mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe
Size

1.1MB
MD5

d0d105a2196b197a7117daf301d63dc0
SHA1

a909a59c09dd6cf89b34745d28e049ae0f7539c6
SHA256

fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7
SHA512

d8ca188bc8188244a5aa6a11b13e35bbb887f00ee79da4933bc13325fb044fa30d8f2ca23e6b99498511c12900553d86d453c2cdcac0d5f2a209199eb6a592fc
SSDEEP

24576:/yWI9E/hFi5iDdQgzLH+TV/60X2KyLPoGLrEhJcYQuUS:KWthFi5iDyTV/60X2FdfE7guU

Score

10^/10

mystic redline smokeloader plost backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral21/memory/4800-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral21/memory/4800-26-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral21/memory/4800-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral21/memory/2376-37-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
2836	ac9Eq08.exe
4988	Nk2Qz99.exe
2124	1KM16kE8.exe
2560	2pa4107.exe
3604	3cn85hT.exe
1584	4CZ548OE.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ac9Eq08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Nk2Qz99.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 1772	2124	1KM16kE8.exe	95
PID 2560 set thread context of 4800	2560	2pa4107.exe	97
PID 1584 set thread context of 2376	1584	4CZ548OE.exe	101

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn85hT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn85hT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn85hT.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1772	AppLaunch.exe
1772	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 2836	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	91
PID 4636 wrote to memory of 2836	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	91
PID 4636 wrote to memory of 2836	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	91
PID 2836 wrote to memory of 4988	2836	ac9Eq08.exe	92
PID 2836 wrote to memory of 4988	2836	ac9Eq08.exe	92
PID 2836 wrote to memory of 4988	2836	ac9Eq08.exe	92
PID 4988 wrote to memory of 2124	4988	Nk2Qz99.exe	93
PID 4988 wrote to memory of 2124	4988	Nk2Qz99.exe	93
PID 4988 wrote to memory of 2124	4988	Nk2Qz99.exe	93
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 2124 wrote to memory of 1772	2124	1KM16kE8.exe	95
PID 4988 wrote to memory of 2560	4988	Nk2Qz99.exe	96
PID 4988 wrote to memory of 2560	4988	Nk2Qz99.exe	96
PID 4988 wrote to memory of 2560	4988	Nk2Qz99.exe	96
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2560 wrote to memory of 4800	2560	2pa4107.exe	97
PID 2836 wrote to memory of 3604	2836	ac9Eq08.exe	98
PID 2836 wrote to memory of 3604	2836	ac9Eq08.exe	98
PID 2836 wrote to memory of 3604	2836	ac9Eq08.exe	98
PID 4636 wrote to memory of 1584	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	99
PID 4636 wrote to memory of 1584	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	99
PID 4636 wrote to memory of 1584	4636	fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe	99
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101
PID 1584 wrote to memory of 2376	1584	4CZ548OE.exe	101

C:\Users\Admin\AppData\Local\Temp\fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe
"C:\Users\Admin\AppData\Local\Temp\fdbb9a49cd039fc64f0cf2a64961e3168c0210a03dc0283c09dcd5f5d1b00ce7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac9Eq08.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac9Eq08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nk2Qz99.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nk2Qz99.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1KM16kE8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1KM16kE8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pa4107.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pa4107.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn85hT.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn85hT.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4CZ548OE.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4CZ548OE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4CZ548OE.exe

Filesize
1.1MB

MD5
255441ee48916fb136815f7bec0e1fdd

SHA1
709cb425c46f45c11c0da8777fdbc17ec321c545

SHA256
8f8d8ea94c5904ce6c401f2c20a0b75bf027375d4210266c75559b764408b7df

SHA512
0e90708c47e1d9c30b4ccd26ff53ecbf0718a6a17db980413eb9e3e8d469b4dd376d5c32222d40a545760f696fff00997c34c735823f269487e2af7f2b1e6f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ac9Eq08.exe

Filesize
655KB

MD5
d34412dc76febfa78ffb20eff31320bb

SHA1
a4a4f435f74a0d1e78e06617b2217791acf3d4e6

SHA256
ece68a1a24d3957a3d082f98d11d6445f9a64dbe4600e64e4d7e75f9987938a5

SHA512
60f323569dece1171af98ad8e6e3d535d2297c65366487194651ae760a31e8bc3871cda3135d03c68b2427949c5f9bf8349600833861c29580ec4ff535fb0969

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn85hT.exe

Filesize
31KB

MD5
314fa0836479755b541b458a7c348818

SHA1
e19844a55994fe5b8b89eb9615b1b97f92836025

SHA256
b4514de3acdd6e051b3bb0aa10353c14310c726bb338a007ab9d46b3843341a7

SHA512
eb8d39b7cfe1b1a847549518b14b4ea85b98ec40bdfce423239560e48aee4cd6ea7f393ee81c916ab7aaa19024dfb33211c1991759a1a54f9a89afca0e98afd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nk2Qz99.exe

Filesize
531KB

MD5
bc0e05647c5c5bd6a1a32e7aa0912c41

SHA1
7777647195d23f4ed750cfefb039d3bbda8b3e21

SHA256
f38e5c90e98ed0f6de4b1e4391cddce2f65fccb3b907affcd4bc1722ce4ac91c

SHA512
ab09c7bb30727101ce3ec20c335790c85d45749defbb61fc6068beedeb66f5098b3eb9080566538fa0a1544646ff0291a4b02d16a4390906878fbce599597cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1KM16kE8.exe

Filesize
920KB

MD5
e2b545422d316655e1250858c36bce15

SHA1
f1df0f6935aeb8620d48c2420ea039e3d666e089

SHA256
bfe3f603c9d75955795cc0b108e2f66ea3732a19a852f128748681df5e0fee29

SHA512
ca889af21c3b809a0312d360048ca7f8034c2cae7a88c30c37988c04e722cb70a185c88c9dafab97a4ccb1a8c7b72a9204bbb9354f16e6bd21fb6fac59e45d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pa4107.exe

Filesize
1.1MB

MD5
159be5e709827faa7b7330c0a9715ba7

SHA1
bcf867153bb5c7fb5b496fef84a03e2332dffb6b

SHA256
a84306c3f03020389a40bfb036dbd4d0e99314e53f506d1752c469b3f782dcda

SHA512
910e287f272e4cbbebf8be3d6b51503e909c61bbfb5c9611f7ae0d2e69561198780a3581302fa3e1b3670a3a0857e1a5734ceb498e6c0c5ed2444ea3e7a79245

Download Submit
memory/1772-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2376-44-0x00000000076C0000-0x00000000076FC000-memory.dmp

Filesize
240KB

Download
memory/2376-43-0x0000000007650000-0x0000000007662000-memory.dmp

Filesize
72KB

Download
memory/2376-45-0x0000000007700000-0x000000000774C000-memory.dmp

Filesize
304KB

Download
memory/2376-42-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/2376-41-0x0000000008530000-0x0000000008B48000-memory.dmp

Filesize
6.1MB

Download
memory/2376-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-38-0x0000000007960000-0x0000000007F04000-memory.dmp

Filesize
5.6MB

Download
memory/2376-39-0x0000000007450000-0x00000000074E2000-memory.dmp

Filesize
584KB

Download
memory/2376-40-0x0000000004910000-0x000000000491A000-memory.dmp

Filesize
40KB

Download
memory/3604-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3604-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4800-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download