mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
142s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe
Size

642KB
MD5

68ba92e8a25094909f917df7529250b9
SHA1

dce2e66744525105b2f3ae80eb1f3ab2c3133918
SHA256

869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1
SHA512

000be4531b85fe06922d7182a4ca22099a677ba19d49bf7b69a4ea7bcf993fa7c13659b03b397082bb374c10f6db578f4d3c998babdfbe152cc4f64750081655
SSDEEP

12288:+Mriy907x3OTU9T2AOonWUoeoKelFZM8sgbyvRDUz2uDuYQC9K:Qy8x+TUx4j3FAgby5Iz2I8

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/1768-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral6/memory/1768-19-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral6/memory/1768-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
736	Ll7jj11.exe
4736	1Hl72Sm0.exe
3124	2DP8586.exe
5004	3Td34ob.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ll7jj11.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 2796	4736	1Hl72Sm0.exe	84
PID 3124 set thread context of 1768	3124	2DP8586.exe	87

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2184	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Td34ob.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Td34ob.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Td34ob.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2796	AppLaunch.exe
2796	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 736	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	82
PID 4816 wrote to memory of 736	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	82
PID 4816 wrote to memory of 736	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	82
PID 736 wrote to memory of 4736	736	Ll7jj11.exe	83
PID 736 wrote to memory of 4736	736	Ll7jj11.exe	83
PID 736 wrote to memory of 4736	736	Ll7jj11.exe	83
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 4736 wrote to memory of 2796	4736	1Hl72Sm0.exe	84
PID 736 wrote to memory of 3124	736	Ll7jj11.exe	85
PID 736 wrote to memory of 3124	736	Ll7jj11.exe	85
PID 736 wrote to memory of 3124	736	Ll7jj11.exe	85
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 3124 wrote to memory of 1768	3124	2DP8586.exe	87
PID 4816 wrote to memory of 5004	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	88
PID 4816 wrote to memory of 5004	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	88
PID 4816 wrote to memory of 5004	4816	869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe	88

C:\Users\Admin\AppData\Local\Temp\869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe
"C:\Users\Admin\AppData\Local\Temp\869bcbfd039d3500134922f4d0ada9e8c16892c8167d8dfe873bf3063d0ef1c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ll7jj11.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ll7jj11.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Hl72Sm0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Hl72Sm0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2DP8586.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2DP8586.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1768
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Td34ob.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Td34ob.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID:5004

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Td34ob.exe

Filesize
31KB

MD5
ee0c3786564939ae78d1484fae50663d

SHA1
e30f2d60fb1fb47cb4b3cf31af1b93c7b2f52070

SHA256
e4a987cade8ce6ab0d7e0d18aa515342422fd5a4b451eba4ab70c3348c0f2101

SHA512
51928a3521a305b6621765792bd5385dbacbc3667082a036733345ce4e28c3b84678b64f7dccd57fc1ff5da62f46d92bcbf4b098245daeef519231efa83e13d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ll7jj11.exe

Filesize
518KB

MD5
2ea5add7241091421a42ded256b8bc40

SHA1
38249951f7d0eab56ee32c51add8bcfb064db014

SHA256
f44880b747d796878efab66bb15c096e776f3d3f63bebc262f630f0637bd9b74

SHA512
6c3398224497b93f87635420b8f539e81ea24b692dcaa587764b6e53b361cc96795e98cc88fdb4ff710455b263dc37d621b99528a1b272c76c0616e2c3e20934

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Hl72Sm0.exe

Filesize
869KB

MD5
ff960d9d6e13e1c269e222ebfd258654

SHA1
e90dbc5f9fbdaa2d1113dac3be5bd41657824735

SHA256
36a694b2da8180f1148c7acb9649b11f70dd2e0d7328f4bbf62010adb88b55ec

SHA512
2b26a3064e295fa546ec0cab7ecea50b63ddd0bf56fa808633f8e499390f387d62e02a6334362ca67ee718f3ea8ac7227fdd34aa1deb71657ca373e63f09d293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2DP8586.exe

Filesize
1.0MB

MD5
0c49f82a6e2a8192269a7432c9261d0d

SHA1
5d27c8ec6d31f7697ab604abf56ecacb0c7e5401

SHA256
966462bfcb6b35408db1e5a3d555fc1111235a9c235dbaf3eba8f54a092dee35

SHA512
b71e816da7e165c8a51f5217e308d871016f4f5410aa1487de6e1c87a00f6ad60ebffcef2ae7f4915bc89256c1db213bccd067aa339d9019b1ab037615bed68c

Download Submit
memory/1768-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5004-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5004-25-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download