mystic | 1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09

Analysis

max time kernel
172s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe
Size

928KB
MD5

8a5caf15a8c70fce4cfb968409d66eba
SHA1

aeac8f699219fd85bd7a95929e42559604e6ddc1
SHA256

1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09
SHA512

821fc813fa7280be1d9c53ed486348207184212c22701974f6145d52f68f9df9d6afbd2911fb0f12302c380c2a4c9e6c96f18201aa6552a302eb79674c489f67
SSDEEP

24576:9y4wAFsQ4we3rtLuy/03jhgTuGhq6SniF:Y4wkfKrtFmOTuGhqu

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3076-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3076-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3076-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3076-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
812	x1481112.exe
1468	x2689925.exe
2820	x1172542.exe
3744	g1375864.exe
4464	h4095262.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1481112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2689925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1172542.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 3076	3744	g1375864.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3688	3076	WerFault.exe	93
60	3744	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 812	536	1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe	86
PID 536 wrote to memory of 812	536	1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe	86
PID 536 wrote to memory of 812	536	1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe	86
PID 812 wrote to memory of 1468	812	x1481112.exe	87
PID 812 wrote to memory of 1468	812	x1481112.exe	87
PID 812 wrote to memory of 1468	812	x1481112.exe	87
PID 1468 wrote to memory of 2820	1468	x2689925.exe	88
PID 1468 wrote to memory of 2820	1468	x2689925.exe	88
PID 1468 wrote to memory of 2820	1468	x2689925.exe	88
PID 2820 wrote to memory of 3744	2820	x1172542.exe	89
PID 2820 wrote to memory of 3744	2820	x1172542.exe	89
PID 2820 wrote to memory of 3744	2820	x1172542.exe	89
PID 3744 wrote to memory of 2604	3744	g1375864.exe	92
PID 3744 wrote to memory of 2604	3744	g1375864.exe	92
PID 3744 wrote to memory of 2604	3744	g1375864.exe	92
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 3744 wrote to memory of 3076	3744	g1375864.exe	93
PID 2820 wrote to memory of 4464	2820	x1172542.exe	99
PID 2820 wrote to memory of 4464	2820	x1172542.exe	99
PID 2820 wrote to memory of 4464	2820	x1172542.exe	99

C:\Users\Admin\AppData\Local\Temp\1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe
"C:\Users\Admin\AppData\Local\Temp\1c629958e1c5d0ef1ba58f7e917271d33c0e5bd156802918200e57b64e2cdc09.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481112.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481112.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2689925.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2689925.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1172542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1172542.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1375864.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1375864.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3744
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2604
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 540
        7⤵
        Program crash
        
        PID:3688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 596
        6⤵
        Program crash
        
        PID:60
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4095262.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4095262.exe
        5⤵
        Executes dropped EXE
        
        PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3076 -ip 3076
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3744 -ip 3744
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481112.exe

Filesize
828KB

MD5
c1a8f99ca19bda0b3a10bce13478b9bc

SHA1
43d6ce7ec0b0c770d8dccd75aafc21ca710099c0

SHA256
50f23ac31a0e2ed35fbdf8a8c63c34bcdbba2ca32e067a9f5e0500e4f2d61d8a

SHA512
1a91e391a73a50cc0d09f572a7a06991b368b3687553784f5b3fc44ef2197deaf5f99f47d2a104f7bf651ecbd631546301719d2a7baad998ab261a050cec3d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1481112.exe

Filesize
828KB

MD5
c1a8f99ca19bda0b3a10bce13478b9bc

SHA1
43d6ce7ec0b0c770d8dccd75aafc21ca710099c0

SHA256
50f23ac31a0e2ed35fbdf8a8c63c34bcdbba2ca32e067a9f5e0500e4f2d61d8a

SHA512
1a91e391a73a50cc0d09f572a7a06991b368b3687553784f5b3fc44ef2197deaf5f99f47d2a104f7bf651ecbd631546301719d2a7baad998ab261a050cec3d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2689925.exe

Filesize
555KB

MD5
86752d2472117bc1bf565a7aa0c9344b

SHA1
1abef02d57621ef4b57fa11e94ab3c0a1e8b6e31

SHA256
7cb9c6af3283e77f00676e5875cd0f74cc8480c8f29559307521d862c308f1c5

SHA512
d510e303e2af8025fe69bae3ac8eb7cfe4a015de0acfa2a73b2c0d588e827e023fe6be2ba77aa1d0a9d02fb02fd3e2e3cc6ffc6df75d01d277ef4ba90bdbf3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2689925.exe

