mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe
Size

1.3MB
MD5

2225c03c5bb14e2e02f8d888252d3d12
SHA1

326be1965a1539524141ea1a5707a157c7d4d5f5
SHA256

9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b
SHA512

3fa39ee0552ce33bad2327d2f4f59be2e11452b011292e3795db32b53a50a71b4350f8d92021b5fd068fa7dc2c12f93dd78487f3f24035ca420ddbe2a0391f92
SSDEEP

24576:5y0LMN4FQFK9kCT0ROmvezfvKo3kqva6i3+V5O66s2kd9sR5gfyTBpTSMj68wM8W:s0LbFlqvBmr1kqyvslASSgfy9UMjHwD

Score

10^/10

mystic redline lutyr infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

lutyr

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs84zQ2.exe mystic_family
Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk641Kf.exe family_redline
behavioral14/memory/2612-38-0x0000000000DB0000-0x0000000000DEE000-memory.dmp family_redline
Executes dropped EXE 6 IoCs

Processes:

nj4yr8zq.exeHl0Ia4Xo.exeOT0zY3Ac.exeAZ0Tf2sG.exe1gs84zQ2.exe2Zk641Kf.exe

pid process

3232 nj4yr8zq.exe
4652 Hl0Ia4Xo.exe
3824 OT0zY3Ac.exe
2812 AZ0Tf2sG.exe
1336 1gs84zQ2.exe
2612 2Zk641Kf.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs84zQ2.exe	mystic_family

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk641Kf.exe	family_redline
behavioral14/memory/2612-38-0x0000000000DB0000-0x0000000000DEE000-memory.dmp	family_redline

pid	process
3232	nj4yr8zq.exe
4652	Hl0Ia4Xo.exe
3824	OT0zY3Ac.exe
2812	AZ0Tf2sG.exe
1336	1gs84zQ2.exe
2612	2Zk641Kf.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exenj4yr8zq.exeHl0Ia4Xo.exeOT0zY3Ac.exeAZ0Tf2sG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nj4yr8zq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Hl0Ia4Xo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OT0zY3Ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	AZ0Tf2sG.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exenj4yr8zq.exeHl0Ia4Xo.exeOT0zY3Ac.exeAZ0Tf2sG.exe

description	pid	process	target process
PID 4308 wrote to memory of 3232	4308	9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe	nj4yr8zq.exe
PID 4308 wrote to memory of 3232	4308	9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe	nj4yr8zq.exe
PID 4308 wrote to memory of 3232	4308	9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe	nj4yr8zq.exe
PID 3232 wrote to memory of 4652	3232	nj4yr8zq.exe	Hl0Ia4Xo.exe
PID 3232 wrote to memory of 4652	3232	nj4yr8zq.exe	Hl0Ia4Xo.exe
PID 3232 wrote to memory of 4652	3232	nj4yr8zq.exe	Hl0Ia4Xo.exe
PID 4652 wrote to memory of 3824	4652	Hl0Ia4Xo.exe	OT0zY3Ac.exe
PID 4652 wrote to memory of 3824	4652	Hl0Ia4Xo.exe	OT0zY3Ac.exe
PID 4652 wrote to memory of 3824	4652	Hl0Ia4Xo.exe	OT0zY3Ac.exe
PID 3824 wrote to memory of 2812	3824	OT0zY3Ac.exe	AZ0Tf2sG.exe
PID 3824 wrote to memory of 2812	3824	OT0zY3Ac.exe	AZ0Tf2sG.exe
PID 3824 wrote to memory of 2812	3824	OT0zY3Ac.exe	AZ0Tf2sG.exe
PID 2812 wrote to memory of 1336	2812	AZ0Tf2sG.exe	1gs84zQ2.exe
PID 2812 wrote to memory of 1336	2812	AZ0Tf2sG.exe	1gs84zQ2.exe
PID 2812 wrote to memory of 1336	2812	AZ0Tf2sG.exe	1gs84zQ2.exe
PID 2812 wrote to memory of 2612	2812	AZ0Tf2sG.exe	2Zk641Kf.exe
PID 2812 wrote to memory of 2612	2812	AZ0Tf2sG.exe	2Zk641Kf.exe
PID 2812 wrote to memory of 2612	2812	AZ0Tf2sG.exe	2Zk641Kf.exe

C:\Users\Admin\AppData\Local\Temp\9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe
"C:\Users\Admin\AppData\Local\Temp\9bbc6ca8610d7090cfeb2b3f3881a2526ac3f729f2cd3e749168fb38991b525b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nj4yr8zq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nj4yr8zq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hl0Ia4Xo.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hl0Ia4Xo.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT0zY3Ac.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT0zY3Ac.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AZ0Tf2sG.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AZ0Tf2sG.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs84zQ2.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs84zQ2.exe
6⤵
- Executes dropped EXE
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk641Kf.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk641Kf.exe
6⤵
- Executes dropped EXE
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nj4yr8zq.exe
Filesize
1.2MB

MD5
bdb6c0ef90a90db380cccc43eabdea68

SHA1
dbc09f37ddc2c3e198d96fdc88fc19c5384e308c

SHA256
13dcdff00505d67249c8829830e2255eefaa24ea740bb1080874963763e9c8d2

SHA512
0bec1f51b8f08c64deda1a3b3bea70ad06f3faa15da4757d71ce906d36e8789fb42e89a1b0aad49e0ae3daad8ee6b8ef37314f45470d07ab8d8abc072dde36dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Hl0Ia4Xo.exe
Filesize
1.0MB

MD5
b8f67da3d18ae902823fb8dc214f7ea0

SHA1
772723c653234ebddcbb694673220c562f3204a7

SHA256
d893aafc151cb9844bc61bab4eeac2b6d72bb1e5da29ed5ac6992b2414c2a534

SHA512
127ad7630a73d691ddecf41c3234a1e9b7f199516ca2b58a2b440faf79909092c7affb7bae8c6bf658c45db3bfd1aff662715c1ffaac22fe4ff84f4f91dfa658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OT0zY3Ac.exe
Filesize
522KB

MD5
79c6d74cd49f423ed2557a23e26a13ec

SHA1
8c75ad65571c9ac786fe230b4674169f7bd11ff5

SHA256
6a488f94cc48228eaf52eae27828e12987bb44a2dda1046a8bf56c846655a303

SHA512
d405e41b67a51903c56085b63919632e4f11c0d59766cacf03a1305a8c97e2bbc36f17ce0335f1d5105927538e84a07d067b3c81d17602cbe0ee0ab5a213034d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AZ0Tf2sG.exe
Filesize
326KB

MD5
99f0be4cb2f1f8389c193ad86510bf63

SHA1
b7e2fccbc6037b0ef01aedce2a499d2b7855deb0

SHA256
2d9d0c2b54cf579136f4d9c7c90119962cf8530753d8c4453e41a69d861196de

SHA512
45826ee2ee8c4af4eb50fd21759e018f27e7bdd22977525bdc5e55085e847a3099f00206273db131753bf9e67ec3532ad70d2b0e14b1256a3c72232a7e7ba258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gs84zQ2.exe
Filesize
190KB

MD5
a6656e3d6d06c8ce9cbb4b6952553c20

SHA1
af45103616dc896da5ee4268fd5f9483b5b97c1c

SHA256
fec303b128c44607654c078736b96d2762722f51b6c473dfe5415158fd83718b

SHA512
f53f2214d3f192a352b2a93c66d91988a41a5ab9dbf15edd62ea8ce38da8a732114e3c46526d4dc6f3132330913b1acb90fa11ff454a1520d117149a86678d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Zk641Kf.exe
Filesize
221KB

MD5
46ebd974a5837ecbe5f28a9245f70188

SHA1
7136e53cb3a02fca9434b035ca7cd0e87af65c26

SHA256
9a8a9c591836f06c1c972e2953c91518344e6cba1c442aca9a93c5b796d92ed9

SHA512
012fa679718df16d46f49a195d2c6e061e7b402145039296d822dbdd31dc51b21270d17d1272b919b7376e2e4a173aa7a16bd9218ac8a1713498476c865be4b4

Download Submit
memory/2612-38-0x0000000000DB0000-0x0000000000DEE000-memory.dmp

Filesize
248KB

Download
memory/2612-39-0x00000000081F0000-0x0000000008794000-memory.dmp

Filesize
5.6MB

Download
memory/2612-40-0x0000000007CE0000-0x0000000007D72000-memory.dmp

Filesize
584KB

Download
memory/2612-41-0x00000000031E0000-0x00000000031EA000-memory.dmp

Filesize
40KB

Download
memory/2612-42-0x0000000008DC0000-0x00000000093D8000-memory.dmp

Filesize
6.1MB

Download
memory/2612-43-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/2612-44-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/2612-45-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/2612-46-0x0000000007F60000-0x0000000007FAC000-memory.dmp

Filesize
304KB

Download