mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe
Size

1.2MB
MD5

3393509c6d5b05efe89878eb3fb3013c
SHA1

1175b7a8c3a888e248fbf4d411e6e4f0c6542c1b
SHA256

cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524
SHA512

55ae1e3a88cd346e7152acd04d8ffdaaac70ed786e72b2851a8e7850d230f16fb976925a0e32ff886fe3b57b8c9032c1aea92fe2e869e92326b5fd67d7e0f445
SSDEEP

24576:RynSsXBtQ8o6btYGpIUdyvEf8ItfpQ5SmbimdzOG:ESsXBtRo65pI2g+8ItERdS

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral11/memory/796-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral11/memory/796-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral11/memory/796-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sM634yg.exe	family_redline
behavioral11/memory/5608-42-0x0000000000610000-0x000000000064E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

sJ7SM5RH.exeUi4nK7Ob.exety2tg8HH.exewD2cw9qP.exe1hb55Lz0.exe2sM634yg.exe

pid process

6100 sJ7SM5RH.exe
5204 Ui4nK7Ob.exe
5264 ty2tg8HH.exe
5680 wD2cw9qP.exe
5096 1hb55Lz0.exe
5608 2sM634yg.exe

pid	process
6100	sJ7SM5RH.exe
5204	Ui4nK7Ob.exe
5264	ty2tg8HH.exe
5680	wD2cw9qP.exe
5096	1hb55Lz0.exe
5608	2sM634yg.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ty2tg8HH.exewD2cw9qP.execc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exesJ7SM5RH.exeUi4nK7Ob.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ty2tg8HH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	wD2cw9qP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sJ7SM5RH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ui4nK7Ob.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1hb55Lz0.exe

description pid process target process

PID 5096 set thread context of 796 5096 1hb55Lz0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

392 5096 WerFault.exe 1hb55Lz0.exe

description	pid	process	target process
PID 5096 set thread context of 796	5096	1hb55Lz0.exe	AppLaunch.exe

pid	pid_target	process	target process
392	5096	WerFault.exe	1hb55Lz0.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exesJ7SM5RH.exeUi4nK7Ob.exety2tg8HH.exewD2cw9qP.exe1hb55Lz0.exe

description	pid	process	target process
PID 5020 wrote to memory of 6100	5020	cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe	sJ7SM5RH.exe
PID 5020 wrote to memory of 6100	5020	cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe	sJ7SM5RH.exe
PID 5020 wrote to memory of 6100	5020	cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe	sJ7SM5RH.exe
PID 6100 wrote to memory of 5204	6100	sJ7SM5RH.exe	Ui4nK7Ob.exe
PID 6100 wrote to memory of 5204	6100	sJ7SM5RH.exe	Ui4nK7Ob.exe
PID 6100 wrote to memory of 5204	6100	sJ7SM5RH.exe	Ui4nK7Ob.exe
PID 5204 wrote to memory of 5264	5204	Ui4nK7Ob.exe	ty2tg8HH.exe
PID 5204 wrote to memory of 5264	5204	Ui4nK7Ob.exe	ty2tg8HH.exe
PID 5204 wrote to memory of 5264	5204	Ui4nK7Ob.exe	ty2tg8HH.exe
PID 5264 wrote to memory of 5680	5264	ty2tg8HH.exe	wD2cw9qP.exe
PID 5264 wrote to memory of 5680	5264	ty2tg8HH.exe	wD2cw9qP.exe
PID 5264 wrote to memory of 5680	5264	ty2tg8HH.exe	wD2cw9qP.exe
PID 5680 wrote to memory of 5096	5680	wD2cw9qP.exe	1hb55Lz0.exe
PID 5680 wrote to memory of 5096	5680	wD2cw9qP.exe	1hb55Lz0.exe
PID 5680 wrote to memory of 5096	5680	wD2cw9qP.exe	1hb55Lz0.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5096 wrote to memory of 796	5096	1hb55Lz0.exe	AppLaunch.exe
PID 5680 wrote to memory of 5608	5680	wD2cw9qP.exe	2sM634yg.exe
PID 5680 wrote to memory of 5608	5680	wD2cw9qP.exe	2sM634yg.exe
PID 5680 wrote to memory of 5608	5680	wD2cw9qP.exe	2sM634yg.exe

C:\Users\Admin\AppData\Local\Temp\cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe
"C:\Users\Admin\AppData\Local\Temp\cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ7SM5RH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ7SM5RH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ui4nK7Ob.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ui4nK7Ob.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ty2tg8HH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ty2tg8HH.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wD2cw9qP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wD2cw9qP.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hb55Lz0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hb55Lz0.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:796
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 612
        7⤵
        Program crash
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sM634yg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sM634yg.exe
        6⤵
        Executes dropped EXE
        
        PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5096 -ip 5096
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sJ7SM5RH.exe

Filesize
1.0MB

MD5
9e8ca5866a3a7cda0f94c4917f629b78

SHA1
cfe8ebdfbfd524c757b1b9f87dbb18aeed071d60

SHA256
5720ff9a2d103f0c2cec72ae47ae7d2c76fd46c1a6f0df33b16d7b09aeab7582

SHA512
75ce28d886915cba057b969a0a18324e80a58d0aad9e05ba0f8c24f884f9d8b225baf0141a36a6af18a1db8b960f460ce23e800a47d76fec5e9a3e23d3c3e1bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ui4nK7Ob.exe

Filesize
880KB

MD5
d73fad786732b71e29e853d071a52bd3

SHA1
6bd4a5ac829bc61bd41a83b0de5927864b02b064

SHA256
22f6b70399bd6ec3b719808d17c868664645b9c81c1f14c5d204fcf376a5c89c

SHA512
e05f4a9803dbb65e951c0ab22cf61bbef18fa92888823b33178eeb40e9812b5e2982376d328607b58c1e8fb595bd5a861c256da954f8da952337f90f6f4e919f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ty2tg8HH.exe

Filesize
585KB

MD5
144361b2922636a430c72a760cb9502b

SHA1
4b55c8fe91ebcad40b217499ba5fdf9a30bfada9

SHA256
e488a46da6bf18bec5ae7287bb1ede78bfa45ae2f3f7155bdf264ead6c67c306

SHA512
46c7a3a1ae06551f49af3b567900009bfc3a8f8be1dc381ccf10d0c42eabfc48540f0277769df95279b5ecc19388fbd9bd373e9093d3cff53c185b0fe77b5100

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\wD2cw9qP.exe

Filesize
413KB

MD5
bc86066c06d1f602d9863273724a0b79

SHA1
dec435c12a52dc40e21271a56b7b16e2aef2ee45

SHA256
762865c7cad29d0d74c75b253a36f7287cefdb0144f6ae8428451d5c7a58ba28

SHA512
55f83b060414efc99b90198c15bdcc1a56d13891a101a94ffd5617292fd3447d626c7a57d45240f8e28b13bd6fc3edc42e84dd9132629aec1e8c2839ea8bdeb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1hb55Lz0.exe

Filesize
378KB

MD5
a85290ae0ae3661b43b317a862d2da7c

SHA1
494797a656ba62bd9dcead84055458ed942688cb

SHA256
ce5209fceeefe30e58b68cc16fe1273bcd8256a6c19f64012b32209741ad933c

SHA512
b0a52ed3fcd7e373ac7f542c582cbbb4b964c35c16fea2260027d0e84460a9104520ec4882151a2c39e87f6b8c48f2259804b571f1ea95a9d210b31384e3b034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sM634yg.exe

Filesize
221KB

MD5
cce6cda221f0f242bc96b7dd55117dba

SHA1
dd6f95c543f3250554e6c50f7cbf8ebae483f714

SHA256
49d532461f0d6c451cec2f12de677c3316f69fca8c558be4dffec344fa808033

SHA512
aaef2b1ce5ff60af41325324556ab718d3b5d1f569f979167fe60748f19cb7823016c18794d7b2f78e672c04d2bb92e8c36dcc8044c095a3704f55eba02f76c4

Download Submit
memory/796-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/796-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5608-42-0x0000000000610000-0x000000000064E000-memory.dmp

Filesize
248KB

Download
memory/5608-43-0x00000000078D0000-0x0000000007E74000-memory.dmp

Filesize
5.6MB

Download
memory/5608-44-0x00000000073D0000-0x0000000007462000-memory.dmp

Filesize
584KB

Download
memory/5608-45-0x0000000004970000-0x000000000497A000-memory.dmp

Filesize
40KB

Download
memory/5608-46-0x00000000084A0000-0x0000000008AB8000-memory.dmp

Filesize
6.1MB

Download
memory/5608-47-0x00000000076B0000-0x00000000077BA000-memory.dmp

Filesize
1.0MB

Download
memory/5608-48-0x00000000075D0000-0x00000000075E2000-memory.dmp

Filesize
72KB

Download
memory/5608-49-0x0000000007630000-0x000000000766C000-memory.dmp

Filesize
240KB

Download
memory/5608-50-0x00000000077C0000-0x000000000780C000-memory.dmp

Filesize
304KB

Download