mystic | bf7c303ed8a366cab19c94d7490195b9a4a59457d07e354a078ba143ad7ca0c8

Analysis

max time kernel
94s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tV9ZS60.exe
Size

650KB
MD5

5ca40a98d4cd2fe05dc42edae5ad5e07
SHA1

be88d9087b7b3f676fa358f7d6a8218b40323b74
SHA256

145324d1c8cce92bd7ac91b493bcd25c4b8e98b42e4de4b956c83d9def2746ca
SHA512

3a948050655ff3fbe64bfc8f86e94395b2b46cabba18e0aa6a4ebde86ad495e9f3b2dd82084c1e9ebf856c0392718fd73b2b1399027aa28fb622550486975c90
SSDEEP

12288:5Mrfy90SE4KT2SiImyTv6U22E7R2pav4TakSZPTm2zEfiR48QzmDM:yyYjfiITraRKamaplZ3EMM

Score

10^/10

mystic smokeloader backdoor discovery evasion persistence stealer trojan

Malware Config

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/412-19-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/412-22-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/412-20-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 4 IoCs

pid	Process
4896	fX1ds71.exe
4784	1cN97ix6.exe
5036	2Cs3775.exe
2060	3FE89fe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tV9ZS60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fX1ds71.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4784 set thread context of 4412	4784	1cN97ix6.exe	84
PID 5036 set thread context of 412	5036	2Cs3775.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
428	4784	WerFault.exe	83
636	5036	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cN97ix6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Cs3775.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3FE89fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tV9ZS60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fX1ds71.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FE89fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FE89fe.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3FE89fe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	AppLaunch.exe
4412	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4896	5080	tV9ZS60.exe	82
PID 5080 wrote to memory of 4896	5080	tV9ZS60.exe	82
PID 5080 wrote to memory of 4896	5080	tV9ZS60.exe	82
PID 4896 wrote to memory of 4784	4896	fX1ds71.exe	83
PID 4896 wrote to memory of 4784	4896	fX1ds71.exe	83
PID 4896 wrote to memory of 4784	4896	fX1ds71.exe	83
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4784 wrote to memory of 4412	4784	1cN97ix6.exe	84
PID 4896 wrote to memory of 5036	4896	fX1ds71.exe	88
PID 4896 wrote to memory of 5036	4896	fX1ds71.exe	88
PID 4896 wrote to memory of 5036	4896	fX1ds71.exe	88
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5036 wrote to memory of 412	5036	2Cs3775.exe	89
PID 5080 wrote to memory of 2060	5080	tV9ZS60.exe	92
PID 5080 wrote to memory of 2060	5080	tV9ZS60.exe	92
PID 5080 wrote to memory of 2060	5080	tV9ZS60.exe	92

C:\Users\Admin\AppData\Local\Temp\tV9ZS60.exe
"C:\Users\Admin\AppData\Local\Temp\tV9ZS60.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fX1ds71.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fX1ds71.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cN97ix6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cN97ix6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 596
      4⤵
      Program crash
      PID:428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cs3775.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cs3775.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 584
      4⤵
      Program crash
      PID:636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FE89fe.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FE89fe.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5036 -ip 5036
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3FE89fe.exe

Filesize
30KB

MD5
cbfcd63a8f96be0c614609f05b2f5713

SHA1
be4a31bf3612ad0e63e9883d3a2842b4ab7b6f79

SHA256
9db77930f55c4a12c27f75fd29e911560b2dca8c7ae5632b71c2b79b2dd582f5

SHA512
28a8aea7b497e08a8db5a5bd5ebbfabe6d03483b8323e7baaaa6adb12d42c7680571bc4b4ec248d11781c21ff2a586baf9322366dab2c6ceca481e5e1816bbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fX1ds71.exe

Filesize
525KB

MD5
eb7c3f7f7da2ba045ca12840697c8d0d

SHA1
f1d21c9a1250394151e863bcffeb016909c11fd9

SHA256
e63b014992cf7b067c376d14b97db2146eaf66f0d7547590bc75791484480959

SHA512
0d83005562aee2baf54189205784990310843837eb3497d8ea4b98647df42044cb34b79035ce70047db78dfb8db69745ff23f78311e1ad92c0e284437ddbced5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1cN97ix6.exe

Filesize
890KB

MD5
e978c7e1a5be84e958419fdcecd0e1f0

SHA1
16990d1c40986a496472fe3221d9ceb981e25f4a

SHA256
e72e37b2e1966aa59d99102486d99e0cded9faded978cdb8e7b1e59e49c4cb14

SHA512
9fb36bc7791fa24cd8e87ab2fbe02079361f299a84866882b945fab775e44408d112543aced0735cb4aa6267fe8c325925a20ca643cd47b2bb3e07a2ba49484a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Cs3775.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
memory/412-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/412-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4412-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4412-15-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/4412-27-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download