mystic | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe
Size

604KB
MD5

76f318321de01f842142662a0e9d1f79
SHA1

63b05b7f9760400fbd568bead10f26d7f876ba8e
SHA256

1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d
SHA512

92b54fe8150c22eb460fb9a001989ed5ee452e66d1200c715a481151f0aac3cc63c24b6cff7bc7faaa4e0fb549dfe551c646b0e631a2b0054db7449f9808c7a8
SSDEEP

12288:OMrNy90W4zY0QqOgvZIteQdrtFyGjOC2fnNz6Cg3JdWMqUz73JHr0M:/yRGY9tndDydN2CKLpnZHQM

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral3/files/0x0008000000023407-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023408-22.dat	family_redline
behavioral3/memory/5048-24-0x00000000004D0000-0x0000000000500000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4152	y0622698.exe
2428	y5956209.exe
4632	m8344407.exe
5048	n5847433.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0622698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5956209.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 4152	4276	1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe	82
PID 4276 wrote to memory of 4152	4276	1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe	82
PID 4276 wrote to memory of 4152	4276	1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe	82
PID 4152 wrote to memory of 2428	4152	y0622698.exe	83
PID 4152 wrote to memory of 2428	4152	y0622698.exe	83
PID 4152 wrote to memory of 2428	4152	y0622698.exe	83
PID 2428 wrote to memory of 4632	2428	y5956209.exe	84
PID 2428 wrote to memory of 4632	2428	y5956209.exe	84
PID 2428 wrote to memory of 4632	2428	y5956209.exe	84
PID 2428 wrote to memory of 5048	2428	y5956209.exe	85
PID 2428 wrote to memory of 5048	2428	y5956209.exe	85
PID 2428 wrote to memory of 5048	2428	y5956209.exe	85

C:\Users\Admin\AppData\Local\Temp\1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe
"C:\Users\Admin\AppData\Local\Temp\1510cb1a4ff1f8027f8f81a2905978b60e40fed8901c2f4c5e99e35801083d7d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0622698.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0622698.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5956209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5956209.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8344407.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8344407.exe
      4⤵
      Executes dropped EXE
      PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5847433.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5847433.exe
      4⤵
      Executes dropped EXE
      PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0622698.exe

Filesize
502KB

MD5
b85771359d01c15910e700b1f3bdf134

SHA1
2e5b69d78162ea5b25cc89b86a4744f16a1e7542

SHA256
d4a0902c77ce2a9ea7a788b4927ab256e0dacab422292f9bba8c053bbaa5ed5b

SHA512
4a4cc9cf7e317176c71457db9f4203d3236bb027070d9a349fec7bf65776cae3f754bd44485e728eef98d3dd60679cff873ad2fe6b948770a3351f3dc215a1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5956209.exe

Filesize
271KB

MD5
b6b436117c7787b890a7efccf9ce59e1

SHA1
b30d30cb6821bedee13763d6212e14bcd7973fc1

SHA256
71474ddab5625c23e58b1acde1b8cdc938b5730058cb424931b667d9fcd07f72

SHA512
efc290d0b170403580be7f1128f1add2f504f5617a077de78ed696ab68a1faf94613214146b326eb8d42df637e505484543c84ae185506df4ebe23e6746d01c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8344407.exe

Filesize
140KB

MD5
349d4871fd03d8a29a1874a982138564

SHA1
4faa47a04e2d4341f6c1c7d826cbb6c4ca4ba2d0

SHA256
9614532086c128958e86e9433ac4101cb4130600a9f0cc321ad1ec61bf7b8e2d

SHA512
af687c6297f281d5ef2f0e9d0d6c93fe32b6b5600e89e037a649d47b91dfcc852da673ebe852c132c038c735f73b7f71c6b9004f9aad1f8564e9069cfeb648f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5847433.exe

Filesize
176KB

MD5
92861ed4ce70f0991f94b8cdc716aa84

SHA1
7608b60bc5ea4a0d1ab8a057d6779289661fb03b

SHA256
abb47cf4b8f53660acf50c58ae537bff08a0e770282eaba133edee0be6130f88

SHA512
d00af560752776b408ea392f6b43885b14cb9724ec7d287dc032b24ea0fdac1026a5e089492025cdbac538533016685fd83d4b61bcc04c899a9f603fd1999799

Download Submit
memory/5048-24-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/5048-25-0x0000000004F30000-0x0000000004F36000-memory.dmp

Filesize
24KB

Download
memory/5048-26-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/5048-27-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/5048-28-0x0000000004F90000-0x0000000004FA2000-memory.dmp

Filesize
72KB

Download
memory/5048-29-0x0000000004FF0000-0x000000000502C000-memory.dmp

Filesize
240KB

Download
memory/5048-30-0x0000000005170000-0x00000000051BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads