mystic | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe
Size

503KB
MD5

1cdcd0418b5ed6de8f5ce0e268c264da
SHA1

5af6604444d6a85e87847fda3197b156aa18b2ab
SHA256

160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b
SHA512

b43523de650f5ab97079966778997fe6f3b4129684110463d40e2d077038156008ba9071e699d3711bbd503e4c43929945b3d862f9c28aa71ac3b948316f597b
SSDEEP

12288:jMrHy90TxDvhnlYPLgRtFyGjKCufuntSdGIOPd/k2yHsvcIXm:YyApBlYs5y3+tSAIO5jzvI

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2623904.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2306408.exe	family_redline
behavioral3/memory/1656-18-0x0000000000330000-0x0000000000360000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y8346850.exem2623904.exen2306408.exe

pid process

4680 y8346850.exe
3984 m2623904.exe
1656 n2306408.exe

pid	process
4680	y8346850.exe
3984	m2623904.exe
1656	n2306408.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exey8346850.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8346850.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exey8346850.exe

description	pid	process	target process
PID 1252 wrote to memory of 4680	1252	160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe	y8346850.exe
PID 1252 wrote to memory of 4680	1252	160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe	y8346850.exe
PID 1252 wrote to memory of 4680	1252	160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe	y8346850.exe
PID 4680 wrote to memory of 3984	4680	y8346850.exe	m2623904.exe
PID 4680 wrote to memory of 3984	4680	y8346850.exe	m2623904.exe
PID 4680 wrote to memory of 3984	4680	y8346850.exe	m2623904.exe
PID 4680 wrote to memory of 1656	4680	y8346850.exe	n2306408.exe
PID 4680 wrote to memory of 1656	4680	y8346850.exe	n2306408.exe
PID 4680 wrote to memory of 1656	4680	y8346850.exe	n2306408.exe

C:\Users\Admin\AppData\Local\Temp\160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe
"C:\Users\Admin\AppData\Local\Temp\160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8346850.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8346850.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2623904.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2623904.exe
3⤵
- Executes dropped EXE
PID:3984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2306408.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2306408.exe
3⤵
- Executes dropped EXE
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8346850.exe
Filesize
271KB

MD5
f52468a6eb8e00f613a65f9bab7ad03b

SHA1
7ba69474844acf089509b0f34ab2eb5b43bf55fb

SHA256
b66f88322c866f46af6aa76b7e7ec12fc7dae8d69b72f3ed4f95723d2169a816

SHA512
468deb6dc1d95ea7ca49297db9709c341cce31151a1e8f3d40408fc99556728b538df496d100c607a72d1eed0ed9574b165d69720d240842d6258086d8d02df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2623904.exe
Filesize
140KB

MD5
852de0b6807b2d48e7c4e5b24b5751e2

SHA1
38d39904e599a229a1027b78c9a7043d6391eec1

SHA256
e3c4d2d2bc1ef87f8d7ebafe75a7731a524a342c8678e9e0ba246481bf703085

SHA512
20c4a26367b8b43b88e1d46112402440a366f13a1205347dcb942a5feac91af843f1ad298a2febbcec3e3f033361b1f12ff55c861ec40c23f03982d982f18bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2306408.exe
Filesize
176KB

MD5
196a17aa1ca403bc29697cc9c537a369

SHA1
d4dc0ea2b60b898c91312d5dc90930a42752f056

SHA256
37f1cc5cb7b9769dfb74984e64a21b598187207b52c74fae6464b5056c62e6d2

SHA512
4adffb02a868cf9bb6f6f3641fd5d88a62ad42919a8cc9c61d1cf8cb999ea4120c45d976c85f9eeb52aa2d8dfdc8a24941764a53e39636431c9ebd9757e77cd7

Download Submit
memory/1656-17-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1656-18-0x0000000000330000-0x0000000000360000-memory.dmp

Filesize
192KB

Download
memory/1656-19-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/1656-20-0x000000000A620000-0x000000000AC38000-memory.dmp

Filesize
6.1MB

Download
memory/1656-21-0x000000000A1A0000-0x000000000A2AA000-memory.dmp

Filesize
1.0MB

Download
memory/1656-22-0x000000000A0D0000-0x000000000A0E2000-memory.dmp

Filesize
72KB

Download
memory/1656-23-0x000000000A130000-0x000000000A16C000-memory.dmp

Filesize
240KB

Download
memory/1656-24-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/1656-25-0x0000000004670000-0x00000000046BC000-memory.dmp

Filesize
304KB

Download
memory/1656-26-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/1656-27-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download