mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe
Size

1.0MB
MD5

b552294e3e6467d2594b1e8926474b10
SHA1

4701c4b91f11ce28d256d29efe8d75a7f8c0ee52
SHA256

03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29
SHA512

a7db60d0167a3706e4a456d2e635122fe6521c8a3165ae666e51db0373dd198bcf925fea18f4b81d3e4f07fb1a845e5b8df6fe37c8c6eb17b82af371b45c7a2f
SSDEEP

24576:/yWN0hJkMJp1nRz9i16oIg/wmFE4GUoFZmcPI7MRe3e:Khhemp9RxQ6a/9EfqT

Score

10^/10

mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/2968-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/2968-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5080-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 6 IoCs

Processes:

oE6qz77.exeYB6wP35.exe1sk18vn4.exe2eG8880.exe3cc41VF.exe4er828qS.exe

pid process

4484 oE6qz77.exe
60 YB6wP35.exe
932 1sk18vn4.exe
2072 2eG8880.exe
1052 3cc41VF.exe
4276 4er828qS.exe

pid	process
4484	oE6qz77.exe
60	YB6wP35.exe
932	1sk18vn4.exe
2072	2eG8880.exe
1052	3cc41VF.exe
4276	4er828qS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exeoE6qz77.exeYB6wP35.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oE6qz77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YB6wP35.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1sk18vn4.exe2eG8880.exe4er828qS.exe

description	pid	process	target process
PID 932 set thread context of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 2072 set thread context of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 4276 set thread context of 5080	4276	4er828qS.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1920 sc.exe

pid	process
1920	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3cc41VF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cc41VF.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cc41VF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3cc41VF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1464 AppLaunch.exe
1464 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1464 AppLaunch.exe

pid	process
1464	AppLaunch.exe
1464	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1464	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exeoE6qz77.exeYB6wP35.exe1sk18vn4.exe2eG8880.exe4er828qS.exe

description	pid	process	target process
PID 3644 wrote to memory of 4484	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	oE6qz77.exe
PID 3644 wrote to memory of 4484	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	oE6qz77.exe
PID 3644 wrote to memory of 4484	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	oE6qz77.exe
PID 4484 wrote to memory of 60	4484	oE6qz77.exe	YB6wP35.exe
PID 4484 wrote to memory of 60	4484	oE6qz77.exe	YB6wP35.exe
PID 4484 wrote to memory of 60	4484	oE6qz77.exe	YB6wP35.exe
PID 60 wrote to memory of 932	60	YB6wP35.exe	1sk18vn4.exe
PID 60 wrote to memory of 932	60	YB6wP35.exe	1sk18vn4.exe
PID 60 wrote to memory of 932	60	YB6wP35.exe	1sk18vn4.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 932 wrote to memory of 1464	932	1sk18vn4.exe	AppLaunch.exe
PID 60 wrote to memory of 2072	60	YB6wP35.exe	2eG8880.exe
PID 60 wrote to memory of 2072	60	YB6wP35.exe	2eG8880.exe
PID 60 wrote to memory of 2072	60	YB6wP35.exe	2eG8880.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 2072 wrote to memory of 2968	2072	2eG8880.exe	AppLaunch.exe
PID 4484 wrote to memory of 1052	4484	oE6qz77.exe	3cc41VF.exe
PID 4484 wrote to memory of 1052	4484	oE6qz77.exe	3cc41VF.exe
PID 4484 wrote to memory of 1052	4484	oE6qz77.exe	3cc41VF.exe
PID 3644 wrote to memory of 4276	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	4er828qS.exe
PID 3644 wrote to memory of 4276	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	4er828qS.exe
PID 3644 wrote to memory of 4276	3644	03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe	4er828qS.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe
PID 4276 wrote to memory of 5080	4276	4er828qS.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe
"C:\Users\Admin\AppData\Local\Temp\03c5b52913f2d935873e6576fc8246512a2381daa2ae332880d218afe379df29.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE6qz77.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE6qz77.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB6wP35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB6wP35.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sk18vn4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sk18vn4.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eG8880.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eG8880.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cc41VF.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cc41VF.exe
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er828qS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er828qS.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er828qS.exe
Filesize
1.1MB

MD5
1fef4579f4d08ec4f3d627c3f225a7c3

SHA1
201277b41015ca5b65c5a84b9e9b8079c5dcf230

SHA256
c950de6308893200f558c1d2413fa4b5bce9a9102d8b8d96a658edd8064bcf52

SHA512
9a76150ee8ac69208d82759e8bdb598dff86ee0990153a515c9cb3d92311e099e996daf52c06deb35216fa241e5acb496c1cbee91fb1c8cedc5fc51571dffe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oE6qz77.exe
Filesize
643KB

MD5
3e41e93bb6754815de31d4a9b5b19ac2

SHA1
f4f2db820043e7a5fff1e6ffdaa4db9129e14ecf

SHA256
ed6e9e36f71c5d4acdca4d8189cf20c7b0f66259098330a02506cd7ca9d7823e

SHA512
2706b999de3131232e19af6bb8c0642669a32243609cfaeac75f65d85a2a72c042c3df97c489473918cde9f4cc006cb10ec533ebc7ac2da463cfdeb69ce57f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3cc41VF.exe
Filesize
30KB

MD5
c7bf022e255e64000479c7901816c26c

SHA1
dba1ac434c86be6f3940b363236e48a2ee699a47

SHA256
83da144fdfcabb04da74da5991beb707a99c62561e50c7d0a4b2489098c38c42

SHA512
1002c95e2f9e3dc6a4051c6d881e35b748e3bff5604bdd521845b90b44cc6aa13445a90ed5692b0739226b6d20cf73d147e9f8b0c0bf7d1198433aa9b22b56a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YB6wP35.exe
Filesize
518KB

MD5
3749ba5067bff821dd1611e65729d1ae

SHA1
6299f2ca5b2b2ed53a9f7bcc0672578b6008827e

SHA256
b7e48aeb971628ce4dd2939a4628fe64088de9fc1ef8595bde9a14a5364d1a13

SHA512
211cfa9150cf2fc37c903e93dc3f99952db9dd5dfcb9790088980ee002449c226c91f5837ef83867d7497439f203c6105400765ecc2e8b18d27adf67a7c9ef71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1sk18vn4.exe
Filesize
874KB

MD5
9eee364499677bcd3f52ac655db1097b

SHA1
d65d31912b259e60c71af9358b743f3e137c8936

SHA256
1ba694e249e4faca92ccce8670b5d6e2a5e6ac0d1f523220a91f75aab3d78155

SHA512
1364dece0df02e181c2feb9a3b9e559662945991d3919ae0c1db2fcc091de3ceb349dcf4e4921b904e265263e6a2cca9c83a6a914ca9544850f8d2bb2fe41678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2eG8880.exe
Filesize
1.1MB

MD5
7e88670e893f284a13a2d88af7295317

SHA1
4bc0d76245e9d6ca8fe69daa23c46b2b8f770f1a

SHA256
d5e9e8612572f4586bc94b4475503558b7c4cd9329d3ade5b86f45018957deb9

SHA512
01541840ee2aa44de1f5f41bee31409560c481c10ed07d854239c0c9bdb648c86857a6a83a907e23f3b2865043b175689aa5f4f13fd0fd5f5444756b9ddfcdc2

Download Submit
memory/1052-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1052-32-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1464-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2968-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-38-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/5080-39-0x00000000079A0000-0x0000000007A32000-memory.dmp

Filesize
584KB

Download
memory/5080-40-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download
memory/5080-41-0x0000000008A30000-0x0000000009048000-memory.dmp

Filesize
6.1MB

Download
memory/5080-43-0x0000000007BD0000-0x0000000007BE2000-memory.dmp

Filesize
72KB

Download
memory/5080-42-0x0000000007D30000-0x0000000007E3A000-memory.dmp

Filesize
1.0MB

Download
memory/5080-44-0x0000000007C60000-0x0000000007C9C000-memory.dmp

Filesize
240KB

Download
memory/5080-45-0x0000000007CA0000-0x0000000007CEC000-memory.dmp

Filesize
304KB

Download