mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
137s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe
Size

657KB
MD5

01a84bc0f9662c85b3e51840340584e7
SHA1

f9b058a4d293cd4736466b97a75159823e2a0ac9
SHA256

16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a
SHA512

b78da685b4ac48bf111285dadd929e76f2282f50e66c31df783dc92c677d8c6d3ee5d64aa11b7d70102cf556565bdd29b6a7bbd0b88582115471d77ef73f193d
SSDEEP

12288:KMrhy90Dr/7bS2jGH0CwdYQS6QbyfFAF0oxJ5myPoOmIfb:TyanVGUCwd/S6QbyfFA75oOmGb

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/1008-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/1008-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/1008-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
1184	Id1Tk83.exe
1252	1Tl75WE8.exe
928	2iu9448.exe
2252	3uE65Mj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Id1Tk83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1252 set thread context of 4008	1252	1Tl75WE8.exe	86
PID 928 set thread context of 1008	928	2iu9448.exe	91

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uE65Mj.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uE65Mj.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uE65Mj.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4008	AppLaunch.exe
4008	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1184	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	84
PID 4392 wrote to memory of 1184	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	84
PID 4392 wrote to memory of 1184	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	84
PID 1184 wrote to memory of 1252	1184	Id1Tk83.exe	85
PID 1184 wrote to memory of 1252	1184	Id1Tk83.exe	85
PID 1184 wrote to memory of 1252	1184	Id1Tk83.exe	85
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1252 wrote to memory of 4008	1252	1Tl75WE8.exe	86
PID 1184 wrote to memory of 928	1184	Id1Tk83.exe	87
PID 1184 wrote to memory of 928	1184	Id1Tk83.exe	87
PID 1184 wrote to memory of 928	1184	Id1Tk83.exe	87
PID 928 wrote to memory of 4248	928	2iu9448.exe	90
PID 928 wrote to memory of 4248	928	2iu9448.exe	90
PID 928 wrote to memory of 4248	928	2iu9448.exe	90
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 928 wrote to memory of 1008	928	2iu9448.exe	91
PID 4392 wrote to memory of 2252	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	92
PID 4392 wrote to memory of 2252	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	92
PID 4392 wrote to memory of 2252	4392	16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe	92

C:\Users\Admin\AppData\Local\Temp\16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe
"C:\Users\Admin\AppData\Local\Temp\16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4248
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uE65Mj.exe

Filesize
30KB

MD5
02bf10f796901f77e15450a0ade88c5c

SHA1
370b1f21850f48c7118294254c4b0cccbe3d6ce6

SHA256
d1086600b1cb6172db50366e66a6884381d2f17f94a0c26c606243a9e39086ff

SHA512
effec019ccd580e58ddf3dace92794ad8f85fa6e22e1f1f8bf28bcd38f6ca01f24b4c70cc8575fcb6c29a7403a3b79b75354d2754451565d46cdd9fefa6b7bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id1Tk83.exe

Filesize
533KB

MD5
987805bec721420c6dbae12d3fef4175

SHA1
180daf1addf6fbb464bc1600337ca9125a68e7ad

SHA256
0562354daac0af76f2fc26f6cb1b1c836dbc44897cd3c21b86f06ece5009624d

SHA512
94b528330591235178e77f24753da94c5afc451cf02e865dfd406e881e36a59dea3812a02731b9f02b79269cfa7a0f225eb35c64049bae1f14575db1900a24bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Tl75WE8.exe

Filesize
886KB

MD5
1d9d7a899796eeef436cd9bd87c3f80b

SHA1
022ca79920460943be3633016075272c4a990cfe

SHA256
ca9d570cd537a6c8f6b48c2c92a7c95e7ff837d3084f6e3c7803897a5a63fb95

SHA512
1e7d9b16e4690b59d7b7a281668ddc3a3fc5b8d51f50c92dbaef5ecee6e770fb531ac266eab83480b21e7f49fe863225eebe86b602d47f8523bde4e672ef041e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2iu9448.exe

Filesize
1.1MB

MD5
773e9b58999ac4f1a4f26929f85883e4

SHA1
46a9342c366ef802375e2d48d904227ac819b157

SHA256
fb4ed616baeaaf895b7aafbbb9595f00a883982fa4a08c17b03fda80e05936a7

SHA512
d63ba4f2a5746119d7cd5be602cb0f8797ddef0d1fe2effa997cef7b9f1ad03b5d2c34a19c03dec6e5b6498d0dfb51832e8cd7199633ef8170b85791e956b280

Download Submit
memory/1008-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2252-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4008-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download