mystic | 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9

Analysis

max time kernel
151s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
Size

1.0MB
MD5

f866e8c43a85c50cc717ae40adb5cb6d
SHA1

015f7d1090741a56bcf4179ce82b2d0f9e292ee6
SHA256

78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9
SHA512

973d56b7c06009415d96ccc7fd4012c2c8b97262bf05c22f69c2ef0161972b56abee12fd37a2c808b72e32c6d922da64c5ace3d319d9107c847f9c0b4c28628b
SSDEEP

24576:CylZiL54xBHHS0Ay615EFKrzfOdpCidbjTRelK1:pmd7MA5EErzYpCi1ReM

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1000-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1000-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1000-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1000-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1976	x0330471.exe
3664	x3821732.exe
3936	x6844263.exe
4700	x5348639.exe
2676	g6634113.exe
4168	h6807148.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0330471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3821732.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6844263.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x5348639.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 1000	2676	g6634113.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2884	1000	WerFault.exe	94
4544	2676	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 1976	3120	78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe	88
PID 3120 wrote to memory of 1976	3120	78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe	88
PID 3120 wrote to memory of 1976	3120	78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe	88
PID 1976 wrote to memory of 3664	1976	x0330471.exe	89
PID 1976 wrote to memory of 3664	1976	x0330471.exe	89
PID 1976 wrote to memory of 3664	1976	x0330471.exe	89
PID 3664 wrote to memory of 3936	3664	x3821732.exe	90
PID 3664 wrote to memory of 3936	3664	x3821732.exe	90
PID 3664 wrote to memory of 3936	3664	x3821732.exe	90
PID 3936 wrote to memory of 4700	3936	x6844263.exe	91
PID 3936 wrote to memory of 4700	3936	x6844263.exe	91
PID 3936 wrote to memory of 4700	3936	x6844263.exe	91
PID 4700 wrote to memory of 2676	4700	x5348639.exe	92
PID 4700 wrote to memory of 2676	4700	x5348639.exe	92
PID 4700 wrote to memory of 2676	4700	x5348639.exe	92
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 2676 wrote to memory of 1000	2676	g6634113.exe	94
PID 4700 wrote to memory of 4168	4700	x5348639.exe	101
PID 4700 wrote to memory of 4168	4700	x5348639.exe	101
PID 4700 wrote to memory of 4168	4700	x5348639.exe	101

C:\Users\Admin\AppData\Local\Temp\78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
"C:\Users\Admin\AppData\Local\Temp\78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 196
        8⤵
        Program crash
        
        PID:2884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 588
        7⤵
        Program crash
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe
        6⤵
        Executes dropped EXE
        
        PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2676 -ip 2676
1⤵
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1000 -ip 1000
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe

Filesize
928KB

MD5
1dd0105374ed2849af4fbea60dc1263a

SHA1
0f999680dc964fec21909d0e21046961218de86e

SHA256
1e6630a4833e362af70b912da480bb86c9fcd9501ddbc5e2b1ebc78a31c404d4

SHA512
8c6cd78ade80d95af64cf2f1e192e9214f0f9bc0cef0532371af8ec7171ad12b5a91ac81ff372446fea0929f81153182e8a9c155fcc323de8b9fa3768185ba9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe

Filesize
928KB

MD5
1dd0105374ed2849af4fbea60dc1263a

SHA1
0f999680dc964fec21909d0e21046961218de86e

SHA256
1e6630a4833e362af70b912da480bb86c9fcd9501ddbc5e2b1ebc78a31c404d4

SHA512
8c6cd78ade80d95af64cf2f1e192e9214f0f9bc0cef0532371af8ec7171ad12b5a91ac81ff372446fea0929f81153182e8a9c155fcc323de8b9fa3768185ba9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe

Filesize
746KB

MD5
78ca9edc41564d56fb90571b9a760164

SHA1
aaa18dcc7e28adeb383d9bc65a8421d7df8ea88b

SHA256
67781bf140b0bb77a91f0d1f9f70a02bf4b4751ca725df38bb783ede01dda5d2

SHA512
719d14eefcacb4063317d8699f6ff2ac829c7df2d4cab99bc4967d5dd8074bf970b63f46b4668d7e0efa64246d86b22f91ff56417e07293affe3032772f4ccf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe

Filesize
746KB

MD5
78ca9edc41564d56fb90571b9a760164

SHA1
aaa18dcc7e28adeb383d9bc65a8421d7df8ea88b

SHA256
67781bf140b0bb77a91f0d1f9f70a02bf4b4751ca725df38bb783ede01dda5d2

SHA512
719d14eefcacb4063317d8699f6ff2ac829c7df2d4cab99bc4967d5dd8074bf970b63f46b4668d7e0efa64246d86b22f91ff56417e07293affe3032772f4ccf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe

Filesize
515KB

MD5
8e7430a8c392dbebc0ddda6a1c170287

SHA1
6494942f39b9e1d8dc2d2afd20c535aeb6f0f276

SHA256
4aab8d2920bac28a115141e6dd41242aeda80941d6f9b46ee22e3eb8326f64c6

SHA512
67a5c9fea06e695801b11cde9ec7a04cda12b283e83a9a79b203157c177858547ba88f8d696373403466a2067fba2470b234981aad1bf0a96897a3cfeae99296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe

Filesize
515KB

MD5
8e7430a8c392dbebc0ddda6a1c170287

SHA1
6494942f39b9e1d8dc2d2afd20c535aeb6f0f276

SHA256
4aab8d2920bac28a115141e6dd41242aeda80941d6f9b46ee22e3eb8326f64c6

SHA512
67a5c9fea06e695801b11cde9ec7a04cda12b283e83a9a79b203157c177858547ba88f8d696373403466a2067fba2470b234981aad1bf0a96897a3cfeae99296

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe

Filesize
350KB

MD5
fe0baded9f0b055f0824d99b647b032d

SHA1
b7dffbb66bd35adc884850adaaa130564b8fcb22

SHA256
57903b2af8c1ba2b88b3caee1457622209b6eae85cb14cb4b9cba8fff4b9def2

SHA512
0b8e1cc86883c3844466f7c668036ade6bac507c780f290f584a3d5d5fdb68b2bc4aee915519732336a16a301f4e6ddf9d56db96941fd5c7c441c0288505fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe

Filesize
350KB

MD5
fe0baded9f0b055f0824d99b647b032d

SHA1
b7dffbb66bd35adc884850adaaa130564b8fcb22

SHA256
57903b2af8c1ba2b88b3caee1457622209b6eae85cb14cb4b9cba8fff4b9def2

SHA512
0b8e1cc86883c3844466f7c668036ade6bac507c780f290f584a3d5d5fdb68b2bc4aee915519732336a16a301f4e6ddf9d56db96941fd5c7c441c0288505fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe

Filesize
276KB

MD5
4186d77c96511ae22ef295132a469f08

SHA1
da0498d6bc8ae72ba77910879523e47875e6a9bf

SHA256
28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa

SHA512
e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe

Filesize
276KB

MD5
4186d77c96511ae22ef295132a469f08

SHA1
da0498d6bc8ae72ba77910879523e47875e6a9bf

SHA256
28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa

SHA512
e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe

Filesize
174KB

MD5
7727cb9dfbd2bd64f3a2968fbdab2f63

SHA1
04cbeb69bae8507360a26e4941e8ff74f5258a48

SHA256
72e38390bd5b6ff77efb4ca5e619385938cc57984b6c87048750cd952113b357

SHA512
84a6c6a3c58d7cdd71b36e5513d4a662f4c9ff8069c4dc44d03bb92921d7eb42a8ec04963d80f22e5b7441bbf446be94666752ca78547e0d9c9a43833de7949a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe

Filesize
174KB

MD5
7727cb9dfbd2bd64f3a2968fbdab2f63

SHA1
04cbeb69bae8507360a26e4941e8ff74f5258a48

SHA256
72e38390bd5b6ff77efb4ca5e619385938cc57984b6c87048750cd952113b357

SHA512
84a6c6a3c58d7cdd71b36e5513d4a662f4c9ff8069c4dc44d03bb92921d7eb42a8ec04963d80f22e5b7441bbf446be94666752ca78547e0d9c9a43833de7949a

Download Submit
memory/1000-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1000-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1000-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1000-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4168-46-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/4168-44-0x00000000009E0000-0x0000000000A10000-memory.dmp

Filesize
192KB

Download
memory/4168-45-0x0000000002BD0000-0x0000000002BD6000-memory.dmp

Filesize
24KB

Download
memory/4168-43-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/4168-47-0x000000000AE10000-0x000000000B428000-memory.dmp

Filesize
6.1MB

Download
memory/4168-48-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/4168-49-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/4168-50-0x000000000A8D0000-0x000000000A8E2000-memory.dmp

Filesize
72KB

Download
memory/4168-51-0x000000000A930000-0x000000000A96C000-memory.dmp

Filesize
240KB

Download
memory/4168-52-0x0000000005200000-0x000000000524C000-memory.dmp

Filesize
304KB

Download
memory/4168-53-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads