mystic | 692e82b585be9ac7cc8c88f2eeb475fcf42fed96a7b5572934f45018a5f7f2d1

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
Size

604KB
MD5

4a49f25c21c373471295f4badcee8cd5
SHA1

dc1871d02c5f5af9ae2a0e24ff0c1cce6ef48b58
SHA256

17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a
SHA512

95261235a51c77f85d1751907cea517529a9bc6179af76ab2c494ff2f702cf265f8bee8fb60b74ab7bb8094432fa9572bed065078a133480ff3c93069347d69c
SSDEEP

12288:hMray90lso2v9t6ehpXEtFyGjjCYfHGp1Pu5UJK6PYwqbPa3Vr:vySX2v9t6lyGmm5UE6PYPbSB

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe	family_redline
behavioral3/memory/4064-24-0x0000000000830000-0x0000000000860000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y9132069.exey5858526.exem4249757.exen7689082.exe

pid process

2364 y9132069.exe
2268 y5858526.exe
3928 m4249757.exe
4064 n7689082.exe

pid	process
2364	y9132069.exe
2268	y5858526.exe
3928	m4249757.exe
4064	n7689082.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exey9132069.exey5858526.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9132069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5858526.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exey9132069.exey5858526.exe

description	pid	process	target process
PID 2324 wrote to memory of 2364	2324	17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe	y9132069.exe
PID 2324 wrote to memory of 2364	2324	17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe	y9132069.exe
PID 2324 wrote to memory of 2364	2324	17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe	y9132069.exe
PID 2364 wrote to memory of 2268	2364	y9132069.exe	y5858526.exe
PID 2364 wrote to memory of 2268	2364	y9132069.exe	y5858526.exe
PID 2364 wrote to memory of 2268	2364	y9132069.exe	y5858526.exe
PID 2268 wrote to memory of 3928	2268	y5858526.exe	m4249757.exe
PID 2268 wrote to memory of 3928	2268	y5858526.exe	m4249757.exe
PID 2268 wrote to memory of 3928	2268	y5858526.exe	m4249757.exe
PID 2268 wrote to memory of 4064	2268	y5858526.exe	n7689082.exe
PID 2268 wrote to memory of 4064	2268	y5858526.exe	n7689082.exe
PID 2268 wrote to memory of 4064	2268	y5858526.exe	n7689082.exe

C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
"C:\Users\Admin\AppData\Local\Temp\17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe
4⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe
4⤵
- Executes dropped EXE
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9132069.exe
Filesize
502KB

MD5
25e3bca86360bf2bb73c7b70061a59c3

SHA1
1cd97c06a7ccbc2358b98d0bf3af621e908f7e6f

SHA256
647ada02fb7f8a8a7faba9d10d2f777fc67b996528ff6d71abf8a2ea0b834dae

SHA512
27d057942d932005dbfd0ff1a6858e498745213bc180826d72350bc7d0d81845f5620deff3451e821d4dd1646ad4bc5d0b339dd2500f82a30ee64e60ab200ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5858526.exe
Filesize
271KB

MD5
139bb4edad53da946c1a60ea71f03baf

SHA1
59849c83d51d256c2754887d285639bc8573a643

SHA256
05eaf997c36b1e89bff34628335e547b0a9aa8f25865630ee05eeb9bacc07c72

SHA512
22d9b28876fac7d48aaf5fd8e6bdc494acedf510a8bd740a3c85e5ae127148029bb358247c99186f30d4980af4d4f82ad131e74bc42ca38fd469c4a64879805f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4249757.exe
Filesize
140KB

MD5
c8f4393642b24557d6017f13187f9aae

SHA1
e0a1c6a30b6e231d058203ad23c3e0c354280a86

SHA256
b89c878c7ef7437c591d3879e7f3d78e9219551ad031f749efed6776df808061

SHA512
b42e05231ff54ca16b8d0c5cc88fa9884895d72f987ab8b150e76a6504c62b4c73c6cda84f2a2a78d1d5a529b4b1454a8b527988d227b4daa472af88585982f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7689082.exe
Filesize
176KB

MD5
f47c0c4e7087bbf69b4cfca759c3d415

SHA1
c330561512ff8cb20054fca477262fa3484294af

SHA256
a53d48e6d0b462026a551feb3535a1a8c76fb0f8a6b482a384e59b1a470ed172

SHA512
29d033c7de833ea20f26ef701681f13ea41a12d00f65a91ed742f3ebb19467ab49fda47ee4c19e89a166566a12a8dab1f533f306271578d9dd5324104fc55176

Download Submit
memory/4064-24-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/4064-25-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/4064-26-0x000000000AC80000-0x000000000B298000-memory.dmp

Filesize
6.1MB

Download
memory/4064-27-0x000000000A7E0000-0x000000000A8EA000-memory.dmp

Filesize
1.0MB

Download
memory/4064-28-0x000000000A710000-0x000000000A722000-memory.dmp

Filesize
72KB

Download
memory/4064-29-0x000000000A770000-0x000000000A7AC000-memory.dmp

Filesize
240KB

Download
memory/4064-30-0x0000000004B70000-0x0000000004BBC000-memory.dmp

Filesize
304KB

Download