mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe
Size

640KB
MD5

7cfa0d411448e107aeba15ed220bde20
SHA1

a9486fc6de8b4ab9135eeb034f261b4f426f34ee
SHA256

16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108
SHA512

368c2bf8f37608c6f6a8a5e45626f39ba2cf2e44fd0bdd5f8d5f60eafbf3e62aa6500fb8505f7f262c5a1fa0581956f637bd73f3611cc78fe3719aa9e753ee01
SSDEEP

12288:MMr5y90o4ugxm9XP9mg39ZnzdjOgXBYHJ2CKJQGEfUbIjBsLpQvb:Nykm3t1zFreJ2nJQGYPKLS

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2300-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2300-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2300-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt221Ll.exe	family_redline
behavioral1/memory/3040-22-0x00000000005D0000-0x000000000060E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

WH1ax0Oa.exe1TW62ly2.exe2zt221Ll.exe

pid process

1000 WH1ax0Oa.exe
2748 1TW62ly2.exe
3040 2zt221Ll.exe

pid	process
1000	WH1ax0Oa.exe
2748	1TW62ly2.exe
3040	2zt221Ll.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exeWH1ax0Oa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WH1ax0Oa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1TW62ly2.exe

description pid process target process

PID 2748 set thread context of 2300 2748 1TW62ly2.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3552 2300 WerFault.exe AppLaunch.exe
1552 2748 WerFault.exe 1TW62ly2.exe

description	pid	process	target process
PID 2748 set thread context of 2300	2748	1TW62ly2.exe	AppLaunch.exe

pid	pid_target	process	target process
3552	2300	WerFault.exe	AppLaunch.exe
1552	2748	WerFault.exe	1TW62ly2.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exeWH1ax0Oa.exe1TW62ly2.exe

description	pid	process	target process
PID 1220 wrote to memory of 1000	1220	16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe	WH1ax0Oa.exe
PID 1220 wrote to memory of 1000	1220	16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe	WH1ax0Oa.exe
PID 1220 wrote to memory of 1000	1220	16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe	WH1ax0Oa.exe
PID 1000 wrote to memory of 2748	1000	WH1ax0Oa.exe	1TW62ly2.exe
PID 1000 wrote to memory of 2748	1000	WH1ax0Oa.exe	1TW62ly2.exe
PID 1000 wrote to memory of 2748	1000	WH1ax0Oa.exe	1TW62ly2.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 2748 wrote to memory of 2300	2748	1TW62ly2.exe	AppLaunch.exe
PID 1000 wrote to memory of 3040	1000	WH1ax0Oa.exe	2zt221Ll.exe
PID 1000 wrote to memory of 3040	1000	WH1ax0Oa.exe	2zt221Ll.exe
PID 1000 wrote to memory of 3040	1000	WH1ax0Oa.exe	2zt221Ll.exe

C:\Users\Admin\AppData\Local\Temp\16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe
"C:\Users\Admin\AppData\Local\Temp\16b785fdba23a1e8ce123eff83acdb78721163b0ff8cab22979a4b4fb39ec108.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WH1ax0Oa.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WH1ax0Oa.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW62ly2.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW62ly2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 556
5⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 584
4⤵
- Program crash
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt221Ll.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt221Ll.exe
3⤵
- Executes dropped EXE
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2300 -ip 2300
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2748 -ip 2748
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WH1ax0Oa.exe
Filesize
444KB

MD5
4d2c882e3b67664159b8c6be1d8a11dc

SHA1
7d6206c93b04c1bdffd50f7c4380c49527347152

SHA256
105659ebad08f28be1c1bcfdf196e9b7fb09656640825bf91dd6413ab52141e0

SHA512
7b99950216f3412c53dd5aa9160debc2ee3d3ec985f8ece567a12f5343e4bef0196d8924d06c53630235d5c8548ea4deb6eb3dc0ded563cd4b88250a92292f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW62ly2.exe
Filesize
423KB

MD5
5cfb58a43ab0dcd3f7bd1dcd8ca61d71

SHA1
cb92ea73034c35ba4c9b008fd1a0569fcc227ec8

SHA256
a550efc679ce70a7625f7ae8f44a3e0a53b32346e7da0c4ed850a57a0f562ff8

SHA512
fba245a3b8199f9d0dd2bd1d3fe1ad90a0cf24504257eff16434a4149f669df71ffe4c7278fa1b162d7b1c15d22ff6c1aadad039e618e1415308986e6667470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt221Ll.exe
Filesize
221KB

MD5
e0c1f5aae17ca8525c8b2097f83e7259

SHA1
a1e66657dea0f35c40506de00f7ef4da59b9be3f

SHA256
34e6e0394c43fce3a4f65920bdacdd11aea0907e1e539d5bf25f534ca7bf388d

SHA512
8a570e97928e0c1c4426dad80e76194e369f93502d30d62cd59c576cfab0c7ba37194d34d8b37bdbe88cbe85ac6b50ead92d8b73b25229b46307017faccf5eea

Download Submit
memory/2300-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-23-0x00000000078D0000-0x0000000007E74000-memory.dmp

Filesize
5.6MB

Download
memory/3040-22-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/3040-24-0x00000000073C0000-0x0000000007452000-memory.dmp

Filesize
584KB

Download
memory/3040-25-0x00000000027C0000-0x00000000027CA000-memory.dmp

Filesize
40KB

Download
memory/3040-26-0x00000000084A0000-0x0000000008AB8000-memory.dmp

Filesize
6.1MB

Download
memory/3040-27-0x0000000007710000-0x000000000781A000-memory.dmp

Filesize
1.0MB

Download
memory/3040-28-0x0000000007570000-0x0000000007582000-memory.dmp

Filesize
72KB

Download
memory/3040-29-0x0000000007640000-0x000000000767C000-memory.dmp

Filesize
240KB

Download
memory/3040-30-0x0000000007680000-0x00000000076CC000-memory.dmp

Filesize
304KB

Download