mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe
Size

1.3MB
MD5

0c51767548ed6965b9d3ccb2ba84cde1
SHA1

000014edd0e804ddb4bd99aebb086efc76ac5a03
SHA256

d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7
SHA512

6d1695dd7859f54b6126544650421367b741330212068673402d9f971587ac27a9e9c721934decea3e4f7ebf9f8c6d43b123a2e12c6f7727b40f3d1575c76ba0
SSDEEP

24576:uyiIDMKCYrzNfqjQXkOikMzAm4vtksKlet5XJzNtaIIcc52ig45Kx1I+B:9iIDMKFrJfqcXkOTMsmInUeXJ2IVigg9

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral13/files/0x0008000000023452-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0007000000023453-36.dat	family_redline
behavioral13/memory/4532-38-0x0000000000ED0000-0x0000000000F0E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
412	Kk2OF6oI.exe
3304	ev7kM1GH.exe
1896	jw8JJ3mr.exe
2004	Ff7ld6ri.exe
432	1Fs26Bg4.exe
4532	2uZ650ND.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ev7kM1GH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jw8JJ3mr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ff7ld6ri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Kk2OF6oI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 412	1584	d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe	82
PID 1584 wrote to memory of 412	1584	d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe	82
PID 1584 wrote to memory of 412	1584	d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe	82
PID 412 wrote to memory of 3304	412	Kk2OF6oI.exe	83
PID 412 wrote to memory of 3304	412	Kk2OF6oI.exe	83
PID 412 wrote to memory of 3304	412	Kk2OF6oI.exe	83
PID 3304 wrote to memory of 1896	3304	ev7kM1GH.exe	84
PID 3304 wrote to memory of 1896	3304	ev7kM1GH.exe	84
PID 3304 wrote to memory of 1896	3304	ev7kM1GH.exe	84
PID 1896 wrote to memory of 2004	1896	jw8JJ3mr.exe	85
PID 1896 wrote to memory of 2004	1896	jw8JJ3mr.exe	85
PID 1896 wrote to memory of 2004	1896	jw8JJ3mr.exe	85
PID 2004 wrote to memory of 432	2004	Ff7ld6ri.exe	86
PID 2004 wrote to memory of 432	2004	Ff7ld6ri.exe	86
PID 2004 wrote to memory of 432	2004	Ff7ld6ri.exe	86
PID 2004 wrote to memory of 4532	2004	Ff7ld6ri.exe	87
PID 2004 wrote to memory of 4532	2004	Ff7ld6ri.exe	87
PID 2004 wrote to memory of 4532	2004	Ff7ld6ri.exe	87

C:\Users\Admin\AppData\Local\Temp\d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe
"C:\Users\Admin\AppData\Local\Temp\d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk2OF6oI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk2OF6oI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev7kM1GH.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev7kM1GH.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jw8JJ3mr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jw8JJ3mr.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff7ld6ri.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff7ld6ri.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fs26Bg4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fs26Bg4.exe
        6⤵
        Executes dropped EXE
        
        PID:432
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2uZ650ND.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2uZ650ND.exe
        6⤵
        Executes dropped EXE
        
        PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kk2OF6oI.exe

Filesize
1.2MB

MD5
2b75803aa30126bb7c2c97d324ea49af

SHA1
53ddaf2674be3a5d8590767e04de21850c3d9c2e

SHA256
bb2a652e4e62c9e6f7ea498c1e1c399989724eb4f10c63a81ccd56ebf23255cd

SHA512
93c4268f5838a9555a260b5ece5eb3b0d1df3ebef6b6b42d169ed7776b81027b4aac2bad28972bd7c3309cf9c75fe1e20158eeced3a6c76c637c4e0718ad496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ev7kM1GH.exe

Filesize
1.0MB

MD5
a954aec9a9012d80def332169cb57a96

SHA1
f7288e871c126526803f95823e6c14383dfb9053

SHA256
769f1a11b614f4335c824ed2e68552703ccb9e1d9375ca9f4fef7b8c2b5df745

SHA512
8aa138c2031ba3260d8610bfe79c45efdf6806efdd490262c72ad5cbc70c99c69384924d01f82ef7c4cdc11b7833e05fda182647d9d53bfa8b56f052fc43f04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jw8JJ3mr.exe

Filesize
522KB

MD5
e26c489f24740eebf9e8f2830a46580e

SHA1
afd5813c91538fe44e7febed60a0f65dc4b61168

SHA256
2f617c6be79ee926fcd15814cef7e807a4c050a1a627afbb300cd94a2709ec97

SHA512
cec157748d8a697924ecc3ee34043609f6b4fa486d85bc04fa6d3fc583fee7453c7d70dcafd2fd24078995f6b482ad3b194c3185e166cffc7195ce76f968a079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ff7ld6ri.exe

Filesize
326KB

MD5
4b21a3aa9c58ecded687a2e14c069fe2

SHA1
fa2c22b1ed6a1245e0e273b63b22586338512642

SHA256
ab45a9192ab73cd4aba00baf62a88f57d1e5a077bcff596fe4c1a1e35ec15d7f

SHA512
ebecf9f9c397d780ca23bf4091a94cd151ed2f6a3ef1b9204c301c6c13f0e3837b87fb88e27ab81623cc039665a51d4e26a481a08586fe623e2e0249534a6736

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fs26Bg4.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2uZ650ND.exe

Filesize
221KB

MD5
f5d4adbeeb0f17a2a770bef89e92c2b7

SHA1
303fad31b1bcbf428574a77d51d50c88156a230d

SHA256
7f17370951d01481898818536e694193138aebe3f8e40e863509ac0d43d593a5

SHA512
8556df9d008682ac5d812911417b3034b7dc688b56117a4286986faa80c161609beed31c2bc7790c421dc71cae27b64d07a71d58012c89953be087eaee8d60bc

Download Submit
memory/4532-38-0x0000000000ED0000-0x0000000000F0E000-memory.dmp

Filesize
248KB

Download
memory/4532-39-0x00000000082D0000-0x0000000008874000-memory.dmp

Filesize
5.6MB

Download
memory/4532-40-0x0000000007DD0000-0x0000000007E62000-memory.dmp

Filesize
584KB

Download
memory/4532-41-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/4532-42-0x0000000008EA0000-0x00000000094B8000-memory.dmp

Filesize
6.1MB

Download
memory/4532-43-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/4532-44-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/4532-45-0x0000000008070000-0x00000000080AC000-memory.dmp

Filesize
240KB

Download
memory/4532-46-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads