mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
135s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe
Size

646KB
MD5

e2db11b377767c7ba56c9431f36b58da
SHA1

3bec05b3db7568098f0f4bdcdb7d9d21ade87395
SHA256

1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51
SHA512

c5ba5b4cdd5ceccd93d5f4a90145c31e907a8e7b3f4eafadfc5e1fa235f576031047302e94be9161f95e9ef1e006fa74b99bf4735336a85662a5fce79f3b6e1b
SSDEEP

12288:OMray90FFVjBHc0CmRuetVkt10YiPzUR0H7J0nT:gy6FVj2EuetVe1RE2T

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral4/memory/2388-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral4/memory/2388-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral4/memory/2388-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
3376	eg6pa69.exe
956	1Cn18FE0.exe
1292	2KH0743.exe
60	3AD04UT.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	eg6pa69.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 4364	956	1Cn18FE0.exe	86
PID 1292 set thread context of 2388	1292	2KH0743.exe	94

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3AD04UT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3AD04UT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3AD04UT.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	AppLaunch.exe
4364	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3376	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	83
PID 5092 wrote to memory of 3376	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	83
PID 5092 wrote to memory of 3376	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	83
PID 3376 wrote to memory of 956	3376	eg6pa69.exe	84
PID 3376 wrote to memory of 956	3376	eg6pa69.exe	84
PID 3376 wrote to memory of 956	3376	eg6pa69.exe	84
PID 956 wrote to memory of 4144	956	1Cn18FE0.exe	85
PID 956 wrote to memory of 4144	956	1Cn18FE0.exe	85
PID 956 wrote to memory of 4144	956	1Cn18FE0.exe	85
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 956 wrote to memory of 4364	956	1Cn18FE0.exe	86
PID 3376 wrote to memory of 1292	3376	eg6pa69.exe	87
PID 3376 wrote to memory of 1292	3376	eg6pa69.exe	87
PID 3376 wrote to memory of 1292	3376	eg6pa69.exe	87
PID 1292 wrote to memory of 4896	1292	2KH0743.exe	91
PID 1292 wrote to memory of 4896	1292	2KH0743.exe	91
PID 1292 wrote to memory of 4896	1292	2KH0743.exe	91
PID 1292 wrote to memory of 1088	1292	2KH0743.exe	92
PID 1292 wrote to memory of 1088	1292	2KH0743.exe	92
PID 1292 wrote to memory of 1088	1292	2KH0743.exe	92
PID 1292 wrote to memory of 1044	1292	2KH0743.exe	93
PID 1292 wrote to memory of 1044	1292	2KH0743.exe	93
PID 1292 wrote to memory of 1044	1292	2KH0743.exe	93
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 1292 wrote to memory of 2388	1292	2KH0743.exe	94
PID 5092 wrote to memory of 60	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	95
PID 5092 wrote to memory of 60	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	95
PID 5092 wrote to memory of 60	5092	1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe	95

C:\Users\Admin\AppData\Local\Temp\1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe
"C:\Users\Admin\AppData\Local\Temp\1b7a61dc3f4d8e760c0fc26e93a4fdc49438eea43c70dc3927c7f99f2ab42d51.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg6pa69.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg6pa69.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Cn18FE0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Cn18FE0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4144
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KH0743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KH0743.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3AD04UT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3AD04UT.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3AD04UT.exe

Filesize
30KB

MD5
ce91f8bb990fc9f9e2d2a1743a9afe9d

SHA1
3bc028b461b81f01b2b39bf6236fc815cc963dcc

SHA256
10b857c9d78e392a5fe60221c60d369e4fa959f85334f45f94ae1a37ebcac8f3

SHA512
f7a2bd324e365316697a141e2bd7966e6fdae87642d240455855cb3ee420cd8ef28509bb5d2c2c1b9322226b244376eed354fedb56dc39405321e83a70b85141

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg6pa69.exe

Filesize
522KB

MD5
91cd1f2b0ef4f882bcd29b1c00216e87

SHA1
ce0e1183fb7bc9461f5b71601f065ac0699b6da3

SHA256
3cd4ad151a459690669e1a76179e2b8e578f0b1d28ef84a640cee089b636d12a

SHA512
425a3564f87f595d92ed33d6c6c0a0ed4076e6154a1ff7852f812eeac0774604395535ae33355b06a543d8f21a13d2ca086b3b22286c024b263358a61436901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Cn18FE0.exe

Filesize
886KB

MD5
743dfd32eda71cc753130e5381575b55

SHA1
dec0edf128c9d7874ef64a8bb80691523ef87303

SHA256
73d7e9558a6971d49b740f7a98f78f768c775027ac7302f146b366a96175dc3c

SHA512
5423499a52ef975ac51e1b31e4b96049cee96aa78ba9d1e64c7a82c91d4a1cdf51ec4b23be98ccf61147908c4d8673523d95f6072e6130b77099aa15375d5975

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KH0743.exe

Filesize
1.1MB

MD5
a8323aabbf7b579c33dc80ab9197f4f1

SHA1
1a85d2590664ab9a29f0c35d30fa62e23fa75b52

SHA256
86dc8bca3662d1a5bcee01642d241ef0bf7c42b50dc57c45820449184a2dc7b0

SHA512
61c0bf7a19355c10f8bee1dab5961e8bebfe021f67d4db7faf739af06f3dd2a3e335086f93fa355be0c8ce84a32d1c71d336cf06235ba07538d748cee4c44058

Download Submit
memory/60-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/60-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2388-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download