mystic | d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968

Analysis

max time kernel
193s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe
Size

930KB
MD5

9f2032e3e45d94c3b45082f3aeec21cb
SHA1

9da8b01d0ff52d32bf237421ea24c345eb1c6783
SHA256

d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968
SHA512

2cf94ac12d7f34ab7d8d3f0f7ea35d55aa57870b12981416cdb83200261311bbcd323e9a74a2cc73f09d311ab019565e1c109697dce1a0f4e03079ea4981fb79
SSDEEP

12288:UMrGy90PmSFP4b1FUTfBMXZQo5itjunCiWs5H/eeQbz293s6kaT8txeLeOc6/Qsb:iyIxi1FwyXZQoJCiFH/dQe/LeH6/h

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2508-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2508-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2508-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2508-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1712	x5321897.exe
1464	x2948598.exe
1352	x0316171.exe
3504	g7511048.exe
1172	h5396663.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5321897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2948598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0316171.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 2508	3504	g7511048.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3612	3504	WerFault.exe	89
4952	2508	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1712	876	d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe	86
PID 876 wrote to memory of 1712	876	d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe	86
PID 876 wrote to memory of 1712	876	d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe	86
PID 1712 wrote to memory of 1464	1712	x5321897.exe	87
PID 1712 wrote to memory of 1464	1712	x5321897.exe	87
PID 1712 wrote to memory of 1464	1712	x5321897.exe	87
PID 1464 wrote to memory of 1352	1464	x2948598.exe	88
PID 1464 wrote to memory of 1352	1464	x2948598.exe	88
PID 1464 wrote to memory of 1352	1464	x2948598.exe	88
PID 1352 wrote to memory of 3504	1352	x0316171.exe	89
PID 1352 wrote to memory of 3504	1352	x0316171.exe	89
PID 1352 wrote to memory of 3504	1352	x0316171.exe	89
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 3504 wrote to memory of 2508	3504	g7511048.exe	91
PID 1352 wrote to memory of 1172	1352	x0316171.exe	105
PID 1352 wrote to memory of 1172	1352	x0316171.exe	105
PID 1352 wrote to memory of 1172	1352	x0316171.exe	105

C:\Users\Admin\AppData\Local\Temp\d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe
"C:\Users\Admin\AppData\Local\Temp\d17e440d22156a8f0bccb6dcd7375da5af025b86aee404f088f75a31fab8e968.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5321897.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5321897.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2948598.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2948598.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0316171.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0316171.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7511048.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7511048.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 540
        7⤵
        Program crash
        
        PID:4952
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 136
        6⤵
        Program crash
        
        PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5396663.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5396663.exe
        5⤵
        Executes dropped EXE
        
        PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2508 -ip 2508
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3504 -ip 3504
1⤵
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5321897.exe

Filesize
828KB

MD5
a68983a16f355732cc0413a705468b8b

SHA1
e2a45cc9962f7a7e606333d1501b86c096f12497

SHA256
854e152d13833763f1e5e1c4c5d7afd1edc519dde7b3c456b73c561a0498071e

SHA512
d52f2cac6ac937304f1dd71819686aaa842dcadb702895d0fc3e35ada80bd2a1efd94f27c8def6d019942aed25ba879016a7d90cfc1d53f59bf7106783e0d639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5321897.exe

Filesize
828KB

MD5
a68983a16f355732cc0413a705468b8b

SHA1
e2a45cc9962f7a7e606333d1501b86c096f12497

SHA256
854e152d13833763f1e5e1c4c5d7afd1edc519dde7b3c456b73c561a0498071e

SHA512
d52f2cac6ac937304f1dd71819686aaa842dcadb702895d0fc3e35ada80bd2a1efd94f27c8def6d019942aed25ba879016a7d90cfc1d53f59bf7106783e0d639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2948598.exe

Filesize
555KB

MD5
523927b8552bea0d8e13dc7db25146fb

SHA1
1419879fddde9db0b66b98fae7649fb88f91c676

SHA256
75944944ab723ab77b835f30500273cc8be14b528bde1cef399dff82f3bddcfd

SHA512
6dd60b9148190208c15ac18d0ecd60d9dc40d41480ae9f0e250d6ea817697e6f392b40a313942557d1b576467be66bb73114cb64fbd1b49d0fcb611322b7784d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2948598.exe

Filesize
555KB

MD5
523927b8552bea0d8e13dc7db25146fb

SHA1
1419879fddde9db0b66b98fae7649fb88f91c676

SHA256
75944944ab723ab77b835f30500273cc8be14b528bde1cef399dff82f3bddcfd

SHA512
6dd60b9148190208c15ac18d0ecd60d9dc40d41480ae9f0e250d6ea817697e6f392b40a313942557d1b576467be66bb73114cb64fbd1b49d0fcb611322b7784d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0316171.exe

Filesize
389KB

MD5
64eab73a20b2ca4878ccd0f4fd9509e1

SHA1
2217f5b971032306cd2b7610725709b3dc433532

SHA256
6e30d171b311a8f5b1227444ced4732d5fdbe6b8ee01b3d562b3519c1d61bdb0

SHA512
1e86648a3a71e4b4545b818881e76a019881a16c770aa2dc46716763ce105537cf3f5b7e193e62be159c5d82b8b9ed2249234061b950a445e3b44f6aa8298dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0316171.exe

Filesize
389KB

MD5
64eab73a20b2ca4878ccd0f4fd9509e1

SHA1
2217f5b971032306cd2b7610725709b3dc433532

SHA256
6e30d171b311a8f5b1227444ced4732d5fdbe6b8ee01b3d562b3519c1d61bdb0

SHA512
1e86648a3a71e4b4545b818881e76a019881a16c770aa2dc46716763ce105537cf3f5b7e193e62be159c5d82b8b9ed2249234061b950a445e3b44f6aa8298dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7511048.exe

Filesize
356KB

MD5
d0ff0435b193d1206a608e03a399345c

SHA1
88ba574545f9421d1ba4678e55e83b8ff0fd2c87

SHA256
114a1ba67d7f8f785ec836d3be3072244cc4c7eb3bc10f6669f008e69c576e88

SHA512
4303f8ff768b422272e9b2593ac89b6eb9f0da4832dfa127a8fcb7c343bb0d36d896ee3d3e09a81c461236ce8ca76b140e1b284b1387547680f71630e15e9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7511048.exe

Filesize
356KB

MD5
d0ff0435b193d1206a608e03a399345c

SHA1
88ba574545f9421d1ba4678e55e83b8ff0fd2c87

SHA256
114a1ba67d7f8f785ec836d3be3072244cc4c7eb3bc10f6669f008e69c576e88

SHA512
4303f8ff768b422272e9b2593ac89b6eb9f0da4832dfa127a8fcb7c343bb0d36d896ee3d3e09a81c461236ce8ca76b140e1b284b1387547680f71630e15e9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5396663.exe

Filesize
174KB

MD5
fb101fbfd01481920350f75401b6e014

SHA1
3463247f00390a5e315163ce8e3fe6357f807e00

SHA256
605c8d6b71f6771a6ea1168ba143950351dd40b9adfa8b7001f9cca128fe06c1

SHA512
45dd1658543a78d0c8e55ff0cbb115b2c8e8ff1eed0df9cb594c6812657f3f7f165e1761b348f3524308bd5abb1ecd1a3afde37c2f87af296f8988e152c54eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5396663.exe

Filesize
174KB

MD5
fb101fbfd01481920350f75401b6e014

SHA1
3463247f00390a5e315163ce8e3fe6357f807e00

SHA256
605c8d6b71f6771a6ea1168ba143950351dd40b9adfa8b7001f9cca128fe06c1

SHA512
45dd1658543a78d0c8e55ff0cbb115b2c8e8ff1eed0df9cb594c6812657f3f7f165e1761b348f3524308bd5abb1ecd1a3afde37c2f87af296f8988e152c54eb8

Download Submit
memory/1172-39-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1172-40-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/1172-46-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/1172-45-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1172-36-0x0000000000B60000-0x0000000000B90000-memory.dmp

Filesize
192KB

Download
memory/1172-37-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1172-44-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/1172-43-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/1172-38-0x0000000005340000-0x0000000005346000-memory.dmp

Filesize
24KB

Download
memory/1172-41-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/1172-42-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/2508-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2508-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads