mystic | 2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935

Analysis

max time kernel
139s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe
Size

1.0MB
MD5

db4a23dcf72244c48018e9fe9d9adf62
SHA1

9e7e5e1e2061917685b60e7b14d72379a31d9884
SHA256

2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935
SHA512

4dd419dedc5b03460e2a236bcd91ce726d08b1a8753bf7da216ff9b15655f2c8aa2f25ebc9e04fa1f1b2c82196d6cd14f108b0a0674e6e348520679e2ff60955
SSDEEP

24576:PyN08Cw6700HN8mkhicALPpKaSRuWyS6xDoevxM9w6KiT3n0:aNtu00tCQ2/ypoeay6KiTX

Score

10^/10

mystic redline smokeloader grome backdoor discovery evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/3524-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3524-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/3524-26-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2580-37-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 6 IoCs

pid	Process
2440	Bc0FS66.exe
2140	KS4Tw61.exe
4720	1gN79JO3.exe
1288	2IK8647.exe
2308	3Yc63Fv.exe
716	4ux734Si.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bc0FS66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KS4Tw61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4720 set thread context of 5052	4720	1gN79JO3.exe	87
PID 1288 set thread context of 3524	1288	2IK8647.exe	96
PID 716 set thread context of 2580	716	4ux734Si.exe	101

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4612	4720	WerFault.exe	86
1236	1288	WerFault.exe	94
2176	716	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3Yc63Fv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ux734Si.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bc0FS66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KS4Tw61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1gN79JO3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2IK8647.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yc63Fv.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yc63Fv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Yc63Fv.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	AppLaunch.exe
5052	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2440	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	84
PID 632 wrote to memory of 2440	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	84
PID 632 wrote to memory of 2440	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	84
PID 2440 wrote to memory of 2140	2440	Bc0FS66.exe	85
PID 2440 wrote to memory of 2140	2440	Bc0FS66.exe	85
PID 2440 wrote to memory of 2140	2440	Bc0FS66.exe	85
PID 2140 wrote to memory of 4720	2140	KS4Tw61.exe	86
PID 2140 wrote to memory of 4720	2140	KS4Tw61.exe	86
PID 2140 wrote to memory of 4720	2140	KS4Tw61.exe	86
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 4720 wrote to memory of 5052	4720	1gN79JO3.exe	87
PID 2140 wrote to memory of 1288	2140	KS4Tw61.exe	94
PID 2140 wrote to memory of 1288	2140	KS4Tw61.exe	94
PID 2140 wrote to memory of 1288	2140	KS4Tw61.exe	94
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 1288 wrote to memory of 3524	1288	2IK8647.exe	96
PID 2440 wrote to memory of 2308	2440	Bc0FS66.exe	99
PID 2440 wrote to memory of 2308	2440	Bc0FS66.exe	99
PID 2440 wrote to memory of 2308	2440	Bc0FS66.exe	99
PID 632 wrote to memory of 716	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	100
PID 632 wrote to memory of 716	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	100
PID 632 wrote to memory of 716	632	2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe	100
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101
PID 716 wrote to memory of 2580	716	4ux734Si.exe	101

C:\Users\Admin\AppData\Local\Temp\2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe
"C:\Users\Admin\AppData\Local\Temp\2c5f03af869d1d37d9492e0773ac9370dbbbb7f98ef143d01eaab2c0664bb935.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bc0FS66.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bc0FS66.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KS4Tw61.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KS4Tw61.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gN79JO3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gN79JO3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4720
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 588
        5⤵
        Program crash
        
        PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IK8647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IK8647.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1288
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 580
        5⤵
        Program crash
        
        PID:1236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yc63Fv.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yc63Fv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ux734Si.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ux734Si.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 584
    3⤵
    - Program crash
    PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4720 -ip 4720
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1288 -ip 1288
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 716 -ip 716
1⤵
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ux734Si.exe

Filesize
1.1MB

MD5
c474cb24af058ec68f12ecedb0bd6087

SHA1
ba1cdb7706fc2085052d82a3ed402aa443a164d7

SHA256
8cbcd459d3ec3e02afb56c45998ee13d21a8cd608872d3a4b34a4e50271691e6

SHA512
cd55dee64cdebd241f7c2346eb1a623c039efbcc2d692c779d7fbe7a6b398ac2650f3ce9a7b19d9f0e7ae1c297703161872fbef045c089b052ec97c09a6cccaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bc0FS66.exe

Filesize
650KB

MD5
34b2af8d1759b130545f818004a45fe4

SHA1
00ce40d9571b792a99572931fbf8b8959f092813

SHA256
464d6f7785bbab1a09339448f1a6d92b480a2473b9a1695431a328ec4819c34b

SHA512
2f3d732784a9c5378b597ac19951bff835f6b85cc5bf8bd5a314764d645256375dfee4b998905a9067f52288bbfe68354e8bce6b7f61db788a65a457a07ba60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Yc63Fv.exe

Filesize
30KB

MD5
4e4a1488a4ac71f61123ecce47db81ff

SHA1
aeeb923d643eb5f10d4af3c282240649ddfcab9f

SHA256
e5bba9b9f0e1427b368011db72a01f849c13f0bd5e9b273881cd8aa1d7ec4653

SHA512
9ef132a21f8e776526979a40ca7c64e0ab6c7bea673de881e02c1adc163641fe36877c6ceedc051043c56baa96d054d59fe1e200f21556893c9e90e3b1a3fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KS4Tw61.exe

Filesize
525KB

MD5
c057731f2ef89a322692cb90b0c1b2ef

SHA1
ec029f24fc25623eaa11259c31e44e34b18d1587

SHA256
e5c866a044913a6d421b6b09a3b0cc5ba8a32ef4bd37a7043b17310dddf3bc0d

SHA512
d6b941dbc33637f22772193dfe94c81a7154b7f9ff6fb92af47f7a65b5232c8c5478387ab1136473cbc6177a28af8b9ea50cf604400cc777407c635655beaf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1gN79JO3.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IK8647.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
memory/2308-31-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2308-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2580-40-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/2580-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2580-38-0x0000000007E80000-0x0000000008424000-memory.dmp

Filesize
5.6MB

Download
memory/2580-39-0x0000000007970000-0x0000000007A02000-memory.dmp

Filesize
584KB

Download
memory/2580-41-0x0000000008A50000-0x0000000009068000-memory.dmp

Filesize
6.1MB

Download
memory/2580-42-0x0000000007CB0000-0x0000000007DBA000-memory.dmp

Filesize
1.0MB

Download
memory/2580-43-0x0000000007B70000-0x0000000007B82000-memory.dmp

Filesize
72KB

Download
memory/2580-44-0x0000000007BE0000-0x0000000007C1C000-memory.dmp

Filesize
240KB

Download
memory/2580-45-0x0000000007C20000-0x0000000007C6C000-memory.dmp

Filesize
304KB

Download
memory/3524-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download