mystic | c5d6bd9e558b4a0a61eb954ca7b0a28833221666fbc2bd299ce60f62bd62e29d

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b72642f104bdbb23c275c4e8f2504fc6.exe
Size

942KB
MD5

b72642f104bdbb23c275c4e8f2504fc6
SHA1

19eb6e9469e8bd99fefcf362009d91b49e16b543
SHA256

c5d6bd9e558b4a0a61eb954ca7b0a28833221666fbc2bd299ce60f62bd62e29d
SHA512

7f6bb1104fd17e131b10190ad5b9962a7a975886107338430e45be12eac4a30d594de1eba538d4722b600a8b7b0ce9e56fb472c2e952c951811c97979a063baa
SSDEEP

12288:7Mr5y90C5q5YrS5wJHnwzzkgf3ZXV0lp6thwmam1adqcRDgX+vo/78lkyMVHHuhQ:eywMx5szkw0PFmEJVMVuhEK6w4tR

Score

10^/10

mystic redline luate infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luate

77.91.124.55:19071

Attributes

auth_value
e45cd419aba6c9d372088ffe5629308b

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/532-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/532-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/532-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/532-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3324	x2987309.exe
2388	x5283578.exe
2496	x0220654.exe
2032	g3837789.exe
1800	h2449650.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5283578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0220654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b72642f104bdbb23c275c4e8f2504fc6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2987309.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 532	2032	g3837789.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2168	532	WerFault.exe	90
880	2032	WerFault.exe	86

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3324	5020	b72642f104bdbb23c275c4e8f2504fc6.exe	83
PID 5020 wrote to memory of 3324	5020	b72642f104bdbb23c275c4e8f2504fc6.exe	83
PID 5020 wrote to memory of 3324	5020	b72642f104bdbb23c275c4e8f2504fc6.exe	83
PID 3324 wrote to memory of 2388	3324	x2987309.exe	84
PID 3324 wrote to memory of 2388	3324	x2987309.exe	84
PID 3324 wrote to memory of 2388	3324	x2987309.exe	84
PID 2388 wrote to memory of 2496	2388	x5283578.exe	85
PID 2388 wrote to memory of 2496	2388	x5283578.exe	85
PID 2388 wrote to memory of 2496	2388	x5283578.exe	85
PID 2496 wrote to memory of 2032	2496	x0220654.exe	86
PID 2496 wrote to memory of 2032	2496	x0220654.exe	86
PID 2496 wrote to memory of 2032	2496	x0220654.exe	86
PID 2032 wrote to memory of 4820	2032	g3837789.exe	87
PID 2032 wrote to memory of 4820	2032	g3837789.exe	87
PID 2032 wrote to memory of 4820	2032	g3837789.exe	87
PID 2032 wrote to memory of 4712	2032	g3837789.exe	88
PID 2032 wrote to memory of 4712	2032	g3837789.exe	88
PID 2032 wrote to memory of 4712	2032	g3837789.exe	88
PID 2032 wrote to memory of 4332	2032	g3837789.exe	89
PID 2032 wrote to memory of 4332	2032	g3837789.exe	89
PID 2032 wrote to memory of 4332	2032	g3837789.exe	89
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2032 wrote to memory of 532	2032	g3837789.exe	90
PID 2496 wrote to memory of 1800	2496	x0220654.exe	99
PID 2496 wrote to memory of 1800	2496	x0220654.exe	99
PID 2496 wrote to memory of 1800	2496	x0220654.exe	99

C:\Users\Admin\AppData\Local\Temp\b72642f104bdbb23c275c4e8f2504fc6.exe
"C:\Users\Admin\AppData\Local\Temp\b72642f104bdbb23c275c4e8f2504fc6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2987309.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2987309.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5283578.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5283578.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0220654.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0220654.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3837789.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3837789.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4712
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4332
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 540
        7⤵
        Program crash
        
        PID:2168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 600
        6⤵
        Program crash
        
        PID:880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2449650.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2449650.exe
        5⤵
        Executes dropped EXE
        
        PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2032 -ip 2032
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 532 -ip 532
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2987309.exe

Filesize
840KB

MD5
164355782ac23c32eef196edf5ce121a

SHA1
a59c187df77b1c8f31e2ceb6dc3f07af301057e4

SHA256
e7bcaec3a71e20ff4be13d0dbdd992a5b56e5075308d0fd7db9033f1f869f4b4

SHA512
c43fe30b5b41d871b17e4ee846821db22d0d23068164a776e752d9d399d3b08516ca959333b6eb18972a7548f19ecea856da9ce27ed6a1b6d2db33ba958570a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2987309.exe

Filesize
840KB

MD5
164355782ac23c32eef196edf5ce121a

SHA1
a59c187df77b1c8f31e2ceb6dc3f07af301057e4

SHA256
e7bcaec3a71e20ff4be13d0dbdd992a5b56e5075308d0fd7db9033f1f869f4b4

SHA512
c43fe30b5b41d871b17e4ee846821db22d0d23068164a776e752d9d399d3b08516ca959333b6eb18972a7548f19ecea856da9ce27ed6a1b6d2db33ba958570a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5283578.exe

Filesize
562KB

MD5
e6b78815b15658197cea978d533b44c3

SHA1
93532d5b2f66cc6277947e507d72d1fc6da94382

SHA256
4b55825cc30e9460643e85481bdfa0108195ba019e441d00d1c5bc8905727870

SHA512
e10c327054757a68d8b819696a1ba6418c14290df6b873aa5c6b75f71ec8091f79e214699deb82fe5e9ec4a6c4859b2fff58d02c15d591729f7fa908525c0b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5283578.exe

Filesize
562KB

MD5
e6b78815b15658197cea978d533b44c3

SHA1
93532d5b2f66cc6277947e507d72d1fc6da94382

SHA256
4b55825cc30e9460643e85481bdfa0108195ba019e441d00d1c5bc8905727870

SHA512
e10c327054757a68d8b819696a1ba6418c14290df6b873aa5c6b75f71ec8091f79e214699deb82fe5e9ec4a6c4859b2fff58d02c15d591729f7fa908525c0b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0220654.exe

Filesize
396KB

MD5
4c87cbfe90a611e8ebcfeec5fd49599f

SHA1
815c8243d2b1e96bd9b9d2dea976921a78ef60f1

SHA256
7a0836bf57e2254a6d0da76cb20145caab1b58887188d147cd6c835e61cd7bed

SHA512
03251391c64374e4d783b3f73f2a18c1b7316ee51451fcda939740265f05cbda4463927f7b59a4b1881d6eee163f7a819cd739a40dc625411175f5fa6dd58cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0220654.exe

Filesize
396KB

MD5
4c87cbfe90a611e8ebcfeec5fd49599f

SHA1
815c8243d2b1e96bd9b9d2dea976921a78ef60f1

SHA256
7a0836bf57e2254a6d0da76cb20145caab1b58887188d147cd6c835e61cd7bed

SHA512
03251391c64374e4d783b3f73f2a18c1b7316ee51451fcda939740265f05cbda4463927f7b59a4b1881d6eee163f7a819cd739a40dc625411175f5fa6dd58cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3837789.exe

Filesize
379KB

MD5
e6c7cafddc2d8fc42c46e7309f1930a0

SHA1
732c0edb05a6dbce5b837d4352b39eaad40e1659

SHA256
92a54302e10aaef5532a9751928a7caf4d728712ccf2bc3f0626c44b4c6d13f6

SHA512
b07d508f2cad5f956c88978413d285835ab226f692a81958819345a0cea5a5561f305ad8e40dfbe48137d7f81a2f475221b14459ce18314954e9f831ef11abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3837789.exe

Filesize
379KB

MD5
e6c7cafddc2d8fc42c46e7309f1930a0

SHA1
732c0edb05a6dbce5b837d4352b39eaad40e1659

SHA256
92a54302e10aaef5532a9751928a7caf4d728712ccf2bc3f0626c44b4c6d13f6

SHA512
b07d508f2cad5f956c88978413d285835ab226f692a81958819345a0cea5a5561f305ad8e40dfbe48137d7f81a2f475221b14459ce18314954e9f831ef11abc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2449650.exe

Filesize
174KB

MD5
29d84ae8f2d0cae3e30afadbb56fc1cb

SHA1
e73b2cc210b40f178853cf2cc24701492c78b25a

SHA256
d85ff93dc55fa7caf4ab844d8d705c7ecfb8c6c2e9b3d723c1ad9f1c18ce5658

SHA512
99886564ba383e0cb40cf644dda85c4b1a91aa3079b537639cc04025c994c25c4f90000e1eb497dcd432f86a6a350e5b18bc90b02f7dcde28ae11490c341738e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2449650.exe

Filesize
174KB

MD5
29d84ae8f2d0cae3e30afadbb56fc1cb

SHA1
e73b2cc210b40f178853cf2cc24701492c78b25a

SHA256
d85ff93dc55fa7caf4ab844d8d705c7ecfb8c6c2e9b3d723c1ad9f1c18ce5658

SHA512
99886564ba383e0cb40cf644dda85c4b1a91aa3079b537639cc04025c994c25c4f90000e1eb497dcd432f86a6a350e5b18bc90b02f7dcde28ae11490c341738e

Download Submit
memory/532-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/532-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1800-39-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/1800-37-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-38-0x0000000002740000-0x0000000002746000-memory.dmp

Filesize
24KB

Download
memory/1800-36-0x0000000000420000-0x0000000000450000-memory.dmp

Filesize
192KB

Download
memory/1800-40-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/1800-41-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1800-42-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

Filesize
72KB

Download
memory/1800-43-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/1800-44-0x0000000004F90000-0x0000000004FDC000-memory.dmp

Filesize
304KB

Download
memory/1800-45-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-46-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads