mystic | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
Size

2.5MB
MD5

2f7f146caa6b89738f522f714eead088
SHA1

6a54ffc979a13f1d2ec86af63de97db5ffeb0126
SHA256

122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b
SHA512

61a4692ae87401c64792d1195cee1b0a9e8b0c84409689fb1129dcab46718193adafaa2317a3cb3a94e9951e018a39d635ce8ec5ffec8687ee2c44926645d5a8
SSDEEP

49152:MktzA0pHxVZkV6a3vJQyf+74G/w3eL+n9:Mktz1kscGGv

Score

10^/10

mystic redline ramon infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ce8-32.dat	family_mystic
behavioral1/files/0x0008000000016ce8-35.dat	family_mystic
behavioral1/files/0x0008000000016ce8-36.dat	family_mystic
behavioral1/files/0x0008000000016ce8-37.dat	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2704	y3499828.exe
1980	m2402832.exe
1336	n9109208.exe

Loads dropped DLL 6 IoCs

pid	Process
2100	AppLaunch.exe
2704	y3499828.exe
2704	y3499828.exe
1980	m2402832.exe
2704	y3499828.exe
1336	n9109208.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3499828.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2020 wrote to memory of 2100	2020	122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe	29
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2100 wrote to memory of 2704	2100	AppLaunch.exe	30
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1980	2704	y3499828.exe	31
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32
PID 2704 wrote to memory of 1336	2704	y3499828.exe	32

C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
"C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe

Filesize
271KB

MD5
b603e22cb2e5a96c44580842b8378a87

SHA1
a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe

SHA256
1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb

SHA512
cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe

Filesize
140KB

MD5
0f7d89bd2b2cab8f2bb7e75d8cf5d045

SHA1
5ae7f5d816d4aa6405e5bbe46130e376392e86e6

SHA256
c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60

SHA512
2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe

Filesize
174KB

MD5
c5a3567146b7c2b169e457502caa6116

SHA1
01c96aa80b1a84766b6f74b18c0d3312448e42a0

SHA256
8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c

SHA512
14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa

Download Submit
memory/1336-45-0x00000000004A0000-0x00000000004A6000-memory.dmp

Filesize
24KB

Download
memory/1336-44-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/2100-2-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-12-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2100-10-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-17-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-8-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-4-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-6-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-14-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-16-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2100-46-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads