mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe
Size

748KB
MD5

373acbf2f3d1e2fa28f3961311d1187e
SHA1

60d6c0fb97f5673c96fe13b94e7eb446ae72bce4
SHA256

864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0
SHA512

1867a971cdf2238ec530a79a23530b7ebd6209ae2e2f64b9fdf6925199275f4586bbea177a25453c6b05d5961452ab702c3283149dff9c6c1368bf4f5d1f3b52
SSDEEP

12288:iMrzy90aQ+AopvrmaEUEWnwXlhUxEBYjYejzaREccnzS+pqbXrM3K9MML9+5DMWr:ZyFQ+/TmJ+WlhUmBmaREr2+peXrM3hMI

Score

10^/10

mystic smokeloader backdoor persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral15/files/0x0007000000023456-24.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral15/memory/3588-15-0x0000000002400000-0x0000000002420000-memory.dmp	net_reactor
behavioral15/memory/3588-18-0x0000000004AD0000-0x0000000004AEE000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
3448	Ep2UD72.exe
3588	1CV54Te8.exe
5056	2AN3412.exe
4372	3kC81fm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ep2UD72.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4372 set thread context of 3584	4372	3kC81fm.exe	99

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	1CV54Te8.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 3448	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	82
PID 4816 wrote to memory of 3448	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	82
PID 4816 wrote to memory of 3448	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	82
PID 3448 wrote to memory of 3588	3448	Ep2UD72.exe	83
PID 3448 wrote to memory of 3588	3448	Ep2UD72.exe	83
PID 3448 wrote to memory of 3588	3448	Ep2UD72.exe	83
PID 3448 wrote to memory of 5056	3448	Ep2UD72.exe	95
PID 3448 wrote to memory of 5056	3448	Ep2UD72.exe	95
PID 3448 wrote to memory of 5056	3448	Ep2UD72.exe	95
PID 4816 wrote to memory of 4372	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	97
PID 4816 wrote to memory of 4372	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	97
PID 4816 wrote to memory of 4372	4816	864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe	97
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99
PID 4372 wrote to memory of 3584	4372	3kC81fm.exe	99

C:\Users\Admin\AppData\Local\Temp\864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe
"C:\Users\Admin\AppData\Local\Temp\864fdfc64cf28ad02bb956d55c2a2ce062a178c9a8ca6100f6534277ceedd3f0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ep2UD72.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ep2UD72.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CV54Te8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CV54Te8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AN3412.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AN3412.exe
    3⤵
    - Executes dropped EXE
    PID:5056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kC81fm.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kC81fm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3kC81fm.exe

Filesize
973KB

MD5
5dc4be46727c1853e63ebdd240ec9bd9

SHA1
6265b41bbecbb96cf666d2b4cbd6f209f44d7a2d

SHA256
1df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446

SHA512
59828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ep2UD72.exe

Filesize
365KB

MD5
b4b291a06efa31cca8a55b9adacb51f3

SHA1
dc9b361e4cd90806a8abf506fb54f1736f829a57

SHA256
9d99c9baa1a26560beb8eebed445235556b55c013cf144fe9d27d39c856534b0

SHA512
8785a67c72e77039b3d0c636ed6092d5259eacc06a7869949ed019191bd16c02bae8743eb06f623063f6cc617f71e318646bdafeaf143a8ca241cad2fa5f327c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1CV54Te8.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AN3412.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
memory/3584-29-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3588-18-0x0000000004AD0000-0x0000000004AEE000-memory.dmp

Filesize
120KB

Download
memory/3588-16-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/3588-19-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/3588-20-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/3588-22-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/3588-17-0x0000000004C70000-0x0000000005214000-memory.dmp

Filesize
5.6MB

Download
memory/3588-15-0x0000000002400000-0x0000000002420000-memory.dmp

Filesize
128KB

Download
memory/3588-14-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads