mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
144s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Size

508KB
MD5

e6833a21a604a3c8ab01355dcd97b2c2
SHA1

4809d45faa3a7bfc8d8b30b2733e941bfb4fb52e
SHA256

498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f
SHA512

c66cc61603a7a0f3f329ec95bfc82a747a0b0cd64561c9d5d87d5e21a0cbe468ccee5d55a4fd7ef56d278cf8b50319e7500459802741addf3ea13519350e68e3
SSDEEP

12288:gMrIy90lSHpAvVRYEBOhtCr3+903jhZ2XQe:4ySgpSVRYZIuShsXQe

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2592-19-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/2592-20-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral2/memory/2592-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

Vl6PO87.exe1hv66Ib9.exe2AL6717.exe3Gh04Vq.exe

pid process

4660 Vl6PO87.exe
1800 1hv66Ib9.exe
4960 2AL6717.exe
4992 3Gh04Vq.exe

pid	process
4660	Vl6PO87.exe
1800	1hv66Ib9.exe
4960	2AL6717.exe
4992	3Gh04Vq.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exeVl6PO87.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vl6PO87.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1hv66Ib9.exe2AL6717.exe3Gh04Vq.exe

description	pid	process	target process
PID 1800 set thread context of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 4960 set thread context of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4992 set thread context of 1728	4992	3Gh04Vq.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2148 1800 WerFault.exe 1hv66Ib9.exe
1436 4960 WerFault.exe 2AL6717.exe
2260 4992 WerFault.exe 3Gh04Vq.exe

pid	pid_target	process	target process
2148	1800	WerFault.exe	1hv66Ib9.exe
1436	4960	WerFault.exe	2AL6717.exe
2260	4992	WerFault.exe	3Gh04Vq.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

4152 AppLaunch.exe
4152 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 4152 AppLaunch.exe

pid	process
4152	AppLaunch.exe
4152	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4152	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exeVl6PO87.exe1hv66Ib9.exe2AL6717.exe3Gh04Vq.exe

description	pid	process	target process
PID 3984 wrote to memory of 4660	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	Vl6PO87.exe
PID 3984 wrote to memory of 4660	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	Vl6PO87.exe
PID 3984 wrote to memory of 4660	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	Vl6PO87.exe
PID 4660 wrote to memory of 1800	4660	Vl6PO87.exe	1hv66Ib9.exe
PID 4660 wrote to memory of 1800	4660	Vl6PO87.exe	1hv66Ib9.exe
PID 4660 wrote to memory of 1800	4660	Vl6PO87.exe	1hv66Ib9.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 1800 wrote to memory of 4152	1800	1hv66Ib9.exe	AppLaunch.exe
PID 4660 wrote to memory of 4960	4660	Vl6PO87.exe	2AL6717.exe
PID 4660 wrote to memory of 4960	4660	Vl6PO87.exe	2AL6717.exe
PID 4660 wrote to memory of 4960	4660	Vl6PO87.exe	2AL6717.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 4960 wrote to memory of 2592	4960	2AL6717.exe	AppLaunch.exe
PID 3984 wrote to memory of 4992	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	3Gh04Vq.exe
PID 3984 wrote to memory of 4992	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	3Gh04Vq.exe
PID 3984 wrote to memory of 4992	3984	498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe	3Gh04Vq.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe
PID 4992 wrote to memory of 1728	4992	3Gh04Vq.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
"C:\Users\Admin\AppData\Local\Temp\498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vl6PO87.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vl6PO87.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv66Ib9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv66Ib9.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 552
4⤵
- Program crash
PID:2148

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AL6717.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AL6717.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 152
4⤵
- Program crash
PID:1436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Gh04Vq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Gh04Vq.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 584
3⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1800 -ip 1800
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4960 -ip 4960
1⤵
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4992 -ip 4992
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Gh04Vq.exe

Filesize
145KB

MD5
8542337aa909d166e7a522078bafddbe

SHA1
a9c38fd9ca014dccc533f2affa431b4251f7628c

SHA256
cc55656469d96d3718f2e926577f6e60612e6d5c564f397f3f70a2027ffe71f6

SHA512
e236adb3d846e7143d2840b4fb3c5be1a69beb5c07630faf9708c772d658cb1b7efe05c87f3cd21deafa0020094556996e04225108e1ea012173fe7a1b307e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vl6PO87.exe

Filesize
324KB

MD5
13d31da71757b05495abbe8e458fc704

SHA1
7613a6fbdfb6469d98e14f92e47bf4de8a14df45

SHA256
dfd0b7a02e3a4caf9d23bbdb411b9d473ccfc0c95d83d358b69ef0f11ffdff72

SHA512
991b9fb716c92ca4e3f96fa04bd5209c9afa2910f325bb63eac2e2d2a8851cf8a3f656fc6181860ee339fb2f3306bb9750fbb7a655e9bafe9d3ed4279ea061ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1hv66Ib9.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AL6717.exe

Filesize
295KB

MD5
480d1ad80b21cd8d739809c6f8e2e24b

SHA1
022a8c4741cf3ca41345c9019bc98987c2d7b34e

SHA256
bfe793dab4dbac74da72433ed5ba1ad54f8fcdfea31975c4cdd3cb0d721d7097

SHA512
69a33092b2dc1e025b4e1bc0527be2bd483c82728df35e395b9b43df3d65ea264c655a276f20a8e51325e6a4dc139db4afd7a73179e8a392084c314f16ba1b5c

Download Submit
memory/1728-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2592-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2592-20-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2592-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4152-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4152-15-0x0000000074A4E000-0x0000000074A4F000-memory.dmp

Filesize
4KB

Download