mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe
Size

1.1MB
MD5

d0d194be51a5db58d5a70d55a11f2a4f
SHA1

874dd824189eab5d48557bf6c86f9bea8fece28c
SHA256

6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6
SHA512

4d1e6fef7b8233791e46e51e2f0a21c2a7ba6c85f1b25f7f994b5692f0f7a53f27ce6a15ed8364e12842b176a50ef6df4a93322807bb4350a49d98c61913c7a3
SSDEEP

24576:oyheIf0FTqJGh5A+cexouCaqGDT5C2uVG6TDI:vheq2T8+cXJ5GD9JuVGe

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral8/files/0x0008000000023441-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x0007000000023442-36.dat	family_redline
behavioral8/memory/336-38-0x0000000000E40000-0x0000000000E7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3236	cv9HO8qK.exe
228	cd4LY5hM.exe
4988	AO8Sx7hI.exe
3820	DP8rh4Gj.exe
2324	1qm89FH6.exe
336	2oJ224Wk.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cv9HO8qK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cd4LY5hM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AO8Sx7hI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	DP8rh4Gj.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3236	1404	6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe	83
PID 1404 wrote to memory of 3236	1404	6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe	83
PID 1404 wrote to memory of 3236	1404	6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe	83
PID 3236 wrote to memory of 228	3236	cv9HO8qK.exe	84
PID 3236 wrote to memory of 228	3236	cv9HO8qK.exe	84
PID 3236 wrote to memory of 228	3236	cv9HO8qK.exe	84
PID 228 wrote to memory of 4988	228	cd4LY5hM.exe	85
PID 228 wrote to memory of 4988	228	cd4LY5hM.exe	85
PID 228 wrote to memory of 4988	228	cd4LY5hM.exe	85
PID 4988 wrote to memory of 3820	4988	AO8Sx7hI.exe	87
PID 4988 wrote to memory of 3820	4988	AO8Sx7hI.exe	87
PID 4988 wrote to memory of 3820	4988	AO8Sx7hI.exe	87
PID 3820 wrote to memory of 2324	3820	DP8rh4Gj.exe	88
PID 3820 wrote to memory of 2324	3820	DP8rh4Gj.exe	88
PID 3820 wrote to memory of 2324	3820	DP8rh4Gj.exe	88
PID 3820 wrote to memory of 336	3820	DP8rh4Gj.exe	89
PID 3820 wrote to memory of 336	3820	DP8rh4Gj.exe	89
PID 3820 wrote to memory of 336	3820	DP8rh4Gj.exe	89

C:\Users\Admin\AppData\Local\Temp\6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe
"C:\Users\Admin\AppData\Local\Temp\6b5a910219dbef3059255fe4700c0b661a248a20051c4624275c60fcb969a4c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cv9HO8qK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cv9HO8qK.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cd4LY5hM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cd4LY5hM.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO8Sx7hI.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO8Sx7hI.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DP8rh4Gj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DP8rh4Gj.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qm89FH6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qm89FH6.exe
        6⤵
        Executes dropped EXE
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oJ224Wk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oJ224Wk.exe
        6⤵
        Executes dropped EXE
        
        PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cv9HO8qK.exe

Filesize
1006KB

MD5
a9af4c4353d53d38b514ef4dc4b3538f

SHA1
a9b74c6499d30527a88ea150521ebb93e7aef16c

SHA256
273056dcba1c0045d5b7ab15770c83bb089412d7137c8b36c29d73199359b197

SHA512
ba99728295f1e1b7bafbdd375edcb19bd57d3f93fe740eb3e7510877d07137bef04ea5425df6706557652d3207681fa1cd0e63ebf52d7d61d00c7e06b2283a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cd4LY5hM.exe

Filesize
816KB

MD5
358dd9805905ec56688a3c711755456e

SHA1
6d05fe622ac3847b1ade2cc7be9287b3642f787d

SHA256
25f7b93d299b5b7e8a9c8a5fcd2b912a14f513e849a9e73c9bebc9f521c3680d

SHA512
c101b4e9465f1d5b57998deb43a8447787560fd1d01ab606c36205e3bce661fdac96d8a3221f3ff6903139e1ef492be33717f158f471b67d7ee36f158920e6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AO8Sx7hI.exe

Filesize
522KB

MD5
9ddcedb5add25e765e7474a4e5102fe1

SHA1
ed1876cf9438dc33a611b0c837a8b2dc8b5af6a3

SHA256
5e18851270683c303f09b8e626e0010c183b8fa527c9cf31600ec3f7e8bab3cb

SHA512
26efdd871b7c5b57289bf3455269e929da2adeac6291d70df6822692f8c6f97537f2f96551e51aa129c61405e170e0d2c4fd41a7598b60a15b7dfe13a10e7f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DP8rh4Gj.exe

Filesize
326KB

MD5
60903267de275b39c78757f50fbaa906

SHA1
8a9a40af0b34f92e6ab6ba0f8da578e06e72b1ed

SHA256
ea5ff9c031cd8cccf40c6b46ec10c71e1d03096ce789de0e7a234c3f2c186c1e

SHA512
e55c4aa16facb69bf43ba35606124e9ebcd7181586e054aacac805e7e03461eed5c0d07b0c59b173014c57456617746d54f978301a47d67dc44d668df3ac8f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qm89FH6.exe

Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oJ224Wk.exe

Filesize
221KB

MD5
96c0d828497fe03eb4230d0f71775410

SHA1
19b5c00ad0bad47de098978736cf33f38ff6335d

SHA256
052e81fe806685104560c397ccc2c4c07cdd9bd794c35d404d4099a096fe4c35

SHA512
b7c5062eb2b98e9b353215da803984345a2cd86fc180ffad3526756c57f1596d29cb771f15f213e3624a77d1eec4292991651c28b1f0d224a9c6b4bfe7771bbd

Download Submit
memory/336-38-0x0000000000E40000-0x0000000000E7E000-memory.dmp

Filesize
248KB

Download
memory/336-39-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/336-40-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/336-41-0x00000000031F0000-0x00000000031FA000-memory.dmp

Filesize
40KB

Download
memory/336-42-0x0000000008E90000-0x00000000094A8000-memory.dmp

Filesize
6.1MB

Download
memory/336-43-0x00000000080E0000-0x00000000081EA000-memory.dmp

Filesize
1.0MB

Download
memory/336-44-0x0000000007E30000-0x0000000007E42000-memory.dmp

Filesize
72KB

Download
memory/336-45-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/336-46-0x0000000007E70000-0x0000000007EBC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads