mystic | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe
Size

604KB
MD5

59dce709730f2f2ade77ccbf09dbfdc3
SHA1

faff86182c2b5610795196c4e42c1ff3bf5c1bb4
SHA256

6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05
SHA512

2df0843fafdfaf2db5adf8c195ba9c2eac261baa19eb7dfa6add046bba2a260298becd9185d367e2bfc363abc69ff2115f803a51665cadcd40185cb6c7af4cbb
SSDEEP

12288:wMrgy90uzPFjPfRl6Ki8tBpNAol1+4p8pC49FN5z0NfUMHOKCjw:Ay3FjRIKim7N54gAV9FN10NfrH

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exe	family_redline
behavioral11/memory/4400-24-0x0000000000690000-0x00000000006C0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y5788019.exey4634208.exem1036678.exen3568974.exe

pid process

1260 y5788019.exe
216 y4634208.exe
1412 m1036678.exe
4400 n3568974.exe

pid	process
1260	y5788019.exe
216	y4634208.exe
1412	m1036678.exe
4400	n3568974.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exey5788019.exey4634208.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5788019.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4634208.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exey5788019.exey4634208.exe

description	pid	process	target process
PID 3696 wrote to memory of 1260	3696	6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe	y5788019.exe
PID 3696 wrote to memory of 1260	3696	6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe	y5788019.exe
PID 3696 wrote to memory of 1260	3696	6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe	y5788019.exe
PID 1260 wrote to memory of 216	1260	y5788019.exe	y4634208.exe
PID 1260 wrote to memory of 216	1260	y5788019.exe	y4634208.exe
PID 1260 wrote to memory of 216	1260	y5788019.exe	y4634208.exe
PID 216 wrote to memory of 1412	216	y4634208.exe	m1036678.exe
PID 216 wrote to memory of 1412	216	y4634208.exe	m1036678.exe
PID 216 wrote to memory of 1412	216	y4634208.exe	m1036678.exe
PID 216 wrote to memory of 4400	216	y4634208.exe	n3568974.exe
PID 216 wrote to memory of 4400	216	y4634208.exe	n3568974.exe
PID 216 wrote to memory of 4400	216	y4634208.exe	n3568974.exe

C:\Users\Admin\AppData\Local\Temp\6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe
"C:\Users\Admin\AppData\Local\Temp\6e55f3939c54789579d9edaea7a64558acfd0452671c75dec280d3967cee4b05.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788019.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788019.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4634208.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4634208.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exe
4⤵
- Executes dropped EXE
PID:1412

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exe
4⤵
- Executes dropped EXE
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788019.exe
Filesize
502KB

MD5
3e21ea6c80d9c720ea5b62d89b7ab10b

SHA1
2691f92f733b116623aa02823f9f809096f9540b

SHA256
118e3ec6483f72e11d958d743dfaad85256c2d0979cf5dec69acefaaabcd8f89

SHA512
e0ddf0ccc4aec49baedbae4d70c2221cb1710abcb2b68590d1556dde8af2e572e0b239e709fbeb420125d05b7703f044c7f0a2c4260c2e6e2cd7324492bcea32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4634208.exe
Filesize
271KB

MD5
e9b6528a6b965e8d92f0fa46552ecf45

SHA1
319155ac387f08654617820a9b3656683156fff1

SHA256
2b0f74b1ca041661d51022359cd7d75a9f10e9652874e983cab634726cc4acaf

SHA512
20a1f20560b1a8d8180abe73ea44dcd9108ca602239ba0ec666664c9f655db0a44e1a71cdb21e04b7e45e60adf2429f8f73953f2d07fa0b8c28d183f0e19d3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1036678.exe
Filesize
140KB

MD5
d6c2a76c484668ec452d03e2fa65f73d

SHA1
4d32b2a66c866d5d7e4a585bc84500229e72c138

SHA256
da95aa77c1722b526ffd21b41c9df600eda6e0cecf6e905d301d3f9ad2b2bc70

SHA512
d39f65f35744c64b6c770c4661831b40805dcea2f266da32e25903f72f010682d18ca30df2906e8a1f864ff6489b9b5256e4f44ccc9f0916d85ce7cc7018d1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3568974.exe
Filesize
176KB

MD5
ab799ac1c1738d1fe08c9883a4f50946

SHA1
59b75561f2e5e7a48b6cbf16cec2a56a47972851

SHA256
93b8bc8a7de2c6b6f17eaf32d7da670b91c6f5484380ac0bb5ebb189536e196a

SHA512
0617e340056cfa0db616029e224a9ba8a2429efabc3958de2ad43b186ba67e4066db55271eb50a5d052a43c2b92c028231682d1e36778902b4f0cde9352fd70b

Download Submit
memory/4400-24-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/4400-25-0x0000000000D80000-0x0000000000D86000-memory.dmp

Filesize
24KB

Download
memory/4400-26-0x0000000005770000-0x0000000005D88000-memory.dmp

Filesize
6.1MB

Download
memory/4400-27-0x0000000005260000-0x000000000536A000-memory.dmp

Filesize
1.0MB

Download
memory/4400-28-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/4400-29-0x00000000051B0000-0x00000000051EC000-memory.dmp

Filesize
240KB

Download
memory/4400-30-0x0000000005200000-0x000000000524C000-memory.dmp

Filesize
304KB

Download