mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe
Size

1.0MB
MD5

5a1a022c71bc2351593c4966c2ccf734
SHA1

288565784651e25d609b8eaaa58bc070c2592173
SHA256

122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20
SHA512

a2ab1e5026bd2ce1378ca61b0411ac16b9a71d68847fa050880d2e3b3b7e13bcfc56a345d387cd0762f26572690edab699f25cd8c5a924e6b074fc89e85f6ad0
SSDEEP

24576:2y7gwCfl/HQGn1VVZS0fb1Cgda4m820gPOd7Jk1nf:F7id/HQq1DZDj11d6uKu721n

Score

10^/10

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/3176-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/3176-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/3176-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3496-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
3096	lQ4zX07.exe
1276	dW0rP81.exe
1920	1CB14QZ1.exe
2088	2TN5064.exe
2868	3Ug53KV.exe
5052	4FC075LT.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lQ4zX07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dW0rP81.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2236	1920	1CB14QZ1.exe	87
PID 2088 set thread context of 3176	2088	2TN5064.exe	91
PID 5052 set thread context of 3496	5052	4FC075LT.exe	95

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2156	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ug53KV.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ug53KV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Ug53KV.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	AppLaunch.exe
2236	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	AppLaunch.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3096	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	83
PID 2556 wrote to memory of 3096	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	83
PID 2556 wrote to memory of 3096	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	83
PID 3096 wrote to memory of 1276	3096	lQ4zX07.exe	84
PID 3096 wrote to memory of 1276	3096	lQ4zX07.exe	84
PID 3096 wrote to memory of 1276	3096	lQ4zX07.exe	84
PID 1276 wrote to memory of 1920	1276	dW0rP81.exe	86
PID 1276 wrote to memory of 1920	1276	dW0rP81.exe	86
PID 1276 wrote to memory of 1920	1276	dW0rP81.exe	86
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1920 wrote to memory of 2236	1920	1CB14QZ1.exe	87
PID 1276 wrote to memory of 2088	1276	dW0rP81.exe	89
PID 1276 wrote to memory of 2088	1276	dW0rP81.exe	89
PID 1276 wrote to memory of 2088	1276	dW0rP81.exe	89
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 2088 wrote to memory of 3176	2088	2TN5064.exe	91
PID 3096 wrote to memory of 2868	3096	lQ4zX07.exe	92
PID 3096 wrote to memory of 2868	3096	lQ4zX07.exe	92
PID 3096 wrote to memory of 2868	3096	lQ4zX07.exe	92
PID 2556 wrote to memory of 5052	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	93
PID 2556 wrote to memory of 5052	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	93
PID 2556 wrote to memory of 5052	2556	122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe	93
PID 5052 wrote to memory of 5028	5052	4FC075LT.exe	94
PID 5052 wrote to memory of 5028	5052	4FC075LT.exe	94
PID 5052 wrote to memory of 5028	5052	4FC075LT.exe	94
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95
PID 5052 wrote to memory of 3496	5052	4FC075LT.exe	95

C:\Users\Admin\AppData\Local\Temp\122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe
"C:\Users\Admin\AppData\Local\Temp\122d65cff91cdb1f9a418aade39cb9c3809ca653f37aff626317f9d139f10a20.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lQ4zX07.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lQ4zX07.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW0rP81.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW0rP81.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1CB14QZ1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1CB14QZ1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TN5064.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TN5064.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ug53KV.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ug53KV.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4FC075LT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4FC075LT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3496

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4FC075LT.exe

Filesize
1.1MB

MD5
1fef4579f4d08ec4f3d627c3f225a7c3

SHA1
201277b41015ca5b65c5a84b9e9b8079c5dcf230

SHA256
c950de6308893200f558c1d2413fa4b5bce9a9102d8b8d96a658edd8064bcf52

SHA512
9a76150ee8ac69208d82759e8bdb598dff86ee0990153a515c9cb3d92311e099e996daf52c06deb35216fa241e5acb496c1cbee91fb1c8cedc5fc51571dffe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lQ4zX07.exe

Filesize
642KB

MD5
1aad5cf57ecb4b9013d670222401aaf1

SHA1
e0812aec123dc37840bfca58fb2469c5c11c8bb5

SHA256
54574122444cdcd30de735198cd2374c61a5533c92aad244b9108d1763291fd6

SHA512
f262441ed8ae051ba04a6904740c686a257db42ac0fbf8443a687cb18197a5791b6514feb10af74f2e7c3bf8e0df38f58cad3c57ad6407db8dced8be87ff36bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ug53KV.exe

Filesize
30KB

MD5
1dd636d794ebd0e7a3c6cddb2a590f46

SHA1
603f0ec45831a09e5ac1102a55c32504ef90b987

SHA256
4f5dee1ebc83cbc0ae7d848bd7bcf478ac4888e9e9beaae7ae0299fd4358c33a

SHA512
76bb5b3469093579b6899c3c9375b76225a002c9b035992c2f06bdd2592e8b7d661a339358ea87ee1340a882d5c246514696bd43d69761bb70e45536275c72b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dW0rP81.exe

Filesize
518KB

MD5
5d8beb770cb7255d657288b43ae583a0

SHA1
6e9fa1f19efad7f3df98078cb5e7c63f3e14b80f

SHA256
ead72b906fc78c0b6180ada15a081247fa9842458028e43a31110b1f052e1a20

SHA512
2f481c9819f658961a81e01bcb871a025796166a65b97e7e0b3d186c83396f9715e4d5ac8784a48046a7ed008c6a6b3367a7793ec73c5a9ba39ef1d9bfb31ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1CB14QZ1.exe

Filesize
874KB

MD5
9eee364499677bcd3f52ac655db1097b

SHA1
d65d31912b259e60c71af9358b743f3e137c8936

SHA256
1ba694e249e4faca92ccce8670b5d6e2a5e6ac0d1f523220a91f75aab3d78155

SHA512
1364dece0df02e181c2feb9a3b9e559662945991d3919ae0c1db2fcc091de3ceb349dcf4e4921b904e265263e6a2cca9c83a6a914ca9544850f8d2bb2fe41678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2TN5064.exe

Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
memory/2236-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2868-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2868-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3176-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3176-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3496-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3496-38-0x0000000007830000-0x0000000007DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3496-39-0x0000000007380000-0x0000000007412000-memory.dmp

Filesize
584KB

Download
memory/3496-40-0x00000000027C0000-0x00000000027CA000-memory.dmp

Filesize
40KB

Download
memory/3496-41-0x0000000008400000-0x0000000008A18000-memory.dmp

Filesize
6.1MB

Download
memory/3496-42-0x0000000007DE0000-0x0000000007EEA000-memory.dmp

Filesize
1.0MB

Download
memory/3496-43-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/3496-44-0x0000000007620000-0x000000000765C000-memory.dmp

Filesize
240KB

Download
memory/3496-45-0x0000000007660000-0x00000000076AC000-memory.dmp

Filesize
304KB

Download