mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe
Size

326KB
MD5

127e2336ebe16deb60ca283437db91f9
SHA1

3a3900abcc0162dfa098900f4efb1f111527ee92
SHA256

fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2
SHA512

f75f8de57a1d5d04174661bf9331afe3bb34a5c245ec3b9bca323bf7076502cb918155a38e7481e31581d85e10a79ff7ffcb30955b33d8884ea4bf42d0d61b4b
SSDEEP

6144:KMy+bnr+Pp0yN90QECsX6VOwPBIAy+hy8vlvZgRkajW1Rqv6KR:8MrLy90ws+OnA4q2i1Y/R

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jG30Zg2.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Nl327Uz.exe	family_redline
behavioral20/memory/1020-11-0x0000000000200000-0x000000000023E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1jG30Zg2.exe2Nl327Uz.exe

pid process

3516 1jG30Zg2.exe
1020 2Nl327Uz.exe

pid	process
3516	1jG30Zg2.exe
1020	2Nl327Uz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe

description	pid	process	target process
PID 3220 wrote to memory of 3516	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	1jG30Zg2.exe
PID 3220 wrote to memory of 3516	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	1jG30Zg2.exe
PID 3220 wrote to memory of 3516	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	1jG30Zg2.exe
PID 3220 wrote to memory of 1020	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	2Nl327Uz.exe
PID 3220 wrote to memory of 1020	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	2Nl327Uz.exe
PID 3220 wrote to memory of 1020	3220	fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe	2Nl327Uz.exe

C:\Users\Admin\AppData\Local\Temp\fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe
"C:\Users\Admin\AppData\Local\Temp\fd708e30f7d26474cbb1cd6b2d77db28ffd7536090b6c02874b0aa4018c1b2e2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jG30Zg2.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jG30Zg2.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Nl327Uz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Nl327Uz.exe
  2⤵
  - Executes dropped EXE
  PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1jG30Zg2.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Nl327Uz.exe

Filesize
221KB

MD5
e99b9b73751982ac410553f9751e012a

SHA1
c9b3529442f8c74c93f54124f1f4bc9d6127e8db

SHA256
b655166219e26efa6ace18b3a9ec2cd52927d837b1d7e95482a14469a76b3091

SHA512
387e7bb0fa3c9db4562614fae05e70c7ddce63e48374c8b17d649525bf91f12ef0a8abbf08cc8af9df4f5428a0b5573c960d5eb2a50c013450f6c5f376f1e31b

Download Submit
memory/1020-10-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/1020-11-0x0000000000200000-0x000000000023E000-memory.dmp

Filesize
248KB

Download
memory/1020-12-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/1020-13-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/1020-14-0x0000000002540000-0x000000000254A000-memory.dmp

Filesize
40KB

Download
memory/1020-15-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-16-0x00000000081D0000-0x00000000087E8000-memory.dmp

Filesize
6.1MB

Download
memory/1020-17-0x0000000007470000-0x000000000757A000-memory.dmp

Filesize
1.0MB

Download
memory/1020-18-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/1020-19-0x0000000007360000-0x000000000739C000-memory.dmp

Filesize
240KB

Download
memory/1020-20-0x00000000073A0000-0x00000000073EC000-memory.dmp

Filesize
304KB

Download
memory/1020-21-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/1020-22-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download