mystic | 7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809

General

Target

7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe
Size

870KB
MD5

ee58314323f63395d292ce49a0eb8b20
SHA1

3313784fc8d01fb9496e509c2d9df06797940a71
SHA256

7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809
SHA512

4b344bcdaabf3738d33217c5892737aca68042234aa13d84b027827cd5428572b640576104f86a147bba401c680b8ef36345b504b7275ea2942f8ef89f625bc8
SSDEEP

12288:zMrky90N8Lc8A+7OKeZq/UIsS/nuxR1wZL/pTAGBfmWDDGapAMPtnyUXhB8Tg:7yTM+KgUIseuxRwGq1PtVRB8Tg

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023550-27.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023551-29.dat	family_redline
behavioral1/memory/3324-31-0x0000000000660000-0x000000000069E000-memory.dmp	family_redline

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023551-29.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/3324-31-0x0000000000660000-0x000000000069E000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 5 IoCs

pid	Process
2668	RX0jq0WL.exe
4908	bb0Zn2Lw.exe
4768	eA1ZT2qn.exe
3256	1Xi76Zx5.exe
3324	2Ph221vq.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RX0jq0WL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bb0Zn2Lw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eA1ZT2qn.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2668	2752	7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe	88
PID 2752 wrote to memory of 2668	2752	7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe	88
PID 2752 wrote to memory of 2668	2752	7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe	88
PID 2668 wrote to memory of 4908	2668	RX0jq0WL.exe	89
PID 2668 wrote to memory of 4908	2668	RX0jq0WL.exe	89
PID 2668 wrote to memory of 4908	2668	RX0jq0WL.exe	89
PID 4908 wrote to memory of 4768	4908	bb0Zn2Lw.exe	92
PID 4908 wrote to memory of 4768	4908	bb0Zn2Lw.exe	92
PID 4908 wrote to memory of 4768	4908	bb0Zn2Lw.exe	92
PID 4768 wrote to memory of 3256	4768	eA1ZT2qn.exe	93
PID 4768 wrote to memory of 3256	4768	eA1ZT2qn.exe	93
PID 4768 wrote to memory of 3256	4768	eA1ZT2qn.exe	93
PID 4768 wrote to memory of 3324	4768	eA1ZT2qn.exe	94
PID 4768 wrote to memory of 3324	4768	eA1ZT2qn.exe	94
PID 4768 wrote to memory of 3324	4768	eA1ZT2qn.exe	94

C:\Users\Admin\AppData\Local\Temp\7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe
"C:\Users\Admin\AppData\Local\Temp\7018ff7512d58d485ca931d7ec6a267bd839ecd9c1fa672af055454f2af03809.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RX0jq0WL.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RX0jq0WL.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0Zn2Lw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0Zn2Lw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eA1ZT2qn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eA1ZT2qn.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xi76Zx5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xi76Zx5.exe
        5⤵
        Executes dropped EXE
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ph221vq.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ph221vq.exe
        5⤵
        Executes dropped EXE
        
        PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3888,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4176 /prefetch:8
1⤵
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RX0jq0WL.exe

Filesize
688KB

MD5
a1c881231254d5d151f17394f4e4f7ce

SHA1
649b0336b5cfb7a99ad24bd86b54a62cf6e23003

SHA256
fe0dfa190907b7574d2057655882331db9ce5385e983c0340563dd0258f1270d

SHA512
f14e49e14b354279802722453664de159eca4b3400727b79b2210276fc25bb35351016e18d457c179179c6b3758eeb5223a7e0cb7cc67530953b354c64b0c574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bb0Zn2Lw.exe

Filesize
514KB

MD5
b875349e92d3a5f7a87e32e4c8229a15

SHA1
21c4bb1d48ca76a6381271241ee0cc1984c13c21

SHA256
9d3177f360b8322bb30faf449c1ce736307c511dd2fae4f904d132df25d5f7fd

SHA512
fccbc341161d63c4afb0c8c7aae1409dc525ea1ee57fea48330a000188b68163a8365f8300714272eb4438f3b6b020e6cf4dbbe3db85300f5cc40b5e2bc4b65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eA1ZT2qn.exe

Filesize
319KB

MD5
687d9afca473944e2bee3ae7036bf359

SHA1
5b527cdca8128ad4e1e59a1549b9637d494c1499

SHA256
7b9bb411597c868fbb52260adf28d41f58dc24c1a68fc2e76a218e755b2b57ca

SHA512
6a07e886197b1f475172b5c6235bab3934b322807cfa39ab27e99c7b954193ede9b05c4f10e8e92357a06f858c5b8f5f9fde1f628d6d1dd6d31f1166a9e49ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Xi76Zx5.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Ph221vq.exe

Filesize
223KB

MD5
db85ee53021b82d32efadcb32523ab36

SHA1
d0554c875e33682d00a8d7e618b81098de1fbb12

SHA256
be48f2de1a1bc8baf1fa1b0a31eda972008ffb737e213b8b42de916cd89a41a9

SHA512
6ebd46d2645dc943e3628676185c7fee94d859010765c3c1dc950b9ceb299530b298b945907fa3c5bda1fe6e85e5cf6748bb286f93671cecdbe608df4a6213e1

Download Submit
memory/3324-31-0x0000000000660000-0x000000000069E000-memory.dmp

Filesize
248KB

Download
memory/3324-32-0x0000000007AA0000-0x0000000008044000-memory.dmp

Filesize
5.6MB

Download
memory/3324-33-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/3324-34-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/3324-35-0x0000000008670000-0x0000000008C88000-memory.dmp

Filesize
6.1MB

Download
memory/3324-36-0x00000000078F0000-0x00000000079FA000-memory.dmp

Filesize
1.0MB

Download
memory/3324-37-0x0000000007750000-0x0000000007762000-memory.dmp

Filesize
72KB

Download
memory/3324-38-0x00000000077E0000-0x000000000781C000-memory.dmp

Filesize
240KB

Download
memory/3324-39-0x0000000007780000-0x00000000077CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads