mystic | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe
Size

657KB
MD5

e5378c7aa769f854c35881601795a469
SHA1

432909c18905de39981e27c964001c5b4a6cffdf
SHA256

1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d
SHA512

b7139f53ba8edd52293f4c6c0bf8920a67cbe9ab0288d7d651c44174a91d6a303966690471790e1db8a392540fa6b17a63533355ed7ebf7c48252632638d4019
SSDEEP

12288:JMr4y90+oZ51RZwEqDEd5lrMeAj5RWQRYJ7w6orKSKLzaRUT:Ryy5bnqYdrMH7WQj6on2aRUT

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/2328-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2328-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
4372	ms6Zu56.exe
4944	1LJ98sP4.exe
536	2fC2723.exe
1852	3MR16TH.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ms6Zu56.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 4880	4944	1LJ98sP4.exe	85
PID 536 set thread context of 2328	536	2fC2723.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3MR16TH.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3MR16TH.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3MR16TH.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4880	AppLaunch.exe
4880	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4880	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4372	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	83
PID 64 wrote to memory of 4372	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	83
PID 64 wrote to memory of 4372	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	83
PID 4372 wrote to memory of 4944	4372	ms6Zu56.exe	84
PID 4372 wrote to memory of 4944	4372	ms6Zu56.exe	84
PID 4372 wrote to memory of 4944	4372	ms6Zu56.exe	84
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4944 wrote to memory of 4880	4944	1LJ98sP4.exe	85
PID 4372 wrote to memory of 536	4372	ms6Zu56.exe	86
PID 4372 wrote to memory of 536	4372	ms6Zu56.exe	86
PID 4372 wrote to memory of 536	4372	ms6Zu56.exe	86
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 536 wrote to memory of 2328	536	2fC2723.exe	90
PID 64 wrote to memory of 1852	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	91
PID 64 wrote to memory of 1852	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	91
PID 64 wrote to memory of 1852	64	1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe	91

C:\Users\Admin\AppData\Local\Temp\1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe
"C:\Users\Admin\AppData\Local\Temp\1fe4c883d2d7c8f09c5eab45d00c85339660191140f68cf11bd29f978582386d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3MR16TH.exe

Filesize
30KB

MD5
5ff1b48b7c4fedd441832e662b193294

SHA1
cd5e5b1dea51f156a85602a285cb7b6f3e7b9a01

SHA256
60bf0a75a0e646afd2c00cfddfe0669fe2abab1bce4c54f64eebf390fefee6bb

SHA512
76335507cf748defdbf2cb33e10988bdb2cbb99ff37b369ac0a2670f6aeae3ac298338ced9a3fce5aec9f5634f3449e134201d5282cd6a81bd3852e0e0f475b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms6Zu56.exe

Filesize
533KB

MD5
fa6002a4f70722651e6d5efa859bebc8

SHA1
7c058ce7d310eed4e586096ef34bc073a5c23326

SHA256
3d2e5e93724c91f2a46f9b850a2e078b1148b35c2a6197b27a2b64a7c09efc58

SHA512
60e0165abe7f25d8fea036214f893fa98b018d62901b3d756b30fd6a212ab2b77b53b87418238c95d6ae37bf202155229baaf5353cbf461882abbd84ea211420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1LJ98sP4.exe

Filesize
886KB

MD5
4c17b3e7891cc0dc445b98bad579b862

SHA1
1de1ed5f59adc00d54f7c814c3bcd0bb261bc6a1

SHA256
a01380704805f5b177b41a649ed781b170c9ce6c373bba2b15f4a19249966655

SHA512
ddc9b44d0e32fd382dd3c3418a9c077b3b7ebf41502bf5e072fc4f4d5708cb098362cc8832919c07ad50c5422d78fa7917b2715a3d065c5d231683911d29be7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fC2723.exe

Filesize
1.1MB

MD5
9166cc8f3a785f3656868acc335f08e4

SHA1
b364d709678ca87e8a2073dc0e92305ce8ba7f06

SHA256
ae866155e9d507d7aade0f698005dd0e9531bd650a005b6ad0d9b51889e12a2e

SHA512
d73c74dc2dd6754973ab5634cdaa8094ac88a78cf74a6512a6fb77ef97bc07e790cd83fea113f53acf7288409f297042e649ce5758b5bce2aeba2bbf65ae567e

Download Submit
memory/1852-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1852-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2328-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download