mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe
Size

1.3MB
MD5

922aa1767805c66a52786db6e78a8bbb
SHA1

a8e0f525410c5ebdcccc86ebd8e060d91b9b9602
SHA256

dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c
SHA512

d64f580142bf8ccdd4000c7f970b58763f1ccfb395bc23bc0510ef4b8676230cf307943318e6304b6b50fd0245e3f5857381e72b32eeaf78faedfbce892e7b5d
SSDEEP

24576:JyT8hyO+o2e6TMXcwLimZ0ryGSx0ryePG321pNYwaQNas8BvfGrBDQeKuQRNhr18:8wITPwLYyhx0r7GGFYw/0TvCPKDNhpw

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TY56oM5.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gv383ir.exe	family_redline
behavioral19/memory/4496-38-0x0000000000AA0000-0x0000000000ADE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

uR9yv2AW.exegR7wi9wu.exeWD9nk3FV.exeEi8kk8Sv.exe1TY56oM5.exe2gv383ir.exe

pid process

1020 uR9yv2AW.exe
3628 gR7wi9wu.exe
2124 WD9nk3FV.exe
3900 Ei8kk8Sv.exe
5116 1TY56oM5.exe
4496 2gv383ir.exe

pid	process
1020	uR9yv2AW.exe
3628	gR7wi9wu.exe
2124	WD9nk3FV.exe
3900	Ei8kk8Sv.exe
5116	1TY56oM5.exe
4496	2gv383ir.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uR9yv2AW.exegR7wi9wu.exeWD9nk3FV.exeEi8kk8Sv.exedce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	uR9yv2AW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gR7wi9wu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WD9nk3FV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ei8kk8Sv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exeuR9yv2AW.exegR7wi9wu.exeWD9nk3FV.exeEi8kk8Sv.exe

description	pid	process	target process
PID 3396 wrote to memory of 1020	3396	dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe	uR9yv2AW.exe
PID 3396 wrote to memory of 1020	3396	dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe	uR9yv2AW.exe
PID 3396 wrote to memory of 1020	3396	dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe	uR9yv2AW.exe
PID 1020 wrote to memory of 3628	1020	uR9yv2AW.exe	gR7wi9wu.exe
PID 1020 wrote to memory of 3628	1020	uR9yv2AW.exe	gR7wi9wu.exe
PID 1020 wrote to memory of 3628	1020	uR9yv2AW.exe	gR7wi9wu.exe
PID 3628 wrote to memory of 2124	3628	gR7wi9wu.exe	WD9nk3FV.exe
PID 3628 wrote to memory of 2124	3628	gR7wi9wu.exe	WD9nk3FV.exe
PID 3628 wrote to memory of 2124	3628	gR7wi9wu.exe	WD9nk3FV.exe
PID 2124 wrote to memory of 3900	2124	WD9nk3FV.exe	Ei8kk8Sv.exe
PID 2124 wrote to memory of 3900	2124	WD9nk3FV.exe	Ei8kk8Sv.exe
PID 2124 wrote to memory of 3900	2124	WD9nk3FV.exe	Ei8kk8Sv.exe
PID 3900 wrote to memory of 5116	3900	Ei8kk8Sv.exe	1TY56oM5.exe
PID 3900 wrote to memory of 5116	3900	Ei8kk8Sv.exe	1TY56oM5.exe
PID 3900 wrote to memory of 5116	3900	Ei8kk8Sv.exe	1TY56oM5.exe
PID 3900 wrote to memory of 4496	3900	Ei8kk8Sv.exe	2gv383ir.exe
PID 3900 wrote to memory of 4496	3900	Ei8kk8Sv.exe	2gv383ir.exe
PID 3900 wrote to memory of 4496	3900	Ei8kk8Sv.exe	2gv383ir.exe

C:\Users\Admin\AppData\Local\Temp\dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe
"C:\Users\Admin\AppData\Local\Temp\dce2842856c08ba56e502c9ada32f6f2021ca954c80f8cb01420313be7d87f6c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR9yv2AW.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR9yv2AW.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gR7wi9wu.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gR7wi9wu.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WD9nk3FV.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WD9nk3FV.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ei8kk8Sv.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ei8kk8Sv.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TY56oM5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TY56oM5.exe
6⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gv383ir.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gv383ir.exe
6⤵
- Executes dropped EXE
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
1⤵
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uR9yv2AW.exe
Filesize
1.2MB

MD5
3039ea0a9e93b50d891a55f1d3c81d21

SHA1
c9e53fd05dff5dff5d35e67721e028fb5b5b6b8a

SHA256
b14a26d3227e3bf099a22d8c7ab8c139375edec5ea5b3e94b783a840e09a2632

SHA512
beaa1de60a016224f42e62f765e9fc72d7348b69761c2b50cdc54a061236f213986b013fa3a2c62bbcf4633662ac2cbf415b2d21db9417d92efe206481020211

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gR7wi9wu.exe
Filesize
1.0MB

MD5
773db61480d653cbd71eacb17aa83880

SHA1
f43b811fc300dbc8f87ba1288d62175536f1ca87

SHA256
fd1e3e7b9bd143084db0a8f12b080608f1bb873b1138a34206a82bcfaec36ce7

SHA512
d92ff712d5b74ae508410644346f427862cfe3251aebd78b08a626af97d94dd846f19d87e94d2a6f8686396049f7f65843fca8b582392f064bfd7f9fa76f3633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WD9nk3FV.exe
Filesize
522KB

MD5
c4e0d7a9d1bce4248ae2c82f60043005

SHA1
3d1fccac08ba736d19ece7940c8ea0ab2f0397da

SHA256
84c72377e7f701adeab1e2ae53a19c3528c855ff6126a6aa2ec9a742446b26ed

SHA512
28ee88e924dfbebc2586292f9d0abe723aa886021a4c965121fc179b9a90d13166beb7bf9b12ade10364ac35f41ecf595c15a8224ed8148df2af887aad93dfb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ei8kk8Sv.exe
Filesize
326KB

MD5
4f68fa80394b0e7b10900086a623cdeb

SHA1
ae5d4dc27adb9ad2cd048660686dbcbc5d98ee58

SHA256
953ecc1d5a11def470a25db794167c7ac7454240e943b2d92189b648db70325d

SHA512
a906843c6c74131a02f6e4c7900b161947a6aa83b4ea95cd079d21cb5ce83f9c98b1656cc985a0904cca0805d6c075f9c8b3109f50efdee283c0adb146b07726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TY56oM5.exe
Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2gv383ir.exe
Filesize
221KB

MD5
41bde57e8df0bf8136c1a4e7a6a4fe2f

SHA1
985872bc4d6847c51c28278c1b1038016c9c92ad

SHA256
2b68924f4f44a5c550f39a0d86b3c7fcc082fa72dcb82f17849e064985f55714

SHA512
59f58959c6f4924df235fcbf43e0fe19bb09116f87ce06c9822d16b87e1b15ec561a3b389880096787ce9b2e8743e30c586ef43a2e3934bf7ae15c71e5945030

Download Submit
memory/4496-38-0x0000000000AA0000-0x0000000000ADE000-memory.dmp

Filesize
248KB

Download
memory/4496-40-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/4496-39-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/4496-41-0x0000000002DD0000-0x0000000002DDA000-memory.dmp

Filesize
40KB

Download
memory/4496-42-0x0000000008AE0000-0x00000000090F8000-memory.dmp

Filesize
6.1MB

Download
memory/4496-44-0x0000000007AA0000-0x0000000007AB2000-memory.dmp

Filesize
72KB

Download
memory/4496-43-0x00000000084C0000-0x00000000085CA000-memory.dmp

Filesize
1.0MB

Download
memory/4496-45-0x0000000007B00000-0x0000000007B3C000-memory.dmp

Filesize
240KB

Download
memory/4496-46-0x0000000007C40000-0x0000000007C8C000-memory.dmp

Filesize
304KB

Download