mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Size

918KB
MD5

56cdba87bcc5804d404098869b844a90
SHA1

2bd2f5db4c77f6c10988d82c8da316eb766dc7b9
SHA256

af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d
SHA512

a20fdff62ab3f1abd82937e7be987a549b68bdfe02cdf26bed82850d3ca9f9a4ded8324808dd6e93bad8ffb3f2e83db387460c75208b528c5d6c439e8506e380
SSDEEP

12288:fMrsy90GXeQX658y7lzrLZJFsYIjHf3UI/P4zONjpbfLhDPDSvJeR6maLZZulS:XyiQq58Cl9J4jHcI/PaWBf4o0N0S

Score

10^/10

mystic redline luska infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

luska

77.91.124.55:19071

Attributes

auth_value
a6797888f51a88afbfd8854a79ac9357

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/3028-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/3028-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/3028-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0619132.exe	family_redline
behavioral17/memory/5076-35-0x0000000000FB0000-0x0000000000FE0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x5402654.exex3676888.exex4023578.exeg3391768.exeh0619132.exe

pid process

4560 x5402654.exe
912 x3676888.exe
3612 x4023578.exe
1796 g3391768.exe
5076 h0619132.exe

pid	process
4560	x5402654.exe
912	x3676888.exe
3612	x4023578.exe
1796	g3391768.exe
5076	h0619132.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exex5402654.exex3676888.exex4023578.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5402654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3676888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4023578.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g3391768.exe

description pid process target process

PID 1796 set thread context of 3028 1796 g3391768.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3248 1796 WerFault.exe g3391768.exe

description	pid	process	target process
PID 1796 set thread context of 3028	1796	g3391768.exe	AppLaunch.exe

pid	pid_target	process	target process
3248	1796	WerFault.exe	g3391768.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exex5402654.exex3676888.exex4023578.exeg3391768.exe

description	pid	process	target process
PID 1212 wrote to memory of 4560	1212	af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe	x5402654.exe
PID 1212 wrote to memory of 4560	1212	af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe	x5402654.exe
PID 1212 wrote to memory of 4560	1212	af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe	x5402654.exe
PID 4560 wrote to memory of 912	4560	x5402654.exe	x3676888.exe
PID 4560 wrote to memory of 912	4560	x5402654.exe	x3676888.exe
PID 4560 wrote to memory of 912	4560	x5402654.exe	x3676888.exe
PID 912 wrote to memory of 3612	912	x3676888.exe	x4023578.exe
PID 912 wrote to memory of 3612	912	x3676888.exe	x4023578.exe
PID 912 wrote to memory of 3612	912	x3676888.exe	x4023578.exe
PID 3612 wrote to memory of 1796	3612	x4023578.exe	g3391768.exe
PID 3612 wrote to memory of 1796	3612	x4023578.exe	g3391768.exe
PID 3612 wrote to memory of 1796	3612	x4023578.exe	g3391768.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 1796 wrote to memory of 3028	1796	g3391768.exe	AppLaunch.exe
PID 3612 wrote to memory of 5076	3612	x4023578.exe	h0619132.exe
PID 3612 wrote to memory of 5076	3612	x4023578.exe	h0619132.exe
PID 3612 wrote to memory of 5076	3612	x4023578.exe	h0619132.exe

C:\Users\Admin\AppData\Local\Temp\af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
"C:\Users\Admin\AppData\Local\Temp\af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5402654.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5402654.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3676888.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3676888.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4023578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4023578.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3391768.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3391768.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 140
        6⤵
        Program crash
        
        PID:3248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0619132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0619132.exe
        5⤵
        Executes dropped EXE
        
        PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1796 -ip 1796
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5402654.exe

Filesize
827KB

MD5
ae900830d76b3a0e92656e799d000b40

SHA1
a6a41ab8eb354912385377f6d85f4df640f20c63

SHA256
1a58b516e32e9dfa94bb88c015eb809c78b726db0fc197d6e02897d82e4dc8e9

SHA512
c3cd8bc076cc81a14256797d9dd7793aaf33d264946c8164fe947e060dff221150e489508b6320dac4700bbdf10037e161669ae13e14a14c1a35aba60857d64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3676888.exe

Filesize
556KB

MD5
a6156c498665816ff8e9ab71779cb28c

SHA1
09cb5c62f11bd9830408d675f3c63e210d88c9a1

SHA256
62514edcbcdbe96e3b7184c3005d6ebbaddd3a37b8b02b0ca5ee5a23db34f719

SHA512
a5751a95c32622af4084c38fd725cc75f73a80e97c3dc9c9cc5de9366602d10c921168ec66f71ae5badbe814104954a86cbeb15093dddfeb7b2980ee27487162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4023578.exe

Filesize
390KB

MD5
7e2e7dc70f56df548232a9dd7556bdb9

SHA1
9fc6a5235b7795d8c562ac7e52d332d6b25b3d6c

SHA256
4bde3e1dee15f8b586369b6a11cc40ac734abd8c9a4d72022dc045bf81eeb0ba

SHA512
2868f38842b06ee86b7a7d8bbe6f4d796bdbe837f65f642a63f8f2da98667f526ff589c77b4466551658122f560edf86ed01df137aae6ad88e3c1d4806bffef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3391768.exe

Filesize
356KB

MD5
e46b86cc64667be01bbf33c5082c6ede

SHA1
b0ebf488952ea67b44db24a2addd621486386acb

SHA256
0a397c3992e710686f9305edd1c441b9802ba1d6ed8eb5c7da6c25bbafc75e69

SHA512
7e10ab88d0b3fbbb3427e9e816fbb7fc9f251ad1b8b6babe60212049878c119a9d5ed5ed2a6d1fe07292201c976accf783a9444cc2d159a8545e88e9cdac208d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0619132.exe

Filesize
174KB

MD5
3fc04c2663ebf50c1c36280a51f0719b

SHA1
4ba492fb247024512393153720277015bc59e041

SHA256
683750e659e7e2d9a97a0abf5955f1231ea78b5dda12423a418051a368869902

SHA512
e34395edaf5239b20437de2959940a419ab3fb2d8f775f5215d84c60d546f4a398a16117f04e656e03b88755d0e98ba1a24209450dbb45fb2bd1740ce5cd2a78

Download Submit
memory/3028-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3028-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3028-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5076-35-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/5076-36-0x00000000033E0000-0x00000000033E6000-memory.dmp

Filesize
24KB

Download
memory/5076-37-0x000000000B480000-0x000000000BA98000-memory.dmp

Filesize
6.1MB

Download
memory/5076-38-0x000000000AF70000-0x000000000B07A000-memory.dmp

Filesize
1.0MB

Download
memory/5076-39-0x000000000AEA0000-0x000000000AEB2000-memory.dmp

Filesize
72KB

Download
memory/5076-40-0x000000000AF00000-0x000000000AF3C000-memory.dmp

Filesize
240KB

Download
memory/5076-41-0x0000000005420000-0x000000000546C000-memory.dmp

Filesize
304KB

Download