mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe
Size

839KB
MD5

ff24fae8745206c4269b6c6fa50b1639
SHA1

3528935a1c923cf79eb507bdfe79e0af92dd7f79
SHA256

d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d
SHA512

46bd86945bf49339fb278337a13e0a52939673a4cd352c1dd2eac551e12bd56e12a50faf7f62da3d935b161ae9d8c6779ffc7130923d735c05f6a750547a5bda
SSDEEP

24576:QyObegToqBD6bfxbOqgsmK//21X7gZYQeQAw:XhgHD6bfxbOgm2l3

Score

10^/10

mystic redline smokeloader breha backdoor infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/2084-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral16/memory/2084-32-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral16/memory/2084-30-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral16/memory/636-40-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral16/memory/2964-21-0x00000000025B0000-0x00000000025D0000-memory.dmp	net_reactor
behavioral16/memory/2964-23-0x00000000050A0000-0x00000000050BE000-memory.dmp	net_reactor

Executes dropped EXE 6 IoCs

Processes:

Jx7dR05.exesi5KZ07.exe1mu02gG0.exe2OX2884.exe3Lu07EY.exe4wr717kr.exe

pid process

2488 Jx7dR05.exe
384 si5KZ07.exe
2964 1mu02gG0.exe
1548 2OX2884.exe
4588 3Lu07EY.exe
4224 4wr717kr.exe

pid	process
2488	Jx7dR05.exe
384	si5KZ07.exe
2964	1mu02gG0.exe
1548	2OX2884.exe
4588	3Lu07EY.exe
4224	4wr717kr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exeJx7dR05.exesi5KZ07.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jx7dR05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	si5KZ07.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2OX2884.exe3Lu07EY.exe4wr717kr.exe

description	pid	process	target process
PID 1548 set thread context of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 4588 set thread context of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4224 set thread context of 636	4224	4wr717kr.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3324 1548 WerFault.exe 2OX2884.exe
1916 4588 WerFault.exe 3Lu07EY.exe
3040 4224 WerFault.exe 4wr717kr.exe

pid	pid_target	process	target process
3324	1548	WerFault.exe	2OX2884.exe
1916	4588	WerFault.exe	3Lu07EY.exe
3040	4224	WerFault.exe	4wr717kr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1mu02gG0.exe

description pid process

Token: SeDebugPrivilege 2964 1mu02gG0.exe

description	pid	process
Token: SeDebugPrivilege	2964	1mu02gG0.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exeJx7dR05.exesi5KZ07.exe2OX2884.exe3Lu07EY.exe4wr717kr.exe

description	pid	process	target process
PID 1508 wrote to memory of 2488	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	Jx7dR05.exe
PID 1508 wrote to memory of 2488	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	Jx7dR05.exe
PID 1508 wrote to memory of 2488	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	Jx7dR05.exe
PID 2488 wrote to memory of 384	2488	Jx7dR05.exe	si5KZ07.exe
PID 2488 wrote to memory of 384	2488	Jx7dR05.exe	si5KZ07.exe
PID 2488 wrote to memory of 384	2488	Jx7dR05.exe	si5KZ07.exe
PID 384 wrote to memory of 2964	384	si5KZ07.exe	1mu02gG0.exe
PID 384 wrote to memory of 2964	384	si5KZ07.exe	1mu02gG0.exe
PID 384 wrote to memory of 2964	384	si5KZ07.exe	1mu02gG0.exe
PID 384 wrote to memory of 1548	384	si5KZ07.exe	2OX2884.exe
PID 384 wrote to memory of 1548	384	si5KZ07.exe	2OX2884.exe
PID 384 wrote to memory of 1548	384	si5KZ07.exe	2OX2884.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 1548 wrote to memory of 2084	1548	2OX2884.exe	AppLaunch.exe
PID 2488 wrote to memory of 4588	2488	Jx7dR05.exe	3Lu07EY.exe
PID 2488 wrote to memory of 4588	2488	Jx7dR05.exe	3Lu07EY.exe
PID 2488 wrote to memory of 4588	2488	Jx7dR05.exe	3Lu07EY.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 4588 wrote to memory of 3564	4588	3Lu07EY.exe	AppLaunch.exe
PID 1508 wrote to memory of 4224	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	4wr717kr.exe
PID 1508 wrote to memory of 4224	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	4wr717kr.exe
PID 1508 wrote to memory of 4224	1508	d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe	4wr717kr.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe
PID 4224 wrote to memory of 636	4224	4wr717kr.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe
"C:\Users\Admin\AppData\Local\Temp\d62198c81df0ae252c179f6cb6041efd2bb2aea225a387a06ee457bcd7d5930d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jx7dR05.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jx7dR05.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\si5KZ07.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\si5KZ07.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1mu02gG0.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1mu02gG0.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OX2884.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OX2884.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 152
5⤵
- Program crash
PID:3324

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Lu07EY.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Lu07EY.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Checks SCSI registry key(s)
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 616
4⤵
- Program crash
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4wr717kr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4wr717kr.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 148
3⤵
- Program crash
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1548 -ip 1548
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4588 -ip 4588
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4224 -ip 4224
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4wr717kr.exe

Filesize
336KB

MD5
0b15e3e1c8209f3f7d7c4e44c2aa238f

SHA1
21bef4ed4a8cf16884f3fc2ce8bd3827ec751c3a

SHA256
c36b6cee46b96ac2d72e328f2f678f708453a51de1c175b6f5ad5eca899fa4fb

SHA512
7e183f67cd6c117fcfb1eb472e6e7a77ba9a0817dbde1487f2c80bf5e05885bde2842428418b2d972e39a28e9a5d0a68161a996bca8502150142111a3b895e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jx7dR05.exe

Filesize
605KB

MD5
1a05054a990150bff4ab5013ead71fe3

SHA1
8f803b1b92854df5e30e82000445121ed1ade5fa

SHA256
d4a6ce621e37b52a0502934e8cc88d895a9ef0bb02e5a70c172fa9b712c8b805

SHA512
4b3b20e8af6c8dbbac4e5cba35d3ab195ee27cab1d89389cb2fe5d5fba4e2e8ce329797c3ef03fca39ea689aaf9d7de4d30216408695f94e8e8fecf2ff0bd588

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Lu07EY.exe

Filesize
145KB

MD5
af5a39fa501e1fa61435e80f169b2c9f

SHA1
2b87ca8d6e43603c47e0ea3be6736c540c283abf

SHA256
c820ef22dea01c865740e810b7bc6961b438ad5435420e7bd3f6840d609a5446

SHA512
faa24942bb6ac3c04032a0a42be30c0741e9912ca4a16d52a429df04e2a85425fdbc29ee8aa654bf16b3d46e382deafe45b53120dbfc12a5fa7f47d27ec27d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\si5KZ07.exe

Filesize
421KB

MD5
375c5ea54f3bdbfdcee491b25dc06d15

SHA1
661c142637651b501c0e9bf979de3915726ea94b

SHA256
6041ab8a20cbf9f1431afc955849e3562357f873bc9212f4f91700ee11590876

SHA512
828dea20c1ee26071f2e784cc21b63e0f4c472e1912893f523a6be38b8fa480f271671ecb96e0acb5bde1436ba11020b255c5560288816490d3285531880b4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1mu02gG0.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2OX2884.exe

Filesize
295KB

MD5
8393d3108b66e6b5861f618633647788

SHA1
ce610b0c10df715f4a781614a58213b1b60bcbe5

SHA256
fd7686f5574cf48913aa709c30afeedf1382d6bc507fa81928906119f96a2a96

SHA512
08956b6a74ee1dab5879de3406642fa1a039884ef0016631c80c4bbb2eff4664462714a81cdcc173dc0d0a366aa8eafa336c93b2060df835b60b7310843fcc2c

Download Submit
memory/636-43-0x0000000007FE0000-0x00000000080EA000-memory.dmp

Filesize
1.0MB

Download
memory/636-44-0x0000000007F10000-0x0000000007F22000-memory.dmp

Filesize
72KB

Download
memory/636-42-0x0000000008D90000-0x00000000093A8000-memory.dmp

Filesize
6.1MB

Download
memory/636-41-0x0000000003130000-0x000000000313A000-memory.dmp

Filesize
40KB

Download
memory/636-45-0x0000000007F70000-0x0000000007FAC000-memory.dmp

Filesize
240KB

Download
memory/636-46-0x00000000080F0000-0x000000000813C000-memory.dmp

Filesize
304KB

Download
memory/636-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2084-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2964-24-0x00000000051C0000-0x0000000005252000-memory.dmp

Filesize
584KB

Download
memory/2964-23-0x00000000050A0000-0x00000000050BE000-memory.dmp

Filesize
120KB

Download
memory/2964-22-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/2964-21-0x00000000025B0000-0x00000000025D0000-memory.dmp

Filesize
128KB

Download
memory/3564-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download