mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe
Size

844KB
MD5

67619038243c3ca7ef31f0f8083ed899
SHA1

35c712d03c386f634071082592ec1cda12407ce4
SHA256

982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af
SHA512

04e9ba958fcd880ac913d869fc07253c3c7e4f7b5a9f74b8090ea03774565643f8cae187e2ae34d20a4a5059325a92168641db67edf81d03af573d794a715109
SSDEEP

24576:yySzsY8Js10a3SA62+QzFy9l25fYFUxbhDbDVMaX0YEZr:ZSAU+aY21zkJUxbx3VkT

Score

10^/10

mystic redline smokeloader breha backdoor infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral11/memory/5060-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral11/memory/5060-32-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral11/memory/5060-30-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral11/memory/1976-40-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral11/memory/632-21-0x00000000024A0000-0x00000000024C0000-memory.dmp	net_reactor
behavioral11/memory/632-23-0x0000000004F50000-0x0000000004F6E000-memory.dmp	net_reactor

Executes dropped EXE 6 IoCs

Processes:

SK7Fw08.exeIl7xP59.exe1cF86eS5.exe2Ts4818.exe3PG43MK.exe4ad436NX.exe

pid process

3136 SK7Fw08.exe
4732 Il7xP59.exe
632 1cF86eS5.exe
3564 2Ts4818.exe
4244 3PG43MK.exe
4740 4ad436NX.exe

pid	process
3136	SK7Fw08.exe
4732	Il7xP59.exe
632	1cF86eS5.exe
3564	2Ts4818.exe
4244	3PG43MK.exe
4740	4ad436NX.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SK7Fw08.exeIl7xP59.exe982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SK7Fw08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Il7xP59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2Ts4818.exe3PG43MK.exe4ad436NX.exe

description	pid	process	target process
PID 3564 set thread context of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 4244 set thread context of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4740 set thread context of 1976	4740	4ad436NX.exe	AppLaunch.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3116 3564 WerFault.exe 2Ts4818.exe
2684 4244 WerFault.exe 3PG43MK.exe
1368 4740 WerFault.exe 4ad436NX.exe

pid	pid_target	process	target process
3116	3564	WerFault.exe	2Ts4818.exe
2684	4244	WerFault.exe	3PG43MK.exe
1368	4740	WerFault.exe	4ad436NX.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1cF86eS5.exe

description pid process

Token: SeDebugPrivilege 632 1cF86eS5.exe

description	pid	process
Token: SeDebugPrivilege	632	1cF86eS5.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exeSK7Fw08.exeIl7xP59.exe2Ts4818.exe3PG43MK.exe4ad436NX.exe

description	pid	process	target process
PID 4848 wrote to memory of 3136	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	SK7Fw08.exe
PID 4848 wrote to memory of 3136	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	SK7Fw08.exe
PID 4848 wrote to memory of 3136	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	SK7Fw08.exe
PID 3136 wrote to memory of 4732	3136	SK7Fw08.exe	Il7xP59.exe
PID 3136 wrote to memory of 4732	3136	SK7Fw08.exe	Il7xP59.exe
PID 3136 wrote to memory of 4732	3136	SK7Fw08.exe	Il7xP59.exe
PID 4732 wrote to memory of 632	4732	Il7xP59.exe	1cF86eS5.exe
PID 4732 wrote to memory of 632	4732	Il7xP59.exe	1cF86eS5.exe
PID 4732 wrote to memory of 632	4732	Il7xP59.exe	1cF86eS5.exe
PID 4732 wrote to memory of 3564	4732	Il7xP59.exe	2Ts4818.exe
PID 4732 wrote to memory of 3564	4732	Il7xP59.exe	2Ts4818.exe
PID 4732 wrote to memory of 3564	4732	Il7xP59.exe	2Ts4818.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3564 wrote to memory of 5060	3564	2Ts4818.exe	AppLaunch.exe
PID 3136 wrote to memory of 4244	3136	SK7Fw08.exe	3PG43MK.exe
PID 3136 wrote to memory of 4244	3136	SK7Fw08.exe	3PG43MK.exe
PID 3136 wrote to memory of 4244	3136	SK7Fw08.exe	3PG43MK.exe
PID 4244 wrote to memory of 4832	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 4832	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 4832	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4244 wrote to memory of 3980	4244	3PG43MK.exe	AppLaunch.exe
PID 4848 wrote to memory of 4740	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	4ad436NX.exe
PID 4848 wrote to memory of 4740	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	4ad436NX.exe
PID 4848 wrote to memory of 4740	4848	982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe	4ad436NX.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe
PID 4740 wrote to memory of 1976	4740	4ad436NX.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe
"C:\Users\Admin\AppData\Local\Temp\982ac80dc3c29453250a0bd0e8cb19fcf14d9871dfc2fc8d4363fb7dad5533af.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SK7Fw08.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SK7Fw08.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Il7xP59.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Il7xP59.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF86eS5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF86eS5.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ts4818.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ts4818.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 580
5⤵
- Program crash
PID:3116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PG43MK.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PG43MK.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Checks SCSI registry key(s)
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 588
4⤵
- Program crash
PID:2684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ad436NX.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ad436NX.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 136
3⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3564 -ip 3564
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4244 -ip 4244
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4740 -ip 4740
1⤵
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ad436NX.exe
Filesize
339KB

