mystic | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe
Size

373KB
MD5

15f157c29571d8a426e4390328ff5f53
SHA1

ca91bab592cd28579d4ecb2aaaf6bb2c9c607e38
SHA256

7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7
SHA512

d29be9762844647d70ded8bc115b5c83958d3f087155b2e027e2d94e85c3e0d3f473fa90b1659b706211a6495889fc4dca6861ff33dc8e58c65918425ee4a3ef
SSDEEP

6144:Kly+bnr+fp0yN90QEjVss6d52jPjeK3GwVxAIoqTP/LMAWREa2NXy:PMrTy901+1d527xOqnM1RF2Ni

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4869489.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6731049.exe	family_redline
behavioral15/memory/3240-18-0x0000000000EA0000-0x0000000000ED0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y0147028.exem4869489.exen6731049.exe

pid process

2540 y0147028.exe
1484 m4869489.exe
3240 n6731049.exe

pid	process
2540	y0147028.exe
1484	m4869489.exe
3240	n6731049.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exey0147028.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0147028.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exey0147028.exe

description	pid	process	target process
PID 908 wrote to memory of 2540	908	7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe	y0147028.exe
PID 908 wrote to memory of 2540	908	7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe	y0147028.exe
PID 908 wrote to memory of 2540	908	7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe	y0147028.exe
PID 2540 wrote to memory of 1484	2540	y0147028.exe	m4869489.exe
PID 2540 wrote to memory of 1484	2540	y0147028.exe	m4869489.exe
PID 2540 wrote to memory of 1484	2540	y0147028.exe	m4869489.exe
PID 2540 wrote to memory of 3240	2540	y0147028.exe	n6731049.exe
PID 2540 wrote to memory of 3240	2540	y0147028.exe	n6731049.exe
PID 2540 wrote to memory of 3240	2540	y0147028.exe	n6731049.exe

C:\Users\Admin\AppData\Local\Temp\7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe
"C:\Users\Admin\AppData\Local\Temp\7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0147028.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0147028.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4869489.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4869489.exe
3⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6731049.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6731049.exe
3⤵
- Executes dropped EXE
PID:3240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0147028.exe
Filesize
271KB

MD5
9334efe8bbd17d0f0f689bb892de1727

SHA1
5585539671058305c25186dfa7e2ea25440f8e42

SHA256
0305a77aa32c95abc3ebeb0ea7d0c3c061dc8f1bf7d0898fbf56787a81497f99

SHA512
738c304645f384b5ffa10e9da6457026d1f25a0b96779031de12dc1ebf9dd613f60aee9c8ecc18a86196b0c77c1084e2285de81779aa12527f47931da99f037a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4869489.exe
Filesize
140KB

MD5
c88d25275d95b5b96658ce0989b951de

SHA1
684fb207b6adb3ae524f95c21126e604e490d162

SHA256
3efeb8e626f6a5decfbd538210aeb1a204b2833c90f46a270a2565fd1975af4d

SHA512
0ca7104cc72a3c78facae947ab387b9d512792963c62caf906683c05a062988d6beb9a40a63cf098cfdf366393c53fe4bdbba950e98d0b6a7417ecfd9d6e8819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n6731049.exe
Filesize
175KB

MD5
1ec0d9ba2e0af433b94555c72ccf27ff

SHA1
58edc95a3b37ac87b5f246845494aba3eaa5b6d0

SHA256
71b65faaa7d7a0168c5a387c376e2acf441b0505f7f0bce50003ca62de086764

SHA512
e9dac0b310ae25a9fd50091e83c0884d58ba0b7c6bbe5fdc72cac7203e6816d605101377e4ccc60ecb9f34883f29b479a12df638d8c7743180dcbe7c3fc38ff3

Download Submit
memory/3240-17-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/3240-18-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/3240-19-0x00000000057C0000-0x00000000057C6000-memory.dmp

Filesize
24KB

Download
memory/3240-20-0x0000000005EE0000-0x00000000064F8000-memory.dmp

Filesize
6.1MB

Download
memory/3240-21-0x00000000059D0000-0x0000000005ADA000-memory.dmp

Filesize
1.0MB

Download
memory/3240-22-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/3240-23-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3240-24-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/3240-25-0x00000000058D0000-0x000000000591C000-memory.dmp

Filesize
304KB

Download
memory/3240-26-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

Filesize
4KB

Download
memory/3240-27-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download