mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe
Size

991KB
MD5

f68673838cfdf0022d6c83718855e777
SHA1

e6f2d528fd01636b01e25e9d13820d2ee98e6685
SHA256

ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54
SHA512

913477ffae714db951880d9097d310cdaf6c440db34d13c6bb48b7ac2e5afe3fc27bb20cbce8f7fe65374a3c6911b3ee389b47b4749764774eacf353734f3215
SSDEEP

24576:cybquWadjzZbfJ0bQlr8RVFiMB2ahB/Vbtys:Lp1djFbfJG0BMvf

Score

10^/10

mystic redline smokeloader magia backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

magia

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral21/memory/4932-56-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral21/memory/4932-57-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral21/memory/4932-59-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Ew15De9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Ew15De9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Ew15De9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Ew15De9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1Ew15De9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Ew15De9.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral21/memory/4668-67-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
3360	fY9bx11.exe
1732	AB0Cg45.exe
2720	1Ew15De9.exe
3728	2Wr3587.exe
4640	3ZA20EP.exe
680	4og835Ic.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1Ew15De9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Ew15De9.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fY9bx11.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AB0Cg45.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 4932	3728	2Wr3587.exe	97
PID 4640 set thread context of 2348	4640	3ZA20EP.exe	103
PID 680 set thread context of 4668	680	4og835Ic.exe	108

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2160	3728	WerFault.exe	95
940	4640	WerFault.exe	101
4448	680	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2720	1Ew15De9.exe
2720	1Ew15De9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	1Ew15De9.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3360	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	82
PID 4944 wrote to memory of 3360	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	82
PID 4944 wrote to memory of 3360	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	82
PID 3360 wrote to memory of 1732	3360	fY9bx11.exe	83
PID 3360 wrote to memory of 1732	3360	fY9bx11.exe	83
PID 3360 wrote to memory of 1732	3360	fY9bx11.exe	83
PID 1732 wrote to memory of 2720	1732	AB0Cg45.exe	84
PID 1732 wrote to memory of 2720	1732	AB0Cg45.exe	84
PID 1732 wrote to memory of 2720	1732	AB0Cg45.exe	84
PID 1732 wrote to memory of 3728	1732	AB0Cg45.exe	95
PID 1732 wrote to memory of 3728	1732	AB0Cg45.exe	95
PID 1732 wrote to memory of 3728	1732	AB0Cg45.exe	95
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3728 wrote to memory of 4932	3728	2Wr3587.exe	97
PID 3360 wrote to memory of 4640	3360	fY9bx11.exe	101
PID 3360 wrote to memory of 4640	3360	fY9bx11.exe	101
PID 3360 wrote to memory of 4640	3360	fY9bx11.exe	101
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4640 wrote to memory of 2348	4640	3ZA20EP.exe	103
PID 4944 wrote to memory of 680	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	106
PID 4944 wrote to memory of 680	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	106
PID 4944 wrote to memory of 680	4944	ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe	106
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108
PID 680 wrote to memory of 4668	680	4og835Ic.exe	108

C:\Users\Admin\AppData\Local\Temp\ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe
"C:\Users\Admin\AppData\Local\Temp\ec3af3633a52750aaf806f34de5b8fb483a77417b0a8182b5cd0f8fe892b0c54.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY9bx11.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY9bx11.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AB0Cg45.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AB0Cg45.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ew15De9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ew15De9.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Wr3587.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Wr3587.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 596
        5⤵
        Program crash
        
        PID:2160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ZA20EP.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ZA20EP.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:2348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 152
      4⤵
      Program crash
      PID:940
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4og835Ic.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4og835Ic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 152
    3⤵
    - Program crash
    PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3728 -ip 3728
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4640 -ip 4640
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 680 -ip 680
1⤵
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4og835Ic.exe

Filesize
459KB

MD5
43de8c0acdae428cb27f753fd7ed1389

SHA1
ff44121e2a5fb6e8bbc2309a4b666da30c737c0f

SHA256
755678dbd036fc42889e943fbb77de34cb73d4feca8fd07c7208b13486c64fbb

SHA512
9c40c3ef66bddd18bbdc3ebaff3486c6de2c2d7bf95b93977422155c608fa59bb3ffc62a94eb2ae8600186b6c3dab8f22db3d2471079c7042620067d23c41e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY9bx11.exe

Filesize
696KB

MD5
78d9acb8de3b72d9a742a2b70f6c76f6

SHA1
7a4d6ea227fab57a4016987fdd592282ed798a9e

SHA256
92a1c0a698565601c42a8a82d6244d4a901189c48e079b98a10b5ea5c114fd83

SHA512
ba6c86a53c9843b5858934e42aed665a00019ffd1c396e531830967f3855d28eb0eb477ed12386b7a0ab4cef3aeee446c70d704812a8b30a6813c65421ff5794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3ZA20EP.exe

Filesize
268KB

MD5
64f6170db232dcd4fc20a74a31462f64

SHA1
a6e8eb37c8a394a5b298c2e0ef0b0f69ea71694d

SHA256
3c21f4198422d8ca82b45969725111e385224b9af552ff95f09be05de51a331a

SHA512
4ace09e01bed9651344e2fd18d4753f03b371406ac69df5d7adac0b1db17664b9e6b8654ef6a239e96bfb91e702c606a263e324f5fc43ae8fa81467de9aed3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AB0Cg45.exe

Filesize
452KB

MD5
5f2ae759be8b853043e00102662315bf

SHA1
981bbee76fc13ef00f650577034493a517c74918

SHA256
c2e61e4e24fc2dcac36ceda4ea1dc90225ca2179cf82b2dabe43ffba27e5b72c

SHA512
f6787e6d4f024a2b08f6b467bf9f5451c9b0b17f02f2f36c74cca0e4f03948f240408e411e545b74d475df38aa09c97343168b4b3f1f209cb0fca879b67e59f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ew15De9.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Wr3587.exe

Filesize
378KB

MD5
c8c838184e3dc920cb4accacc0c1231d

SHA1
ff97e857ecef259833a66aac7a51488c3f32d45c

SHA256
0b25b91180e180073251ca6fbf96e511b8cc13fc62c67c4c3fafe2782c1eda4a

SHA512
12573d5c0d039d4b8bb3b613df87e137cf3fdcaeb55cc12e7a029a004264c517bbcc9d5b6f323957e8a97d3201d103755d0c2c3aa242dc0f00793df6d1b72eb4

Download Submit
memory/2348-63-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2720-45-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-49-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-43-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-40-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-37-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-33-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-29-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-25-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-23-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/2720-41-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-35-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-31-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-27-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-51-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-47-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/2720-21-0x0000000002350000-0x000000000236E000-memory.dmp

Filesize
120KB

Download
memory/2720-22-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4668-68-0x0000000007930000-0x00000000079C2000-memory.dmp

Filesize
584KB

Download
memory/4668-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-69-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/4668-70-0x0000000008A10000-0x0000000009028000-memory.dmp

Filesize
6.1MB

Download
memory/4668-71-0x00000000083F0000-0x00000000084FA000-memory.dmp

Filesize
1.0MB

Download
memory/4668-72-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/4668-73-0x0000000007A50000-0x0000000007A8C000-memory.dmp

Filesize
240KB

Download
memory/4668-74-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

Filesize
304KB

Download
memory/4932-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4932-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4932-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download