mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe
Size

609KB
MD5

991a01dc2f24d959e954facd3333af95
SHA1

358d3fea9e3d609db40a663a1e1649b3ebe01aed
SHA256

bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e
SHA512

254fb0615c4800690e65f69e1c8f6f1ca4072cb684d26928f95c1983e590e02a7fc935d973b8fdc2aeec31fc976cd163c49da923cee56de6c51b1532d1114e2d
SSDEEP

12288:GMr+y9067bv7ep0xO1z7KUQLrVuhX12NZ7W3m1wR0Br0zyFxPNeZ4D8:sy3nvE0xFhuhX12y2iaBr0zyXPN/D8

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral16/files/0x00080000000234ae-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x00070000000234af-22.dat	family_redline
behavioral16/memory/3580-24-0x0000000000A70000-0x0000000000AA0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4368	y8844011.exe
2868	y9013260.exe
2708	m2443223.exe
3580	n1392921.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9013260.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8844011.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4368	4604	bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe	83
PID 4604 wrote to memory of 4368	4604	bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe	83
PID 4604 wrote to memory of 4368	4604	bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe	83
PID 4368 wrote to memory of 2868	4368	y8844011.exe	84
PID 4368 wrote to memory of 2868	4368	y8844011.exe	84
PID 4368 wrote to memory of 2868	4368	y8844011.exe	84
PID 2868 wrote to memory of 2708	2868	y9013260.exe	85
PID 2868 wrote to memory of 2708	2868	y9013260.exe	85
PID 2868 wrote to memory of 2708	2868	y9013260.exe	85
PID 2868 wrote to memory of 3580	2868	y9013260.exe	86
PID 2868 wrote to memory of 3580	2868	y9013260.exe	86
PID 2868 wrote to memory of 3580	2868	y9013260.exe	86

C:\Users\Admin\AppData\Local\Temp\bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe
"C:\Users\Admin\AppData\Local\Temp\bad97858db5dda89342aa20cee6db489fa0f6859c8723e24cac79ffb85811e8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8844011.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8844011.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9013260.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9013260.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2443223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2443223.exe
      4⤵
      Executes dropped EXE
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1392921.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1392921.exe
      4⤵
      Executes dropped EXE
      PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8844011.exe

Filesize
507KB

MD5
f1f83880a4f8de9095014c0ec483b8bd

SHA1
7a7e779f838c15d8db2e5d8aae4c20ab1e90a147

SHA256
d56c0dc88910624287bba720d3455318f1c12b4ccce08a7974982a0e740786b9

SHA512
f1e5e4306c9e08ff7afab8fcefa2e1e85e5c08761a4458146119c6d74d310ada42731a976fbb37aa6bbc663953e3242992ca4f6f0b64f7052dc66f2113e210e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9013260.exe

Filesize
271KB

MD5
637c262210b21517e676efea3ce7f2b6

SHA1
063776c6a362b64680ba0d15d25b3aa65511de0c

SHA256
1815b98d1273fd94a6fa064ef4204e79733201e47b12a74846df6ab0577e19f1

SHA512
7a96d993a107247062dd2b1473ca0cc645394ddea9dcedfc224fc0170404d96054d6f08fb234f21e9019f460bda499558b28e8ac85af48eba7ad1f5dcefa8a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m2443223.exe

Filesize
140KB

MD5
d94577d33dcedd1a088a53c6344a324c

SHA1
871764ef7831fad4e2fe0bb164f60d5f4689d328

SHA256
ee1022efd13d165ed11781f5d09187e9909a3f8ed0ced30c6d8e2127b6006f9f

SHA512
fd9cf920e299b406efa2f1fe00a0813e233dc33e01f32d71705c09edd18a6d616ead8cea2efc662eb647512f8481cc43c7a0b0df927389bff8e61e481356bfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n1392921.exe

Filesize
176KB

MD5
d001113c3aaa5a412bb3f678b81fb233

SHA1
7bd85c7bc0a7d8db3c8a3a9db1a5c3063735b755

SHA256
ea7be1854f7ab24b077f57ab9f67d83d825965de07c5635917ee437fc7ce2bbe

SHA512
e5d79e806c12647d4f6755f4b77e1eca436a0567f0691a927f67c17da6e0931d821efe18e047816f1d6072411f689fdbdee8725324fa5dafbb3314b385a74b03

Download Submit
memory/3580-24-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/3580-25-0x0000000001360000-0x0000000001366000-memory.dmp

Filesize
24KB

Download
memory/3580-26-0x0000000005A30000-0x0000000006048000-memory.dmp

Filesize
6.1MB

Download
memory/3580-27-0x0000000005520000-0x000000000562A000-memory.dmp

Filesize
1.0MB

Download
memory/3580-28-0x00000000052E0000-0x00000000052F2000-memory.dmp

Filesize
72KB

Download
memory/3580-29-0x0000000005450000-0x000000000548C000-memory.dmp

Filesize
240KB

Download
memory/3580-30-0x00000000054A0000-0x00000000054EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads