mystic | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe
Size

507KB
MD5

cfafb3b6f16b43df024f7f40e7c6ee1a
SHA1

30f47ba6243552d59893105bc8e90497368b3853
SHA256

4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2
SHA512

a7a08355147e240c7030614fe9e220a0f2fd096b298ccc42816980d475ca46d53f17d5b3ed41037902646f4a84e365b24eecf91e9755fcddb119d59918561797
SSDEEP

12288:ZMroy90Gmlxvyy4NY5wERz11xDb5/DgDQkYHQl4X:RyfQ4y4WLz11xDb5/DgD2X

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5660512.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5825264.exe	family_redline
behavioral7/memory/2864-18-0x0000000000EC0000-0x0000000000EF0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y5604761.exem5660512.exen5825264.exe

pid process

2448 y5604761.exe
4320 m5660512.exe
2864 n5825264.exe

pid	process
2448	y5604761.exe
4320	m5660512.exe
2864	n5825264.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exey5604761.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5604761.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exey5604761.exe

description	pid	process	target process
PID 4092 wrote to memory of 2448	4092	4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe	y5604761.exe
PID 4092 wrote to memory of 2448	4092	4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe	y5604761.exe
PID 4092 wrote to memory of 2448	4092	4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe	y5604761.exe
PID 2448 wrote to memory of 4320	2448	y5604761.exe	m5660512.exe
PID 2448 wrote to memory of 4320	2448	y5604761.exe	m5660512.exe
PID 2448 wrote to memory of 4320	2448	y5604761.exe	m5660512.exe
PID 2448 wrote to memory of 2864	2448	y5604761.exe	n5825264.exe
PID 2448 wrote to memory of 2864	2448	y5604761.exe	n5825264.exe
PID 2448 wrote to memory of 2864	2448	y5604761.exe	n5825264.exe

C:\Users\Admin\AppData\Local\Temp\4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe
"C:\Users\Admin\AppData\Local\Temp\4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5604761.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5604761.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5660512.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5660512.exe
3⤵
- Executes dropped EXE
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5825264.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5825264.exe
3⤵
- Executes dropped EXE
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5604761.exe

Filesize
271KB

MD5
d5cb5815a43d0862536b2e2dfe36cba2

SHA1
ededbb26fff1de88c4761b3bffb56c6bcc9c0140

SHA256
a93030fd203346f15d2259b5162a13f63e58afae82b9baf2af37ce189bab92d7

SHA512
73a8f66ab293584fc6efc0625ad30772990aaedb529c37341f99bda15eebb3f5fa0d59acef18ae03007dfb55cae3748ab3868e96238df364e4b51b740e570e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m5660512.exe

Filesize
140KB

MD5
ab154129594eb1e65ad84b90c0885244

SHA1
b356e09ca17c2bd2db4ef9bb8f297978454a38af

SHA256
4f0191cf070ee93137e07b448ff7af929bdb9146aa043adc0b775be1561039d6

SHA512
9c201a8a172206ee2c388721b6f416a94e0cd38e9a195c0b49e312b4943e8a7b5105e19336dcc3c6bcec8f00c77b1e1c3fa02fe29815bf962622e060282036fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n5825264.exe

Filesize
176KB

MD5
95d505917cfdfbae902635c883458021

SHA1
ddbae6bc9de465eb21561972a3966c4b065303ce

SHA256
1f035e9d3251383067ebacc796526f2af1e677fc203679b8f4e881128b075aaa

SHA512
0151a10fb2d78011f7ee74f6f9fb9783d9f192e51173e72a6540f240bdafc1bb7be02b423ecee76b5f1bf8681a010799d0c29b59228f3146a7ce23d13300ed23

Download Submit
memory/2864-17-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

Filesize
4KB

Download
memory/2864-18-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/2864-19-0x00000000030D0000-0x00000000030D6000-memory.dmp

Filesize
24KB

Download
memory/2864-20-0x000000000B1D0000-0x000000000B7E8000-memory.dmp

Filesize
6.1MB

Download
memory/2864-21-0x000000000AD30000-0x000000000AE3A000-memory.dmp

Filesize
1.0MB

Download
memory/2864-22-0x000000000AC60000-0x000000000AC72000-memory.dmp

Filesize
72KB

Download
memory/2864-23-0x000000000ACC0000-0x000000000ACFC000-memory.dmp

Filesize
240KB

Download
memory/2864-24-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/2864-25-0x0000000003030000-0x000000000307C000-memory.dmp

Filesize
304KB

Download
memory/2864-26-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

Filesize
4KB

Download
memory/2864-27-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download