Filesize
555KB

MD5
86752d2472117bc1bf565a7aa0c9344b

SHA1
1abef02d57621ef4b57fa11e94ab3c0a1e8b6e31

SHA256
7cb9c6af3283e77f00676e5875cd0f74cc8480c8f29559307521d862c308f1c5

SHA512
d510e303e2af8025fe69bae3ac8eb7cfe4a015de0acfa2a73b2c0d588e827e023fe6be2ba77aa1d0a9d02fb02fd3e2e3cc6ffc6df75d01d277ef4ba90bdbf3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1172542.exe

Filesize
389KB

MD5
5d51395f9c386207ec0f974afe939fb9

SHA1
6862315c0e9eaba72c477d9f1d66fadcb18a5878

SHA256
716c74f8887a4997d16404fa9d11b8e7d207f91dfd83d0eb9b86ae12db50efb2

SHA512
6ee4ea375e72fea82703395f4a5ee315bf54cdceaa97fb9149f1c7e18344e2e90b4bd26177af1422412334f0d5492091587596df434c656d869bdbbb69723e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1172542.exe

Filesize
389KB

MD5
5d51395f9c386207ec0f974afe939fb9

SHA1
6862315c0e9eaba72c477d9f1d66fadcb18a5878

SHA256
716c74f8887a4997d16404fa9d11b8e7d207f91dfd83d0eb9b86ae12db50efb2

SHA512
6ee4ea375e72fea82703395f4a5ee315bf54cdceaa97fb9149f1c7e18344e2e90b4bd26177af1422412334f0d5492091587596df434c656d869bdbbb69723e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1375864.exe

Filesize
356KB

MD5
2e26324e6bc278a965bc4c9bb90d340c

SHA1
51b40440965c1de24f6aac349221ee6ba9612601

SHA256
44b7868fe3a50c7a63c14fafaac27a7bd1abc27bd28698c11b02ef2533050150

SHA512
bc50e3b15f108b0ae948c1b5f5b6d2c14a39747063ecd0531824894363acf2b6257b6925c95b3151629092531183e032fa76f76eced0ceaec09c43f52c786b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1375864.exe

Filesize
356KB

MD5
2e26324e6bc278a965bc4c9bb90d340c

SHA1
51b40440965c1de24f6aac349221ee6ba9612601

SHA256
44b7868fe3a50c7a63c14fafaac27a7bd1abc27bd28698c11b02ef2533050150

SHA512
bc50e3b15f108b0ae948c1b5f5b6d2c14a39747063ecd0531824894363acf2b6257b6925c95b3151629092531183e032fa76f76eced0ceaec09c43f52c786b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4095262.exe

Filesize
174KB

MD5
2c9d436f9829b15eae1bdd2ec7aa6173

SHA1
1cba02b2b16221cbae23d99385e70bf279dfdc81

SHA256
5132e0f82a4fc1f35fc5ae4689531ee9c8c270787f3cf38e2285a04822bc5847

SHA512
809909fb6b07fa54b08307190117db24be84529af99190ae5ac9ac41520cffbf3ed23a9880e0b68498721be709939c337dd9ff781343ccabf44bd86eba7133d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4095262.exe

Filesize
174KB

MD5
2c9d436f9829b15eae1bdd2ec7aa6173

SHA1
1cba02b2b16221cbae23d99385e70bf279dfdc81

SHA256
5132e0f82a4fc1f35fc5ae4689531ee9c8c270787f3cf38e2285a04822bc5847

SHA512
809909fb6b07fa54b08307190117db24be84529af99190ae5ac9ac41520cffbf3ed23a9880e0b68498721be709939c337dd9ff781343ccabf44bd86eba7133d5

Download Submit
memory/3076-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4464-39-0x00000000055B0000-0x0000000005BC8000-memory.dmp

Filesize
6.1MB

Download
memory/4464-37-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/4464-38-0x0000000004F30000-0x0000000004F36000-memory.dmp

Filesize
24KB

Download
memory/4464-36-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4464-40-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/4464-41-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4464-42-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/4464-43-0x0000000005040000-0x000000000507C000-memory.dmp

Filesize
240KB

Download
memory/4464-44-0x00000000051B0000-0x00000000051FC000-memory.dmp

Filesize
304KB

Download
memory/4464-45-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4464-46-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads