mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe
Size

1.3MB
MD5

c49e3017e606c005354d432f3f881d03
SHA1

0389dd7d07aec776f09223ae287d5d033198fb9a
SHA256

1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01
SHA512

bdddec1ea1bec3e6b005d654ed550a22eada8a0dc8e78525e670dde8724dfe5732c96a94cdbc7be48e49bd2f4311c456cf565b4a1776d541ff485dcb3a0e45af
SSDEEP

24576:1y9U9byiriRkjDd3xZWxghIP9tph2ar9EFKFQJTDPglgJk:QMLriRkjD/glVFj9EFKFQJi0

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exe	family_redline
behavioral3/memory/3624-38-0x00000000008B0000-0x00000000008EE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

oZ8sP2ZW.exeCT5Fu1Qk.exezu9Us3rr.exeLb4uO0ax.exe1Zz06fw3.exe2qO921Ls.exe

pid process

2404 oZ8sP2ZW.exe
4348 CT5Fu1Qk.exe
3948 zu9Us3rr.exe
1012 Lb4uO0ax.exe
2156 1Zz06fw3.exe
3624 2qO921Ls.exe

pid	process
2404	oZ8sP2ZW.exe
4348	CT5Fu1Qk.exe
3948	zu9Us3rr.exe
1012	Lb4uO0ax.exe
2156	1Zz06fw3.exe
3624	2qO921Ls.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oZ8sP2ZW.exeCT5Fu1Qk.exezu9Us3rr.exeLb4uO0ax.exe1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	oZ8sP2ZW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CT5Fu1Qk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zu9Us3rr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Lb4uO0ax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exeoZ8sP2ZW.exeCT5Fu1Qk.exezu9Us3rr.exeLb4uO0ax.exe

description	pid	process	target process
PID 3484 wrote to memory of 2404	3484	1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe	oZ8sP2ZW.exe
PID 3484 wrote to memory of 2404	3484	1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe	oZ8sP2ZW.exe
PID 3484 wrote to memory of 2404	3484	1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe	oZ8sP2ZW.exe
PID 2404 wrote to memory of 4348	2404	oZ8sP2ZW.exe	CT5Fu1Qk.exe
PID 2404 wrote to memory of 4348	2404	oZ8sP2ZW.exe	CT5Fu1Qk.exe
PID 2404 wrote to memory of 4348	2404	oZ8sP2ZW.exe	CT5Fu1Qk.exe
PID 4348 wrote to memory of 3948	4348	CT5Fu1Qk.exe	zu9Us3rr.exe
PID 4348 wrote to memory of 3948	4348	CT5Fu1Qk.exe	zu9Us3rr.exe
PID 4348 wrote to memory of 3948	4348	CT5Fu1Qk.exe	zu9Us3rr.exe
PID 3948 wrote to memory of 1012	3948	zu9Us3rr.exe	Lb4uO0ax.exe
PID 3948 wrote to memory of 1012	3948	zu9Us3rr.exe	Lb4uO0ax.exe
PID 3948 wrote to memory of 1012	3948	zu9Us3rr.exe	Lb4uO0ax.exe
PID 1012 wrote to memory of 2156	1012	Lb4uO0ax.exe	1Zz06fw3.exe
PID 1012 wrote to memory of 2156	1012	Lb4uO0ax.exe	1Zz06fw3.exe
PID 1012 wrote to memory of 2156	1012	Lb4uO0ax.exe	1Zz06fw3.exe
PID 1012 wrote to memory of 3624	1012	Lb4uO0ax.exe	2qO921Ls.exe
PID 1012 wrote to memory of 3624	1012	Lb4uO0ax.exe	2qO921Ls.exe
PID 1012 wrote to memory of 3624	1012	Lb4uO0ax.exe	2qO921Ls.exe

C:\Users\Admin\AppData\Local\Temp\1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe
"C:\Users\Admin\AppData\Local\Temp\1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oZ8sP2ZW.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oZ8sP2ZW.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CT5Fu1Qk.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CT5Fu1Qk.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zu9Us3rr.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zu9Us3rr.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lb4uO0ax.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lb4uO0ax.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exe
6⤵
- Executes dropped EXE
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exe
6⤵
- Executes dropped EXE
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oZ8sP2ZW.exe

Filesize
1.2MB

MD5
6c15f866c71e1a25e71b0db145d5c3a9

SHA1
4593180ed2cc136c9410ec49ca4b854e8d41a7e7

SHA256
fe0764d80f110c2bc34d06ffd74f0007a8e6c0a8b1c50c5d2662724d6a532d21

SHA512
7e5719aa112486b41f151ab47db99bc099b20796d8fd491d91eeb9a35639be79b3516d2f06b75722193884dd3e82cb6ea40a064347339af7e403e05990272abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CT5Fu1Qk.exe

Filesize
1.0MB

MD5
7e75fe60fe433663e60a7a0ed28091ee

SHA1
75a94eaf40aa639ba30709919dd998fcc5655d59

SHA256
1d042fdd528be849963f2933cb92cde0b72fbd0977293aaa3aaa62983bc6c514

SHA512
fa25bfce07608b42ec45d6d421048bd42f655ec0e8c8578edf361316bc59f1c22131c3a181d499e02594d5ac52c46241b7c6afd7b43809e3b9529743204bd14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zu9Us3rr.exe

Filesize
522KB

MD5
1d5dd556f0cf50ecd2740d05794fcb89

SHA1
c457687cca2e72815ce77c0ee233fc5f7999a321

SHA256
edec722eef6449c82062159f04d673f13cf1b56729e1f7baa78476b4b034c4f6

SHA512
4161e8c055bf4f7ed09448c53a3a7979d12ddd268f8e3d5b0d28a3fccd716a24a3ecfe774664a9cdc758b2b5e48f2ae43570b7f42db6a965994d1fa15ebae397

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lb4uO0ax.exe

Filesize
326KB

MD5
37710e85f51e7568e64e7bbf003000a6

SHA1
5b8794a8273d33c128094980501b3aed7d4abc2c

SHA256
6049d9a0fe850a9afdd1921259f567936ceb90dc4c38d30237197474acdfc96c

SHA512
6961370d6f36c57a513e95ab22f17873fabc5606261333befcb0f1f24e39417e3ec64130d7bada1c67c74fe0bcd7b8b38cb6419376f2430262f3d5e98c32372c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Zz06fw3.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2qO921Ls.exe

Filesize
221KB

MD5
e5ce076cd23ed22376d3a258336a2d9f

SHA1
156e7e3db6195e9891963a2c261f691e6ece83d3

SHA256
1c0e49dc21a9cf848feb328c3da48d81f0ac969b3985f7fc40c1eb1582c19290

SHA512
47262d0bf6a8b06b32a6e09c71dd379700de02efa4f96bda2fe96f731956ed910eb565fbf8bfa67bcc4f4175040fb34f7ad154222b24bf0bfbaff9f98e351438

Download Submit
memory/3624-38-0x00000000008B0000-0x00000000008EE000-memory.dmp

Filesize
248KB

Download
memory/3624-39-0x0000000007D00000-0x00000000082A4000-memory.dmp

Filesize
5.6MB

Download
memory/3624-40-0x00000000077F0000-0x0000000007882000-memory.dmp

Filesize
584KB

Download
memory/3624-41-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/3624-42-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3624-44-0x00000000079A0000-0x00000000079B2000-memory.dmp

Filesize
72KB

Download
memory/3624-43-0x0000000007B50000-0x0000000007C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-45-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/3624-46-0x0000000007AC0000-0x0000000007B0C000-memory.dmp

Filesize
304KB

Download