mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe
Size

929KB
MD5

0c034ec9bd1d1265492a265494e3c888
SHA1

8beb9a78b3b865194fdab4e2d9b4d6db8614f666
SHA256

ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c
SHA512

289a673f598b3f80b80c703513f9fa70169e4660aeb30cd962f5a7573c438b642549313114aba381e3e8fe5ad3a58dac3dcc1446e78d4fe2ae55216c7b8434a9
SSDEEP

24576:SymM9fMKeuKjgYQ2bkgXKtf/Gu/H17D1S7:5t9UKeHcYQ2bk0KEQH17D1S

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2408-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/2408-30-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral14/memory/2408-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7071108.exe	family_redline
behavioral14/memory/2640-35-0x0000000000180000-0x00000000001B0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x3338334.exex7229528.exex5451534.exeg6077926.exeh7071108.exe

pid process

2996 x3338334.exe
4704 x7229528.exe
1060 x5451534.exe
3644 g6077926.exe
2640 h7071108.exe

pid	process
2996	x3338334.exe
4704	x7229528.exe
1060	x5451534.exe
3644	g6077926.exe
2640	h7071108.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exex3338334.exex7229528.exex5451534.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3338334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7229528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5451534.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6077926.exe

description pid process target process

PID 3644 set thread context of 2408 3644 g6077926.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3160 3644 WerFault.exe g6077926.exe

description	pid	process	target process
PID 3644 set thread context of 2408	3644	g6077926.exe	AppLaunch.exe

pid	pid_target	process	target process
3160	3644	WerFault.exe	g6077926.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exex3338334.exex7229528.exex5451534.exeg6077926.exe

description	pid	process	target process
PID 2708 wrote to memory of 2996	2708	ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe	x3338334.exe
PID 2708 wrote to memory of 2996	2708	ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe	x3338334.exe
PID 2708 wrote to memory of 2996	2708	ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe	x3338334.exe
PID 2996 wrote to memory of 4704	2996	x3338334.exe	x7229528.exe
PID 2996 wrote to memory of 4704	2996	x3338334.exe	x7229528.exe
PID 2996 wrote to memory of 4704	2996	x3338334.exe	x7229528.exe
PID 4704 wrote to memory of 1060	4704	x7229528.exe	x5451534.exe
PID 4704 wrote to memory of 1060	4704	x7229528.exe	x5451534.exe
PID 4704 wrote to memory of 1060	4704	x7229528.exe	x5451534.exe
PID 1060 wrote to memory of 3644	1060	x5451534.exe	g6077926.exe
PID 1060 wrote to memory of 3644	1060	x5451534.exe	g6077926.exe
PID 1060 wrote to memory of 3644	1060	x5451534.exe	g6077926.exe
PID 3644 wrote to memory of 3472	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 3472	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 3472	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 3644 wrote to memory of 2408	3644	g6077926.exe	AppLaunch.exe
PID 1060 wrote to memory of 2640	1060	x5451534.exe	h7071108.exe
PID 1060 wrote to memory of 2640	1060	x5451534.exe	h7071108.exe
PID 1060 wrote to memory of 2640	1060	x5451534.exe	h7071108.exe

C:\Users\Admin\AppData\Local\Temp\ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe
"C:\Users\Admin\AppData\Local\Temp\ba494624eebd5343a245e58b1f24e0044ccb4c80897feb6a13e393719d23900c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3338334.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3338334.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7229528.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7229528.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5451534.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5451534.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6077926.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6077926.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 580
6⤵
- Program crash
PID:3160

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7071108.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7071108.exe
5⤵
- Executes dropped EXE
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3644 -ip 3644
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3338334.exe

Filesize
828KB

MD5
d6d173ad0d8374701fe49464c3e26273

SHA1
75add4edb0e710d86173e2d72de847a41fdcb1f4

SHA256
190f8da208468213e0025531229c21b94a028aad21c0100258c54a1396405dd3

SHA512
bae71985a773e93a42f33668249e4a316fec0daad9eea982b930bb5e9e5952e8bd466f0d531c597ea88209870f93ebcea13b1c8d93909cae13952c0c32dea39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7229528.exe

Filesize
556KB

MD5
cb10eb8ad36c71404478fa72c9246bda

SHA1
1dacb993abfbcf6dc0250e1f012aef78f5582d3b

SHA256
adc4d98eda93b5b2180c15b5ef56188626ae8776275ce29cbca259ad11fc314b

SHA512
a073080a0bb7eff80e950747a0c4e3cdf0d06d6c4022e9caebeb1f7056f9fc9f5a02cd54a713409b8bc9619eabd1a9fc9559ca30218528292a5b473ad0e7a920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5451534.exe

Filesize
390KB

MD5
4d128fe4546ce3ebd90a496e1915e1ee

SHA1
75f395899c54e8e00950711790ca9a29dfaabae8

SHA256
f37af0a7ec52f2bc564e2dc79390c3db7bc371888a0b501614c6270195488365

SHA512
9666c9590f3c859ed045d81630004cf7886db6607038b3a7af66e52c449c1976d97a884b21fa92effaede3451e32342047925330c06986e7d975d1e51e1b8ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6077926.exe

Filesize
356KB

MD5
e38f41447352ad628eab47dd37d06648

SHA1
e64f1c8171fe495ce46047810dd26482eb2e01ae

SHA256
aabc8909e1bfdc0a593e17439aa430bf16f1db1c5ea95f7238e1faa6b2ea7f96

SHA512
2c3faf280ea224ca930012b3c1b9569e1b76c32cc9c25dcfd8af36d426e68ff89f489dcd427f03b4ffcf29ffdf051bf0e78eb78b3099e8c9985be0ee3d5974e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7071108.exe

Filesize
174KB

MD5
d711ad10c83928e03adc95ae3c13bec9

SHA1
38fc7266ed70dfb2d9aca063781b0a48ba805ebd

SHA256
7d98f18ea849fdc8ac6d6edc5e0f50e0e55a76f54f20651e30df386878bbc673

SHA512
c3d87fd33f0082ce3620f4f1cf43518fcc5a94a5a541a30d75226ce8a4971f531f937d534e3c26605638060c0bfe8bc61339a338ed44d2aaeb2e7127d11a24de

Download Submit
memory/2408-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2640-35-0x0000000000180000-0x00000000001B0000-memory.dmp

Filesize
192KB

Download
memory/2640-36-0x00000000024B0000-0x00000000024B6000-memory.dmp

Filesize
24KB

Download
memory/2640-37-0x000000000A600000-0x000000000AC18000-memory.dmp

Filesize
6.1MB

Download
memory/2640-38-0x000000000A130000-0x000000000A23A000-memory.dmp

Filesize
1.0MB

Download
memory/2640-39-0x000000000A070000-0x000000000A082000-memory.dmp

Filesize
72KB

Download
memory/2640-40-0x000000000A0D0000-0x000000000A10C000-memory.dmp

Filesize
240KB

Download
memory/2640-41-0x0000000004610000-0x000000000465C000-memory.dmp

Filesize
304KB

Download