mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe
Size

644KB
MD5

060f37cf5b6aff670a7c992f5e114da5
SHA1

0170cda8cb424a2871c20395bc071a5ad9c17c76
SHA256

b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3
SHA512

86767cd3e35d22ed5b65212fec073c96907122e7ea21499db61b0f9ab4cf1c62b22afe3732a0eb63b3f83107c1b90e7a502eee9075ec3728ccacf4bc9e0f73c5
SSDEEP

12288:gMr/y90CD0wEl4tQEwEvJDIqpoM85W0KC6VBBAvNOc:PyPiGQEBN3pkR6VBBAlOc

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral13/memory/1300-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/1300-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/1300-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
4516	yt6ry37.exe
4576	1pr24hM0.exe
2036	2vO9219.exe
2084	3wj24mo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yt6ry37.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4576 set thread context of 4908	4576	1pr24hM0.exe	85
PID 2036 set thread context of 1300	2036	2vO9219.exe	90

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3036	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3wj24mo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3wj24mo.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3wj24mo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4908	AppLaunch.exe
4908	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 4516	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	83
PID 3036 wrote to memory of 4516	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	83
PID 3036 wrote to memory of 4516	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	83
PID 4516 wrote to memory of 4576	4516	yt6ry37.exe	84
PID 4516 wrote to memory of 4576	4516	yt6ry37.exe	84
PID 4516 wrote to memory of 4576	4516	yt6ry37.exe	84
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4576 wrote to memory of 4908	4576	1pr24hM0.exe	85
PID 4516 wrote to memory of 2036	4516	yt6ry37.exe	86
PID 4516 wrote to memory of 2036	4516	yt6ry37.exe	86
PID 4516 wrote to memory of 2036	4516	yt6ry37.exe	86
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 2036 wrote to memory of 1300	2036	2vO9219.exe	90
PID 3036 wrote to memory of 2084	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	91
PID 3036 wrote to memory of 2084	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	91
PID 3036 wrote to memory of 2084	3036	b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe	91

C:\Users\Admin\AppData\Local\Temp\b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe
"C:\Users\Admin\AppData\Local\Temp\b52c912b9847cdf65a1dcf4bf8c550affc88bb7a8d9de2f77219a62d75890ea3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yt6ry37.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yt6ry37.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pr24hM0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pr24hM0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vO9219.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vO9219.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wj24mo.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wj24mo.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2084

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3wj24mo.exe

Filesize
30KB

MD5
b9203201cad4c3615a3a3ef8e2b635b2

SHA1
dbe34599f13bf38065c9d7d28187d292797c1501

SHA256
78b26c49f6a4245967019789c210df244207f03cf06d9c755ad1f7ec755fe19e

SHA512
4fca02e86a642bb5eb754ca6c9e6ddf65adb674821a0c174f90a336bc2fd5b0fad81ba5addef4e1a178cdb0fa25f46a047c25815896512f4a095b2b184512b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yt6ry37.exe

Filesize
519KB

MD5
ccee3fe74515bd21212affedad8e7c82

SHA1
5ac20e7842c780d7ae95f4f1e96ce89e3a487ffc

SHA256
88ffb5c4f2190f0e892f508a89fde1e607028521661fb7ebfb52ef3c8ce5231c

SHA512
9fd6fad55bd5e6269ccb1553c18671d5f33d6ce3c85a006a7708006ad6a41aad8c727dbddc7cb5bdeab07a3ac20ed57c02cac295eb0c28362fc6aaac9c587f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pr24hM0.exe

Filesize
878KB

MD5
c0a19646dc267c4eafd338489576c807

SHA1
38835c038cecf85ef91d71df449d581d2847ccb6

SHA256
f61175a4045ce6a4c2752bf6b0fa6842f2de37b64a564e052c00959cc3854d92

SHA512
09c6b4c55059d1e9b3baf5bc45a5e237403d12144464cbdf92e4e70e0ca9ad1571e430b6dc608af8354182f3f97bbd5207403694e49bf0b054f84ca413b23525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vO9219.exe

Filesize
1.1MB

MD5
bb21358a78e1d17f6480c37258ca0ed9

SHA1
21c2db242e20277f14d3bdd94af0a58e1e5614b9

SHA256
85200ea96b5a8aaa73920a9df9a0e9acf33057ee43283b3c514a6153ad43111a

SHA512
50ddf1c452c155859cc2e4e29068522bf2e7179c57d6d23057a4b388ee92a5f0ca9a0f4797172d1cf00816f4b7acc854aa7f6e5b71bff7511cd18d73fc663d03

Download Submit
memory/1300-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2084-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4908-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download