mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Size

879KB
MD5

7a5928cb075392ea164a53fdd5b3afd0
SHA1

2f29f7ea3d22abe93dcbe754afd698abff05bede
SHA256

a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92
SHA512

fef6e2d27d5bee66733ca4aad9115e3117f85d6d7e2f9c82cd9b41e1e0a63d8be04155931c06dcb556e6612ab675e135fc580c09d21e0f08820ff0173878dd26
SSDEEP

12288:DMroy90mBIeotMtXS+V3ROZtmWy0jZlcQyuTSWN/4zhr+Dn2h8iDFobRhjin:zylDiI3RLWN/6Jin25DGbRdin

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral18/memory/5040-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral18/memory/5040-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral18/memory/5040-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe	family_redline
behavioral18/memory/952-28-0x0000000000940000-0x000000000097E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

nM5BX0Vg.exexC6GG2NC.exe1pn58wd0.exe2sx258dC.exe

pid process

2316 nM5BX0Vg.exe
1368 xC6GG2NC.exe
4564 1pn58wd0.exe
952 2sx258dC.exe

pid	process
2316	nM5BX0Vg.exe
1368	xC6GG2NC.exe
4564	1pn58wd0.exe
952	2sx258dC.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exenM5BX0Vg.exexC6GG2NC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nM5BX0Vg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xC6GG2NC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1pn58wd0.exe

description pid process target process

PID 4564 set thread context of 5040 4564 1pn58wd0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4780 4564 WerFault.exe 1pn58wd0.exe

description	pid	process	target process
PID 4564 set thread context of 5040	4564	1pn58wd0.exe	AppLaunch.exe

pid	pid_target	process	target process
4780	4564	WerFault.exe	1pn58wd0.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exenM5BX0Vg.exexC6GG2NC.exe1pn58wd0.exe

description	pid	process	target process
PID 4620 wrote to memory of 2316	4620	a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe	nM5BX0Vg.exe
PID 4620 wrote to memory of 2316	4620	a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe	nM5BX0Vg.exe
PID 4620 wrote to memory of 2316	4620	a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe	nM5BX0Vg.exe
PID 2316 wrote to memory of 1368	2316	nM5BX0Vg.exe	xC6GG2NC.exe
PID 2316 wrote to memory of 1368	2316	nM5BX0Vg.exe	xC6GG2NC.exe
PID 2316 wrote to memory of 1368	2316	nM5BX0Vg.exe	xC6GG2NC.exe
PID 1368 wrote to memory of 4564	1368	xC6GG2NC.exe	1pn58wd0.exe
PID 1368 wrote to memory of 4564	1368	xC6GG2NC.exe	1pn58wd0.exe
PID 1368 wrote to memory of 4564	1368	xC6GG2NC.exe	1pn58wd0.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 4564 wrote to memory of 5040	4564	1pn58wd0.exe	AppLaunch.exe
PID 1368 wrote to memory of 952	1368	xC6GG2NC.exe	2sx258dC.exe
PID 1368 wrote to memory of 952	1368	xC6GG2NC.exe	2sx258dC.exe
PID 1368 wrote to memory of 952	1368	xC6GG2NC.exe	2sx258dC.exe

C:\Users\Admin\AppData\Local\Temp\a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
"C:\Users\Admin\AppData\Local\Temp\a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM5BX0Vg.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM5BX0Vg.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xC6GG2NC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xC6GG2NC.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pn58wd0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pn58wd0.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 592
5⤵
- Program crash
PID:4780

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe
4⤵
- Executes dropped EXE
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4564 -ip 4564
1⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM5BX0Vg.exe

Filesize
585KB

MD5
5d84d9a040ed7079a5f434a6ce732b3a

SHA1
cb19095e05db97c07ba869b998619f2aabc2332d

SHA256
03b76d8af28aac08a86fdc89e0b8482cab7a4ecd37706b3c56f86000e14edb3d

SHA512
05e64a1327d4e269b214aff7f0f1132486ec5a49bbb885d124094fb66b0a9a35d889b22dd3a3e49ee40bc022ea86c39a8e5b57191cb04b0a30439f112d0e2a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xC6GG2NC.exe

Filesize
412KB

MD5
1b00caa89398f68407087c99a0d32d96

SHA1
c1dc0ac4a5832700a212d3fd2fb370382e982614

SHA256
7767d060b1bb37706be1320ee7f7e2398bfb9193575d4a808c65fed5c91cc24b

SHA512
b9688fa1022eb95e3aa3c81b0748d24e890b1ed424474670afb014f89d921102e96941d2b90343c621316abfba395bef5a45651bd924692df833401040c069d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pn58wd0.exe

Filesize
378KB

MD5
bd073e92f856923e750c1d02212f56f3

SHA1
744aa3395344c898e9fd30aeec2f2a75a3cb74b6

SHA256
687820b69c61268f3a3546bfc37dd897d2ea377f936a939f4c26841d988bbf4a

SHA512
01a8ffdcc82fc76ed557beced540990da15671196a67abd49d12ddfed23af9a2227e3f7ae8d606b30a3b97f3d9e3ea46ee703fbaf154f676b428f909a3de9bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe

Filesize
221KB

MD5
2a9b435a6ed3bdcc18c637b434031073

SHA1
c07d300a9c4688ea672ace565ac7de4fee9479a7

SHA256
592e3fba0f4b0c4ab97e41afd0340187b6ab373b4bdf567cdb4d43da84cd50d2

SHA512
f0a3e64d6759a4ae6bd404ccf93d5d41094e1333ffc650b0804e9a98b8e341c238f670569ecd920eea708b23fe830c18f62179c9cc8d4e10ba3a4b953076897b

Download Submit
memory/952-33-0x0000000007B20000-0x0000000007C2A000-memory.dmp

Filesize
1.0MB

Download
memory/952-28-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/952-29-0x0000000007CB0000-0x0000000008254000-memory.dmp

Filesize
5.6MB

Download
memory/952-30-0x0000000007800000-0x0000000007892000-memory.dmp

Filesize
584KB

Download
memory/952-31-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/952-32-0x0000000008880000-0x0000000008E98000-memory.dmp

Filesize
6.1MB

Download
memory/952-34-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/952-35-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/952-36-0x0000000007C30000-0x0000000007C7C000-memory.dmp

Filesize
304KB

Download
memory/5040-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5040-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5040-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download