mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe
Size

1.2MB
MD5

3dd8f6854fef67699626058ab40d3f31
SHA1

063567df515ff47d7ee1dbc5152aefe9024a6e8e
SHA256

fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e
SHA512

07679ffa6bcea79843d49525a079197b87aa2f9b531a19a72356da9e98516501a21f0aae1c848dc7875e37255c5ec2865ac44a71435e1d3e51b146689d7d60a1
SSDEEP

24576:CyUq8WjMVqJf2oLszWLQ023zwJ16iiGwWeN3AikgMLpl4OxQa:pJjMVEf2FWM023zwncWeN3xA74+

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral20/memory/2612-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/2612-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/2612-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000700000002327d-40.dat	family_redline
behavioral20/memory/4560-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4564	qv0HZ8If.exe
3472	Zh0NE0xa.exe
368	rj5UI4Hy.exe
2880	ln5gB9mu.exe
4780	1AD57Uv8.exe
4560	2LS198EB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qv0HZ8If.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zh0NE0xa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rj5UI4Hy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ln5gB9mu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4780 set thread context of 2612	4780	1AD57Uv8.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4620	4780	WerFault.exe	95

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4564	4188	fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe	91
PID 4188 wrote to memory of 4564	4188	fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe	91
PID 4188 wrote to memory of 4564	4188	fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe	91
PID 4564 wrote to memory of 3472	4564	qv0HZ8If.exe	92
PID 4564 wrote to memory of 3472	4564	qv0HZ8If.exe	92
PID 4564 wrote to memory of 3472	4564	qv0HZ8If.exe	92
PID 3472 wrote to memory of 368	3472	Zh0NE0xa.exe	93
PID 3472 wrote to memory of 368	3472	Zh0NE0xa.exe	93
PID 3472 wrote to memory of 368	3472	Zh0NE0xa.exe	93
PID 368 wrote to memory of 2880	368	rj5UI4Hy.exe	94
PID 368 wrote to memory of 2880	368	rj5UI4Hy.exe	94
PID 368 wrote to memory of 2880	368	rj5UI4Hy.exe	94
PID 2880 wrote to memory of 4780	2880	ln5gB9mu.exe	95
PID 2880 wrote to memory of 4780	2880	ln5gB9mu.exe	95
PID 2880 wrote to memory of 4780	2880	ln5gB9mu.exe	95
PID 4780 wrote to memory of 1944	4780	1AD57Uv8.exe	97
PID 4780 wrote to memory of 1944	4780	1AD57Uv8.exe	97
PID 4780 wrote to memory of 1944	4780	1AD57Uv8.exe	97
PID 4780 wrote to memory of 3192	4780	1AD57Uv8.exe	98
PID 4780 wrote to memory of 3192	4780	1AD57Uv8.exe	98
PID 4780 wrote to memory of 3192	4780	1AD57Uv8.exe	98
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 4780 wrote to memory of 2612	4780	1AD57Uv8.exe	99
PID 2880 wrote to memory of 4560	2880	ln5gB9mu.exe	103
PID 2880 wrote to memory of 4560	2880	ln5gB9mu.exe	103
PID 2880 wrote to memory of 4560	2880	ln5gB9mu.exe	103

C:\Users\Admin\AppData\Local\Temp\fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe
"C:\Users\Admin\AppData\Local\Temp\fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv0HZ8If.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv0HZ8If.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zh0NE0xa.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zh0NE0xa.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj5UI4Hy.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj5UI4Hy.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:368
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ln5gB9mu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ln5gB9mu.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AD57Uv8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AD57Uv8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 592
        7⤵
        Program crash
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LS198EB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LS198EB.exe
        6⤵
        Executes dropped EXE
        
        PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4780 -ip 4780
1⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3700 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qv0HZ8If.exe

Filesize
1.0MB

MD5
421724b3b04cf59d903e680d1a766b9d

SHA1
e67dba336882e8c0913df87c9cb9b810899d097c

SHA256
29da8b84b16fc190b6df1772b7daa1fdc5cd34f2bac277222fbd64ddcfdc0011

SHA512
1662edf937aab2ce230d1362b13d72c99c13ceecba5c93948a3737c2a7b2d0c6c6869a8c52b99a2def58791a0bc1e0b54db64a981d0c781fbb4980c870444f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zh0NE0xa.exe

Filesize
878KB

MD5
eec8eb6e512d020b86cd3ae6b09bce8a

SHA1
2ac3ddcca7f88e978028b46757783b60a7dc8e8f

SHA256
7be7783b69491f75e1dfd11e06bd8338543b1a65d7bc7576c7e171d349b020af

SHA512
cbdb244f6dafc6de5f5e67daa557934839095b704dbcd0ca7d160124bc66edd73a3923d6ea7d23cdd97e90ad259be6ed91c95846618dff3939125ae88ece75b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj5UI4Hy.exe

Filesize
584KB

MD5
5dbe56050d97c6522d37ed730065cc18

SHA1
7a5d90cda04bb324e06e58bd7558a8785f39ea30

SHA256
614d5d3b560bed426a2725ca08410b0d1c055d9b1edde5c7e48f0d9635587ec9

SHA512
9f689afb24e46864ede2c6dd7f970c0130035fcd009e4c3f5944c7a8bb6827c48503de21eba88d39c19f13f1b3a0fa13b163c7b8274900d41048c1f805ce9b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ln5gB9mu.exe

Filesize
412KB

MD5
b8cb540a578f232a290b557f8670ee6f

SHA1
d4163893a566b6d1f8cac693c8bfb8bb69c86fcf

SHA256
3cf95466757cf38ec2626f95a2a296d9dedaa4c0957f74ae1fee51bd20782239

SHA512
ffa67ee216d11131afde10909f10756a08429cd841b52b3f753dace98e360e8d33a7c9ce0d50bcd5f7f1c3a50917bbb9f151ca7bf51553b8d4ccac6c9f314b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AD57Uv8.exe

Filesize
378KB

MD5
41989dfc3f7c36881a197de5c3fbe49e

SHA1
8e5a7a040938b00af293038decd9b680ad53f9b3

SHA256
1bf18819c586f189d900d3cc7a251702a7c80f1b35717c8eedc4fd7243d4313b

SHA512
fcbc8cd96840b8d27decc46d33f668407080cd104da9387100f8a200dcae9b7145f1455cafc1e6b81e599af7dd111c7d63e03c05e25f832fb86837a83126dd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2LS198EB.exe

Filesize
221KB

MD5
9bb44e94db4192011c80db7d4c4a3229

SHA1
dc345692e3723796692456f0fd46934df6533011

SHA256
acd646257837774c57f84737190332cdd8cf56fbf881b896dcefc8a4ee0770dd

SHA512
54d3ed04e280304e9fd783ddf0b538945137c6f0f5dde500cea9428f6e1ee6a963d55eb279a855822fc9fcbff96e77586796b6d61079e2ad4fa9945a0f29e676

Download Submit
memory/2612-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2612-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2612-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4560-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Filesize
248KB

Download
memory/4560-43-0x0000000007CD0000-0x0000000008274000-memory.dmp

Filesize
5.6MB

Download
memory/4560-44-0x0000000007810000-0x00000000078A2000-memory.dmp

Filesize
584KB

Download
memory/4560-45-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/4560-46-0x00000000088A0000-0x0000000008EB8000-memory.dmp

Filesize
6.1MB

Download
memory/4560-47-0x0000000008280000-0x000000000838A000-memory.dmp

Filesize
1.0MB

Download
memory/4560-48-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/4560-49-0x0000000007C50000-0x0000000007C8C000-memory.dmp

Filesize
240KB

Download
memory/4560-50-0x0000000008390000-0x00000000083DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads