mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe
Size

747KB
MD5

34d77e8b622d28f48bd184ef3c91df85
SHA1

d60559183722c9fe5dfed24eb8203bf54bfdb405
SHA256

12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7
SHA512

19ea6bdb290b283d8c3d23cd5ebea3295c8182fcbf4d4da3f086a91fb1ed98955d1e2ee9ae90ccfa0aad3b0871aced16f1a3130a6b37a7576d41f44133bb8ffc
SSDEEP

12288:bMrMy90zXi2rhvtabiPHBZjT9CFcJGNUJh7gvztpRxxMg4kASa:7yELfBR9CgYuMtpFMg4LZ

Score

10^/10

mystic redline frant evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

frant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-53-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/1180-54-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral2/memory/1180-56-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

1Lm73aI8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	1Lm73aI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1Lm73aI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1Lm73aI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1Lm73aI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1Lm73aI8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1Lm73aI8.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4464-60-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Pi5ZN69.exe1Lm73aI8.exe2aP21au.exe3zi0508.exe

pid process

2988 Pi5ZN69.exe
4760 1Lm73aI8.exe
4544 2aP21au.exe
4708 3zi0508.exe

pid	process
2988	Pi5ZN69.exe
4760	1Lm73aI8.exe
4544	2aP21au.exe
4708	3zi0508.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

1Lm73aI8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	1Lm73aI8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	1Lm73aI8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Pi5ZN69.exe12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pi5ZN69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2aP21au.exe3zi0508.exe

description	pid	process	target process
PID 4544 set thread context of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4708 set thread context of 4464	4708	3zi0508.exe	AppLaunch.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2452 4544 WerFault.exe 2aP21au.exe
1976 4708 WerFault.exe 3zi0508.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1Lm73aI8.exe

pid process

4760 1Lm73aI8.exe
4760 1Lm73aI8.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1Lm73aI8.exe

description pid process

Token: SeDebugPrivilege 4760 1Lm73aI8.exe

pid	pid_target	process	target process
2452	4544	WerFault.exe	2aP21au.exe
1976	4708	WerFault.exe	3zi0508.exe

pid	process
4760	1Lm73aI8.exe
4760	1Lm73aI8.exe

description	pid	process
Token: SeDebugPrivilege	4760	1Lm73aI8.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exePi5ZN69.exe2aP21au.exe3zi0508.exe

description	pid	process	target process
PID 2600 wrote to memory of 2988	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	Pi5ZN69.exe
PID 2600 wrote to memory of 2988	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	Pi5ZN69.exe
PID 2600 wrote to memory of 2988	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	Pi5ZN69.exe
PID 2988 wrote to memory of 4760	2988	Pi5ZN69.exe	1Lm73aI8.exe
PID 2988 wrote to memory of 4760	2988	Pi5ZN69.exe	1Lm73aI8.exe
PID 2988 wrote to memory of 4760	2988	Pi5ZN69.exe	1Lm73aI8.exe
PID 2988 wrote to memory of 4544	2988	Pi5ZN69.exe	2aP21au.exe
PID 2988 wrote to memory of 4544	2988	Pi5ZN69.exe	2aP21au.exe
PID 2988 wrote to memory of 4544	2988	Pi5ZN69.exe	2aP21au.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 4544 wrote to memory of 1180	4544	2aP21au.exe	AppLaunch.exe
PID 2600 wrote to memory of 4708	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	3zi0508.exe
PID 2600 wrote to memory of 4708	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	3zi0508.exe
PID 2600 wrote to memory of 4708	2600	12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe	3zi0508.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe
PID 4708 wrote to memory of 4464	4708	3zi0508.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe
"C:\Users\Admin\AppData\Local\Temp\12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pi5ZN69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pi5ZN69.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lm73aI8.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lm73aI8.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aP21au.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aP21au.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 152
4⤵
- Program crash
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3zi0508.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3zi0508.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 156
3⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4544 -ip 4544
1⤵
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 4708
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3zi0508.exe

Filesize
459KB

MD5
a8041be69bfff4789e52bdda0e13e3e3

SHA1
a1d1d75969b56ecfdb13ccdf35c4e5e4e5969836

SHA256
49a1a7a7665d39297972bb1188175b2cea1e1a7802d0c7050db47acbe488b5b2

SHA512
8f25dfe43675272b71976d03f21cf6fb5a58ff88f59edc6336b95bfd368e1f612e978882db81975942aac5f01947e467e4f53c242b0c2f381062a713b6033fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pi5ZN69.exe

Filesize
452KB

MD5
c1974e114247601e40aaa9e5146ec1ac

SHA1
acb75352a7e4eb093adcecf551ad6f594a3c9124

SHA256
4cfb319b5e29fb1823ca64c75a303652b799ed5aadf3e606a08d508a7c306d38

SHA512
00831340f50805e6fc48ec3cd96fd56b864f88954ed3725a680b9ff92929ee5d299b5ab3371ce8c493f6b06acf920c94319fba4244aa26b0c4a60f5430485209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lm73aI8.exe

Filesize
192KB

MD5
8904f85abd522c7d0cb5789d9583ccff

SHA1
5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

SHA256
7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

SHA512
04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aP21au.exe

Filesize
378KB

MD5
32b9897e8aeda75a8b718044ef406a5b

SHA1
9c7c2edfd89c52099858419482128e4528f3be1a

SHA256
c6a4e06cc2890a2fd4697bf9a95ebb187bf2f041afff1a5e57a3af84785c5e8a

SHA512
b3dc2e6fa817cd7def9911e825d45f55e9e69f7b5f1c26e43c96750331ccf2735e731f5bd57898ba083d45ea67a43f0c88e3d215b1ca5d279eb2db62b2662d02

Download Submit
memory/1180-53-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1180-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1180-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4464-66-0x0000000007810000-0x000000000784C000-memory.dmp

Filesize
240KB

Download
memory/4464-61-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/4464-62-0x00000000049C0000-0x00000000049CA000-memory.dmp

Filesize
40KB

Download
memory/4464-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-63-0x0000000008630000-0x0000000008C48000-memory.dmp

Filesize
6.1MB

Download
memory/4464-64-0x0000000007920000-0x0000000007A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4464-65-0x0000000007650000-0x0000000007662000-memory.dmp

Filesize
72KB

Download
memory/4464-67-0x0000000007670000-0x00000000076BC000-memory.dmp

Filesize
304KB

Download
memory/4760-44-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-32-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-24-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-47-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-19-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-36-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-22-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-20-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-49-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-28-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-30-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-26-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-34-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-39-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-42-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-46-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-40-0x0000000004990000-0x00000000049A6000-memory.dmp

Filesize
88KB

Download
memory/4760-18-0x0000000004990000-0x00000000049AC000-memory.dmp

Filesize
112KB

Download
memory/4760-17-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4760-16-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4760-15-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/4760-14-0x000000007421E000-0x000000007421F000-memory.dmp

Filesize
4KB

Download