mystic | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
132s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe
Size

500KB
MD5

72042dcc9c9f444364c9d752a2a6578a
SHA1

4943efa69c1ec14a4a771999fc74bea4a1a2e175
SHA256

fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62
SHA512

2a22b2f0ccfee7d97ae3e9b277bca18c3382fba44feb1ff10c5c94818edaa46ec6771021dfdb6f0f3375f52392fb35809032d3c3e0cee31c5533ba5cf7a1acfe
SSDEEP

12288:RMrhy90Iu76ZwmypXWLB21ZsWIJ4GtOcH/3jCWffGu5exQH7:YyO63y1Wg+J4xsPjJlexQH7

Score

10^/10

mystic redline jokes infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0107592.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5299195.exe	family_redline
behavioral20/memory/1860-18-0x0000000000510000-0x0000000000540000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y5076685.exem0107592.exen5299195.exe

pid process

1440 y5076685.exe
1100 m0107592.exe
1860 n5299195.exe

pid	process
1440	y5076685.exe
1100	m0107592.exe
1860	n5299195.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y5076685.exefbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5076685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exey5076685.exe

description	pid	process	target process
PID 2596 wrote to memory of 1440	2596	fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe	y5076685.exe
PID 2596 wrote to memory of 1440	2596	fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe	y5076685.exe
PID 2596 wrote to memory of 1440	2596	fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe	y5076685.exe
PID 1440 wrote to memory of 1100	1440	y5076685.exe	m0107592.exe
PID 1440 wrote to memory of 1100	1440	y5076685.exe	m0107592.exe
PID 1440 wrote to memory of 1100	1440	y5076685.exe	m0107592.exe
PID 1440 wrote to memory of 1860	1440	y5076685.exe	n5299195.exe
PID 1440 wrote to memory of 1860	1440	y5076685.exe	n5299195.exe
PID 1440 wrote to memory of 1860	1440	y5076685.exe	n5299195.exe

C:\Users\Admin\AppData\Local\Temp\fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe
"C:\Users\Admin\AppData\Local\Temp\fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5076685.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5076685.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0107592.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0107592.exe
3⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5299195.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5299195.exe
3⤵
- Executes dropped EXE
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5076685.exe
Filesize
271KB

MD5
b2f5660b1ce7c18d3edc134b285b41fa

SHA1
0678e65e5b0c0d3e59400f34c9cb66850f8dc19e

SHA256
47f73032822c1ef72df0f087448efe1eada94481ee6e4768c5f46fa100670171

SHA512
5af319a397d0a5b6d6a7f1ecec58e83007f9b46f0a7c7d78de716724110f744a075e3ceef0f50cd0d55f3b234d003089b1bc46d99c8a9e82b46c9403a9520308

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m0107592.exe
Filesize
140KB

MD5
6caed0878faa02135663a489f0695837

SHA1
07e11090a704a31e844e884546935fef01596fd3

SHA256
233474b0dd9c8d945f606d5c7ec73b98f81aaf1f50175bdca2b3c38a527b8bdd

SHA512
04095c2632c86b57f68f0483b5a1b8073a0d68f45e63ee4a6f0bef9acc7ab4422c0fd9441a3b7b9d0bcccce97bd588c36d8307f18d6c72d2081dc3f5f66cdd82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5299195.exe
Filesize
174KB

MD5
234d578a34e41cfb396716325ea0fbf8

SHA1
241cdb2611155a5ab38f0b8b842cb7c5637abf75

SHA256
bf73030e7fc2d8e18227027cbad57f14164cbe64feeb3824045be2dd42b92876

SHA512
0d9da546a9728c06dc57623a7e8ac8f7f8f637cd2f1e69ba020abf03c5634cbf9dad815e7c142e9542ed0595ca8f19bb28a0ad8d15e1db204f9cb6ff23678b65

Download Submit
memory/1860-17-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1860-18-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/1860-19-0x0000000002860000-0x0000000002866000-memory.dmp

Filesize
24KB

Download
memory/1860-20-0x000000000A960000-0x000000000AF78000-memory.dmp

Filesize
6.1MB

Download
memory/1860-21-0x000000000A4C0000-0x000000000A5CA000-memory.dmp

Filesize
1.0MB

Download
memory/1860-22-0x000000000A400000-0x000000000A412000-memory.dmp

Filesize
72KB

Download
memory/1860-23-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/1860-24-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1860-25-0x00000000027C0000-0x000000000280C000-memory.dmp

Filesize
304KB

Download
memory/1860-26-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1860-27-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download