mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe
Size

743KB
MD5

8007f70cede5d57d0c0e7783516c91b1
SHA1

944d21a372168dc1b9b5706e6de4623fba31b4ac
SHA256

7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411
SHA512

b7e5748347a5ebb32f9dc6ce9fcf153a0484fff0cc5623d22d5cf1cb55a149dfb42ebecda43298d4fe3353c6bf5fc94b5697fd106e88faac3534fdd822f5c4f1
SSDEEP

12288:7MrRy90KTCaViOOvzI6irYlpoUHNoHhaKm3pouixDUD9I:qyL+axOL5JpBmno2uiRUD9I

Score

10^/10

mystic redline smokeloader breha backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral9/memory/900-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/900-26-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/900-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral9/memory/2960-36-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
1480	DG2Uo92.exe
1624	qv7ZC27.exe
3968	1IY27nV8.exe
1508	2Gp2431.exe
3664	3GE67BJ.exe
3848	4nT383Hw.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DG2Uo92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qv7ZC27.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3968 set thread context of 540	3968	1IY27nV8.exe	89
PID 1508 set thread context of 900	1508	2Gp2431.exe	95
PID 3664 set thread context of 3416	3664	3GE67BJ.exe	100
PID 3848 set thread context of 2960	3848	4nT383Hw.exe	108

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1356	3968	WerFault.exe	85
3392	1508	WerFault.exe	93
1948	3664	WerFault.exe	98
2732	3848	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
540	AppLaunch.exe
540	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	AppLaunch.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 1480	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	83
PID 4452 wrote to memory of 1480	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	83
PID 4452 wrote to memory of 1480	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	83
PID 1480 wrote to memory of 1624	1480	DG2Uo92.exe	84
PID 1480 wrote to memory of 1624	1480	DG2Uo92.exe	84
PID 1480 wrote to memory of 1624	1480	DG2Uo92.exe	84
PID 1624 wrote to memory of 3968	1624	qv7ZC27.exe	85
PID 1624 wrote to memory of 3968	1624	qv7ZC27.exe	85
PID 1624 wrote to memory of 3968	1624	qv7ZC27.exe	85
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 3968 wrote to memory of 540	3968	1IY27nV8.exe	89
PID 1624 wrote to memory of 1508	1624	qv7ZC27.exe	93
PID 1624 wrote to memory of 1508	1624	qv7ZC27.exe	93
PID 1624 wrote to memory of 1508	1624	qv7ZC27.exe	93
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1508 wrote to memory of 900	1508	2Gp2431.exe	95
PID 1480 wrote to memory of 3664	1480	DG2Uo92.exe	98
PID 1480 wrote to memory of 3664	1480	DG2Uo92.exe	98
PID 1480 wrote to memory of 3664	1480	DG2Uo92.exe	98
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 3664 wrote to memory of 3416	3664	3GE67BJ.exe	100
PID 4452 wrote to memory of 3848	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	105
PID 4452 wrote to memory of 3848	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	105
PID 4452 wrote to memory of 3848	4452	7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe	105
PID 3848 wrote to memory of 4552	3848	4nT383Hw.exe	107
PID 3848 wrote to memory of 4552	3848	4nT383Hw.exe	107
PID 3848 wrote to memory of 4552	3848	4nT383Hw.exe	107
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108
PID 3848 wrote to memory of 2960	3848	4nT383Hw.exe	108

C:\Users\Admin\AppData\Local\Temp\7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe
"C:\Users\Admin\AppData\Local\Temp\7e4d47aad3f9ebbd9422d69a7b96b1808810801c43b385031da5bd1472cbd411.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DG2Uo92.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DG2Uo92.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qv7ZC27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qv7ZC27.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1IY27nV8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1IY27nV8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 552
        5⤵
        Program crash
        
        PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gp2431.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gp2431.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 148
        5⤵
        Program crash
        
        PID:3392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE67BJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE67BJ.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:3416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 592
      4⤵
      Program crash
      PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4nT383Hw.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4nT383Hw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 152
    3⤵
    - Program crash
    PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3968 -ip 3968
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1508 -ip 1508
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3664 -ip 3664
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3848 -ip 3848
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4nT383Hw.exe

Filesize
336KB

MD5
9e3258d7d48bcf90a1de3768ce6a96c6

SHA1
e54ebc4e997d3fd1b0daedee9619343a04741c28

SHA256
e11ab1641030329fdf3364a915807a0bd6f9149b6b891c79bf8b001f2eed1686

SHA512
337861b93ee25dfab4022d7c8e5db3305bfb089bf058c9603ed639d16b8d36a2d09686d75dcbd308e63e6591714a403b6a0e869c8a34bfd08aef2070372d7ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DG2Uo92.exe

Filesize
509KB

MD5
c7227d309c37d8ffb02ed710de7d6785

SHA1
6a1a202fb7669eb0f8f6ec5d5d2709d49b8c3eaa

SHA256
13a6782f472f01fb560dcc1dbb27b5a473c41f56c5daf765f8c6e5a9ece3d890

SHA512
886c35f31a33821ac72040b81fce8bc238746438acefe208eab43c2df47a8b46099b9ba49ffac5259f52805ad72333d7282ac1280d1246b5432fb4450e93d76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE67BJ.exe

Filesize
145KB

MD5
64170dcbb2570559237e3064caca8aa8

SHA1
6e8960e86e3f2cabd6a6bd6ec6ffc567f1f39b9d

SHA256
ab5609496cd7e2238ad2aa9ec4df2d30876ca4a3feef68be07e83140aa02d42c

SHA512
6d6140526b7cf791e3496fc7c7a304c5198c7b33aef13ee823af1aeef54246e23e1b99911852a143ee9b291c2b7d4b1753a013de0055db9f78824ad492833c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qv7ZC27.exe

Filesize
325KB

MD5
d24f862f452d59deab6e0f08e1635982

SHA1
0e3f6fa2624167cc6981e67fe243f593739c4b14

SHA256
0c98f54f849394f5f18202a12bc0f6fcc39198b8dadf136081ffcecd1ecce63c

SHA512
39e8fd31e42852b1078cb14fdff0872612210735e92fec708bb7b3e998931a3097af1027bb58f7951270a4d37e94ef0a151b6127863f276dc2c880a313e6c38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1IY27nV8.exe

Filesize
129KB

MD5
4ed940ea493451635145489ffbdec386

SHA1
4b5d0ba229b8ac04f753864c1170da0070673e35

SHA256
b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

SHA512
8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gp2431.exe

Filesize
295KB

MD5
aace7e6f87d7b85254de727a03634a6f

SHA1
aee2b626ced061f75aa0246f8a76184deab9164f

SHA256
10fc79fcb203a3d8e6b2a7241af770bc84d50976369ffc6ee6c7c608f13722af

SHA512
dc0bdc9c0022a02aa0a683085975d5b98a31a5daac7bf34b03c99690dbcb1939c6c4f75f4337e290fa85d8ad40f5e0e30f755403679107d8c688489c6a8b3dbf

Download Submit
memory/540-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/900-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/900-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/900-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2960-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-37-0x00000000079F0000-0x0000000007F94000-memory.dmp

Filesize
5.6MB

Download
memory/2960-38-0x00000000074E0000-0x0000000007572000-memory.dmp

Filesize
584KB

Download
memory/2960-39-0x00000000049B0000-0x00000000049BA000-memory.dmp

Filesize
40KB

Download
memory/2960-40-0x00000000085C0000-0x0000000008BD8000-memory.dmp

Filesize
6.1MB

Download
memory/2960-41-0x00000000077F0000-0x00000000078FA000-memory.dmp

Filesize
1.0MB

Download
memory/2960-42-0x00000000074A0000-0x00000000074B2000-memory.dmp

Filesize
72KB

Download
memory/2960-43-0x00000000076E0000-0x000000000771C000-memory.dmp

Filesize
240KB

Download
memory/2960-44-0x0000000007670000-0x00000000076BC000-memory.dmp

Filesize
304KB

Download
memory/3416-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download