mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
134s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe
Size

509KB
MD5

86209bb7bbbb6e6443b3cc605d1a600d
SHA1

bf9e70b3c3ee37060351788834fd1d0f03821003
SHA256

52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44
SHA512

a353a2230aa9843739136d82b31af7dc4d4d3a16724e191db7141c05ab4007ff3bbb5892f13e0a13fecfd303f961123aa0574160b91d8ec6aebe5d6558c7ad75
SSDEEP

12288:5Mryy90jmtyrg1j6tr0lYNXHq0HXdyCZMU0QMR9:nyvyrhkYVK0H4is

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1896-19-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1896-20-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1896-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

wc8CQ05.exe1ff11KX1.exe2wo7346.exe3cB63lq.exe

pid process

1048 wc8CQ05.exe
496 1ff11KX1.exe
4528 2wo7346.exe
3056 3cB63lq.exe

pid	process
1048	wc8CQ05.exe
496	1ff11KX1.exe
4528	2wo7346.exe
3056	3cB63lq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wc8CQ05.exe52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wc8CQ05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1ff11KX1.exe2wo7346.exe3cB63lq.exe

description	pid	process	target process
PID 496 set thread context of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 4528 set thread context of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 3056 set thread context of 2976	3056	3cB63lq.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

788 496 WerFault.exe 1ff11KX1.exe
1360 4528 WerFault.exe 2wo7346.exe
4608 3056 WerFault.exe 3cB63lq.exe

pid	pid_target	process	target process
788	496	WerFault.exe	1ff11KX1.exe
1360	4528	WerFault.exe	2wo7346.exe
4608	3056	WerFault.exe	3cB63lq.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

4580 AppLaunch.exe
4580 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4580 AppLaunch.exe

pid	process
4580	AppLaunch.exe
4580	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4580	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exewc8CQ05.exe1ff11KX1.exe2wo7346.exe3cB63lq.exe

description	pid	process	target process
PID 3884 wrote to memory of 1048	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	wc8CQ05.exe
PID 3884 wrote to memory of 1048	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	wc8CQ05.exe
PID 3884 wrote to memory of 1048	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	wc8CQ05.exe
PID 1048 wrote to memory of 496	1048	wc8CQ05.exe	1ff11KX1.exe
PID 1048 wrote to memory of 496	1048	wc8CQ05.exe	1ff11KX1.exe
PID 1048 wrote to memory of 496	1048	wc8CQ05.exe	1ff11KX1.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 496 wrote to memory of 4580	496	1ff11KX1.exe	AppLaunch.exe
PID 1048 wrote to memory of 4528	1048	wc8CQ05.exe	2wo7346.exe
PID 1048 wrote to memory of 4528	1048	wc8CQ05.exe	2wo7346.exe
PID 1048 wrote to memory of 4528	1048	wc8CQ05.exe	2wo7346.exe
PID 4528 wrote to memory of 3196	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 3196	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 3196	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 4528 wrote to memory of 1896	4528	2wo7346.exe	AppLaunch.exe
PID 3884 wrote to memory of 3056	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	3cB63lq.exe
PID 3884 wrote to memory of 3056	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	3cB63lq.exe
PID 3884 wrote to memory of 3056	3884	52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe	3cB63lq.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe
PID 3056 wrote to memory of 2976	3056	3cB63lq.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe
"C:\Users\Admin\AppData\Local\Temp\52365e902526bb91828ec4b8904240033cb658cf61b7ec8ee9189f96d3e93e44.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8CQ05.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8CQ05.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ff11KX1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ff11KX1.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 556
4⤵
- Program crash
PID:788

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wo7346.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wo7346.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 68
4⤵
- Program crash
PID:1360

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3cB63lq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3cB63lq.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 152
3⤵
- Program crash
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 496 -ip 496
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4528 -ip 4528
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3056 -ip 3056
1⤵
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3cB63lq.exe
Filesize
145KB

MD5
fa5e9cddc5b75acc324c7130c2d6e6ea

SHA1
00d5d58969a342e9625c7ede1a4b1563fe5709d4

SHA256
665bb3a53c525ff4b912ab9d3bf1a336737f76a5c50384322e28e71090f3417e

SHA512
cad1e5d24aab048b3ee794770ce5f493d06d594382121198754945678d8671e6b644edaeab12187e67cce3b4f811dec89615121502d681e0a97d9881552e2fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc8CQ05.exe
Filesize
325KB

MD5
c0c4035b492b5debbe53b2865d0cd6be

SHA1
901328bfaad4224971fd21d8e42511c8faf03635

SHA256
f082e05c761a0b524770b72fe61c8a8fac60343acb1363e700f1307dbe111460

SHA512
9a624705f95f0a7c74671fb3cc4ab4b889a7e630e7eb20448f32040c3b04726da6120c8810e01e441814cdb1e6ceba64a5e96fb95db3f6ae6cd5f4a1e8a8464b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ff11KX1.exe
Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wo7346.exe
Filesize
295KB

MD5
98a2508aeb2555e81f6d4c7c878a6d25

SHA1
96ac4d7e10ff53ad6752ef1392692d9307016625

SHA256
4d3ec5cc1cdbb7da0d219d83fb637e5d58b272f1f8cc68fa41f2759ddc21f3dd

SHA512
b9473b3f1430c7d3cf78b209b4a43eb398a6fa0a688f408a3ab8115b14b92c3bb7d9af549c3749d33a0b842a9bf8ccf8d70dde70bdee6666a4f160c1a58dd016

Download Submit
memory/1896-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1896-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1896-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2976-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4580-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4580-15-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download