mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe
Size

1016KB
MD5

286b046acf10fcab8312990c2302253e
SHA1

a55e3416e33d7ecae7c6d96d44ff385b71c3113d
SHA256

e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175
SHA512

fffd0ed3f0f62d2b407c92fe79696f914392b94746f4360b1f82abf41e2b10032ae9f9dd2bfd5e5149f7549000bf86cdcf08ffe1abc360bc48f91e74fbc83786
SSDEEP

24576:jyqCSgOXmr0c9la2uAR30pUy08WuRzEsk3PV:2qCe2Qqla2RR30pfoR/

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sl13ip6.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ba529yJ.exe	family_redline
behavioral19/memory/1016-38-0x0000000000B50000-0x0000000000B8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Xh6St0Ul.exeQe6do1ok.exekU0cl4Oj.exeek4ZG8py.exe1Sl13ip6.exe2Ba529yJ.exe

pid process

5064 Xh6St0Ul.exe
1764 Qe6do1ok.exe
2440 kU0cl4Oj.exe
4792 ek4ZG8py.exe
1200 1Sl13ip6.exe
1016 2Ba529yJ.exe

pid	process
5064	Xh6St0Ul.exe
1764	Qe6do1ok.exe
2440	kU0cl4Oj.exe
4792	ek4ZG8py.exe
1200	1Sl13ip6.exe
1016	2Ba529yJ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ek4ZG8py.exee7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exeXh6St0Ul.exeQe6do1ok.exekU0cl4Oj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ek4ZG8py.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xh6St0Ul.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Qe6do1ok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kU0cl4Oj.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exeXh6St0Ul.exeQe6do1ok.exekU0cl4Oj.exeek4ZG8py.exe

description	pid	process	target process
PID 3984 wrote to memory of 5064	3984	e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe	Xh6St0Ul.exe
PID 3984 wrote to memory of 5064	3984	e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe	Xh6St0Ul.exe
PID 3984 wrote to memory of 5064	3984	e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe	Xh6St0Ul.exe
PID 5064 wrote to memory of 1764	5064	Xh6St0Ul.exe	Qe6do1ok.exe
PID 5064 wrote to memory of 1764	5064	Xh6St0Ul.exe	Qe6do1ok.exe
PID 5064 wrote to memory of 1764	5064	Xh6St0Ul.exe	Qe6do1ok.exe
PID 1764 wrote to memory of 2440	1764	Qe6do1ok.exe	kU0cl4Oj.exe
PID 1764 wrote to memory of 2440	1764	Qe6do1ok.exe	kU0cl4Oj.exe
PID 1764 wrote to memory of 2440	1764	Qe6do1ok.exe	kU0cl4Oj.exe
PID 2440 wrote to memory of 4792	2440	kU0cl4Oj.exe	ek4ZG8py.exe
PID 2440 wrote to memory of 4792	2440	kU0cl4Oj.exe	ek4ZG8py.exe
PID 2440 wrote to memory of 4792	2440	kU0cl4Oj.exe	ek4ZG8py.exe
PID 4792 wrote to memory of 1200	4792	ek4ZG8py.exe	1Sl13ip6.exe
PID 4792 wrote to memory of 1200	4792	ek4ZG8py.exe	1Sl13ip6.exe
PID 4792 wrote to memory of 1200	4792	ek4ZG8py.exe	1Sl13ip6.exe
PID 4792 wrote to memory of 1016	4792	ek4ZG8py.exe	2Ba529yJ.exe
PID 4792 wrote to memory of 1016	4792	ek4ZG8py.exe	2Ba529yJ.exe
PID 4792 wrote to memory of 1016	4792	ek4ZG8py.exe	2Ba529yJ.exe

C:\Users\Admin\AppData\Local\Temp\e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe
"C:\Users\Admin\AppData\Local\Temp\e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xh6St0Ul.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xh6St0Ul.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qe6do1ok.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qe6do1ok.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU0cl4Oj.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU0cl4Oj.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek4ZG8py.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek4ZG8py.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sl13ip6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sl13ip6.exe
6⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ba529yJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ba529yJ.exe
6⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xh6St0Ul.exe
Filesize
877KB

MD5
ec07ad53821060d37ad05f319f5a2927

SHA1
58f73507c2024a32b2c8009a07c3dabcf050fb60

SHA256
79ba9ea286d0e0dc17ec865c89ac19a237f31fd06fa28690be30d85cad9d45fb

SHA512
f5e3cc4ff1f3f1ac764bc714a6f299ef6a062e77755a3fe7b5701521bf40a25ed958275291bb94b9e701e8790db8f3d79ecd8783583b087b235a9492c35698f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qe6do1ok.exe
Filesize
688KB

MD5
08410707afadfee7f0baf5ceb3db8cdc

SHA1
4305cdfe839d981e4d2d8b93cc92b43f1b0cf0f4

SHA256
6f10520f4ff85ab04806165cdf79a74a582492a151f247fb45e98a96e55a9387

SHA512
6091a174ec1c1215eb1840a6bdbcea7e193ede7b16f39b4101cabe25caf735f690ecef195d239fee4326396744b28e51781d23a4a63570a4391a63c80c03dade

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kU0cl4Oj.exe
Filesize
514KB

MD5
925df86b5801700466e4694487ca4953

SHA1
fbcc1ffbeaae72116228b79038760a5e47336803

SHA256
b75f8962f2ade09495ca2fbcaa2c3de625da9b9a0efca46d4a0fe99f398260ea

SHA512
0c85dce0e50e9e0f7670de7aea9871392a33c6b7b3b19a3c09e42fd81d241af56cc596446e208f987a21edc7ddabfc65c7084b7c44c20581dd39d2081f49afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek4ZG8py.exe
Filesize
319KB

MD5
c7604b7075e7b1ae7423f8da740bcbc6

SHA1
f48215acf06e14ba3f26f06fad35c7390e2e7d38

SHA256
adaa673e886dcfa4fd41a52b3caa3dbea6d779260ff15312c05c922433aa5d4a

SHA512
1422cf29fd69939697fac7c3bb4470806f8d83ca9eb6c0ae13234df892a5304183a24d93420d7b68f55eb0384377dab703a5310298449cccb9d418b52a86ef5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Sl13ip6.exe
Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ba529yJ.exe
Filesize
223KB

MD5
89d57277e6e8ee84e475d13ba0f2345f

SHA1
4072057be6312bcf9a2a8d3b28fe167d39ec73c0

SHA256
6d0afae3c495bbc7d09487b961771d7c835bffad41776a31c3333c91120084a7

SHA512
c3668653f7fdfb0446811c974c5c7b8bc91afa808ae72cb2487b6c299188f32bfde5d6c6e0307dee53560a1b6abc77a5a30d1d014d031e189e742b5d7ba186a6

Download Submit
memory/1016-38-0x0000000000B50000-0x0000000000B8E000-memory.dmp

Filesize
248KB

Download
memory/1016-39-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/1016-40-0x0000000007A70000-0x0000000007B02000-memory.dmp

Filesize
584KB

Download
memory/1016-41-0x0000000002E40000-0x0000000002E4A000-memory.dmp

Filesize
40KB

Download
memory/1016-42-0x0000000008B50000-0x0000000009168000-memory.dmp

Filesize
6.1MB

Download
memory/1016-43-0x0000000007D80000-0x0000000007E8A000-memory.dmp

Filesize
1.0MB

Download
memory/1016-44-0x0000000007C70000-0x0000000007C82000-memory.dmp

Filesize
72KB

Download
memory/1016-45-0x0000000007CD0000-0x0000000007D0C000-memory.dmp

Filesize
240KB

Download
memory/1016-46-0x0000000007D10000-0x0000000007D5C000-memory.dmp

Filesize
304KB

Download