mystic | 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7

Analysis

max time kernel
160s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
Size

929KB
MD5

120a44c174787e2468251b13ab4bdfb9
SHA1

a19b8b24353513645712f6d8a863d4a87fdc70be
SHA256

6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7
SHA512

036ff4f9003bc145fe8ed7336445bc61bbe6b2916851d0264adadba9f733649a774b8465b8b09fea59a6210f7388aa026a6b59b4d38ace9507cb221a15a463f7
SSDEEP

24576:ZyiBy1sjD7ZfxQZ99PazLhvZD1J9U3q2i:MkyGXJxQZrPazFd1JO3V

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2952-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2952-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2952-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2952-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3876	x1725499.exe
1584	x6482262.exe
4708	x9247759.exe
2852	g0075173.exe
4900	h0097819.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1725499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6482262.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9247759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 2952	2852	g0075173.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4392	2852	WerFault.exe	89
3748	2952	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3876	4532	6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe	86
PID 4532 wrote to memory of 3876	4532	6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe	86
PID 4532 wrote to memory of 3876	4532	6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe	86
PID 3876 wrote to memory of 1584	3876	x1725499.exe	87
PID 3876 wrote to memory of 1584	3876	x1725499.exe	87
PID 3876 wrote to memory of 1584	3876	x1725499.exe	87
PID 1584 wrote to memory of 4708	1584	x6482262.exe	88
PID 1584 wrote to memory of 4708	1584	x6482262.exe	88
PID 1584 wrote to memory of 4708	1584	x6482262.exe	88
PID 4708 wrote to memory of 2852	4708	x9247759.exe	89
PID 4708 wrote to memory of 2852	4708	x9247759.exe	89
PID 4708 wrote to memory of 2852	4708	x9247759.exe	89
PID 2852 wrote to memory of 2844	2852	g0075173.exe	91
PID 2852 wrote to memory of 2844	2852	g0075173.exe	91
PID 2852 wrote to memory of 2844	2852	g0075173.exe	91
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 2852 wrote to memory of 2952	2852	g0075173.exe	92
PID 4708 wrote to memory of 4900	4708	x9247759.exe	100
PID 4708 wrote to memory of 4900	4708	x9247759.exe	100
PID 4708 wrote to memory of 4900	4708	x9247759.exe	100

C:\Users\Admin\AppData\Local\Temp\6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
"C:\Users\Admin\AppData\Local\Temp\6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2844
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 540
        7⤵
        Program crash
        
        PID:3748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 604
        6⤵
        Program crash
        
        PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe
        5⤵
        Executes dropped EXE
        
        PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2852 -ip 2852
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 2952
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe

Filesize
827KB

MD5
2ebdc435d93120f32d30fa312119eab0

SHA1
c2ff4bab3e1ec446c9fb7b4286786a2700ddebef

SHA256
8e0aeb8776d01888fc1c556293ed8cc1f59c20cc3370d500632bc624ac7a73b0

SHA512
da0f2abe94be5175da0274eb5c8956433285939f15ceca64281a6acae86e997b6c8fdf97e050eef73b15eca4f98f429fc3097f2ef648249a93a4ba974df5c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe

Filesize
827KB

MD5
2ebdc435d93120f32d30fa312119eab0

SHA1
c2ff4bab3e1ec446c9fb7b4286786a2700ddebef

SHA256
8e0aeb8776d01888fc1c556293ed8cc1f59c20cc3370d500632bc624ac7a73b0

SHA512
da0f2abe94be5175da0274eb5c8956433285939f15ceca64281a6acae86e997b6c8fdf97e050eef73b15eca4f98f429fc3097f2ef648249a93a4ba974df5c249

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe

Filesize
555KB

MD5
2f412ad7797bea87704c7551dbad23b5

SHA1
7c6239dfd02b43566c308fe538b5fef51b1a6106

SHA256
26ad225a92c9c8152a554e2545a2371df814a6298a35ad7d37e4f4806e089e8f

SHA512
f9a0d2c8de8c7041d210e9df20af1f2a3155ca5246da1f4d9e0984b0d95a5763c2542c2a6b2890d96717219f8fb540a537a9dd3b196b2ee8f9712add7bca87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe

Filesize
555KB

MD5
2f412ad7797bea87704c7551dbad23b5

SHA1
7c6239dfd02b43566c308fe538b5fef51b1a6106

SHA256
26ad225a92c9c8152a554e2545a2371df814a6298a35ad7d37e4f4806e089e8f

SHA512
f9a0d2c8de8c7041d210e9df20af1f2a3155ca5246da1f4d9e0984b0d95a5763c2542c2a6b2890d96717219f8fb540a537a9dd3b196b2ee8f9712add7bca87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe

Filesize
389KB

MD5
adb516b98c71eb4bbd76ca4110696c67

SHA1
8d1d2906c8c36b87ebf93108d0c1ae7e8a990d07

SHA256
068b579116e1f24cb609e1eb39a97f4baab70b88fc1046b7b4ea095cc7e13c7f

SHA512
2367c8bab28c01b916befbd33cb5b83f56fd0813d5e709b4004268992ed1d790f896ad3a1d69953e7efcd42e228b922b462a8f4fcf25ac2242dccfd0ba6600e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe

Filesize
389KB

MD5
adb516b98c71eb4bbd76ca4110696c67

SHA1
8d1d2906c8c36b87ebf93108d0c1ae7e8a990d07

SHA256
068b579116e1f24cb609e1eb39a97f4baab70b88fc1046b7b4ea095cc7e13c7f

SHA512
2367c8bab28c01b916befbd33cb5b83f56fd0813d5e709b4004268992ed1d790f896ad3a1d69953e7efcd42e228b922b462a8f4fcf25ac2242dccfd0ba6600e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe

Filesize
356KB

MD5
21948e014a020f924f931d2f233a9c89

SHA1
97a5eeebd9e98967c139d6d23261b52b1b06b05c

SHA256
351ce31a07a6b9ab0d3900c7922338feb4ae6fb93c1fa9b77739176ce004dcc1

SHA512
6c3d4f4799be35d5eeb2545c487a0fb1135400b9691466abaa4d95262f7091a6e2b277376549db4366fa6ffaf433a735c8811fef85008b4881dc28910ff64a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe

Filesize
356KB

MD5
21948e014a020f924f931d2f233a9c89

SHA1
97a5eeebd9e98967c139d6d23261b52b1b06b05c

SHA256
351ce31a07a6b9ab0d3900c7922338feb4ae6fb93c1fa9b77739176ce004dcc1

SHA512
6c3d4f4799be35d5eeb2545c487a0fb1135400b9691466abaa4d95262f7091a6e2b277376549db4366fa6ffaf433a735c8811fef85008b4881dc28910ff64a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe

Filesize
174KB

MD5
d0380b704348e2db6c1d8f2870626bb3

SHA1
553821e3bfb2bcef38f14738f3f2447172f6b3e4

SHA256
a8d5970a68d20a219302e97a0472e74d2f3cb5b1853a07773297c38a7486710f

SHA512
56c9d079567e6a496d147d4f03c078a81d71d71c9cac589d75fbd4b59d93c6042acae9ea1e07c5e6ebaf57a3b6a0c90c887a49615dd227978e54b10bd1cf83d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe

Filesize
174KB

MD5
d0380b704348e2db6c1d8f2870626bb3

SHA1
553821e3bfb2bcef38f14738f3f2447172f6b3e4

SHA256
a8d5970a68d20a219302e97a0472e74d2f3cb5b1853a07773297c38a7486710f

SHA512
56c9d079567e6a496d147d4f03c078a81d71d71c9cac589d75fbd4b59d93c6042acae9ea1e07c5e6ebaf57a3b6a0c90c887a49615dd227978e54b10bd1cf83d6

Download Submit
memory/2952-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2952-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2952-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2952-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4900-39-0x00000000059B0000-0x0000000005FC8000-memory.dmp

Filesize
6.1MB

Download
memory/4900-37-0x0000000000A40000-0x0000000000A70000-memory.dmp

Filesize
192KB

Download
memory/4900-38-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/4900-36-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/4900-40-0x00000000054A0000-0x00000000055AA000-memory.dmp

Filesize
1.0MB

Download
memory/4900-42-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4900-41-0x00000000053D0000-0x00000000053E2000-memory.dmp

Filesize
72KB

Download
memory/4900-43-0x0000000005430000-0x000000000546C000-memory.dmp

Filesize
240KB

Download
memory/4900-44-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/4900-45-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4900-46-0x0000000005280000-0x00000000052CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads