mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe
Size

1.2MB
MD5

749cc27ede9844db268292f4bfb11810
SHA1

c5ea969f966654b089c5ea4ff849dca2d9a2d0b3
SHA256

458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e
SHA512

57613793dece26dbfc7466c96ab5dd120d5a57e1d669ffa0d743cab0b14b3f10316bca821ea327fdffef86cbc3224fd0f10900475ae98ef326f863483f600915
SSDEEP

24576:xyFAyEwceNyOtnb6W4rS+we8iviqMSXOwVD6OiaWK5:kQwceN5CrS+1Z6ETVDjirK

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/4664-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/4664-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/4664-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rM076aT.exe	family_redline
behavioral5/memory/5020-42-0x00000000006E0000-0x000000000071E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Uk9KV4Kc.exeae0Iu6pu.exeri5EW7aR.exezu1Yy0DJ.exe1Xm57iz0.exe2rM076aT.exe

pid process

4464 Uk9KV4Kc.exe
1548 ae0Iu6pu.exe
4800 ri5EW7aR.exe
3600 zu1Yy0DJ.exe
4940 1Xm57iz0.exe
5020 2rM076aT.exe

pid	process
4464	Uk9KV4Kc.exe
1548	ae0Iu6pu.exe
4800	ri5EW7aR.exe
3600	zu1Yy0DJ.exe
4940	1Xm57iz0.exe
5020	2rM076aT.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ae0Iu6pu.exeri5EW7aR.exezu1Yy0DJ.exe458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exeUk9KV4Kc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ae0Iu6pu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ri5EW7aR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zu1Yy0DJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uk9KV4Kc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Xm57iz0.exe

description pid process target process

PID 4940 set thread context of 4664 4940 1Xm57iz0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3344 4940 WerFault.exe 1Xm57iz0.exe

description	pid	process	target process
PID 4940 set thread context of 4664	4940	1Xm57iz0.exe	AppLaunch.exe

pid	pid_target	process	target process
3344	4940	WerFault.exe	1Xm57iz0.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exeUk9KV4Kc.exeae0Iu6pu.exeri5EW7aR.exezu1Yy0DJ.exe1Xm57iz0.exe

description	pid	process	target process
PID 4400 wrote to memory of 4464	4400	458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe	Uk9KV4Kc.exe
PID 4400 wrote to memory of 4464	4400	458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe	Uk9KV4Kc.exe
PID 4400 wrote to memory of 4464	4400	458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe	Uk9KV4Kc.exe
PID 4464 wrote to memory of 1548	4464	Uk9KV4Kc.exe	ae0Iu6pu.exe
PID 4464 wrote to memory of 1548	4464	Uk9KV4Kc.exe	ae0Iu6pu.exe
PID 4464 wrote to memory of 1548	4464	Uk9KV4Kc.exe	ae0Iu6pu.exe
PID 1548 wrote to memory of 4800	1548	ae0Iu6pu.exe	ri5EW7aR.exe
PID 1548 wrote to memory of 4800	1548	ae0Iu6pu.exe	ri5EW7aR.exe
PID 1548 wrote to memory of 4800	1548	ae0Iu6pu.exe	ri5EW7aR.exe
PID 4800 wrote to memory of 3600	4800	ri5EW7aR.exe	zu1Yy0DJ.exe
PID 4800 wrote to memory of 3600	4800	ri5EW7aR.exe	zu1Yy0DJ.exe
PID 4800 wrote to memory of 3600	4800	ri5EW7aR.exe	zu1Yy0DJ.exe
PID 3600 wrote to memory of 4940	3600	zu1Yy0DJ.exe	1Xm57iz0.exe
PID 3600 wrote to memory of 4940	3600	zu1Yy0DJ.exe	1Xm57iz0.exe
PID 3600 wrote to memory of 4940	3600	zu1Yy0DJ.exe	1Xm57iz0.exe
PID 4940 wrote to memory of 2116	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 2116	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 2116	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 4940 wrote to memory of 4664	4940	1Xm57iz0.exe	AppLaunch.exe
PID 3600 wrote to memory of 5020	3600	zu1Yy0DJ.exe	2rM076aT.exe
PID 3600 wrote to memory of 5020	3600	zu1Yy0DJ.exe	2rM076aT.exe
PID 3600 wrote to memory of 5020	3600	zu1Yy0DJ.exe	2rM076aT.exe

C:\Users\Admin\AppData\Local\Temp\458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe
"C:\Users\Admin\AppData\Local\Temp\458df588f5966c10e2094b70930a00d3b16a8c7a53455d78817db7b98db8e48e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uk9KV4Kc.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uk9KV4Kc.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ae0Iu6pu.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ae0Iu6pu.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ri5EW7aR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ri5EW7aR.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zu1Yy0DJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zu1Yy0DJ.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xm57iz0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xm57iz0.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 560
7⤵
- Program crash
PID:3344

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rM076aT.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rM076aT.exe
6⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4940 -ip 4940
1⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uk9KV4Kc.exe
Filesize
1.0MB

MD5
c6c7af16614004bd63f0a4a845134ea5

SHA1
aa4f1ee2bd81feb40aac9b34f010e4ce25ac8be3

SHA256
0d1fb003e68dd722dd928d39dc7051ae4beb0854135648eec78b4c66f7af83ad

SHA512
a00954e9a670e8728facce4471933e1ae8806da4eff72095b52c37098da27dd8fe1855d6345c3c8cc79a451c4f8f7251754e0cf1d22663fe317daaa5524531fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ae0Iu6pu.exe
Filesize
879KB

MD5
27d45a6491d50c2590bee99d0a00c230

SHA1
9390283b49608f34f92f735568b428ab3c9b6475

SHA256
8b33d48f0910d5fcadf473bf9bbfb4ba23b1a33be89de8da7754c94fe276b4f2

SHA512
2156f3bd3781bd492aaadb11346cb423c2117b6c6fa6f0e749d830c45aa7da68d0fb95aecad408f9bbd9524268c391ba5d9e8f974546867d311e325c13ccc25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ri5EW7aR.exe
Filesize
584KB

MD5
5be23c6fe708855cb9c322d4d3df08e2

SHA1
5890268c738440943826eb3bc1a9ca0998770b69

SHA256
11179717baa9f634e9b5d6335d94b40f2b2edbc03787858172ffb9c0060f69c1

SHA512
bfb29fd0ec232d3b7df2ebcb1d78e7f723e6429b153567480044524b1002c5135846645d5aba92aab414b9b0d602ac28f456dabc5da2120fd9fe576a3e0ea7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zu1Yy0DJ.exe
Filesize
412KB

MD5
6c0207019b96c618c5130f6b12415561

SHA1
46bcd8da4c43127dcfcc8ad51db96ecc643c2e51

SHA256
7594e1c1e28b3969eac8b2c7115ba5ac269a228066d4c27fbdfc82df5b42a779

SHA512
66a5f0924afdabd32bb0ca8d7619b12f7caf00aa573ef4ed898083841ee9ed88b75677d00b56488d6ce940957c94c1f5e380cc90d96c6a460896ff48ac9e2a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Xm57iz0.exe
Filesize
378KB

MD5
bfe7442caeb18368243826ce84888156

SHA1
dd578912fbc17e704c3b34fb12fe523131b30ba8

SHA256
6c1cd889dc8ccb7a6a610b9748507d3a062f8dd1743a93a5ffde212b75a05992

SHA512
c0b94d2db368beaf7d90f4d09c0b1feb02a4a6579281959232a8a6c106e6a15a0079263ba2f66be2679ee6917aaa1b1850f129f74a67f87591b539ca4250958f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2rM076aT.exe
Filesize
221KB

MD5
de190f7459b84719a45aec907259eb55

SHA1
4006e9320fbe1e71cb1360057b0f151fc1133fa4

SHA256
0daa63306c9e4ae387dbe32a247a2c15b20362e7f96175874cff59b30c7d675b

SHA512
982ab4d5117ea4886bd3feedaba821b42ff99539ec96df933e2c6a1ba9b577f1ebcee52c1341c246bb93ba6623a626c68778a1986c2ade65e229fdbb17f791da

Download Submit
memory/4664-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4664-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4664-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5020-42-0x00000000006E0000-0x000000000071E000-memory.dmp

Filesize
248KB

Download
memory/5020-43-0x00000000079A0000-0x0000000007F44000-memory.dmp

Filesize
5.6MB

Download
memory/5020-44-0x0000000007490000-0x0000000007522000-memory.dmp

Filesize
584KB

Download
memory/5020-45-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/5020-46-0x0000000008570000-0x0000000008B88000-memory.dmp

Filesize
6.1MB

Download
memory/5020-47-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/5020-48-0x0000000007880000-0x0000000007892000-memory.dmp

Filesize
72KB

Download
memory/5020-49-0x00000000078E0000-0x000000000791C000-memory.dmp

Filesize
240KB

Download
memory/5020-50-0x0000000007920000-0x000000000796C000-memory.dmp

Filesize
304KB

Download