mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
Size

1.3MB
MD5

b1014daa354c943ac07bd77ccbb36ba0
SHA1

6308a52ccad0d1aa5d78d6b543c517029297d0da
SHA256

6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833
SHA512

fa222739128e3ac2ec1d7c5730f0748bd67c5886445157f7517f87088096bd190773805721c52abc21ba998f85ae0f377edb52b1445eaed0a53b25b9c932d6c8
SSDEEP

24576:GyV82uVrfLBvFlIW7F9lymuQg0qx+wkKcCg8QsQdGiHibyue3teeQHW:VVIhzBFlIWpJyGCg8lQl0Xe9FQ

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral10/memory/3040-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral10/memory/3040-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral10/memory/3040-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x0007000000023460-40.dat	family_redline
behavioral10/memory/4944-42-0x00000000008D0000-0x000000000090E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1568	DU0GV2ro.exe
4232	Ai6vW5qG.exe
3408	hV6MS9sj.exe
1120	vF0rA2UI.exe
2556	1Tm22sn6.exe
4944	2Wu191OC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DU0GV2ro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ai6vW5qG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hV6MS9sj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vF0rA2UI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2556 set thread context of 3040	2556	1Tm22sn6.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4116	2556	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1568	3048	6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe	84
PID 3048 wrote to memory of 1568	3048	6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe	84
PID 3048 wrote to memory of 1568	3048	6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe	84
PID 1568 wrote to memory of 4232	1568	DU0GV2ro.exe	85
PID 1568 wrote to memory of 4232	1568	DU0GV2ro.exe	85
PID 1568 wrote to memory of 4232	1568	DU0GV2ro.exe	85
PID 4232 wrote to memory of 3408	4232	Ai6vW5qG.exe	86
PID 4232 wrote to memory of 3408	4232	Ai6vW5qG.exe	86
PID 4232 wrote to memory of 3408	4232	Ai6vW5qG.exe	86
PID 3408 wrote to memory of 1120	3408	hV6MS9sj.exe	87
PID 3408 wrote to memory of 1120	3408	hV6MS9sj.exe	87
PID 3408 wrote to memory of 1120	3408	hV6MS9sj.exe	87
PID 1120 wrote to memory of 2556	1120	vF0rA2UI.exe	88
PID 1120 wrote to memory of 2556	1120	vF0rA2UI.exe	88
PID 1120 wrote to memory of 2556	1120	vF0rA2UI.exe	88
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 2556 wrote to memory of 3040	2556	1Tm22sn6.exe	90
PID 1120 wrote to memory of 4944	1120	vF0rA2UI.exe	95
PID 1120 wrote to memory of 4944	1120	vF0rA2UI.exe	95
PID 1120 wrote to memory of 4944	1120	vF0rA2UI.exe	95

C:\Users\Admin\AppData\Local\Temp\6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
"C:\Users\Admin\AppData\Local\Temp\6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DU0GV2ro.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DU0GV2ro.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ai6vW5qG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ai6vW5qG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hV6MS9sj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hV6MS9sj.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vF0rA2UI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vF0rA2UI.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1120
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tm22sn6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tm22sn6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 580
        7⤵
        Program crash
        
        PID:4116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wu191OC.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wu191OC.exe
        6⤵
        Executes dropped EXE
        
        PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2556 -ip 2556
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DU0GV2ro.exe

Filesize
1.1MB

MD5
46c74c67e68161be405cb33896f3b06c

SHA1
dec1a2268c4448fadb7a9e4f7df0214727451b59

SHA256
2b9747d7ccf39f8782498aa96553e4c5012947cefbcf761ca6eb6389e331c090

SHA512
d771b8f38437bb3798e70ce508a0a5821cd5a2aa36584c8807117543826bc4b366157e69c2a2862d3412e6a8cef01849f67cdc20fea5ca95c73980a16e13148f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ai6vW5qG.exe

Filesize
951KB

MD5
57e4d1525720e839e43fbb55a62859d4

SHA1
408834c4613b7897a8935026b044048c7aa0f524

SHA256
1ab83d9e2769c703b1d6d0be131ecd39acb0a35607166cc623ff46b941987eb1

SHA512
31cbac57f17718163278c8c9fb59ed9dc85e19815a32379605088527737660c00ef5436dca7b774193bf61072388e55657ab2173bb4190c2e3ac2041edd645a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hV6MS9sj.exe

Filesize
648KB

MD5
910ee6352080e426ba3b40702996373a

SHA1
e9c0b4a272f618740d76b7712bb15b22358fb64b

SHA256
1342d3e9fb35595663b199db5254d30a7cec6476f767117784367e61a4c19708

SHA512
2edd9d78ecdf3a7ee27ab4218ae3ea55fe64a460f5bf1e6ce87514845c55605508b5af91db42c2c4d9ad3f6a25044e0784c7303064736c0fb7deaa3df79b9cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vF0rA2UI.exe

Filesize
452KB

MD5
bfb875022368f94bd37d189b6726d21e

SHA1
d8a6f8f608c12016016c2ad41d51794f448501be

SHA256
24578a40fe94df08bad3bbf32d8e3087ac9aae19ea01577cd7261975fda36798

SHA512
4cf2da5fa84e8b11f7a74395e9e9b86b39f5aefc78ab46a842d3230424d48d74a5e475fc04e5a0d032497dc7894ef0a97ec7f9f3ddfbacb533ded04d46eca547

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Tm22sn6.exe

Filesize
449KB

MD5
464384f130df5eff2bb2ea3331659866

SHA1
5aa26db0536f2e6e500dd35270ec63cf2b5583c9

SHA256
74fa5d855c8c2ba4aac904d81fbfdb0d6b8fffcca9f8cae1ab72f7675db44b08

SHA512
6dd90705568cc6fd34a7d63b4df05554bcdef0d4577ca4a34c648c924ab807a55b42053733d34d2a34e146060b1c8fc27e76d2515eceeeee1d3a1f534dc4db6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wu191OC.exe

Filesize
222KB

MD5
5cfec1c7fce7f18a95d3e72661991c32

SHA1
7c77d2b4751f3f131d20fece42db72b29657c8ab

SHA256
e562dd8c2eed155b73e52946d1be66a8aef01bb41a332983073aa730112b6ff6

SHA512
75949f34766b59bc9289d2a77b20aba7b49ae90ef8a8dfdd47628a5916a51c10b1bfa9ebb0a77ea448d328b09a83933660371f97df4273523cb9175171ae98a5

Download Submit
memory/3040-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-42-0x00000000008D0000-0x000000000090E000-memory.dmp

Filesize
248KB

Download
memory/4944-43-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/4944-44-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/4944-45-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/4944-46-0x00000000087B0000-0x0000000008DC8000-memory.dmp

Filesize
6.1MB

Download
memory/4944-47-0x0000000007A70000-0x0000000007B7A000-memory.dmp

Filesize
1.0MB

Download
memory/4944-48-0x0000000007880000-0x0000000007892000-memory.dmp

Filesize
72KB

Download
memory/4944-49-0x00000000078E0000-0x000000000791C000-memory.dmp

Filesize
240KB

Download
memory/4944-50-0x0000000007960000-0x00000000079AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads