mystic | 4b8426608d129065454fb59979cb7863e9b221d10a94bf05a1dddf8807d50656

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe
Size

1.1MB
MD5

4e9a064fd09528f5303170e09f4a9915
SHA1

660aba6a4f542e455c1c03d064a6a5d0f03f242b
SHA256

4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c
SHA512

dd16cf7e646bfb424d34de2ba2cb552f0ca987ab7f05e4e5fc02f0121cdcc64516a6f55205d30c8989c01b685cfffe6a5024dd939edcb5f394090fd6440f0ec5
SSDEEP

24576:wyEcwtFE7Dovi0Qy5knZeVw4dCsgjWLbFuap2FXSBmIQHg:3EcSmfoa0QyiZ34csv2FiUV

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral7/files/0x000800000002342c-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x000700000002342d-36.dat	family_redline
behavioral7/memory/3860-38-0x00000000004C0000-0x00000000004FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
8	gX7Zm6Gs.exe
3240	Ub1Pu2Xt.exe
4772	sp2Zh2SH.exe
3472	dU7jF6bO.exe
3624	1Py64PZ7.exe
3860	2zY069an.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gX7Zm6Gs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ub1Pu2Xt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sp2Zh2SH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dU7jF6bO.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 8	3576	4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe	83
PID 3576 wrote to memory of 8	3576	4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe	83
PID 3576 wrote to memory of 8	3576	4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe	83
PID 8 wrote to memory of 3240	8	gX7Zm6Gs.exe	84
PID 8 wrote to memory of 3240	8	gX7Zm6Gs.exe	84
PID 8 wrote to memory of 3240	8	gX7Zm6Gs.exe	84
PID 3240 wrote to memory of 4772	3240	Ub1Pu2Xt.exe	85
PID 3240 wrote to memory of 4772	3240	Ub1Pu2Xt.exe	85
PID 3240 wrote to memory of 4772	3240	Ub1Pu2Xt.exe	85
PID 4772 wrote to memory of 3472	4772	sp2Zh2SH.exe	87
PID 4772 wrote to memory of 3472	4772	sp2Zh2SH.exe	87
PID 4772 wrote to memory of 3472	4772	sp2Zh2SH.exe	87
PID 3472 wrote to memory of 3624	3472	dU7jF6bO.exe	88
PID 3472 wrote to memory of 3624	3472	dU7jF6bO.exe	88
PID 3472 wrote to memory of 3624	3472	dU7jF6bO.exe	88
PID 3472 wrote to memory of 3860	3472	dU7jF6bO.exe	89
PID 3472 wrote to memory of 3860	3472	dU7jF6bO.exe	89
PID 3472 wrote to memory of 3860	3472	dU7jF6bO.exe	89

C:\Users\Admin\AppData\Local\Temp\4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe
"C:\Users\Admin\AppData\Local\Temp\4c0305778b4b02327cc84ac03c05c82f6839ea6dcb28c73b0751b4c168601e7c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gX7Zm6Gs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gX7Zm6Gs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ub1Pu2Xt.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ub1Pu2Xt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sp2Zh2SH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sp2Zh2SH.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dU7jF6bO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dU7jF6bO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Py64PZ7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Py64PZ7.exe
        6⤵
        Executes dropped EXE
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zY069an.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zY069an.exe
        6⤵
        Executes dropped EXE
        
        PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gX7Zm6Gs.exe

Filesize
1005KB

MD5
b906b8f0a83a778b6ae4a1fc58c5b0a6

SHA1
28a4cae041215a53dd1ae0f9b194001571ef4a27

SHA256
ccb4c557adf5eca8e74ea28d10813118076d655fdd2677a8cb0133b2ccd8711c

SHA512
55b23478b3a5f4c76342c144aedd1131ae5dbaf7f4a6547ca97c568d6e07ab8dcd90cdf3d3efd7b144b24dab0d5f209a24ef34e237f6dffa0ac8cc06bc440e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ub1Pu2Xt.exe

Filesize
816KB

MD5
8e02494bb3dacb883250585c26e5d2c8

SHA1
ae0cf9633d1b0146358522bbc19f57d50f36a3ce

SHA256
32a84b5aa989f0b443cf24c175b8dc5d507d12a6282eac3b12e0ae05801db7dd

SHA512
b67762558b6a66c9d88b370ae86b67001d2f75822362d9327bc82e59c01b44f33110e3bc4c25939811b6447540e7a4f2b54d642a04af788dd0b47cab3a27f27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sp2Zh2SH.exe

Filesize
522KB

MD5
30be969576a942a5b9eb4f2847c8659b

SHA1
8d14a261cceacabddfd73e34dbfb9c45bf6e58d3

SHA256
668679f85838b5faa5d271e648e436aa19f354b27ab4fa6c981b40d9ee1cd54d

SHA512
3e46c7c5d8387db57fa4ddfa8db286f1c5db38c88cb2ac2b3afed1e5286818facad4814e61d3c47beaf6c1fcda61c9341554e51e4b3674ecfe8ec9c708b1de1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dU7jF6bO.exe

Filesize
326KB

MD5
d7f8d34c614001be1d4e5f48fdd96c7c

SHA1
edb98c61f04363907f69240e9a2fe92cd9529290

SHA256
1e944b144765084fcfa1f63d0cf7161d44b6cd7c9285bd7c83ead9e89066a2a5

SHA512
f4798003d418b3287fd72b04b7340889512caccfc52155564969bdd26ef7a5ddef804390b53b48bbb326d1d688a33250954b908e2128a52c45389a57945a1ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Py64PZ7.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2zY069an.exe

Filesize
221KB

MD5
bd211f127317b3c37f9c485a6afd1501

SHA1
283637d08e054feb7e564cf8a893e31feaea89f2

SHA256
fcebde83146eee7195db260a3d0e8fb289f04211d9cdef5ba3b0fb9ea5f1753f

SHA512
f8148c1dcdade8d741e07582a152e7eaa08bdddbdf195e8f348a700821b3e5f7ffddeacd3334a4224ac7f51db4991bb5b4249cb64fb96c9e874e8aeae5d43fbf

Download Submit
memory/3860-38-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/3860-39-0x0000000007880000-0x0000000007E24000-memory.dmp

Filesize
5.6MB

Download
memory/3860-40-0x00000000073C0000-0x0000000007452000-memory.dmp

Filesize
584KB

Download
memory/3860-41-0x0000000004920000-0x000000000492A000-memory.dmp

Filesize
40KB

Download
memory/3860-42-0x0000000008450000-0x0000000008A68000-memory.dmp

Filesize
6.1MB

Download
memory/3860-43-0x00000000076A0000-0x00000000077AA000-memory.dmp

Filesize
1.0MB

Download
memory/3860-44-0x00000000075C0000-0x00000000075D2000-memory.dmp

Filesize
72KB

Download
memory/3860-45-0x0000000007620000-0x000000000765C000-memory.dmp

Filesize
240KB

Download
memory/3860-46-0x00000000077B0000-0x00000000077FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads