mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe
Size

628KB
MD5

c0c6272b565328e812a8c7cea5d676c3
SHA1

47bfb96cc291735edbd66b7cbd703e0e2aa981f2
SHA256

7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36
SHA512

65936efbfb6716abb04dde0c30d560080fd84654c040785a7e2c2369130aa821132f1488940adc980f66652cb864d444a542d95320d8abdd8776f1dfd5116c5c
SSDEEP

12288:MMrjy90HGqS2YZGj2whVmWX/q1LGHa9Db+3Mr89bwBUT:/yb2D2sVmWPmLGHH3MreyUT

Score

10^/10

mystic smokeloader backdoor persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral12/memory/4920-27-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/4920-30-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/4920-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral12/memory/3620-20-0x0000000000D50000-0x0000000000D70000-memory.dmp	net_reactor
behavioral12/memory/3620-22-0x0000000002810000-0x000000000282E000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

Processes:

du0FN18.exe1bI69hf7.exe2KN4523.exe3bz38Gf.exe

pid process

1964 du0FN18.exe
2488 1bI69hf7.exe
316 2KN4523.exe
2300 3bz38Gf.exe

pid	process
1964	du0FN18.exe
2488	1bI69hf7.exe
316	2KN4523.exe
2300	3bz38Gf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exedu0FN18.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	du0FN18.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1bI69hf7.exe2KN4523.exe3bz38Gf.exe

description	pid	process	target process
PID 2488 set thread context of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 316 set thread context of 4920	316	2KN4523.exe	AppLaunch.exe
PID 2300 set thread context of 2404	2300	3bz38Gf.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2444 2488 WerFault.exe 1bI69hf7.exe
460 316 WerFault.exe 2KN4523.exe
4888 2300 WerFault.exe 3bz38Gf.exe

pid	pid_target	process	target process
2444	2488	WerFault.exe	1bI69hf7.exe
460	316	WerFault.exe	2KN4523.exe
4888	2300	WerFault.exe	3bz38Gf.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3620 AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3620	AppLaunch.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exedu0FN18.exe1bI69hf7.exe2KN4523.exe3bz38Gf.exe

description	pid	process	target process
PID 3212 wrote to memory of 1964	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	du0FN18.exe
PID 3212 wrote to memory of 1964	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	du0FN18.exe
PID 3212 wrote to memory of 1964	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	du0FN18.exe
PID 1964 wrote to memory of 2488	1964	du0FN18.exe	1bI69hf7.exe
PID 1964 wrote to memory of 2488	1964	du0FN18.exe	1bI69hf7.exe
PID 1964 wrote to memory of 2488	1964	du0FN18.exe	1bI69hf7.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 2488 wrote to memory of 3620	2488	1bI69hf7.exe	AppLaunch.exe
PID 1964 wrote to memory of 316	1964	du0FN18.exe	2KN4523.exe
PID 1964 wrote to memory of 316	1964	du0FN18.exe	2KN4523.exe
PID 1964 wrote to memory of 316	1964	du0FN18.exe	2KN4523.exe
PID 316 wrote to memory of 1788	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 1788	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 1788	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 2844	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 2844	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 2844	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 316 wrote to memory of 4920	316	2KN4523.exe	AppLaunch.exe
PID 3212 wrote to memory of 2300	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	3bz38Gf.exe
PID 3212 wrote to memory of 2300	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	3bz38Gf.exe
PID 3212 wrote to memory of 2300	3212	7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe	3bz38Gf.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe
PID 2300 wrote to memory of 2404	2300	3bz38Gf.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe
"C:\Users\Admin\AppData\Local\Temp\7dc4ebbe254d4cbc8e93064098173786d7ed5aa42b3c8d4abb55678e250a4b36.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\du0FN18.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\du0FN18.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bI69hf7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bI69hf7.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 552
4⤵
- Program crash
PID:2444

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KN4523.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KN4523.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 592
4⤵
- Program crash
PID:460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3bz38Gf.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3bz38Gf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 148
3⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2488 -ip 2488
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 316 -ip 316
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2300 -ip 2300
1⤵
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3bz38Gf.exe
Filesize
145KB

MD5
a0fa1a3d5b63449f70b1bd626ae6e7fc

SHA1
e7280f12fa5b570c3dbd1a21cc6f317ce40b6bb7

SHA256
0bf46903bd866ef85fe5a391639b1c9888b53913ce2e37f56a69ad02b4e15b93

SHA512
d486312351c1573d64b39221b6e6a716020304057244769aa74904b0dc7a7e6f0d9174d607b7e84ceeb1cafc0e1145dc1fb2a974a659da7c058ac269f53cd3de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\du0FN18.exe
Filesize
444KB

MD5
aa61a3cd164b2fa2f88c2d0a955ff94a

SHA1
31f6ce582226abd4c20dec32aa4594d377e8ac57

SHA256
a6c66037dfa253bcf8a254d37350aed7c32b36f6a854949354fa08f60922cf24

SHA512
f58f34d35ee4a97a050b1071f5eaeaf6c3c3adea992788ce35c3199b06f5933ed15febb5aa5e61b4fb68d0d55f6a0ff2e96c9aea25297dba9124fa293f366bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bI69hf7.exe
Filesize
306KB

MD5
cffbf89be9b8ebbba9a11ea60f0be22e

SHA1
86269fe003ca2411781daf149ea2d8b91503c663

SHA256
824399351186817a2c12df4e401bcae384ce66add003c01e4a3a8e25e48b7b62

SHA512
3690bdca96918ae9ed0baa7d564d0edbdc83ec996c126ff3fb88a160046b14b1de22043fc39e8bdb25f6d96f5cc866ebf58afe30506ba502dfa83a8a5ae4a273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2KN4523.exe
Filesize
295KB

MD5
542b4a3030dfa0a861ba6f782d6a6d0a

SHA1
ca71dbaac51113c3a6e77f04da2cf80af02b8905

SHA256
64844b2cdddd028c9f44f65658aa599cc805e33583e9da6a13decb55f5233fa6

SHA512
305c5073d28cb5fa0b85cba10ff854f81e51b4be194108b3dfc2a924811f3ec2889b69eaf24a4757a28de1f9d534edb2e5093384543a0c35fad9b06c6ad8e0ff

Download Submit
memory/2404-34-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3620-21-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/3620-19-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/3620-20-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download
memory/3620-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-22-0x0000000002810000-0x000000000282E000-memory.dmp

Filesize
120KB

Download
memory/3620-23-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/3620-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3620-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4920-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4920-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4920-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download