100	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	89
PID 1988 wrote to memory of 2100	1988	982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe	89

C:\Users\Admin\AppData\Local\Temp\982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe
"C:\Users\Admin\AppData\Local\Temp\982c3849f2e88644dd45e489219e2fa85fc8e40c0842ae8fbd06b1bdf7d2382b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3eG48uw.exe

Filesize
31KB

MD5
d77da392b448a0ef2d762ea1949701fe

SHA1
1c19112cd021718f4e91935b36a0e52ab9a90f01

SHA256
2bad4638a77a2de79a8276eade6f2290d50e12a2108a42691fe5480b93dfcc78

SHA512
a9c8784987462762c3446d1e10192c319dbbb36bbc3b8896404dcd0672f12e7972faddf302f063ff78ef09e59357121d64348df3fa4493bdfe329e23c893b884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Og2fL64.exe

Filesize
525KB

MD5
0b8cf07d4ef5f9e8f89f8d25779ae803

SHA1
ff24d8a994e79271c77b0b53a5f83f5ae0cf1a8e

SHA256
ee8dbd2bfb384bf37b66d7a6a0b29396d04f8c14f436af5534ffe96c4da794c4

SHA512
b39b3d52383e1134de9d970af144480a8eee1d6196ec556b5c8d8db64c2ef836635e6b30fbfe7fa805699356a618196703df153d7afcbcb039f0e344511f3e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1QT79cS6.exe

Filesize
869KB

MD5
80a9de9b48ff7886bd279790ff115b31

SHA1
5b8bc7e85f804e0ddd7e3f6fe80d8a19273dd9dc

SHA256
02ddf810cbefbfba291dc436c0145cddb979726501fa53cf0cd940817c61b9d4

SHA512
35e94c7b66f56b609be25511546bb38f73dec4de4a8c876b614b7e1f643e2065dc2a2efed107f92d0df28e36860a16986521e5ce9c2f781004fd57abf47068ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aE3170.exe

Filesize
1.0MB

MD5
5248ac08e25309f143f7e90d8147e778

SHA1
35d1b321c1003a1bda2db4ea6c0ed1abb19549cf

SHA256
b66a3ca092b5f46a3862fb073dfea1b55a6f495cecb588e7342b1d6e27eef49b

SHA512
12699c32ae6a98c6f231b44c9357ebcc4aaf14cb66121a09a3735a9a7ffaecc5a48c23f2fb723adad8969483ec65c650207e62e27c69a3328b9bf5e4c009a151

Download Submit
memory/2100-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2100-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3972-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4316-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download