mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
136s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe
Size

608KB
MD5

1f518ef039d2a698f64f5a6c1105f825
SHA1

c9691253d74e204ec795808adfc8b6b3395e9d40
SHA256

8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b
SHA512

abc844ff4fb6b481cbc0fea297544311ebea272ee64ce67f777fa34b1c217b788f207087c13239b507cc8b90e2279e3c5835cd0e408daf94714c72bbddb7c192
SSDEEP

12288:sMrOy90eK4sPqZRUcvuEhyxbAI7eszmAx8bK8pNnhhRLmBUAe4w:6yMPqZG/Ey7eEVObK8PnhTqUMw

Score

10^/10

mystic smokeloader backdoor persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral9/memory/1892-26-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1892-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1892-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral9/memory/4644-15-0x0000000004A10000-0x0000000004A30000-memory.dmp	net_reactor
behavioral9/memory/4644-18-0x0000000004AD0000-0x0000000004AEE000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
3720	ho4Fh93.exe
4644	1fw69QF3.exe
4832	2rQ1834.exe
4444	3YX42NV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ho4Fh93.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 1892	4832	2rQ1834.exe	101
PID 4444 set thread context of 4360	4444	3YX42NV.exe	108

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3384	4832	WerFault.exe	97
3480	4444	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	1fw69QF3.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 3720	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	85
PID 2144 wrote to memory of 3720	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	85
PID 2144 wrote to memory of 3720	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	85
PID 3720 wrote to memory of 4644	3720	ho4Fh93.exe	86
PID 3720 wrote to memory of 4644	3720	ho4Fh93.exe	86
PID 3720 wrote to memory of 4644	3720	ho4Fh93.exe	86
PID 3720 wrote to memory of 4832	3720	ho4Fh93.exe	97
PID 3720 wrote to memory of 4832	3720	ho4Fh93.exe	97
PID 3720 wrote to memory of 4832	3720	ho4Fh93.exe	97
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 4832 wrote to memory of 1892	4832	2rQ1834.exe	101
PID 2144 wrote to memory of 4444	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	105
PID 2144 wrote to memory of 4444	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	105
PID 2144 wrote to memory of 4444	2144	8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe	105
PID 4444 wrote to memory of 3092	4444	3YX42NV.exe	107
PID 4444 wrote to memory of 3092	4444	3YX42NV.exe	107
PID 4444 wrote to memory of 3092	4444	3YX42NV.exe	107
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108
PID 4444 wrote to memory of 4360	4444	3YX42NV.exe	108

C:\Users\Admin\AppData\Local\Temp\8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe
"C:\Users\Admin\AppData\Local\Temp\8f02e0ba4295116b4506be32206118a19a6184f5b2d4d67ce0083cc2c5a6da1b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ho4Fh93.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ho4Fh93.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fw69QF3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fw69QF3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rQ1834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rQ1834.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 580
      4⤵
      Program crash
      PID:3384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3YX42NV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3YX42NV.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 572
    3⤵
    - Program crash
    PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4832 -ip 4832
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4444 -ip 4444
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3YX42NV.exe

Filesize
148KB

MD5
1378e808a814cb161918699c6c9e429b

SHA1
2b99dd82425483a2384256751ed9a88db6acd05b

SHA256
1fae1c6842c4868d0a4fd8a0f8b421e6602a3fe4955dcc414bcd3d5a80a1bac5

SHA512
00c9b69138c47f0f58f68efca6a4d6d470ffc5937c7d4905db10a77c190f2fe5ad8e49b44612815fa2533448a865bb5dfc022c9c661b6ec7763bec3dbd21f5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ho4Fh93.exe

Filesize
423KB

MD5
ac4ab6efe632df425852a05daefdee7c

SHA1
1fd1d1ed167ac15d6548c8b97a3d75f0dd508915

SHA256
3edf0234ac6f8d70ec3772826ffee23a028e8e1ec31eb37e55ca234f26618da2

SHA512
3e91a0d0507b6d55bcf52c23660a1bf46c4b025a5f541c69835e622cdf736fba88d9d3d4a2828833727114ffd15c57e44c70697ee9a9658676327ecfce650b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fw69QF3.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2rQ1834.exe

Filesize
298KB

MD5
5521b4817e39742e4e2ffe071df61100

SHA1
e9e2e068332533478976c836438578c9af2da85f

SHA256
dcb7615911b247add98bcbaadc3db07dde8a351a9a3b76e8b0b0b00e98a7eca4

SHA512
28a0250429c35f5296e9360b0515ca1a6cccbc4b36841898a77081ac7c21eb7184608ee29a5acc528734843bb0eed9944c6c9608161e3f934d9e4369390930a4

Download Submit
memory/1892-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1892-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1892-26-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4360-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-16-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4644-22-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4644-20-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4644-19-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4644-18-0x0000000004AD0000-0x0000000004AEE000-memory.dmp

Filesize
120KB

Download
memory/4644-17-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/4644-15-0x0000000004A10000-0x0000000004A30000-memory.dmp

Filesize
128KB

Download
memory/4644-14-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads