mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Size

733KB
MD5

f6ff6d5bcfc6785ac6f50078974cab80
SHA1

40b4e177adf9c23cc7e08a67b78250874f78c501
SHA256

bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1
SHA512

86b9ab7ba445bd325e7ab0c5d40ea57799c8254dba0bacc1e11f4306a3fc4be7b0902138ad5c4d1819ba1197e11a0aee5429c734dca7b4600fe30ddda8dda6a1
SSDEEP

12288:AMr2y90cvDIUilEPl88a0nkI8BuKu2GRkAPUwVmBkBiq+4sltxxFi:myhsUilEPq8Fnkpu2GRkRrRqvslt4

Score

10^/10

mystic smokeloader backdoor evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral18/memory/4708-54-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/4708-57-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral18/memory/4708-55-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1HE24SB2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1HE24SB2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1HE24SB2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1HE24SB2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1HE24SB2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1HE24SB2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1HE24SB2.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 4 IoCs

Processes:

VU8XV55.exe1HE24SB2.exe2nh0970.exe3uW43Fx.exe

pid process

1480 VU8XV55.exe
1932 1HE24SB2.exe
2120 2nh0970.exe
3496 3uW43Fx.exe

pid	process
1480	VU8XV55.exe
1932	1HE24SB2.exe
2120	2nh0970.exe
3496	3uW43Fx.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1HE24SB2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1HE24SB2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1HE24SB2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exeVU8XV55.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VU8XV55.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2nh0970.exe3uW43Fx.exe

description	pid	process	target process
PID 2120 set thread context of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 3496 set thread context of 4088	3496	3uW43Fx.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4792 2120 WerFault.exe 2nh0970.exe
3048 3496 WerFault.exe 3uW43Fx.exe

pid	pid_target	process	target process
4792	2120	WerFault.exe	2nh0970.exe
3048	3496	WerFault.exe	3uW43Fx.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1HE24SB2.exe

pid process

1932 1HE24SB2.exe
1932 1HE24SB2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1HE24SB2.exe

description pid process

Token: SeDebugPrivilege 1932 1HE24SB2.exe

pid	process
1932	1HE24SB2.exe
1932	1HE24SB2.exe

description	pid	process
Token: SeDebugPrivilege	1932	1HE24SB2.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exeVU8XV55.exe2nh0970.exe3uW43Fx.exe

description	pid	process	target process
PID 3420 wrote to memory of 1480	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	VU8XV55.exe
PID 3420 wrote to memory of 1480	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	VU8XV55.exe
PID 3420 wrote to memory of 1480	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	VU8XV55.exe
PID 1480 wrote to memory of 1932	1480	VU8XV55.exe	1HE24SB2.exe
PID 1480 wrote to memory of 1932	1480	VU8XV55.exe	1HE24SB2.exe
PID 1480 wrote to memory of 1932	1480	VU8XV55.exe	1HE24SB2.exe
PID 1480 wrote to memory of 2120	1480	VU8XV55.exe	2nh0970.exe
PID 1480 wrote to memory of 2120	1480	VU8XV55.exe	2nh0970.exe
PID 1480 wrote to memory of 2120	1480	VU8XV55.exe	2nh0970.exe
PID 2120 wrote to memory of 4280	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4280	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4280	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 2344	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 2344	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 2344	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 2120 wrote to memory of 4708	2120	2nh0970.exe	AppLaunch.exe
PID 3420 wrote to memory of 3496	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	3uW43Fx.exe
PID 3420 wrote to memory of 3496	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	3uW43Fx.exe
PID 3420 wrote to memory of 3496	3420	bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe	3uW43Fx.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe
PID 3496 wrote to memory of 4088	3496	3uW43Fx.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
"C:\Users\Admin\AppData\Local\Temp\bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 624
4⤵
- Program crash
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 136
3⤵
- Program crash
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2120 -ip 2120
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3496 -ip 3496
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3uW43Fx.exe
Filesize
280KB

MD5
0bd32839b444684cfb65a34e4f31780b

SHA1
55a5b4bd45696e03d4a35c1d0a6260b3a46846b0

SHA256
27b58702d8f19e28ab866afe7c633d75c93f4d0ac154d3803a6e3d8e8f32bfc3

SHA512
6d9fe18e99c1a82c016e4450b2dfe19bb4e67d26bba2da6e8b560e71de4793e76f09599f39f54ab27a46898c7f7dda888be421bbcb5bb8b3f06566e944ccfc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VU8XV55.exe
Filesize
485KB

MD5
0f205ca2cc22873955c23316cfb699ec

SHA1
cb6eb8bb00190355d40ab1e8523f01625d99223a

SHA256
072f1187c5b0ffe2ff3de81416fefc27c9a178d9ae310d8dda3afd2f3b4fb4a4

SHA512
f55f904302b822d303c4a1a052979ce0a801d6ec606ba04931568674c54de4db2f6b10de832c552b33890da1b25b2ac7a141862169eed3fddd50bdfdea90d33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1HE24SB2.exe
Filesize
194KB

MD5
35d718538c3e1346cb4fcf54aaa0f141

SHA1
234c0aa0465c27c190a83936e8e3aa3c4b991224

SHA256
97e62bfa90aca06c595fb150e36f56b4a285f58cc072b8c458ae79805523fc36

SHA512
4bcf5cabe93ec54608ccb95d80822f411bb32c2746be609873a493045913fb53e0a953e75f82dfe620d661f049437da7a70d34995dc915bb0b09426e97f0aec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2nh0970.exe
Filesize
432KB

MD5
8170d94baae55a3e44b95b13f236a055

SHA1
b43a34a894ea751cd9a63c621786cbec7849e279

SHA256
be82ae3d01c3f9a5e75c54a99d555a990e04257a9fea1998ad7c661cf1a07ad4

SHA512
d7db6dc84fa4c6197756609403eb73568c3a6ac6ce9d4fd690d41d40e05c06b0d649caf2ec9881188b75d425c9edc8e917bea1b2e68b0f47502db01c794aa09a

Download Submit
memory/1932-40-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-35-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-18-0x0000000002510000-0x000000000252C000-memory.dmp

Filesize
112KB

Download
memory/1932-19-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-20-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-21-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-48-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-46-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-44-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-42-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-16-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-38-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-36-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-17-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/1932-32-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-31-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-28-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-26-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-24-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-22-0x0000000002510000-0x0000000002526000-memory.dmp

Filesize
88KB

Download
memory/1932-50-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-15-0x00000000007C0000-0x00000000007DE000-memory.dmp

Filesize
120KB

Download
memory/1932-14-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download
memory/4088-61-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4708-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download