mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe
Size

1005KB
MD5

d2a0ec7976e5c9f027555141a8b407a1
SHA1

6b5785c452bc0b47a363ffc44f5cd9261b9c53b7
SHA256

c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d
SHA512

f42fa8cce1a7d77ec7aeee0efb9d45cd654ff19f18dc70ce22a77de3b24fa5a3a8ebcc502692fac421aafaa1e86dcc032cca6fcc1187b2a1d4c21c39dc1b1445
SSDEEP

24576:9yDhDOhrrGmu6n6ncBm2sPYOiPBW3umz9HbZIokron:Ytzy60OwOic3Tb/

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1wK35Xb6.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ek642Qw.exe	family_redline
behavioral16/memory/2452-31-0x0000000000090000-0x00000000000CE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

DO0ay6qy.exesZ6ET9Fv.exeLR6hb9GW.exe1wK35Xb6.exe2ek642Qw.exe

pid process

2672 DO0ay6qy.exe
3124 sZ6ET9Fv.exe
3224 LR6hb9GW.exe
4116 1wK35Xb6.exe
2452 2ek642Qw.exe

pid	process
2672	DO0ay6qy.exe
3124	sZ6ET9Fv.exe
3224	LR6hb9GW.exe
4116	1wK35Xb6.exe
2452	2ek642Qw.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exeDO0ay6qy.exesZ6ET9Fv.exeLR6hb9GW.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DO0ay6qy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sZ6ET9Fv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LR6hb9GW.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exeDO0ay6qy.exesZ6ET9Fv.exeLR6hb9GW.exe

description	pid	process	target process
PID 4408 wrote to memory of 2672	4408	c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe	DO0ay6qy.exe
PID 4408 wrote to memory of 2672	4408	c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe	DO0ay6qy.exe
PID 4408 wrote to memory of 2672	4408	c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe	DO0ay6qy.exe
PID 2672 wrote to memory of 3124	2672	DO0ay6qy.exe	sZ6ET9Fv.exe
PID 2672 wrote to memory of 3124	2672	DO0ay6qy.exe	sZ6ET9Fv.exe
PID 2672 wrote to memory of 3124	2672	DO0ay6qy.exe	sZ6ET9Fv.exe
PID 3124 wrote to memory of 3224	3124	sZ6ET9Fv.exe	LR6hb9GW.exe
PID 3124 wrote to memory of 3224	3124	sZ6ET9Fv.exe	LR6hb9GW.exe
PID 3124 wrote to memory of 3224	3124	sZ6ET9Fv.exe	LR6hb9GW.exe
PID 3224 wrote to memory of 4116	3224	LR6hb9GW.exe	1wK35Xb6.exe
PID 3224 wrote to memory of 4116	3224	LR6hb9GW.exe	1wK35Xb6.exe
PID 3224 wrote to memory of 4116	3224	LR6hb9GW.exe	1wK35Xb6.exe
PID 3224 wrote to memory of 2452	3224	LR6hb9GW.exe	2ek642Qw.exe
PID 3224 wrote to memory of 2452	3224	LR6hb9GW.exe	2ek642Qw.exe
PID 3224 wrote to memory of 2452	3224	LR6hb9GW.exe	2ek642Qw.exe

C:\Users\Admin\AppData\Local\Temp\c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe
"C:\Users\Admin\AppData\Local\Temp\c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DO0ay6qy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DO0ay6qy.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZ6ET9Fv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZ6ET9Fv.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LR6hb9GW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LR6hb9GW.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1wK35Xb6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1wK35Xb6.exe
5⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ek642Qw.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ek642Qw.exe
5⤵
- Executes dropped EXE
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DO0ay6qy.exe

Filesize
816KB

MD5
6b086529f48d5ab41497cb7d3dde4f39

SHA1
857db143f027eab843b6a618979801290b6c188d

SHA256
bae9f66c3294eaadcee19d44f63e0c882ebfe98470c1dc8a239d8bec6a371bb0

SHA512
0c404cc46b65ebf9d63340e68ec07e2d88e3b154a83b2c68138472a41b06e97659b172d1d1ff6a7d0edbf67aae8b4d71ad0b44d3270fd0812ae648833c6984be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sZ6ET9Fv.exe

Filesize
522KB

MD5
0ca8772e3a9632872cec96b699196310

SHA1
4b29743944773efbf83373ad42c12f0145e7ab94

SHA256
2979712d446a93f83db6b925cb88f447140647b66a37509cebe8322dc795f58d

SHA512
4cbb7081d9edaf083296ea49b88f4bffadc93340aa598752bbc45a9a788a9ba3b08d8eac1b6b1d308b72dfdf11e38405a6b73e0a70a37303ed9124d23a88b46e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LR6hb9GW.exe

Filesize
326KB

MD5
6537e8357be06f5e6f1d0db2e519760c

SHA1
4cd8dc3d02c3a30eb2425a3188c65c579c26e6cc

SHA256
27bb684c0f846b643c4d7a1b94f5f4a392353bb222a7a77d671c94173e0259d6

SHA512
556cc06b31150bc0ca919e77d898d003e4a22fbf76e07f8bda1b785f220b91201245d4a1559a2e7c2786455cc8903397459067570525b438a888c685864ce771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1wK35Xb6.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2ek642Qw.exe

Filesize
221KB

MD5
716318cb810c03d6c0b662cae18ef136

SHA1
038a3a20966e4bccf9d80240e93a8f7173d4d8e0

SHA256
e9e5b15d4bae02c16d4f3eda0c0a1ec10d69cc63285a133810d2095b3b3d4782

SHA512
8ebeb1de6ca6e7ad1ca6d0fc2bd7b1e610a8bc4709a5550db5b7011752f6d560c50887dabbb9241f72b32baea70d5a027ab2b352a89d3bc1e4417d88b352bb9d

Download Submit
memory/2452-31-0x0000000000090000-0x00000000000CE000-memory.dmp

Filesize
248KB

Download
memory/2452-32-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/2452-33-0x0000000006FE0000-0x0000000007072000-memory.dmp

Filesize
584KB

Download
memory/2452-34-0x0000000004540000-0x000000000454A000-memory.dmp

Filesize
40KB

Download
memory/2452-35-0x00000000080C0000-0x00000000086D8000-memory.dmp

Filesize
6.1MB

Download
memory/2452-36-0x0000000007280000-0x000000000738A000-memory.dmp

Filesize
1.0MB

Download
memory/2452-37-0x0000000007190000-0x00000000071A2000-memory.dmp

Filesize
72KB

Download
memory/2452-38-0x00000000071F0000-0x000000000722C000-memory.dmp

Filesize
240KB

Download
memory/2452-39-0x0000000007230000-0x000000000727C000-memory.dmp

Filesize
304KB

Download