mystic | 926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a

Analysis

max time kernel
157s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe
Size

851KB
MD5

9dbcef9cf528357b319703d966bb5bf5
SHA1

f034496c250ef9e3a4ba819c725250b0eb0b213b
SHA256

926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a
SHA512

002e925c0bdf6d0f8817b7d28c20e6d0f9080273c5c85b5ccf7cf2bd7aec4b979648cbefec07ba070337744b6ec511a9bed7b89933031672689c1d1e6172688e
SSDEEP

12288:tMrBy90WvqMN3s1jCSO+/JT+ZOrOsb/zaHSL/3RpSXjVvdqxycjW0g9OV4UWuK8:kym6SjY+Bkux7z3j3TS3Cy2g+fWT8

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2116-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2116-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2116-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2116-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3308	x4645563.exe
4876	x1122828.exe
2712	x4805303.exe
2052	g1077811.exe
1492	h4154591.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4645563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1122828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4805303.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2116	2052	g1077811.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2576	2052	WerFault.exe	92
4004	2116	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4720 wrote to memory of 3308	4720	926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe	89
PID 4720 wrote to memory of 3308	4720	926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe	89
PID 4720 wrote to memory of 3308	4720	926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe	89
PID 3308 wrote to memory of 4876	3308	x4645563.exe	90
PID 3308 wrote to memory of 4876	3308	x4645563.exe	90
PID 3308 wrote to memory of 4876	3308	x4645563.exe	90
PID 4876 wrote to memory of 2712	4876	x1122828.exe	91
PID 4876 wrote to memory of 2712	4876	x1122828.exe	91
PID 4876 wrote to memory of 2712	4876	x1122828.exe	91
PID 2712 wrote to memory of 2052	2712	x4805303.exe	92
PID 2712 wrote to memory of 2052	2712	x4805303.exe	92
PID 2712 wrote to memory of 2052	2712	x4805303.exe	92
PID 2052 wrote to memory of 4364	2052	g1077811.exe	94
PID 2052 wrote to memory of 4364	2052	g1077811.exe	94
PID 2052 wrote to memory of 4364	2052	g1077811.exe	94
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2052 wrote to memory of 2116	2052	g1077811.exe	95
PID 2712 wrote to memory of 1492	2712	x4805303.exe	103
PID 2712 wrote to memory of 1492	2712	x4805303.exe	103
PID 2712 wrote to memory of 1492	2712	x4805303.exe	103

C:\Users\Admin\AppData\Local\Temp\926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe
"C:\Users\Admin\AppData\Local\Temp\926e1544f880ad87d377422e95ab3e5df6088ba2bc98f311f8c985fab5da600a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4645563.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4645563.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1122828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1122828.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4805303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4805303.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1077811.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1077811.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 540
        7⤵
        Program crash
        
        PID:4004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 600
        6⤵
        Program crash
        
        PID:2576
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4154591.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4154591.exe
        5⤵
        Executes dropped EXE
        
        PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2052 -ip 2052
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 80 -p 2116 -ip 2116
1⤵
PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4645563.exe

Filesize
750KB

MD5
a97d9ffbe8bd805d5c4b1b72b938e8b7

SHA1
ca102cd82505cf90cf10de08df332dc57462aa09

SHA256
04c34323973598289e338be8a3cee08a454b1012626268c5f6919e34c3463a1b

SHA512
25f8a71e80006c558619165b3ee0c5fac56df234f5f9012d41b5551f30036dc101282a5d86694f9b6f0c98ee725459b6e32ecf767b6cd7a2c60afb1f521fbf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4645563.exe

Filesize
750KB

MD5
a97d9ffbe8bd805d5c4b1b72b938e8b7

SHA1
ca102cd82505cf90cf10de08df332dc57462aa09

SHA256
04c34323973598289e338be8a3cee08a454b1012626268c5f6919e34c3463a1b

SHA512
25f8a71e80006c558619165b3ee0c5fac56df234f5f9012d41b5551f30036dc101282a5d86694f9b6f0c98ee725459b6e32ecf767b6cd7a2c60afb1f521fbf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1122828.exe

Filesize
518KB

MD5
caf1263a0160ddc9f025cc4e76bb6b6b

SHA1
1c5ebb516257fc418e97d0c641b28871ca3be551

SHA256
8beb2574dab826ef841006a86f6306dc0e2ca78f0b1b20ff55dfb4ea77c50c81

SHA512
0bd1d31d6b1fb048c2abe87c6a68acae1823a8a18364f504a14a2f3529b79c124d6e73cf684c4d8437f5814a8144804ffb393711e3e84bb882f63738f7b1af4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1122828.exe

Filesize
518KB

MD5
caf1263a0160ddc9f025cc4e76bb6b6b

SHA1
1c5ebb516257fc418e97d0c641b28871ca3be551

SHA256
8beb2574dab826ef841006a86f6306dc0e2ca78f0b1b20ff55dfb4ea77c50c81

SHA512
0bd1d31d6b1fb048c2abe87c6a68acae1823a8a18364f504a14a2f3529b79c124d6e73cf684c4d8437f5814a8144804ffb393711e3e84bb882f63738f7b1af4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4805303.exe

Filesize
352KB

MD5
c85c50651621922adec0c8fe0cc5880a

SHA1
2af68b699df837fbb8e331ea239f97a9e6b6944b

SHA256
98e6a892388b976efe80692f123e222074171963a2a3420ac38c3fe04fc87a1f

SHA512
d49214749b737f25dd8b751f3a62c272fe36a5e1d6e925b619a5013ce7a89cb50fbc844d3d33d23f8522dcdff8cd907eb919a152feda209bd0550b02564d9f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4805303.exe

Filesize
352KB

MD5
c85c50651621922adec0c8fe0cc5880a

SHA1
2af68b699df837fbb8e331ea239f97a9e6b6944b

SHA256
98e6a892388b976efe80692f123e222074171963a2a3420ac38c3fe04fc87a1f

SHA512
d49214749b737f25dd8b751f3a62c272fe36a5e1d6e925b619a5013ce7a89cb50fbc844d3d33d23f8522dcdff8cd907eb919a152feda209bd0550b02564d9f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1077811.exe

Filesize
280KB

MD5
07693f0717cb9bb086b667be73e70d5b

SHA1
dcae8c0372083bf335e77811127841d39fb8f730

SHA256
467a0f07ef769aa31a7e7c119ec9f9b062d8d2306e823d24b4621e8c7d8e8b86

SHA512
629f59ce72bfd4e31f813e9685377e20a46101483a0e8c3c3ac0d1c71a747d0f58b424701269935428ef2e33341b6e63b07909eb893323c6f50e33b7c928ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1077811.exe

Filesize
280KB

MD5
07693f0717cb9bb086b667be73e70d5b

SHA1
dcae8c0372083bf335e77811127841d39fb8f730

SHA256
467a0f07ef769aa31a7e7c119ec9f9b062d8d2306e823d24b4621e8c7d8e8b86

SHA512
629f59ce72bfd4e31f813e9685377e20a46101483a0e8c3c3ac0d1c71a747d0f58b424701269935428ef2e33341b6e63b07909eb893323c6f50e33b7c928ceb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4154591.exe

Filesize
174KB

MD5
7e9f57b0b0f303d74ada46694a78da51

SHA1
7bb62134549d1e9d55f98742df95012152ba6d76

SHA256
f016964d75fbc10325994cbee7100b06a1dcfa30dc81eab07e4f8601473946fe

SHA512
c9ddfce9ccb1b0ab9f0b1a6990d5c82abfa8beae88beca98b008fbe81ac20320c75481bf8f0ca16ab246868c8bafe197669969327957f8430dec49cfca14d2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4154591.exe

Filesize
174KB

MD5
7e9f57b0b0f303d74ada46694a78da51

SHA1
7bb62134549d1e9d55f98742df95012152ba6d76

SHA256
f016964d75fbc10325994cbee7100b06a1dcfa30dc81eab07e4f8601473946fe

SHA512
c9ddfce9ccb1b0ab9f0b1a6990d5c82abfa8beae88beca98b008fbe81ac20320c75481bf8f0ca16ab246868c8bafe197669969327957f8430dec49cfca14d2b9

Download Submit
memory/1492-39-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-42-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1492-46-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1492-45-0x0000000004B50000-0x0000000004B9C000-memory.dmp

Filesize
304KB

Download
memory/1492-36-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-37-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/1492-44-0x000000000A260000-0x000000000A29C000-memory.dmp

Filesize
240KB

Download
memory/1492-40-0x000000000A600000-0x000000000AC18000-memory.dmp

Filesize
6.1MB

Download
memory/1492-38-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1492-41-0x000000000A2C0000-0x000000000A3CA000-memory.dmp

Filesize
1.0MB

Download
memory/1492-43-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/2116-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2116-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2116-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2116-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads