mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe
Size

1.0MB
MD5

ec3305d183846a3c92c07d0053b41f3b
SHA1

4ea345e1ba5c1076a422310d48b1682ca2dcd56d
SHA256

d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57
SHA512

270a856c6522f0f683c64590393b286b825bcc39a99585417a125b3525451aa43bc7c5f9c7735d8504defafbd801e5632628245422859718656c3ab496eca76d
SSDEEP

24576:KyP7XiJUqJaiZXcZA3g6NQ8QdfCZiGKN8b7GAoCgnL+eT:RzmEmsZAQ6O8QdfWiGFgn

Score

10^/10

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral16/memory/984-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/984-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/984-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral16/memory/1748-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
1168	sh6qU78.exe
2160	Cu1rf31.exe
1196	1vF56wW4.exe
1568	2in5141.exe
2404	3dl21bJ.exe
1668	4zV625lJ.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Cu1rf31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sh6qU78.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 1780	1196	1vF56wW4.exe	86
PID 1568 set thread context of 984	1568	2in5141.exe	91
PID 1668 set thread context of 1748	1668	4zV625lJ.exe	98

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dl21bJ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dl21bJ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dl21bJ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1780	AppLaunch.exe
1780	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	AppLaunch.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1168	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	83
PID 2588 wrote to memory of 1168	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	83
PID 2588 wrote to memory of 1168	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	83
PID 1168 wrote to memory of 2160	1168	sh6qU78.exe	84
PID 1168 wrote to memory of 2160	1168	sh6qU78.exe	84
PID 1168 wrote to memory of 2160	1168	sh6qU78.exe	84
PID 2160 wrote to memory of 1196	2160	Cu1rf31.exe	85
PID 2160 wrote to memory of 1196	2160	Cu1rf31.exe	85
PID 2160 wrote to memory of 1196	2160	Cu1rf31.exe	85
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 1196 wrote to memory of 1780	1196	1vF56wW4.exe	86
PID 2160 wrote to memory of 1568	2160	Cu1rf31.exe	87
PID 2160 wrote to memory of 1568	2160	Cu1rf31.exe	87
PID 2160 wrote to memory of 1568	2160	Cu1rf31.exe	87
PID 1568 wrote to memory of 600	1568	2in5141.exe	89
PID 1568 wrote to memory of 600	1568	2in5141.exe	89
PID 1568 wrote to memory of 600	1568	2in5141.exe	89
PID 1568 wrote to memory of 1096	1568	2in5141.exe	90
PID 1568 wrote to memory of 1096	1568	2in5141.exe	90
PID 1568 wrote to memory of 1096	1568	2in5141.exe	90
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1568 wrote to memory of 984	1568	2in5141.exe	91
PID 1168 wrote to memory of 2404	1168	sh6qU78.exe	92
PID 1168 wrote to memory of 2404	1168	sh6qU78.exe	92
PID 1168 wrote to memory of 2404	1168	sh6qU78.exe	92
PID 2588 wrote to memory of 1668	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	93
PID 2588 wrote to memory of 1668	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	93
PID 2588 wrote to memory of 1668	2588	d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe	93
PID 1668 wrote to memory of 4348	1668	4zV625lJ.exe	97
PID 1668 wrote to memory of 4348	1668	4zV625lJ.exe	97
PID 1668 wrote to memory of 4348	1668	4zV625lJ.exe	97
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98
PID 1668 wrote to memory of 1748	1668	4zV625lJ.exe	98

C:\Users\Admin\AppData\Local\Temp\d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe
"C:\Users\Admin\AppData\Local\Temp\d55f431b8ea5ad86d41def5d797c360d619becd2b366e7210433952a81c4ac57.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sh6qU78.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sh6qU78.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu1rf31.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu1rf31.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vF56wW4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vF56wW4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2in5141.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2in5141.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:600
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dl21bJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dl21bJ.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zV625lJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zV625lJ.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zV625lJ.exe

Filesize
1.1MB

MD5
839d6ee7929d77264cad929a1c458518

SHA1
eda80d0179735f94a0a12dd695b1499358c79d52

SHA256
58483db7aa73c1b600b8aada090c948c0aa9ab3eae95b11a2d1b39fc66adfbec

SHA512
d5feee9229fc1c4a0c59cdcc9a528c10147337fdabd6a79253b652682cc8e962739c787aed4933d73b3c44fab9ef37a01f52bf1642868ce2b70b01e1b70d82ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sh6qU78.exe

Filesize
648KB

MD5
13879bbd40c4c43549fe263871b5292c

SHA1
a260939baca340eecbf2cac61cfe81f7cb352081

SHA256
32f456a242d807cd3789b219f062f4a503f3474ab718e2254075a711b8bad5f1

SHA512
dc17152db8d244eac433bd44e1146737fa7c533740d9b24cba23af61f7af33247d1215ae413bbfdf74f05324083cccb44012b32a64182d0d4e4eb198f6248e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dl21bJ.exe

Filesize
31KB

MD5
669f7cda993046b9094aa5364da5e812

SHA1
0fb18910569664fc3885b45d5d972ff2670d8c51

SHA256
b925b6e1452138e2afbb9423b7118bc57a598ce1f564b4fb074a8dd164c4973b

SHA512
d461e14e8a2065066de86a0d6d31859b9398fcf9a8965df68fd079ec1840abb93b6aae80a6bfb3110dbdce1792f94faeccdafe0224b1d793925689fe526adca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu1rf31.exe

Filesize
523KB

MD5
e135e0bf2d56e6f65c82289bf50206bc

SHA1
71573541076e78198b2afe5791fc45150a483f33

SHA256
3340bbc2b32033ef7fa598c7115af46899fef83023238d6973588fed75590ba2

SHA512
282188fef1b86339c9ee9cf327fe4941fff75afbc97b37f58e68ce988611d525ef4f25203215ea9bc454e3370ead16dcc4dd3c732772ea42e612950401400b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1vF56wW4.exe

Filesize
874KB

MD5
5ccae1462fd952afda3d907edba30087

SHA1
b4bcf39ff81545eceefc583026d413c2d2874c86

SHA256
d4b91e03d41777b39a4100d85d828d41bf86c16a9793b3118d13ca735cd5bbdf

SHA512
49e985072053c3f674814b086df8697d729c8d61cee6e24d17bc2bcf9152ccaa4282460566c51c312d00b9eec28dedf7084c406958714a65cc03467c0dbc4823

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2in5141.exe

Filesize
1.1MB

MD5
01644e62872c964b07669fee1dd4980c

SHA1
e7dae02fc8cbb221102d8af9ebc4673f91a34151

SHA256
2997783a760389f11f29ad5bcf91514efb0169a22db13a90b557737926991550

SHA512
98aa5afd1b23f3d02bc3da9de465faba105bef913b51f9624017e0d73bf9201160d9b50ad1240360c902f2747f7d34f5bcdad423b578e5ba93b3dc8933da32c9

Download Submit
memory/984-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-40-0x00000000029E0000-0x00000000029EA000-memory.dmp

Filesize
40KB

Download
memory/1748-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-38-0x0000000007B80000-0x0000000008124000-memory.dmp

Filesize
5.6MB

Download
memory/1748-39-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/1748-41-0x0000000008750000-0x0000000008D68000-memory.dmp

Filesize
6.1MB

Download
memory/1748-42-0x0000000007A20000-0x0000000007B2A000-memory.dmp

Filesize
1.0MB

Download
memory/1748-43-0x00000000078C0000-0x00000000078D2000-memory.dmp

Filesize
72KB

Download
memory/1748-44-0x0000000007950000-0x000000000798C000-memory.dmp

Filesize
240KB

Download
memory/1748-45-0x0000000007990000-0x00000000079DC000-memory.dmp

Filesize
304KB

Download
memory/1780-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2404-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2404-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download