mystic | af72dab6219eb934a7b0b7a1b69fceb6c6ad9ff276c8025c8daca56e2b6d012b

Analysis

max time kernel
148s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe
Size

907KB
MD5

33630f9cca0b659a6913b272f751f39a
SHA1

d5dadc51d2be29c9d4484c0c0ba614f3322c0674
SHA256

e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e
SHA512

c4ede52bc820fd31e21d13ae92d99cd9ced943f0fe7fd38c6b68b954e2149fe94bab5fe1c91725711a12c042d4c4bb44ec795accf4100bbeae7702a8a45c05b7
SSDEEP

12288:7MrWy90WFCISEeg7QdgSBy52t4mURVIMhiYe54v0Mr0HvPm2tV//PjTRYu+:JyjeTggybRxzhUx7//fyu+

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1780-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1780-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1780-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1780-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2404	x1118482.exe
1568	x6867102.exe
3500	x9629096.exe
4668	g0479760.exe
2212	h1984855.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1118482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6867102.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9629096.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 1780	4668	g0479760.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4844	4668	WerFault.exe	89
2920	1780	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2404	3852	e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe	86
PID 3852 wrote to memory of 2404	3852	e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe	86
PID 3852 wrote to memory of 2404	3852	e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe	86
PID 2404 wrote to memory of 1568	2404	x1118482.exe	87
PID 2404 wrote to memory of 1568	2404	x1118482.exe	87
PID 2404 wrote to memory of 1568	2404	x1118482.exe	87
PID 1568 wrote to memory of 3500	1568	x6867102.exe	88
PID 1568 wrote to memory of 3500	1568	x6867102.exe	88
PID 1568 wrote to memory of 3500	1568	x6867102.exe	88
PID 3500 wrote to memory of 4668	3500	x9629096.exe	89
PID 3500 wrote to memory of 4668	3500	x9629096.exe	89
PID 3500 wrote to memory of 4668	3500	x9629096.exe	89
PID 4668 wrote to memory of 4592	4668	g0479760.exe	91
PID 4668 wrote to memory of 4592	4668	g0479760.exe	91
PID 4668 wrote to memory of 4592	4668	g0479760.exe	91
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 4668 wrote to memory of 1780	4668	g0479760.exe	92
PID 3500 wrote to memory of 2212	3500	x9629096.exe	101
PID 3500 wrote to memory of 2212	3500	x9629096.exe	101
PID 3500 wrote to memory of 2212	3500	x9629096.exe	101

C:\Users\Admin\AppData\Local\Temp\e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe
"C:\Users\Admin\AppData\Local\Temp\e5f54ad86a0f57d47f032a01ee8ac7e36c520e32193edceadad1ce394a6dbc6e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1118482.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1118482.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6867102.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6867102.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9629096.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9629096.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0479760.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0479760.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4592
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 540
        7⤵
        Program crash
        
        PID:2920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 572
        6⤵
        Program crash
        
        PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1984855.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1984855.exe
        5⤵
        Executes dropped EXE
        
        PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4668 -ip 4668
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1780 -ip 1780
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1118482.exe

Filesize
805KB

MD5
1301b2bd99c3ccee106dc63a26edd908

SHA1
5721e9751b2ea7d9a2c6ce4da0a3922a0b09c508

SHA256
d93639bdf2fd29849b3fbe78edf4da36d87fdb1d1043520a6437f6950f842cc3

SHA512
22c3aa1952300857965f2d2073a6d0bdcac82262fdec28d870680bb57ef8ff3b3d0ca59f6ff5289da548eee6d85bf91110074d984cee73efc86e38b8e7eb3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1118482.exe

Filesize
805KB

MD5
1301b2bd99c3ccee106dc63a26edd908

SHA1
5721e9751b2ea7d9a2c6ce4da0a3922a0b09c508

SHA256
d93639bdf2fd29849b3fbe78edf4da36d87fdb1d1043520a6437f6950f842cc3

SHA512
22c3aa1952300857965f2d2073a6d0bdcac82262fdec28d870680bb57ef8ff3b3d0ca59f6ff5289da548eee6d85bf91110074d984cee73efc86e38b8e7eb3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6867102.exe

Filesize
545KB

MD5
c9da13f0d0a692e804ba335c3b681f11

SHA1
76de42d0bf6eb719f88c5e14430111bf14319509

SHA256
ab15196622280b7ce00156ed0c16b3756c4b58102e2d38269bb434dabc99541c

SHA512
7034b345ac40b57ad5de2a0d1a5f2e5e5c7bdb517f8c021677cff2e9143194c6dde1f82086d73ec923fde0b7be387021e3e87854cc681b46351150c6db6b0696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6867102.exe

Filesize
545KB

MD5
c9da13f0d0a692e804ba335c3b681f11

SHA1
76de42d0bf6eb719f88c5e14430111bf14319509

SHA256
ab15196622280b7ce00156ed0c16b3756c4b58102e2d38269bb434dabc99541c

SHA512
7034b345ac40b57ad5de2a0d1a5f2e5e5c7bdb517f8c021677cff2e9143194c6dde1f82086d73ec923fde0b7be387021e3e87854cc681b46351150c6db6b0696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9629096.exe

Filesize
379KB

MD5
706bb63bef1aad4ddff57d5b0898e1dc

SHA1
a14a4c75d29857d61c3d0527d28ad12b80eab992

SHA256
381893df2cfa9df2abf38b31aeb7b3d3a8d5bea1c69be6b1f3e303f43f9390bd

SHA512
f2394c0d42fc34007359c9f1562cd4ae115b79ffab4f384ef40372bc13e8acda7e9893bd0eba8e6857691816582a42870775183db7bb1a9c7aef8228b64b4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9629096.exe

Filesize
379KB

MD5
706bb63bef1aad4ddff57d5b0898e1dc

SHA1
a14a4c75d29857d61c3d0527d28ad12b80eab992

SHA256
381893df2cfa9df2abf38b31aeb7b3d3a8d5bea1c69be6b1f3e303f43f9390bd

SHA512
f2394c0d42fc34007359c9f1562cd4ae115b79ffab4f384ef40372bc13e8acda7e9893bd0eba8e6857691816582a42870775183db7bb1a9c7aef8228b64b4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0479760.exe

Filesize
350KB

MD5
b87e3dfe46e1eedd6282f970abe0af03

SHA1
dd2e874283e3bd34d1e7dc790cc817609489f41a

SHA256
47ccbd52fff2840c5556ba49c1d565e5b617dbd6a519bb80bc45e9bc6c019b83

SHA512
1fe1031305a0e637f4438f78eda21f7de17aa4c7ff21180330459940c7a03d8115b6e233ef1bbafca3dc88ea4813107dc70e0ec8b310ba3f95b122eead0f3a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0479760.exe

Filesize
350KB

MD5
b87e3dfe46e1eedd6282f970abe0af03

SHA1
dd2e874283e3bd34d1e7dc790cc817609489f41a

SHA256
47ccbd52fff2840c5556ba49c1d565e5b617dbd6a519bb80bc45e9bc6c019b83

SHA512
1fe1031305a0e637f4438f78eda21f7de17aa4c7ff21180330459940c7a03d8115b6e233ef1bbafca3dc88ea4813107dc70e0ec8b310ba3f95b122eead0f3a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1984855.exe

Filesize
174KB

MD5
671ac203e227c3819c78269831d9fee7

SHA1
3461d7673e3cd28b7de727a8b3268261cdf43652

SHA256
2ed2e970eb84a5298b6531d5e110a0034e7788272edf83bfc7e31fa214b1253f

SHA512
390c77028369a9843d2af79d6190eefbf8dbce1dc804beb56718f0e7b9b9c6d777133c186d54efa980c2f2fc04d6209cdacdc51d816a8a4f83941ec9d63fbb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1984855.exe

Filesize
174KB

MD5
671ac203e227c3819c78269831d9fee7

SHA1
3461d7673e3cd28b7de727a8b3268261cdf43652

SHA256
2ed2e970eb84a5298b6531d5e110a0034e7788272edf83bfc7e31fa214b1253f

SHA512
390c77028369a9843d2af79d6190eefbf8dbce1dc804beb56718f0e7b9b9c6d777133c186d54efa980c2f2fc04d6209cdacdc51d816a8a4f83941ec9d63fbb3d

Download Submit
memory/1780-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1780-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2212-39-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/2212-36-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/2212-38-0x0000000000C80000-0x0000000000C86000-memory.dmp

Filesize
24KB

Download
memory/2212-37-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-40-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/2212-41-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2212-42-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/2212-43-0x0000000004FE0000-0x000000000501C000-memory.dmp

Filesize
240KB

Download
memory/2212-44-0x0000000005020000-0x000000000506C000-memory.dmp

Filesize
304KB

Download
memory/2212-45-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-46-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads