mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe
Size

1.3MB
MD5

39f0a05d9cffc6b37a511894b059bc41
SHA1

3824f46d185556377f522fa71219a8cffd91e1a6
SHA256

b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85
SHA512

e636d7bd05c3dea755dbc513f16799cb8f4104d8650df8d887ae283d2ef2a0e23699b819f96abd70a58f5447b094f5a14e8456aa982cc01e96154231b280246c
SSDEEP

24576:qyiD/od1RQ2QJvKWMY8INJwYVCTA+oYueiVPvZ11+7ebeyBDZ+yk1gaacvyZAhxG:xiL2RQ2QJv7bJsFoLnVPU7weyzuambqo

Score

10^/10

mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral18/files/0x0007000000023430-54.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1On31NB6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1On31NB6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1On31NB6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1On31NB6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1On31NB6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1On31NB6.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral18/memory/3708-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
1472	Qj3GX23.exe
3592	ee0yo00.exe
852	1On31NB6.exe
4804	2uI2487.exe
1648	3rj33fm.exe
4572	4QS842GM.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1On31NB6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1On31NB6.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Qj3GX23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ee0yo00.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 3748	1648	3rj33fm.exe	97
PID 4572 set thread context of 3708	4572	4QS842GM.exe	103

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3992	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3132	1648	WerFault.exe	95
640	4572	WerFault.exe	101

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
852	1On31NB6.exe
852	1On31NB6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	1On31NB6.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 1472	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	84
PID 4064 wrote to memory of 1472	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	84
PID 4064 wrote to memory of 1472	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	84
PID 1472 wrote to memory of 3592	1472	Qj3GX23.exe	85
PID 1472 wrote to memory of 3592	1472	Qj3GX23.exe	85
PID 1472 wrote to memory of 3592	1472	Qj3GX23.exe	85
PID 3592 wrote to memory of 852	3592	ee0yo00.exe	86
PID 3592 wrote to memory of 852	3592	ee0yo00.exe	86
PID 3592 wrote to memory of 852	3592	ee0yo00.exe	86
PID 3592 wrote to memory of 4804	3592	ee0yo00.exe	94
PID 3592 wrote to memory of 4804	3592	ee0yo00.exe	94
PID 3592 wrote to memory of 4804	3592	ee0yo00.exe	94
PID 1472 wrote to memory of 1648	1472	Qj3GX23.exe	95
PID 1472 wrote to memory of 1648	1472	Qj3GX23.exe	95
PID 1472 wrote to memory of 1648	1472	Qj3GX23.exe	95
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 1648 wrote to memory of 3748	1648	3rj33fm.exe	97
PID 4064 wrote to memory of 4572	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	101
PID 4064 wrote to memory of 4572	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	101
PID 4064 wrote to memory of 4572	4064	b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe	101
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103
PID 4572 wrote to memory of 3708	4572	4QS842GM.exe	103

C:\Users\Admin\AppData\Local\Temp\b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe
"C:\Users\Admin\AppData\Local\Temp\b6f332f02aabba8a420db82ac6b2a3566d6384471d7dae236759ded20f8dde85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qj3GX23.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qj3GX23.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ee0yo00.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ee0yo00.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1On31NB6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1On31NB6.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uI2487.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uI2487.exe
      4⤵
      Executes dropped EXE
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3rj33fm.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3rj33fm.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:3748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 156
      4⤵
      Program crash
      PID:3132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4QS842GM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4QS842GM.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 156
    3⤵
    - Program crash
    PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1648 -ip 1648
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4572 -ip 4572
1⤵
PID:4584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4QS842GM.exe

Filesize
1.8MB

MD5
2ef596caf586a00ad41681d9a05492b2

SHA1
c1cefbe81175c03b729d96e081d2517d3d1d2923

SHA256
007691b15b20a5cebbb44ac795914335d6870f94d19b76f2e630a74c10a3eb79

SHA512
b122be68aaf80a0d797bb6859c9f02e07f40bcb592afcd56751f67fbea7233621c13106f0470afb75f7a23a0818e10bd88ce8fe17fa1d6a170b87aeaddcc7827

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Qj3GX23.exe

Filesize
840KB

MD5
4ac64322286cdd76fc76d93a3493340f

SHA1
96d9009b6da81a00a1dc09c5c71a8109f728807a

SHA256
b7b797be20763b334a908922a8b46c61a7fc31cd2c0f1d526b51a6cd4ad34bd2

SHA512
34f8cbc5f632bc661e1bad5da2f5264ce20655b246f0eca262086a60798156a98d4553856a743a056c2c38babe8575f5780125081b80259990abd227fa5f0bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3rj33fm.exe

Filesize
1.6MB

MD5
f8821d06da1c3c9703408c7025e4688a

SHA1
8e975dae15234da1527cb677fbfd3b3156d5d0ff

SHA256
603bcf0d4d324f35293e8fda18f89039c8f13447abc32c5af35a574e0c95c976

SHA512
76800c612ab4ba3e9c1390328629c2a19b9ba73d8d46ba567b240be9cb1f036e50bc9e22eb770171ac41c94cb9577d94ac3b484352f8cc2ffd209acd843be3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ee0yo00.exe

Filesize
362KB

MD5
2a4e996e527c6f9fbf5e397c07ca2fc5

SHA1
ad4a837471ba5dd5a9874cc8b8e9640e86986edd

SHA256
bdc980bf53888e65880916f953a981fe7d4661e9ab9563601180b272c4a309a0

SHA512
5b6d6ef9f0ad07c277770d9b130e70c0dc389c536da976fa65d8a315bbfa7125ce6959b9b77836b5df25f917d47cca26909cf2f1735ca91da10529a0c65f42a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1On31NB6.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uI2487.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
memory/852-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-50-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-46-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/852-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/852-22-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/852-21-0x00000000021A0000-0x00000000021BE000-memory.dmp

Filesize
120KB

Download
memory/3708-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-64-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/3708-65-0x0000000002F80000-0x0000000002F8A000-memory.dmp

Filesize
40KB

Download
memory/3708-66-0x0000000008BD0000-0x00000000091E8000-memory.dmp

Filesize
6.1MB

Download
memory/3708-67-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/3708-68-0x0000000007D20000-0x0000000007D32000-memory.dmp

Filesize
72KB

Download
memory/3708-69-0x0000000007D80000-0x0000000007DBC000-memory.dmp

Filesize
240KB

Download
memory/3708-70-0x0000000007DC0000-0x0000000007E0C000-memory.dmp

Filesize
304KB

Download
memory/3748-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download