mystic | 1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736

Analysis

max time kernel
136s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe
Size

1.1MB
MD5

c950b18ebc6ae5c21fecb0636a2c8dc9
SHA1

cdda4b3641169d68c3aa43ba69b81c0bf39ddd74
SHA256

1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736
SHA512

1b7a40f3c941f5aad8b23fcc5dd11a839bd7f47218702ff7c7dd5154fbfbf5a2d2430ef22daff3728fca9260ccccbdd3e53e38cd3952fdaf39f8bd14e9b4d16f
SSDEEP

24576:Vy1CjMtIxQaliYA3hyJlsgdt7FA8BtScx:w1qMi2HTim4tS8

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2712-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2712-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2712-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2712-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1528	x6211296.exe
4940	x4170473.exe
4564	x9646728.exe
1304	g5303443.exe
3092	h9808887.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6211296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4170473.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9646728.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 2712	1304	g5303443.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2028	2712	WerFault.exe	95
2924	1304	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 1528	4048	1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe	86
PID 4048 wrote to memory of 1528	4048	1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe	86
PID 4048 wrote to memory of 1528	4048	1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe	86
PID 1528 wrote to memory of 4940	1528	x6211296.exe	87
PID 1528 wrote to memory of 4940	1528	x6211296.exe	87
PID 1528 wrote to memory of 4940	1528	x6211296.exe	87
PID 4940 wrote to memory of 4564	4940	x4170473.exe	89
PID 4940 wrote to memory of 4564	4940	x4170473.exe	89
PID 4940 wrote to memory of 4564	4940	x4170473.exe	89
PID 4564 wrote to memory of 1304	4564	x9646728.exe	92
PID 4564 wrote to memory of 1304	4564	x9646728.exe	92
PID 4564 wrote to memory of 1304	4564	x9646728.exe	92
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 1304 wrote to memory of 2712	1304	g5303443.exe	95
PID 4564 wrote to memory of 3092	4564	x9646728.exe	102
PID 4564 wrote to memory of 3092	4564	x9646728.exe	102
PID 4564 wrote to memory of 3092	4564	x9646728.exe	102

C:\Users\Admin\AppData\Local\Temp\1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe
"C:\Users\Admin\AppData\Local\Temp\1787a1fa6e7758008391e962b6911100817801e799b4752c50879de555b5e736.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6211296.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6211296.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4170473.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4170473.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9646728.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9646728.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4564
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5303443.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5303443.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1304
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 540
        7⤵
        Program crash
        
        PID:2028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 140
        6⤵
        Program crash
        
        PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9808887.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9808887.exe
        5⤵
        Executes dropped EXE
        
        PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2712 -ip 2712
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1304 -ip 1304
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6211296.exe

Filesize
1.0MB

MD5
9385f6f1acb94c2dbb2832a27e0e6d30

SHA1
e451fc87bbefb0bef92eecfb71dda4fce00a4b9b

SHA256
163d9e5ad1c77fc4271e87da25ff698c099326c1591970d4768d704158af2d73

SHA512
73159abc24ea2d51d15d893becd8d3e411359b02f3dd1b87c298a059ef14789c1690b694bde25080b6df1bbf9e3b6b713acbbe3adf81d6a3fad524ec79e01707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6211296.exe

Filesize
1.0MB

MD5
9385f6f1acb94c2dbb2832a27e0e6d30

SHA1
e451fc87bbefb0bef92eecfb71dda4fce00a4b9b

SHA256
163d9e5ad1c77fc4271e87da25ff698c099326c1591970d4768d704158af2d73

SHA512
73159abc24ea2d51d15d893becd8d3e411359b02f3dd1b87c298a059ef14789c1690b694bde25080b6df1bbf9e3b6b713acbbe3adf81d6a3fad524ec79e01707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4170473.exe

Filesize
675KB

MD5
b82d16df74f98edb4f79c3acc52c8798

SHA1
09c3b79bc4029f6d917b6a8a78a9c922135f167a

SHA256
6d30857b84efa6270b941e8ffad76dd94511bace9ba0ce1e31c314c5911400d5

SHA512
95d58defe224f5cb758944468f6d357f67df2ae72c6b91b83b876c3e39182ce0d7796fb04a00e1d1532496af0678209f361948f61fd6fb4d9356b65fb5cfe479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4170473.exe

Filesize
675KB

MD5
b82d16df74f98edb4f79c3acc52c8798

SHA1
09c3b79bc4029f6d917b6a8a78a9c922135f167a

SHA256
6d30857b84efa6270b941e8ffad76dd94511bace9ba0ce1e31c314c5911400d5

SHA512
95d58defe224f5cb758944468f6d357f67df2ae72c6b91b83b876c3e39182ce0d7796fb04a00e1d1532496af0678209f361948f61fd6fb4d9356b65fb5cfe479

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9646728.exe

Filesize
509KB

MD5
3e0c333ed134ba6892b9979a11bb74fc

SHA1
041369264f3ea172d1ef862b6f176c48eac0d9c9

SHA256
d46bbc48dc68fda891faf6570a413a1c4dbb12d2b6db4db900d9e56e2dcbd825

SHA512
a8ec70a06626df780c0728ce0d7d79eec9873c849b6bfd26363bc1ac708f0e1f8222083545ac55c5cee645f23caa76d3c09f14198aa37f9fe2a4e920f591e3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9646728.exe

Filesize
509KB

MD5
3e0c333ed134ba6892b9979a11bb74fc

SHA1
041369264f3ea172d1ef862b6f176c48eac0d9c9

SHA256
d46bbc48dc68fda891faf6570a413a1c4dbb12d2b6db4db900d9e56e2dcbd825

SHA512
a8ec70a06626df780c0728ce0d7d79eec9873c849b6bfd26363bc1ac708f0e1f8222083545ac55c5cee645f23caa76d3c09f14198aa37f9fe2a4e920f591e3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5303443.exe

Filesize
1016KB

MD5
d8566b9b323c85d2ebd3245cc6ee060b

SHA1
ad3c6a2904a10363578ec3e71111c1989aebf9d3

SHA256
cca845f3b1196393f92375454d622f4e0d6c8737e7acf37f534bd90b25eba1b4

SHA512
4fcb8fc53e3d275da6d46a1520a12369413e61221f0e5a0f66e0dfb783be9f26acb4fc3abbfe75bff0a4de96b9916e608b4dcaf0c14d1f192618e720c9b5b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5303443.exe

Filesize
1016KB

MD5
d8566b9b323c85d2ebd3245cc6ee060b

SHA1
ad3c6a2904a10363578ec3e71111c1989aebf9d3

SHA256
cca845f3b1196393f92375454d622f4e0d6c8737e7acf37f534bd90b25eba1b4

SHA512
4fcb8fc53e3d275da6d46a1520a12369413e61221f0e5a0f66e0dfb783be9f26acb4fc3abbfe75bff0a4de96b9916e608b4dcaf0c14d1f192618e720c9b5b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9808887.exe

Filesize
174KB

MD5
2354ff9e8f82ed687962f7f221268003

SHA1
2a70500a392af030852c42d75e384d7293298d1c

SHA256
b396c1174d43349150114404efa9ea66373b3708d041cf5adcc512f51aef5a14

SHA512
275be8dbf148be7ca2821b9d052b4fc89ecfc3aeac89305533e33e6c2b659a6c744de275b906d4574e38dc49c850d10fb6099e0ca8f524afa1ee63d74deb283a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9808887.exe

Filesize
174KB

MD5
2354ff9e8f82ed687962f7f221268003

SHA1
2a70500a392af030852c42d75e384d7293298d1c

SHA256
b396c1174d43349150114404efa9ea66373b3708d041cf5adcc512f51aef5a14

SHA512
275be8dbf148be7ca2821b9d052b4fc89ecfc3aeac89305533e33e6c2b659a6c744de275b906d4574e38dc49c850d10fb6099e0ca8f524afa1ee63d74deb283a

Download Submit
memory/2712-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2712-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2712-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2712-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3092-39-0x0000000005E30000-0x0000000006448000-memory.dmp

Filesize
6.1MB

Download
memory/3092-37-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/3092-38-0x0000000005520000-0x0000000005526000-memory.dmp

Filesize
24KB

Download
memory/3092-36-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/3092-40-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3092-41-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/3092-42-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/3092-43-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/3092-44-0x00000000058B0000-0x00000000058FC000-memory.dmp

Filesize
304KB

Download
memory/3092-45-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/3092-46-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads