mystic | d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c

Analysis

max time kernel
143s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe
Size

929KB
MD5

322d54f130984ebd42d58b50989042be
SHA1

6ecf4dea87e49e629285124a51bd3fa36ac6541c
SHA256

d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c
SHA512

c81e1e581586fe3e037dff3b748371294cc56b559ca88ab65afc21e9f209381042565756c77efc62c17b0e21461afc328ad8729aab1b9cce1dcb5c5698747eeb
SSDEEP

12288:aMrKy900Fl3QTY/eagDILhz7s8I60T+CgarW4WkFOzXRz1DVOtesHAWGfxCUETC8:UyPPaiesFIggHVUXRNVOtesgLpCARy

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1472-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1472-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1472-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1472-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
5008	x2322352.exe
4532	x2281247.exe
804	x7891445.exe
4448	g4492398.exe
1300	h6460800.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2322352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2281247.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7891445.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4448 set thread context of 1472	4448	g4492398.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3344	1472	WerFault.exe	91
4216	4448	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 5008	772	d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe	86
PID 772 wrote to memory of 5008	772	d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe	86
PID 772 wrote to memory of 5008	772	d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe	86
PID 5008 wrote to memory of 4532	5008	x2322352.exe	87
PID 5008 wrote to memory of 4532	5008	x2322352.exe	87
PID 5008 wrote to memory of 4532	5008	x2322352.exe	87
PID 4532 wrote to memory of 804	4532	x2281247.exe	88
PID 4532 wrote to memory of 804	4532	x2281247.exe	88
PID 4532 wrote to memory of 804	4532	x2281247.exe	88
PID 804 wrote to memory of 4448	804	x7891445.exe	89
PID 804 wrote to memory of 4448	804	x7891445.exe	89
PID 804 wrote to memory of 4448	804	x7891445.exe	89
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 4448 wrote to memory of 1472	4448	g4492398.exe	91
PID 804 wrote to memory of 1300	804	x7891445.exe	98
PID 804 wrote to memory of 1300	804	x7891445.exe	98
PID 804 wrote to memory of 1300	804	x7891445.exe	98

C:\Users\Admin\AppData\Local\Temp\d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe
"C:\Users\Admin\AppData\Local\Temp\d68cfdd5c0929418d396be83be0594b2d8a830ce2ee0119290a755512a2a0d3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322352.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322352.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2281247.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2281247.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7891445.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7891445.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4492398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4492398.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 540
        7⤵
        Program crash
        
        PID:3344
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 136
        6⤵
        Program crash
        
        PID:4216
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6460800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6460800.exe
        5⤵
        Executes dropped EXE
        
        PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4448 -ip 4448
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1472 -ip 1472
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322352.exe

Filesize
827KB

MD5
4d5ab61f257d1d54a54266297286638d

SHA1
e652cf6014c8ce449f6909217edd40d817bb0505

SHA256
c1d03b677b4ef20f7b44e2ecf98e1f4a91aeb9b22d3af953bb14f40d85889638

SHA512
9da57254cba67a72aa37c89f229e27ce5ad3a4e3e732f0e73ad0a43e5aba7b471ba4bd2bb75f27f645cde95307e303633b32af9f8d125d8baac0076755493e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2322352.exe

Filesize
827KB

MD5
4d5ab61f257d1d54a54266297286638d

SHA1
e652cf6014c8ce449f6909217edd40d817bb0505

SHA256
c1d03b677b4ef20f7b44e2ecf98e1f4a91aeb9b22d3af953bb14f40d85889638

SHA512
9da57254cba67a72aa37c89f229e27ce5ad3a4e3e732f0e73ad0a43e5aba7b471ba4bd2bb75f27f645cde95307e303633b32af9f8d125d8baac0076755493e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2281247.exe

Filesize
556KB

MD5
dc5716ed0e7fb32c8e40972e3766730a

SHA1
d2999cc9e2b3b53627781da2f44c6a3fa183edc7

SHA256
89b0b74e29c9766957d2af0b7c06688ff642da2d46cf609b5f6890725420705f

SHA512
7cf9b3464c5cced5b4cbb39e61257517a81258458ed47193a45908b23730be59a3753a800596c02fc83548d15e33c631687caca8267dbae2738a19c3f42e66b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2281247.exe

Filesize
556KB

MD5
dc5716ed0e7fb32c8e40972e3766730a

SHA1
d2999cc9e2b3b53627781da2f44c6a3fa183edc7

SHA256
89b0b74e29c9766957d2af0b7c06688ff642da2d46cf609b5f6890725420705f

SHA512
7cf9b3464c5cced5b4cbb39e61257517a81258458ed47193a45908b23730be59a3753a800596c02fc83548d15e33c631687caca8267dbae2738a19c3f42e66b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7891445.exe

Filesize
390KB

MD5
a754f66b03bfba7cf4302b2a085dbd93

SHA1
1cc8433d8bb412c2ac87c74d04ac225dfa72f0eb

SHA256
8d0d785d31db869720dd5ad0c9fa76d4aac09e0ac2e4f1d72247c416ec74dcca

SHA512
3e8451edcf2c40f155a99b2bf443cc57191aaa5947756661a170fc100953a8129d197f2558dc52d09d0eb00ce3fb1e4174f183dd3b4105ebc7b3c317ba003103

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7891445.exe

Filesize
390KB

MD5
a754f66b03bfba7cf4302b2a085dbd93

SHA1
1cc8433d8bb412c2ac87c74d04ac225dfa72f0eb

SHA256
8d0d785d31db869720dd5ad0c9fa76d4aac09e0ac2e4f1d72247c416ec74dcca

SHA512
3e8451edcf2c40f155a99b2bf443cc57191aaa5947756661a170fc100953a8129d197f2558dc52d09d0eb00ce3fb1e4174f183dd3b4105ebc7b3c317ba003103

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4492398.exe

Filesize
356KB

MD5
c7c2eeadeb3ffc1748ba28b2fd1e9c06

SHA1
93c85fdd61508697e21c74723c64015d03d5a59a

SHA256
074e06b04fae91d1b6b35ee49fbfe5aca9cfc25641dc5d62614280f2796d335c

SHA512
47760a13a0f12eaa354bdaf9c78b5048603f6465d8e4345622135740e0d13d0270539f664fb08821f67564e1c0ab9229d24229a740aaa59d20cd56303e0dc60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4492398.exe

Filesize
356KB

MD5
c7c2eeadeb3ffc1748ba28b2fd1e9c06

SHA1
93c85fdd61508697e21c74723c64015d03d5a59a

SHA256
074e06b04fae91d1b6b35ee49fbfe5aca9cfc25641dc5d62614280f2796d335c

SHA512
47760a13a0f12eaa354bdaf9c78b5048603f6465d8e4345622135740e0d13d0270539f664fb08821f67564e1c0ab9229d24229a740aaa59d20cd56303e0dc60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6460800.exe

Filesize
174KB

MD5
3b0557b7dd9a017c2315aacd3901d914

SHA1
1e135d91bb2e07c2e2914ce75466c752133a3f92

SHA256
3cb811d31fb31516e4807a57bfc258bbedbd9c857c45b5650bb276a97b558e13

SHA512
51805bcc04d7ec0e91fcfde5c2f062074a125264d29ca7bbeb9105883545009ec2389bace1a5cdfd207771c5c02f00f3bc60961a6cc2dd1389150cd91e864e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6460800.exe

Filesize
174KB

MD5
3b0557b7dd9a017c2315aacd3901d914

SHA1
1e135d91bb2e07c2e2914ce75466c752133a3f92

SHA256
3cb811d31fb31516e4807a57bfc258bbedbd9c857c45b5650bb276a97b558e13

SHA512
51805bcc04d7ec0e91fcfde5c2f062074a125264d29ca7bbeb9105883545009ec2389bace1a5cdfd207771c5c02f00f3bc60961a6cc2dd1389150cd91e864e64

Download Submit
memory/1300-39-0x00000000053F0000-0x0000000005A08000-memory.dmp

Filesize
6.1MB

Download
memory/1300-41-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1300-46-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1300-45-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1300-36-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download
memory/1300-37-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/1300-44-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download
memory/1300-40-0x0000000004EE0000-0x0000000004FEA000-memory.dmp

Filesize
1.0MB

Download
memory/1300-38-0x0000000000B90000-0x0000000000B96000-memory.dmp

Filesize
24KB

Download
memory/1300-42-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

Filesize
72KB

Download
memory/1300-43-0x0000000004E10000-0x0000000004E4C000-memory.dmp

Filesize
240KB

Download
memory/1472-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1472-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1472-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1472-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads