mystic | 034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934

Analysis

max time kernel
139s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe
Size

929KB
MD5

262b9638b6245d7f8247906cbe04553c
SHA1

c8ce68f28e39e45a7d6890a173c1813ebb8687b7
SHA256

034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934
SHA512

6dc549615f579094375dee6632f2af61872c8870068589288b8794b3cf5c030c1ee2e0300eecd1dceb69c8639ae7ef9c309be8eec34f65460acb3d7d51822893
SSDEEP

24576:RyOzbJqTNy+gPifa1OUzHekU3s8xR3NXZ3:EOzbJqTNy+gq8vSp3Np

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1704-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1704-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1704-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1704-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2300	x6012042.exe
1612	x8077387.exe
4164	x4154358.exe
2984	g6584622.exe
4556	h3271332.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6012042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8077387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4154358.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 1704	2984	g6584622.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
652	2984	WerFault.exe	90
3036	1704	WerFault.exe	93

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2300	4524	034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe	87
PID 4524 wrote to memory of 2300	4524	034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe	87
PID 4524 wrote to memory of 2300	4524	034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe	87
PID 2300 wrote to memory of 1612	2300	x6012042.exe	88
PID 2300 wrote to memory of 1612	2300	x6012042.exe	88
PID 2300 wrote to memory of 1612	2300	x6012042.exe	88
PID 1612 wrote to memory of 4164	1612	x8077387.exe	89
PID 1612 wrote to memory of 4164	1612	x8077387.exe	89
PID 1612 wrote to memory of 4164	1612	x8077387.exe	89
PID 4164 wrote to memory of 2984	4164	x4154358.exe	90
PID 4164 wrote to memory of 2984	4164	x4154358.exe	90
PID 4164 wrote to memory of 2984	4164	x4154358.exe	90
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 2984 wrote to memory of 1704	2984	g6584622.exe	93
PID 4164 wrote to memory of 4556	4164	x4154358.exe	102
PID 4164 wrote to memory of 4556	4164	x4154358.exe	102
PID 4164 wrote to memory of 4556	4164	x4154358.exe	102

C:\Users\Admin\AppData\Local\Temp\034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe
"C:\Users\Admin\AppData\Local\Temp\034cce255affd598aec81c2ff724583e2188d0cce603c9145bea8ee94e151934.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6012042.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6012042.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8077387.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8077387.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4154358.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4154358.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6584622.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6584622.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 540
        7⤵
        Program crash
        
        PID:3036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 588
        6⤵
        Program crash
        
        PID:652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3271332.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3271332.exe
        5⤵
        Executes dropped EXE
        
        PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2984 -ip 2984
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1704 -ip 1704
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6012042.exe

Filesize
827KB

MD5
d39306107388a2c92c760c51faefdb14

SHA1
4b7b600ec202020545b2576e633cbee603a9b014

SHA256
c11503d255511f43a8c6b1df6d2714e89c65360c1768cb3938eee4d36f15f3f8

SHA512
addaec16d8f700890332fd98ab21d8c24379c819b7f7aed4c474ae5d11e3336742804559efbc4806eafe6fca65804ea7bef800bb3cb2cff36a6bdd3830d1a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6012042.exe

Filesize
827KB

MD5
d39306107388a2c92c760c51faefdb14

SHA1
4b7b600ec202020545b2576e633cbee603a9b014

SHA256
c11503d255511f43a8c6b1df6d2714e89c65360c1768cb3938eee4d36f15f3f8

SHA512
addaec16d8f700890332fd98ab21d8c24379c819b7f7aed4c474ae5d11e3336742804559efbc4806eafe6fca65804ea7bef800bb3cb2cff36a6bdd3830d1a944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8077387.exe

Filesize
556KB

MD5
885f246c61ed05cfb181deeea22e30b8

SHA1
12005365f3a3203e9dfa88379c9901cd5f276a29

SHA256
4f16c9a7de7b9d669b18b19bb06fa2640e5dc9d36a80babbe68555a05f74fd1f

SHA512
1cc1d8c5eb533fd09a88d6c619eb1c0975a104e658724a8e538e8c7562168fe1cb666d79f69dddb3aceac0c853afba1bdf406e1f43e653f194ad589d9a971b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8077387.exe

Filesize
556KB

MD5
885f246c61ed05cfb181deeea22e30b8

SHA1
12005365f3a3203e9dfa88379c9901cd5f276a29

SHA256
4f16c9a7de7b9d669b18b19bb06fa2640e5dc9d36a80babbe68555a05f74fd1f

SHA512
1cc1d8c5eb533fd09a88d6c619eb1c0975a104e658724a8e538e8c7562168fe1cb666d79f69dddb3aceac0c853afba1bdf406e1f43e653f194ad589d9a971b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4154358.exe

Filesize
390KB

MD5
7ea0cdad6bef554d961a7065c17f02b7

SHA1
b866342565b05fe7b96f34428135b1d7a7f59050

SHA256
221a3ec1622752510c340346dcc3fc5f3fff0453d2e897c64d970b07c9a4df22

SHA512
591493d0d39edb028891813ffff4769abbfa397885fb5fac5fd3d75a18bffbab383351b174f90c2c53c1591a70e40cdf359ac754ab8ad1a37fb755be52459247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4154358.exe

Filesize
390KB

MD5
7ea0cdad6bef554d961a7065c17f02b7

SHA1
b866342565b05fe7b96f34428135b1d7a7f59050

SHA256
221a3ec1622752510c340346dcc3fc5f3fff0453d2e897c64d970b07c9a4df22

SHA512
591493d0d39edb028891813ffff4769abbfa397885fb5fac5fd3d75a18bffbab383351b174f90c2c53c1591a70e40cdf359ac754ab8ad1a37fb755be52459247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6584622.exe

Filesize
356KB

MD5
d1330f71782aa4915cbdbf64286830df

SHA1
c74c3d08baaea3e21e187a6791761fca35007c05

SHA256
b14e1d4f52d706fce86f3051d68540e239c6145f4f0006c7881ad46aa8bf759e

SHA512
6b06892ec534caf9d3c848aab839ebfc733f12f1f4b8668225fb53231fee9ba1f63ce3813bcb1c6b6ba470d4cce88e1f633c53ec007659a9b9ea12e95a806b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6584622.exe

Filesize
356KB

MD5
d1330f71782aa4915cbdbf64286830df

SHA1
c74c3d08baaea3e21e187a6791761fca35007c05

SHA256
b14e1d4f52d706fce86f3051d68540e239c6145f4f0006c7881ad46aa8bf759e

SHA512
6b06892ec534caf9d3c848aab839ebfc733f12f1f4b8668225fb53231fee9ba1f63ce3813bcb1c6b6ba470d4cce88e1f633c53ec007659a9b9ea12e95a806b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3271332.exe

Filesize
174KB

MD5
f534e1e4043d4ce82a52d46639197fc4

SHA1
bacf63780d90b8ba47949abb5ca4652f1b6a8177

SHA256
d7cf55ff576e29a7f2ad11673293e0a7143eebb908c1170ab701e22bdb211e6a

SHA512
e52292389cae1aca6f217638ced347e712e2d2a394fabc53c9836085f478f28b800a6897a583f1a94bf9944f4636c17316e6465f0c6029c7f2f67b98feb4e378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3271332.exe

Filesize
174KB

MD5
f534e1e4043d4ce82a52d46639197fc4

SHA1
bacf63780d90b8ba47949abb5ca4652f1b6a8177

SHA256
d7cf55ff576e29a7f2ad11673293e0a7143eebb908c1170ab701e22bdb211e6a

SHA512
e52292389cae1aca6f217638ced347e712e2d2a394fabc53c9836085f478f28b800a6897a583f1a94bf9944f4636c17316e6465f0c6029c7f2f67b98feb4e378

Download Submit
memory/1704-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1704-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1704-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1704-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4556-39-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/4556-37-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/4556-38-0x0000000004C20000-0x0000000004C26000-memory.dmp

Filesize
24KB

Download
memory/4556-36-0x0000000000300000-0x0000000000330000-memory.dmp

Filesize
192KB

Download
memory/4556-40-0x0000000004DC0000-0x0000000004ECA000-memory.dmp

Filesize
1.0MB

Download
memory/4556-41-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/4556-42-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/4556-43-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/4556-44-0x0000000004D30000-0x0000000004D7C000-memory.dmp

Filesize
304KB

Download
memory/4556-45-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/4556-46-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads