mystic | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe
Size

645KB
MD5

ef0669622d6448e4556501afe1dad056
SHA1

c85d621294c88c8050b202b0e20f62d7889a86c5
SHA256

142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59
SHA512

64f71711babea80de14ca75680b8abb38ce5326b86925f6121a3a3724739158930c09b6b077d473e08661b508ae585973c7e6dd31a848f06bf16b2eb67026b34
SSDEEP

12288:aMray909okg/mJPJBxxSrCUHBayC0xzVN5Hn7uQQrzHWw:cy6HJ5UdhadGzVLHCr7Ww

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/2340-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/2340-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral2/memory/2340-19-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
4324	ER7ZO53.exe
3824	1Jb47aJ2.exe
4852	2ef9383.exe
4612	3FJ40tG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ER7ZO53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3824 set thread context of 4820	3824	1Jb47aJ2.exe	87
PID 4852 set thread context of 2340	4852	2ef9383.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FJ40tG.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FJ40tG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FJ40tG.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4820	AppLaunch.exe
4820	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4324	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	85
PID 1996 wrote to memory of 4324	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	85
PID 1996 wrote to memory of 4324	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	85
PID 4324 wrote to memory of 3824	4324	ER7ZO53.exe	86
PID 4324 wrote to memory of 3824	4324	ER7ZO53.exe	86
PID 4324 wrote to memory of 3824	4324	ER7ZO53.exe	86
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 3824 wrote to memory of 4820	3824	1Jb47aJ2.exe	87
PID 4324 wrote to memory of 4852	4324	ER7ZO53.exe	88
PID 4324 wrote to memory of 4852	4324	ER7ZO53.exe	88
PID 4324 wrote to memory of 4852	4324	ER7ZO53.exe	88
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 4852 wrote to memory of 2340	4852	2ef9383.exe	90
PID 1996 wrote to memory of 4612	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	91
PID 1996 wrote to memory of 4612	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	91
PID 1996 wrote to memory of 4612	1996	142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe	91

C:\Users\Admin\AppData\Local\Temp\142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe
"C:\Users\Admin\AppData\Local\Temp\142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER7ZO53.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER7ZO53.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jb47aJ2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jb47aJ2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ef9383.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ef9383.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FJ40tG.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FJ40tG.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FJ40tG.exe

Filesize
31KB

MD5
0c60dc000d08a97e584db700c23f486e

SHA1
1f216996ecc70011624c09ba2b1cd7c4f5c51964

SHA256
967172026135b940948c9b5fe8f63fb4bfd462cbf5d1140262b13c66028d8d39

SHA512
2250ae181d9b7af35126bc3492b32cf24220a909f802301267421ddbdbf9824afee5f7fa1242adf5e15e4f4b40abaa60166c6b167ad5286bb38ea03e3801dccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ER7ZO53.exe

Filesize
520KB

MD5
f346ea95de2b6798a719cb31ac5d0bee

SHA1
0b8d003e0e65c2dc1d17056bd5b2653dd7f15e5e

SHA256
efc8bc507e209597af278cc2aea99c47bda1cf652e0b778be31ebbde1732a2a5

SHA512
9849acb7dd4c8ed5d7fd268e9062d0a1a02e78f6819c92ea4cbe57048f726c7bbc2724a54918cdb3669e77a6b15225ac75a2c4fb57aaff4d29a4d92c39adfb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jb47aJ2.exe

Filesize
869KB

MD5
f387640a209aecb0c90b8f1e34336797

SHA1
15b7666b93c541ae347806317d960589005ae2cd

SHA256
04de1502a47290c5318ab8a07bc45c3267be8c621ecfce3afd63517098b3e756

SHA512
d8c79dd36bc4f056286eebb9478a92b32591bc35b6a7a6a9d565448557df65852510f43cd3c586f5de0467df766e58f110ac744d8f27273cb4a46502be9bfaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ef9383.exe

Filesize
1.0MB

MD5
21ca6d9e474ccb28faacb35f436fe8e4

SHA1
8e78bed30accf9e921538a06cb7caf98c9c1d2c2

SHA256
143a4e5dd66463b2434597a5ddba47f9114e3f353c0c455e070ec802f90c23e9

SHA512
7223cd673addc4a4365efc013948a18f6edd2f9df32525c6040104485d2b5e681eb13f1f8d39e79b6c344963a7690b71e4293fd952bbfb4eda2d3103b8fb8459

Download Submit
memory/2340-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4612-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4820-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download