mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe
Size

1.2MB
MD5

dc9b74f110010f383b089951fffa25a6
SHA1

64b60b766c56ceef8caeb825d984a3a1fee901aa
SHA256

c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c
SHA512

6e00b0e9c0451d9aad2715074ebb18a2000b62dca1846cfcbb2d6bb8a372ad97a6f0bb2f51fce43e97f977b7e70876e58133acd2c3fa4f62717c91bbd042ba33
SSDEEP

24576:0yPClHm/RqsNjI8rN9OvEDOLRlb/3K1WRQIGMH2RVTecm+XRbvU:DKlG8sN9nC9NlbfKa1H2zJX9

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/3464-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3464-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/3464-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lg438Wc.exe	family_redline
behavioral16/memory/1232-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Id7Qx6xD.exent8ae2mY.exeKN1QV7kB.exeZm4wm3pa.exe1xx85nk3.exe2Lg438Wc.exe

pid process

1592 Id7Qx6xD.exe
2748 nt8ae2mY.exe
1020 KN1QV7kB.exe
6100 Zm4wm3pa.exe
5388 1xx85nk3.exe
1232 2Lg438Wc.exe

pid	process
1592	Id7Qx6xD.exe
2748	nt8ae2mY.exe
1020	KN1QV7kB.exe
6100	Zm4wm3pa.exe
5388	1xx85nk3.exe
1232	2Lg438Wc.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exeId7Qx6xD.exent8ae2mY.exeKN1QV7kB.exeZm4wm3pa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Id7Qx6xD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nt8ae2mY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KN1QV7kB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Zm4wm3pa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1xx85nk3.exe

description pid process target process

PID 5388 set thread context of 3464 5388 1xx85nk3.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2144 5388 WerFault.exe 1xx85nk3.exe

description	pid	process	target process
PID 5388 set thread context of 3464	5388	1xx85nk3.exe	AppLaunch.exe

pid	pid_target	process	target process
2144	5388	WerFault.exe	1xx85nk3.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exeId7Qx6xD.exent8ae2mY.exeKN1QV7kB.exeZm4wm3pa.exe1xx85nk3.exe

description	pid	process	target process
PID 5728 wrote to memory of 1592	5728	c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe	Id7Qx6xD.exe
PID 5728 wrote to memory of 1592	5728	c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe	Id7Qx6xD.exe
PID 5728 wrote to memory of 1592	5728	c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe	Id7Qx6xD.exe
PID 1592 wrote to memory of 2748	1592	Id7Qx6xD.exe	nt8ae2mY.exe
PID 1592 wrote to memory of 2748	1592	Id7Qx6xD.exe	nt8ae2mY.exe
PID 1592 wrote to memory of 2748	1592	Id7Qx6xD.exe	nt8ae2mY.exe
PID 2748 wrote to memory of 1020	2748	nt8ae2mY.exe	KN1QV7kB.exe
PID 2748 wrote to memory of 1020	2748	nt8ae2mY.exe	KN1QV7kB.exe
PID 2748 wrote to memory of 1020	2748	nt8ae2mY.exe	KN1QV7kB.exe
PID 1020 wrote to memory of 6100	1020	KN1QV7kB.exe	Zm4wm3pa.exe
PID 1020 wrote to memory of 6100	1020	KN1QV7kB.exe	Zm4wm3pa.exe
PID 1020 wrote to memory of 6100	1020	KN1QV7kB.exe	Zm4wm3pa.exe
PID 6100 wrote to memory of 5388	6100	Zm4wm3pa.exe	1xx85nk3.exe
PID 6100 wrote to memory of 5388	6100	Zm4wm3pa.exe	1xx85nk3.exe
PID 6100 wrote to memory of 5388	6100	Zm4wm3pa.exe	1xx85nk3.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 5388 wrote to memory of 3464	5388	1xx85nk3.exe	AppLaunch.exe
PID 6100 wrote to memory of 1232	6100	Zm4wm3pa.exe	2Lg438Wc.exe
PID 6100 wrote to memory of 1232	6100	Zm4wm3pa.exe	2Lg438Wc.exe
PID 6100 wrote to memory of 1232	6100	Zm4wm3pa.exe	2Lg438Wc.exe

C:\Users\Admin\AppData\Local\Temp\c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe
"C:\Users\Admin\AppData\Local\Temp\c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5728

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id7Qx6xD.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id7Qx6xD.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt8ae2mY.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt8ae2mY.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN1QV7kB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN1QV7kB.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zm4wm3pa.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zm4wm3pa.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:6100

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xx85nk3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xx85nk3.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 592
7⤵
- Program crash
PID:2144

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lg438Wc.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lg438Wc.exe
6⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5388 -ip 5388
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Id7Qx6xD.exe

Filesize
1.0MB

MD5
2915043c840f44d3d194fe1d187bd830

SHA1
68952a46a2911fe8e4ef0e4a71defe63a26f4a60

SHA256
27d8069284dbed6f8674f85ef84f65270311b3955464664d790589e6001ec917

SHA512
3ff90aac7a77ac9c381160c250d294f7ecc86979e3a6dc27d393263ac1140236549010f970d1d6c274d8667e17c994e4692e98b6327a1390a6ff73ffd7a3dd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nt8ae2mY.exe

Filesize
878KB

MD5
705469b3d149cffb1d963ab2d279e715

SHA1
dbff86ea579a30049f9a2d8cc0548ffb70787abc

SHA256
85c4e1d89fa3f1ea0b1d51c0f6a54650688cbb25b225dcd053589b36a9699136

SHA512
ae68b59d965e063ee461ba2209cf7110df5f5160adbe6ae2c0bb11b95fffffb7f2d24f316a85839b5026906d99ff8c286aa9d0425508cef8578440f478c3409d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KN1QV7kB.exe

Filesize
584KB

MD5
0add6a19f1ff447f8a22f4d91c8cc638

SHA1
094efea1eef56f8d9d4e72cc379b670a10f3932d

SHA256
e063bce632dc135876a27490a271936c15a052934d726ec7576c9c2101cc7fde

SHA512
17410c72838d51433e1a0d5ea52d89d810fb343e25be300b1fba0aceb15f5951009e5f1fd610c12027f20758675e52111cd4556a731ee410bf616582461d67f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Zm4wm3pa.exe

Filesize
412KB

MD5
08b49c63669ef42d3595cf6a6892b2c4

SHA1
0a0ade1b847f6d8b18714338cc9635873dafbd6e

SHA256
0390274e46d678d2e17fc7ad1584f8e80c29d2266a06cb69a33d8d10a820701e

SHA512
c323951b4401001765ee0287d8b014bd9eb8f3e2d45783649d41d5b230ece6c6c5e6a411938a3bf484d1c155df008dc61adbb23edb952b7bb8fa2da33b8ac262

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xx85nk3.exe

Filesize
378KB

MD5
86b7b551e32d4d5ace605126db5363a5

SHA1
800cbccf5a9784d576f0b118a2d2f5014a21b03b

SHA256
1abd730d0a582af55ebfe4ba177eb3ca1252c06638e66e45a51320d8b58d8a72

SHA512
77ec61c1de3aa9be2b49662256f6bfb479eedea848b0a29a4f1ad7f1495cb5ddbd4dab4c0d4822fcf1a56d1af95625eefc7782e86ad3b96e3872c7a2a85a9e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lg438Wc.exe

Filesize
221KB

MD5
97b8ee19628a60c8656c653840c584eb

SHA1
71179bf72658adc1df55928b763c533baf0d27ca

SHA256
a8f4959931614764afaf30191036a8ebe37b60e383bda2f481aa2c0f119be119

SHA512
99dab928335004c29c3cd323aafa6986bbec5a6e3fbe634806f7179c6ac80837e8b246e1f3eaa62a3328a98ddf839e04661e740cb907024d009318bdbc972c53

Download Submit
memory/1232-42-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

Filesize
248KB

Download
memory/1232-43-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/1232-44-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/1232-45-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/1232-46-0x00000000089E0000-0x0000000008FF8000-memory.dmp

Filesize
6.1MB

Download
memory/1232-47-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/1232-48-0x0000000007A90000-0x0000000007AA2000-memory.dmp

Filesize
72KB

Download
memory/1232-49-0x0000000007B20000-0x0000000007B5C000-memory.dmp

Filesize
240KB

Download
memory/1232-50-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/3464-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3464-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download