mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe
Size

1.3MB
MD5

11728981fb1adc2e63a6b2d6fcde146e
SHA1

fa4e657cc1864bc8b3ce2becd08754443c554ce3
SHA256

2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279
SHA512

a4773eac380244c47c6bbd70fd55b93ae3c84d1c9ae72d7872ed33bee50fa60d6fb57588a8a2e91a4ebe7dee61e6df9370eb884a08f2922cf35b3f47cc6fe04b
SSDEEP

24576:gyoY+pehFeujvFIrFR2g9sJIHynJ6UwcOJHdaK5jBpqY:noY8eBOrFR2R2HyJ6RcOZdaK5

Score

10^/10

mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hV1305.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1by86Ir5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1by86Ir5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1by86Ir5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1by86Ir5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1by86Ir5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1by86Ir5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1by86Ir5.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3696-63-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 6 IoCs

Processes:

aN8cu72.exejM2MJ15.exe1by86Ir5.exe2hV1305.exe3dS49FM.exe4pK492br.exe

pid process

4892 aN8cu72.exe
3168 jM2MJ15.exe
4084 1by86Ir5.exe
3564 2hV1305.exe
1900 3dS49FM.exe
832 4pK492br.exe

pid	process
4892	aN8cu72.exe
3168	jM2MJ15.exe
4084	1by86Ir5.exe
3564	2hV1305.exe
1900	3dS49FM.exe
832	4pK492br.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1by86Ir5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1by86Ir5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1by86Ir5.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exeaN8cu72.exejM2MJ15.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	aN8cu72.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jM2MJ15.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3dS49FM.exe4pK492br.exe

description	pid	process	target process
PID 1900 set thread context of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 832 set thread context of 3696	832	4pK492br.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3576 1900 WerFault.exe 3dS49FM.exe
4652 832 WerFault.exe 4pK492br.exe

pid	pid_target	process	target process
3576	1900	WerFault.exe	3dS49FM.exe
4652	832	WerFault.exe	4pK492br.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1by86Ir5.exe

pid process

4084 1by86Ir5.exe
4084 1by86Ir5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1by86Ir5.exe

description pid process

Token: SeDebugPrivilege 4084 1by86Ir5.exe

pid	process
4084	1by86Ir5.exe
4084	1by86Ir5.exe

description	pid	process
Token: SeDebugPrivilege	4084	1by86Ir5.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exeaN8cu72.exejM2MJ15.exe3dS49FM.exe4pK492br.exe

description	pid	process	target process
PID 4296 wrote to memory of 4892	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	aN8cu72.exe
PID 4296 wrote to memory of 4892	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	aN8cu72.exe
PID 4296 wrote to memory of 4892	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	aN8cu72.exe
PID 4892 wrote to memory of 3168	4892	aN8cu72.exe	jM2MJ15.exe
PID 4892 wrote to memory of 3168	4892	aN8cu72.exe	jM2MJ15.exe
PID 4892 wrote to memory of 3168	4892	aN8cu72.exe	jM2MJ15.exe
PID 3168 wrote to memory of 4084	3168	jM2MJ15.exe	1by86Ir5.exe
PID 3168 wrote to memory of 4084	3168	jM2MJ15.exe	1by86Ir5.exe
PID 3168 wrote to memory of 4084	3168	jM2MJ15.exe	1by86Ir5.exe
PID 3168 wrote to memory of 3564	3168	jM2MJ15.exe	2hV1305.exe
PID 3168 wrote to memory of 3564	3168	jM2MJ15.exe	2hV1305.exe
PID 3168 wrote to memory of 3564	3168	jM2MJ15.exe	2hV1305.exe
PID 4892 wrote to memory of 1900	4892	aN8cu72.exe	3dS49FM.exe
PID 4892 wrote to memory of 1900	4892	aN8cu72.exe	3dS49FM.exe
PID 4892 wrote to memory of 1900	4892	aN8cu72.exe	3dS49FM.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 1900 wrote to memory of 1204	1900	3dS49FM.exe	AppLaunch.exe
PID 4296 wrote to memory of 832	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	4pK492br.exe
PID 4296 wrote to memory of 832	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	4pK492br.exe
PID 4296 wrote to memory of 832	4296	2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe	4pK492br.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe
PID 832 wrote to memory of 3696	832	4pK492br.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe
"C:\Users\Admin\AppData\Local\Temp\2d47818e79d8f9acc3caa85a2d99191ec3eff5843f379ecb9acf5e8610da5279.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aN8cu72.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aN8cu72.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2MJ15.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2MJ15.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1by86Ir5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1by86Ir5.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hV1305.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hV1305.exe
4⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dS49FM.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dS49FM.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Checks SCSI registry key(s)
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 616
4⤵
- Program crash
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pK492br.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pK492br.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 596
3⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1900 -ip 1900
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 832 -ip 832
1⤵
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pK492br.exe
Filesize
1.8MB

MD5
fb617d002d8e639ce3b846a599ff11d9

SHA1
d2cedf0c68096175c558b167bdf8ae36cd35b745

SHA256
6a707af2d1e3fadc607d5feeb1c107d0b0de255f3e5773a2713f9dea6e7b6dff

SHA512
83f9f3e4e0331a98568999463e697d7a7f0f2b3aa8054f2190b04d6c5699e04443e7db7af31342e5b9730d610997f153206342349433000b520f638ba9e5f5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aN8cu72.exe
Filesize
840KB

MD5
97fab7e69268dafac9d44f2d90bbedea

SHA1
9c75e418e7e528d49089f0e37391e3de12c21679

SHA256
0f6232cef5511fdc3b92fb32ceef7c112c8a7f45ac431123971b5953c4796829

SHA512
8c0c1de29ebd6f819616068c4c7f16d45ad14dd195836723fb8cfd8cebd726d48e1fb5dc62fbc695a79f0f05d9c73b7aca38abd01ecde23b160fb23c1a437ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3dS49FM.exe
Filesize
1.6MB

MD5
4024e24f433e1864343b04f2dc769a1b

SHA1
08f9ed5f8d347f7cc3e9fa7b9bd444bba7450cc8

SHA256
07a08ecb2baa3b75ed7ad4770c2c70ecd32a777ae5ba0b915edb4c1dfff4a5d5

SHA512
fc88d5701f44d1108136e2b26ac0b9ca24f15ca207ffce809fe6f0d139a206c9899a55674344a7283d0ffff1d42a08884ab5d7609b852ae958334b14e7abea26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2MJ15.exe
Filesize
362KB

MD5
6d6d9ccc69c3975792e297253b04f5ab

SHA1
c56afe9a5b08bf9ce492d9d54390f7c28da76f60

SHA256
1de7b097aa63309ab3baca6076374e0121e3bb250e01e51118b32cc0647e428b

SHA512
9ccd2e40f02e6d8bbff419a561516e2c9cf3c67a7031a9949ec59eb49dda89319428ca4d4e77b199837f3082cbc3d49dd468ba65100841a2269b5fdfaf59121a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1by86Ir5.exe
Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2hV1305.exe
Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
memory/1204-59-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3696-67-0x0000000007660000-0x000000000776A000-memory.dmp

Filesize
1.0MB

Download
memory/3696-66-0x0000000008450000-0x0000000008A68000-memory.dmp

Filesize
6.1MB

Download
memory/3696-65-0x0000000004810000-0x000000000481A000-memory.dmp

Filesize
40KB

Download
memory/3696-64-0x0000000007370000-0x0000000007402000-memory.dmp

Filesize
584KB

Download
memory/3696-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-68-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/3696-69-0x00000000075B0000-0x00000000075EC000-memory.dmp

Filesize
240KB

Download
memory/3696-70-0x00000000075F0000-0x000000000763C000-memory.dmp

Filesize
304KB

Download
memory/4084-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-48-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4084-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/4084-22-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/4084-21-0x00000000048D0000-0x00000000048EE000-memory.dmp

Filesize
120KB

Download