mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe
Size

1.0MB
MD5

9f6c04bd0bbcf415ffa42768e2183a73
SHA1

a44f938d1c7ad1fc21882a00da4d2f35af3174b6
SHA256

aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3
SHA512

a7075b29cb0a85620f641ed5d72acf198554a0083925a66e0ee2313edf169321c8167058c94004077c31f94cbc2b7a1a5c9d094cb27e26925dcafd6e08788f5f
SSDEEP

24576:Kyv+2Lx/11SMH1d7yboNDkwZmaujBRgSbRBl9Srlb2NP:Rv+K/CavNY4+zgq3srlC

Score

10^/10

mystic redline smokeloader plost backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral16/memory/1212-25-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/1212-26-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral16/memory/1212-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral16/memory/1688-37-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
1308	KL8Ci89.exe
3440	Ws0Cs25.exe
3424	1hG30or6.exe
1488	2il4240.exe
212	3cn07WY.exe
508	4tK390UO.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KL8Ci89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ws0Cs25.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3424 set thread context of 3572	3424	1hG30or6.exe	85
PID 1488 set thread context of 1212	1488	2il4240.exe	88
PID 508 set thread context of 1688	508	4tK390UO.exe	91

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4208	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn07WY.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn07WY.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cn07WY.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	AppLaunch.exe
3572	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 1308	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	82
PID 4700 wrote to memory of 1308	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	82
PID 4700 wrote to memory of 1308	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	82
PID 1308 wrote to memory of 3440	1308	KL8Ci89.exe	83
PID 1308 wrote to memory of 3440	1308	KL8Ci89.exe	83
PID 1308 wrote to memory of 3440	1308	KL8Ci89.exe	83
PID 3440 wrote to memory of 3424	3440	Ws0Cs25.exe	84
PID 3440 wrote to memory of 3424	3440	Ws0Cs25.exe	84
PID 3440 wrote to memory of 3424	3440	Ws0Cs25.exe	84
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3424 wrote to memory of 3572	3424	1hG30or6.exe	85
PID 3440 wrote to memory of 1488	3440	Ws0Cs25.exe	86
PID 3440 wrote to memory of 1488	3440	Ws0Cs25.exe	86
PID 3440 wrote to memory of 1488	3440	Ws0Cs25.exe	86
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1488 wrote to memory of 1212	1488	2il4240.exe	88
PID 1308 wrote to memory of 212	1308	KL8Ci89.exe	89
PID 1308 wrote to memory of 212	1308	KL8Ci89.exe	89
PID 1308 wrote to memory of 212	1308	KL8Ci89.exe	89
PID 4700 wrote to memory of 508	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	90
PID 4700 wrote to memory of 508	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	90
PID 4700 wrote to memory of 508	4700	aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe	90
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91
PID 508 wrote to memory of 1688	508	4tK390UO.exe	91

C:\Users\Admin\AppData\Local\Temp\aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe
"C:\Users\Admin\AppData\Local\Temp\aa03da34a3df5ccd4a8378896e723e73365b3d7713664fcafe751f873108dcc3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KL8Ci89.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KL8Ci89.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws0Cs25.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws0Cs25.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hG30or6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hG30or6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2il4240.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2il4240.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn07WY.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn07WY.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4tK390UO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4tK390UO.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1688

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4tK390UO.exe

Filesize
1.1MB

MD5
fe77925312ef6d6fe198bb23f4f7ccbc

SHA1
e51ba7779fc491488df0067fab8ff0f2a287e18c

SHA256
49a51ab7d5847d49a0b84541c3396507534ce8781a0475ab6eef20f77f2c198f

SHA512
991143abdb509d4d13c3be124a8b8b1a0e2c5032136b938bf20147300048a6416ed32b10452c32bf30c9e2cca678be0949b2fa2db9d000b19421dc30cc50762b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KL8Ci89.exe

Filesize
641KB

MD5
3e8e767f7d2e79c2090fd233c9fc91bf

SHA1
72817414899227d7059da767216eaa018f4d8f1f

SHA256
43445eec066c9d8f91679666ae423b092e12d5d1c9b74a1dd04f602ccde87ab0

SHA512
daeb32f4088afb6e460d358a981e3b10a833a432da495019ddc0acf0b6bc78f5af1a5c30e5fa1352de356baa2b71cd971b8c2e32252669337e96d26ff0bd7070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cn07WY.exe

Filesize
31KB

MD5
a5d2b5187bff43ec33ee9c3fd4217e90

SHA1
8e65d0c12a24dc675f831ce291caef80949587f4

SHA256
9fe056b48a20dcbcefa601585e6ce3e315979f98f5eb7c22e8c30253305de341

SHA512
69deae10ea5405d247e96fee75efcb9a8e0cfd9581829b0a9412526d3e82b4fbd4b9060e9aabfd5f3ec7fab0ec3fb67e561269b3a1e833964a4ccacd42a6b58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ws0Cs25.exe

Filesize
517KB

MD5
9634eebfd5f832f1c1db723e3fc45674

SHA1
1d9768b277009b65daeab5e0ada6665f03ad09e6

SHA256
bab3700e41ce808617827ad9335bf4553ffd411d0d50d753cccb6913a4bb1ffc

SHA512
ce0e07c6cd8fda04ee133d0009c1ab2e1c4884cd36ce99d5dcc64fc12bd7236be7dd15e03563a51029d8e7d1df745fcee885fa505e60217a83a34637fc165f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hG30or6.exe

Filesize
869KB

MD5
30dd76d725a70f794ee06eab1b8f4f77

SHA1
bc0a8d3e9ac1be5bd0caeb70b5a4511580a258c3

SHA256
04affaf5ac9124656a363e040a898b457b1a1190de39cf9cf8f2349cce37d66d

SHA512
672a032b9d61cd2b23fe1b45c69cb9038b103a8f01d1ddd874e2c6ecf5a3fe303700e1f70d2283cabd105c8b3e4dd8d7dd44539f4a13ce803a7772b5860b7d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2il4240.exe

Filesize
1.0MB

MD5
e77c18ab4189c1e4111631f11a15d6a5

SHA1
de61d89b227426000526ecf1659ebe3d16e063de

SHA256
8d7667f5e70abbb8e6e0888900bf53771265aef7c6de4909963e49700b3f9f64

SHA512
352d425966c21fa52d576801b312cb2cff98ccd3bb8a313a2eb3c6c4d8614b2a68b0fe98246aa80272ae25a61a55763a6d85ad282291f5f7029dbcea66c1ba92

Download Submit
memory/212-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/212-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1212-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1212-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-37-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1688-38-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/1688-39-0x00000000076B0000-0x0000000007742000-memory.dmp

Filesize
584KB

Download
memory/1688-40-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/1688-41-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/1688-42-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/1688-43-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/1688-44-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/1688-45-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

Filesize
304KB

Download
memory/3572-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download