mystic | cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
Size

508KB
MD5

08f93718f532a5b6806992822abd5319
SHA1

bf256764f2a7e66ce6043af9a36558d8ebfae3c2
SHA256

0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179
SHA512

01731396c4eddfca44f4421e74fff0c6a9551f87fcf4f6799e5a001ec1872cb398ffd66aaadc09bb92cedc47cb9e193b635f36d82a067d70a448764c47650801
SSDEEP

12288:tMr7y90cskbQBr9Sm/zFAUl4RI27Senp1/oGjhvC:SytQBHzFFs3/oGtC

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3960-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/3960-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/3960-19-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

GS3jc24.exe1FT75fe4.exe2NR7454.exe3Pm23bi.exe

pid process

2820 GS3jc24.exe
5028 1FT75fe4.exe
4568 2NR7454.exe
4188 3Pm23bi.exe

pid	process
2820	GS3jc24.exe
5028	1FT75fe4.exe
4568	2NR7454.exe
4188	3Pm23bi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exeGS3jc24.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	GS3jc24.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1FT75fe4.exe2NR7454.exe3Pm23bi.exe

description	pid	process	target process
PID 5028 set thread context of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 4568 set thread context of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4188 set thread context of 4008	4188	3Pm23bi.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4264 5028 WerFault.exe 1FT75fe4.exe
4764 4568 WerFault.exe 2NR7454.exe
644 4188 WerFault.exe 3Pm23bi.exe

pid	pid_target	process	target process
4264	5028	WerFault.exe	1FT75fe4.exe
4764	4568	WerFault.exe	2NR7454.exe
644	4188	WerFault.exe	3Pm23bi.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

3328 AppLaunch.exe
3328 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3328 AppLaunch.exe

pid	process
3328	AppLaunch.exe
3328	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3328	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exeGS3jc24.exe1FT75fe4.exe2NR7454.exe3Pm23bi.exe

description	pid	process	target process
PID 2760 wrote to memory of 2820	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	GS3jc24.exe
PID 2760 wrote to memory of 2820	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	GS3jc24.exe
PID 2760 wrote to memory of 2820	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	GS3jc24.exe
PID 2820 wrote to memory of 5028	2820	GS3jc24.exe	1FT75fe4.exe
PID 2820 wrote to memory of 5028	2820	GS3jc24.exe	1FT75fe4.exe
PID 2820 wrote to memory of 5028	2820	GS3jc24.exe	1FT75fe4.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 5028 wrote to memory of 3328	5028	1FT75fe4.exe	AppLaunch.exe
PID 2820 wrote to memory of 4568	2820	GS3jc24.exe	2NR7454.exe
PID 2820 wrote to memory of 4568	2820	GS3jc24.exe	2NR7454.exe
PID 2820 wrote to memory of 4568	2820	GS3jc24.exe	2NR7454.exe
PID 4568 wrote to memory of 3840	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3840	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3840	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 4568 wrote to memory of 3960	4568	2NR7454.exe	AppLaunch.exe
PID 2760 wrote to memory of 4188	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	3Pm23bi.exe
PID 2760 wrote to memory of 4188	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	3Pm23bi.exe
PID 2760 wrote to memory of 4188	2760	0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe	3Pm23bi.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe
PID 4188 wrote to memory of 4008	4188	3Pm23bi.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe
"C:\Users\Admin\AppData\Local\Temp\0f998493b83f94488301c2a7f85ec4ad445820110ece601aee7e9d15a5ae5179.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 568
4⤵
- Program crash
PID:4264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 584
4⤵
- Program crash
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 152
3⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5028 -ip 5028
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4568 -ip 4568
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4188 -ip 4188
1⤵
PID:3812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Pm23bi.exe
Filesize
145KB

MD5
9bb0eb72d32ec101bc3815421314f021

SHA1
1d841de7459312d07946eb0dae13a4c87bc0ca3c

SHA256
3d5d022325d8cab27839dfecc7bb90cf6b6aa9e98c09f6092f85ed6e048d190d

SHA512
9d1d41309bc29ee325e47a7e533ac89c0b3244c4a45f1fc56d600d374f7aad6e95f34602e17178f05e7e4d4593a377f0b318b4a35ff33a6cdd529f72ef0bd3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GS3jc24.exe
Filesize
324KB

MD5
01ef9ff7ae7d9bf431b69d3071431266

SHA1
5177778dced679e5f8b51b7f2db415d941a50afd

SHA256
c3fb710c4c8b6204f6f6950a15743f9d94ceda63399f4b6bcbe1dbfb65058f01

SHA512
40915b996fb75c48c4c62876cb2815280f626afce175b740043e6248dcad5dfae2fbd8fdf615fe69e4f4191140a8480deeec8bc0b47288c64d0473c0f4191a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1FT75fe4.exe
Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2NR7454.exe
Filesize
295KB

MD5
74f239f9f94d46453dc31466f26f7640

SHA1
23da44b3dd957bfd5cb307c52186a2d3d75b0bc8

SHA256
81dbdaaefa4798995ed214aaaccd2175a91cc438d51b53da625d5d330eb0b304

SHA512
9fbeaadfe94ef04915e109e07ca0a0d698542073f7f3800c75b30d248a6206ed2b70d6a5a83c25bb349877304d7d5dc4426e6f2e66b1bd9585dd09ff04a6fb20

Download Submit
memory/3328-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3328-15-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/3960-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4008-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download