mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe
Size

1.4MB
MD5

5adfe625ce0b9acb6f2fcfb7ddb93ed1
SHA1

bae77070ad159af4a47d9f002c9242ab5a046203
SHA256

acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e
SHA512

4bf3c5b513e8c92eb3d749922ad755f732e3e1808177519575dd308b5869ae190496b028c020331a2d09dd09de774843f4bed27351fa195c412e6afa1f1d50df
SSDEEP

24576:HygAMt/9IiF58aP+3j9v9sjVcPJ+6Zg6lTLxw6xarOO/p/VKVncZJW56R1L:SdX88q+3jRGVE86Zg6hy6xarlxEnc5

Score

10^/10

mystic redline smokeloader breha backdoor infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

breha

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral13/memory/2168-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2168-32-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2168-30-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral13/memory/1088-40-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral13/memory/1116-21-0x0000000002470000-0x0000000002490000-memory.dmp	net_reactor
behavioral13/memory/1116-23-0x0000000004990000-0x00000000049AE000-memory.dmp	net_reactor

Executes dropped EXE 6 IoCs

pid	Process
2768	LC1Fv16.exe
2516	tJ9jX65.exe
1116	1Es77QW0.exe
1064	2IO6427.exe
2748	3mW13OM.exe
912	4er892rY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LC1Fv16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tJ9jX65.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 2168	1064	2IO6427.exe	99
PID 2748 set thread context of 880	2748	3mW13OM.exe	102
PID 912 set thread context of 1088	912	4er892rY.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	1Es77QW0.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 2768	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	83
PID 3248 wrote to memory of 2768	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	83
PID 3248 wrote to memory of 2768	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	83
PID 2768 wrote to memory of 2516	2768	LC1Fv16.exe	84
PID 2768 wrote to memory of 2516	2768	LC1Fv16.exe	84
PID 2768 wrote to memory of 2516	2768	LC1Fv16.exe	84
PID 2516 wrote to memory of 1116	2516	tJ9jX65.exe	85
PID 2516 wrote to memory of 1116	2516	tJ9jX65.exe	85
PID 2516 wrote to memory of 1116	2516	tJ9jX65.exe	85
PID 2516 wrote to memory of 1064	2516	tJ9jX65.exe	95
PID 2516 wrote to memory of 1064	2516	tJ9jX65.exe	95
PID 2516 wrote to memory of 1064	2516	tJ9jX65.exe	95
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 1064 wrote to memory of 2168	1064	2IO6427.exe	99
PID 2768 wrote to memory of 2748	2768	LC1Fv16.exe	100
PID 2768 wrote to memory of 2748	2768	LC1Fv16.exe	100
PID 2768 wrote to memory of 2748	2768	LC1Fv16.exe	100
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 2748 wrote to memory of 880	2748	3mW13OM.exe	102
PID 3248 wrote to memory of 912	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	103
PID 3248 wrote to memory of 912	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	103
PID 3248 wrote to memory of 912	3248	acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe	103
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105
PID 912 wrote to memory of 1088	912	4er892rY.exe	105

C:\Users\Admin\AppData\Local\Temp\acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe
"C:\Users\Admin\AppData\Local\Temp\acced6c53e1b934a83d5078e487974940fb30074e0dc4027f969dbab9ca9539e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC1Fv16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC1Fv16.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tJ9jX65.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tJ9jX65.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Es77QW0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Es77QW0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IO6427.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IO6427.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3mW13OM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3mW13OM.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Checks SCSI registry key(s)
      PID:880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er892rY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er892rY.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4er892rY.exe

Filesize
1.2MB

MD5
267ef1a960bfb0bb33928ec219dc1cea

SHA1
fc28acaa6e4e4af3ad7fc8c2a851e84419a2eebf

SHA256
b462fedfb5904509e82387e2591bdb1ddfe6d12b6a28a189c6403a860050965e

SHA512
ba09e6c6b71426e09214c1c6773114d0a46edd133d711f81960390f940a81a695550971b30c1d292109873b524db94b596ecaebfaf379e6c6bcfd4089379e38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC1Fv16.exe

Filesize
1005KB

MD5
25e67b7fef8a7516eb46e1ae99e4adcc

SHA1
2cff044528c475f8fca107c25db6989b82664f58

SHA256
d388552e755d178d396916c5cced3efbb39f0900e79121da01e68397b59fc865

SHA512
945fad17d8ffc5011629d35c26f4f6c7b4f8160afb9a44651cfca04ac3f2d6c96c6a451211c574673b61aebd3b877e159cb55762e21b068941d33e29c11988ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3mW13OM.exe

Filesize
973KB

MD5
5dc4be46727c1853e63ebdd240ec9bd9

SHA1
6265b41bbecbb96cf666d2b4cbd6f209f44d7a2d

SHA256
1df63e2de3adac7ff425c75b3f649078fd7a8e0008e5063bd290adb1cdba2446

SHA512
59828cba7af9fb26c6717eb3e655eec07f732ec92d3ec0cce7ed2df1acf6095dec2d97cdbbd3591ed96c08cb2adcff12c31534a93b48757ff8976c0a4233062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tJ9jX65.exe

Filesize
621KB

MD5
e8cf8c4fe5c92ebe4a847898c5390558

SHA1
7392e693b3fd0aa86176fa509d8c04a4ec27421a

SHA256
a4635bd2f929dbf5077f4a83049f3d8d88c9c7c1f239073d43db9ec339b32178

SHA512
4780baaf2ee308a0fd6b5146478f31a5cd9692b7a6988f1f8f63b51d5c1fd60400d1eceae3c91df0b196225f9b6931c0a0de1f65abc2094c5a112ff31776e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Es77QW0.exe

Filesize
195KB

MD5
7f726f7dac36a27880ea545866534dda

SHA1
a644a86f8ffe8497101eb2c8ef69b859fb51119d

SHA256
7d8062c6ae88e04ecadb6f8eb85e1d77caba2cb70fed241f04454fd5d70ced2a

SHA512
8d8216a173bf1b498e5bf6d9292b05cd27b913c3203e296d55b169a1980bc38d8589bdb3e88a685a238183a60b8e86049cf280dd47143445c1ba5b6d287c2775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2IO6427.exe

Filesize
1.1MB

MD5
6ef68ec5b2d91cbc9c66fa0553e527ec

SHA1
8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

SHA256
8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

SHA512
1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

Download Submit
memory/880-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1088-45-0x0000000007730000-0x000000000776C000-memory.dmp

Filesize
240KB

Download
memory/1088-43-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/1088-44-0x00000000075B0000-0x00000000075C2000-memory.dmp

Filesize
72KB

Download
memory/1088-41-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

Filesize
40KB

Download
memory/1088-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-42-0x0000000008590000-0x0000000008BA8000-memory.dmp

Filesize
6.1MB

Download
memory/1088-46-0x00000000075E0000-0x000000000762C000-memory.dmp

Filesize
304KB

Download
memory/1116-23-0x0000000004990000-0x00000000049AE000-memory.dmp

Filesize
120KB

Download
memory/1116-24-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/1116-22-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/1116-21-0x0000000002470000-0x0000000002490000-memory.dmp

Filesize
128KB

Download
memory/2168-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2168-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads