mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe
Size

1.1MB
MD5

fb7f64bb0a4554798853318043392040
SHA1

4c81df15636106a1cedc43f0435443c9b1547f2e
SHA256

169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd
SHA512

56028f73d5d98c0915462996be04b5a7ebdffbbb7188618e2ec2825ebe0b95cfa1b1fc36192b0ca6af9a60b15e285d515c4c91398d0e5bd45241c7d3ff41cbe0
SSDEEP

24576:cy1c2oUIaB6nHyAA91U3UyIXZdYnVFrNcnoKfaxBS1SAE:L1mUpDt92nlqnLynSUA

Score

10^/10

mystic redline smokeloader supera backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

supera

77.91.124.82:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wt1255.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1Vq68aN7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Vq68aN7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1Vq68aN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Vq68aN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Vq68aN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Vq68aN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Vq68aN7.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-33-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 6 IoCs

Processes:

up5fE40.exezT5Uk80.exe1Vq68aN7.exe2wt1255.exe3te52BN.exe4Jo121AH.exe

pid process

5020 up5fE40.exe
3880 zT5Uk80.exe
3232 1Vq68aN7.exe
4540 2wt1255.exe
4048 3te52BN.exe
3120 4Jo121AH.exe

pid	process
5020	up5fE40.exe
3880	zT5Uk80.exe
3232	1Vq68aN7.exe
4540	2wt1255.exe
4048	3te52BN.exe
3120	4Jo121AH.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1Vq68aN7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1Vq68aN7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Vq68aN7.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exeup5fE40.exezT5Uk80.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	up5fE40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zT5Uk80.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3te52BN.exe4Jo121AH.exe

description	pid	process	target process
PID 4048 set thread context of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 3120 set thread context of 4556	3120	4Jo121AH.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1Vq68aN7.exe

pid process

3232 1Vq68aN7.exe
3232 1Vq68aN7.exe
3232 1Vq68aN7.exe
3232 1Vq68aN7.exe

pid	process
3232	1Vq68aN7.exe
3232	1Vq68aN7.exe
3232	1Vq68aN7.exe
3232	1Vq68aN7.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exeup5fE40.exezT5Uk80.execmd.exe3te52BN.exe4Jo121AH.exe

description	pid	process	target process
PID 4264 wrote to memory of 5020	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	up5fE40.exe
PID 4264 wrote to memory of 5020	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	up5fE40.exe
PID 4264 wrote to memory of 5020	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	up5fE40.exe
PID 5020 wrote to memory of 3880	5020	up5fE40.exe	zT5Uk80.exe
PID 5020 wrote to memory of 3880	5020	up5fE40.exe	zT5Uk80.exe
PID 5020 wrote to memory of 3880	5020	up5fE40.exe	zT5Uk80.exe
PID 3880 wrote to memory of 3232	3880	zT5Uk80.exe	1Vq68aN7.exe
PID 3880 wrote to memory of 3232	3880	zT5Uk80.exe	1Vq68aN7.exe
PID 4020 wrote to memory of 3392	4020	cmd.exe	regini.exe
PID 4020 wrote to memory of 3392	4020	cmd.exe	regini.exe
PID 3880 wrote to memory of 4540	3880	zT5Uk80.exe	2wt1255.exe
PID 3880 wrote to memory of 4540	3880	zT5Uk80.exe	2wt1255.exe
PID 3880 wrote to memory of 4540	3880	zT5Uk80.exe	2wt1255.exe
PID 5020 wrote to memory of 4048	5020	up5fE40.exe	3te52BN.exe
PID 5020 wrote to memory of 4048	5020	up5fE40.exe	3te52BN.exe
PID 5020 wrote to memory of 4048	5020	up5fE40.exe	3te52BN.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4048 wrote to memory of 3792	4048	3te52BN.exe	AppLaunch.exe
PID 4264 wrote to memory of 3120	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	4Jo121AH.exe
PID 4264 wrote to memory of 3120	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	4Jo121AH.exe
PID 4264 wrote to memory of 3120	4264	169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe	4Jo121AH.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe
PID 3120 wrote to memory of 4556	3120	4Jo121AH.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe
"C:\Users\Admin\AppData\Local\Temp\169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\up5fE40.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\up5fE40.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zT5Uk80.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zT5Uk80.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vq68aN7.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vq68aN7.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wt1255.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wt1255.exe
      4⤵
      Executes dropped EXE
      PID:4540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3te52BN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3te52BN.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:3792
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Jo121AH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Jo121AH.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c regini "C:\Users\Admin\AppData\Roaming\random_1716458224.txt"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\system32\regini.exe
  regini "C:\Users\Admin\AppData\Roaming\random_1716458224.txt"
  2⤵
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Jo121AH.exe

Filesize
1.1MB

MD5
46dbd580227b00765a18083aac46e470

SHA1
761b97f5a0daf6438840605e9fb16abca730029e

SHA256
7c74641c93f629a64652756f6fbd9509213278726bac411df8689a2f9320fbc1

SHA512
6849d9ddad41e15d2d00f41e5c33311aefe595530d6b589bdf6e651eb951ba607fc55a542911d398ecccf5776f80e30a86a3c61e4e84a03260b9abd829553907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\up5fE40.exe

Filesize
721KB

MD5
52ce68206fcd51e63b2ff30b17232f89

SHA1
f11db1add6e13ede917136f0bf243a30ac1b38c0

SHA256
941b66b9da7df14bc4991425e7d102f824dd260a7f81a2dc7c8fec90c5c4802d

SHA512
61452be125be4e8f28f0c7260612fe787be847456769a25cb4ee41412275866be15dfe724a95f47d6f35a76f8beb4c9446c27e23724a5813ef830820fd8ecd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3te52BN.exe

Filesize
916KB

MD5
ce47a3b4899f1b2fd44fcf4d180e95eb

SHA1
f0883be11201f037f84ce0e6f6a22b57619029fd

SHA256
c89bc9c2b39a93064315a5bf21a71d1cd4a65fe02b0a8c5857aedc904af1f54c

SHA512
ecdb570b261091cc56fa4090654940dba0b8cf748b043651711c9aa002acbf6574d4f8e0ec94405bf29658cde37f6d750ef093c64bea2ba4e15dc99cc93b2422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zT5Uk80.exe

Filesize
354KB

MD5
7d78a2ce92215276949f3b902c8818fa

SHA1
0fb9767a9195a5aa4b5a9b35b05dfb88632387f9

SHA256
fd47d692a2a088780068a896ac93cd1f8c800178a221316df09576c70c0b8bab

SHA512
504391f8d402ef86dc61d8acc07a4004574c098f05076e67b9f35e1628a04155e5514e41e868ecd3b83830e3e387076605118e516df0d6c7a3351ae3ba296486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vq68aN7.exe

Filesize
265KB

MD5
15fe972bcfd9189d826083838645b850

SHA1
d2bf7fee68e358fa71b942b8ae92e483536abf86

SHA256
ec739f26f487bcc65718bb8c28a5e3adf817a18e01952bd888f618a57c1e61d4

SHA512
30f7c8daa78ba9bb32d5dca56440fd9b1d36336f496521920ab41737787c1c8e0bcdd714b72249e0ab52908d7918afcaf9e0b3f5ba2a8a2888e9adb538810cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wt1255.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Roaming\random_1716458224.txt

Filesize
78B

MD5
2d245696c73134b0a9a2ac296ea7c170

SHA1
f234419d7a09920a46ad291b98d7dca5a11f0da8

SHA256
ed83e1f6850e48029654e9829cbf6e2cdff82f55f61d1449f822e448f75e8930

SHA512
af0b981ef20aa94aff080fbd2030556fe47c4cc563885b162e604f72bc70c4a0eee4ee57ce4ea8964e6363a32ba34f8bee933db30d3d61392c42299621a4fc79

Download Submit
memory/3792-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4556-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-34-0x0000000007740000-0x0000000007CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4556-35-0x0000000007290000-0x0000000007322000-memory.dmp

Filesize
584KB

Download
memory/4556-36-0x0000000002810000-0x000000000281A000-memory.dmp

Filesize
40KB

Download
memory/4556-37-0x0000000008310000-0x0000000008928000-memory.dmp

Filesize
6.1MB

Download
memory/4556-38-0x0000000007630000-0x000000000773A000-memory.dmp

Filesize
1.0MB

Download
memory/4556-39-0x00000000073C0000-0x00000000073D2000-memory.dmp

Filesize
72KB

Download
memory/4556-40-0x0000000007560000-0x000000000759C000-memory.dmp

Filesize
240KB

Download
memory/4556-41-0x00000000075A0000-0x00000000075EC000-memory.dmp

Filesize
304KB

Download