MD5
de9e3cedd7e524d93284fb86be651d34

SHA1
8b4ae7d764d0188af573d7f98a1b4f8dd228ceea

SHA256
35810da260999da005e1c124b887a6d9545168a993129a7aeeaf11f8f45518e3

SHA512
81e5ca0a44d1ad7e87c5749490b49f2edb455ddf7863c2d448dc1f6eaf171a12d9afc0282b9b403736d481c9815179b34552b1de162a0cf0b67be0f48c4334ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SK7Fw08.exe
Filesize
608KB

MD5
92dbfae14bb0ab9b3e87ca23d1857323

SHA1
9fb8d024842f63b8af1eb15b4a60fdd117ea64c1

SHA256
3a5ad720dfcc29fdbb7c77d7fb17e81b038a3b45246d4ba92eaf863a5fd629e9

SHA512
e20f66f8a9c0c6fcfd4a2affc268a46a187c70a05ed8e4345e823fd44c1f179742f51d6bf39960b899e94edef589c48589afba48d1ec803827ecff9e92908a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3PG43MK.exe
Filesize
148KB

MD5
36881b32d8411948d0e821dd20d9e5e3

SHA1
3373216a3c4cef9c19964a07f7e1bacab8b85342

SHA256
2e33ece6665fb701ff10da765c33b90ed6a72565b112f8f05ec68e15ae067af6

SHA512
43f3bdae7078079531a0e4402d600fdbc208aa789f567e381a7509d4f9cfebbd0ba8c0804c0b28b5ea96d78d828575395b78d6cfb9b1333d45b2b4b608932522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Il7xP59.exe
Filesize
423KB

MD5
e3dbd313560a2b8be986ac1c0a300597

SHA1
99fde2d1610e64ed9c5e51d70a92933990d75a9b

SHA256
343df5f1332be55510661305e5c2162fff838fd52ceb61eae34e9c08518e98f1

SHA512
519d38c36be9e807f640c81999e1d13b622707328c7c71dff9dc160f42da8bb9b1d770569d1420f058874d5363f42082d170ee7fec1a347a1488f861898aa30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF86eS5.exe
Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ts4818.exe
Filesize
298KB

MD5
71b33a091e12bd381be84f1883ce3c8d

SHA1
c91dca4d95d02e700596efe1ab1c2ead29d0d9d3

SHA256
930792b0d74c5128084fd3d45f0ca82b5e67021e602dafc779af93640c0818cb

SHA512
4ba97247ed668ed85307e01cb6d7651807b2f96eb087c0b8bbbda763953867a9be80f2463b0d13b22a9d751b8dd325503e615497e5f8298c0f0ce6afd5003471

Download Submit
memory/632-21-0x00000000024A0000-0x00000000024C0000-memory.dmp

Filesize
128KB

Download
memory/632-22-0x0000000004950000-0x0000000004EF4000-memory.dmp

Filesize
5.6MB

Download
memory/632-23-0x0000000004F50000-0x0000000004F6E000-memory.dmp

Filesize
120KB

Download
memory/632-24-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/1976-41-0x0000000007B50000-0x0000000007B5A000-memory.dmp

Filesize
40KB

Download
memory/1976-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-42-0x0000000008C40000-0x0000000009258000-memory.dmp

Filesize
6.1MB

Download
memory/1976-43-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/1976-44-0x0000000007CD0000-0x0000000007CE2000-memory.dmp

Filesize
72KB

Download
memory/1976-45-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download
memory/1976-46-0x0000000007EA0000-0x0000000007EEC000-memory.dmp

Filesize
304KB

Download
memory/3980-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5060-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download