mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
Size

1.0MB
MD5

8219c91ff157d34ad13e9eaaca1ff3d0
SHA1

1ef89eb62e086d504b80795557ac9e42686a9d28
SHA256

f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f
SHA512

d01862cedd90ade8eb621e73e2bbc1eeb7a937b0c7f7d288422f32a83afcf8ba832b6554aefb8aee40d43597cd8721750c470e1d59926f7bb03d7539a416caf1
SSDEEP

24576:Cy6yVCA/5fXKw6PEZ9jSvWMLsfUAUgcsbb/ZYGtrSmzFgiHa:p6yfBfXKVPEfSv22Ps+s7z2i

Score

10^/10

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral28/memory/4256-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral28/memory/4256-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral28/memory/4256-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral28/memory/4252-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
4708	QO4vb69.exe
3940	yo2bo38.exe
1888	1cd54Dh6.exe
3836	2OK3253.exe
2076	3uO25Af.exe
4948	4RH916LN.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QO4vb69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yo2bo38.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1888 set thread context of 3136	1888	1cd54Dh6.exe	86
PID 3836 set thread context of 4256	3836	2OK3253.exe	89
PID 4948 set thread context of 4252	4948	4RH916LN.exe	94

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3uO25Af.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3136	AppLaunch.exe
3136	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	AppLaunch.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 4708	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	82
PID 2420 wrote to memory of 4708	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	82
PID 2420 wrote to memory of 4708	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	82
PID 4708 wrote to memory of 3940	4708	QO4vb69.exe	83
PID 4708 wrote to memory of 3940	4708	QO4vb69.exe	83
PID 4708 wrote to memory of 3940	4708	QO4vb69.exe	83
PID 3940 wrote to memory of 1888	3940	yo2bo38.exe	84
PID 3940 wrote to memory of 1888	3940	yo2bo38.exe	84
PID 3940 wrote to memory of 1888	3940	yo2bo38.exe	84
PID 1888 wrote to memory of 4884	1888	1cd54Dh6.exe	85
PID 1888 wrote to memory of 4884	1888	1cd54Dh6.exe	85
PID 1888 wrote to memory of 4884	1888	1cd54Dh6.exe	85
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 1888 wrote to memory of 3136	1888	1cd54Dh6.exe	86
PID 3940 wrote to memory of 3836	3940	yo2bo38.exe	87
PID 3940 wrote to memory of 3836	3940	yo2bo38.exe	87
PID 3940 wrote to memory of 3836	3940	yo2bo38.exe	87
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 3836 wrote to memory of 4256	3836	2OK3253.exe	89
PID 4708 wrote to memory of 2076	4708	QO4vb69.exe	90
PID 4708 wrote to memory of 2076	4708	QO4vb69.exe	90
PID 4708 wrote to memory of 2076	4708	QO4vb69.exe	90
PID 2420 wrote to memory of 4948	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	92
PID 2420 wrote to memory of 4948	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	92
PID 2420 wrote to memory of 4948	2420	f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe	92
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94
PID 4948 wrote to memory of 4252	4948	4RH916LN.exe	94

C:\Users\Admin\AppData\Local\Temp\f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe
"C:\Users\Admin\AppData\Local\Temp\f9420469aa3326f8f0142d01cbe53363a015e3579644b84fcce388b71edb614f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4884
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3836
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2076
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4RH916LN.exe

Filesize
1.1MB

MD5
285fa61da44042a76502bdaf177bfdc3

SHA1
633c6a7d280526ce15fc4b3cc592d23b3f0b9369

SHA256
518d5eb779e2a1b222e4c73ddee1d1fc11f084b7e4a86c89cd5c7527588440c0

SHA512
0e5104787d42c631f406bd0f8f1a514ea20deb3b82fa3ba17c53e18b7bdfaa873085eb71ea4154ba0e42d6bab974e2671b5befc63d8bbb56a511b0d9900350e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QO4vb69.exe

Filesize
649KB

MD5
b026152757756ac3658155420556791e

SHA1
ab377b5c0fba225ce59f5167b4a9afc1425f2ab5

SHA256
2b692d9f64d5f9addafddb0daac9e57132a2d0a1374eaabe3c4190055f569092

SHA512
6ccab4c67b217accc645ff3065f2dc6b004c9d0b8dbe251e54ececf21c99d20341605afdf2c3dfaacb77ac3a30624dc8247829419f7d3229a1cf508f6998371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3uO25Af.exe

Filesize
31KB

MD5
1b1ed2b600574a71547a0083548c700f

SHA1
ff3db11401b1c4d5b5cae6a324ca389e5f8b4759

SHA256
1e3a92e82f55f3b4b64751d07f43cf680b1581d6378a582fc58661a46c0aa1ac

SHA512
ab83ae4f1a85887c252dd488725c7b7acc4b57d380963ade7706fcf09ed17081b44fece8670ab33ef1d27fb895effcbea90da57a2ee13f9a7dd4b483f037f4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo2bo38.exe

Filesize
524KB

MD5
ee03c76fafa1cb23016c46da39946c86

SHA1
1e05b2852217613d068e1020935675f3b2accbc9

SHA256
f2817b700b78788fba27a54934f8a1b51bf26cb256f9394ce7cd4a7ce3b81bf0

SHA512
c7c5254d1b01714c5582b1239cd0a2ab4cfd5fe01915a807f341f92515d108b8891b35e0eaaf368853327a3e842b7ebbe147c9c1a7034e803855c18db826d568

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cd54Dh6.exe

Filesize
869KB

MD5
aa0738466cdc5ed137b0d11b7dba6c2c

SHA1
1de62c97e5c6d871febd5e5d1a14acbacca0535d

SHA256
0d48ce616f40f1e405cfabc0ad7f363b7e950a7085b5e81520ba25d8e81530c5

SHA512
349d0c13ef9fb7eadaf63f5bb09e8956745506d4badfd731ae81c4ced4cbfc6f7ec2c504b42eb4c131b6926eb2d6279bcfd96e4cfb01a7d51c86db97de052784

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OK3253.exe

Filesize
1.0MB

MD5
37bc46e7c2dccba4f672787f18871529

SHA1
7e17d2ccc3bf3fea74ba523bb63b763200c41ebe

SHA256
0c012cf84f2a566233834482aee726755afe7f058afb09fd87f9c8b9390c7e1d

SHA512
56dfe64e3e684552eeeebeaeb7185cfa076bb5b570fdc5fdf0970a1930226f207190403393d1e3137beb1f92cdc89534c9be80fe55b25523c0968545ca50e230

Download Submit
memory/2076-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2076-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3136-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4252-40-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/4252-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4252-38-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/4252-39-0x0000000007250000-0x00000000072E2000-memory.dmp

Filesize
584KB

Download
memory/4252-41-0x0000000008330000-0x0000000008948000-memory.dmp

Filesize
6.1MB

Download
memory/4252-42-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/4252-43-0x0000000007450000-0x0000000007462000-memory.dmp

Filesize
72KB

Download
memory/4252-44-0x00000000074B0000-0x00000000074EC000-memory.dmp

Filesize
240KB

Download
memory/4252-45-0x0000000007640000-0x000000000768C000-memory.dmp

Filesize
304KB

Download
memory/4256-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4256-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download