mystic | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Size

373KB
MD5

288cac03ce7b5c3aa5272c2f90620147
SHA1

610d6ea082a6dcac1812a8fcf7654fde3e807ec7
SHA256

9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe
SHA512

e48b31059b16d3bb4792be2c17d0d814bd5a1ce9b7669408f2df17675a113e6a7adb7f64a20740ed13077f75efc7c6a4f2f82534d6b61294775c9bff078ac047
SSDEEP

6144:Kyy+bnr+Vp0yN90QE9WhSSFCpPTbTenECVcZ6rV1YC1wjZXwcuXLfbaHVT:SMr1y90/uZ0rbAV1xwZwcubgJ

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral13/files/0x0008000000023436-12.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x0007000000023437-15.dat	family_redline
behavioral13/memory/3128-18-0x0000000000320000-0x0000000000350000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3328	y2225908.exe
4760	m3249507.exe
3128	n2666764.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2225908.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3328	2428	9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe	83
PID 2428 wrote to memory of 3328	2428	9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe	83
PID 2428 wrote to memory of 3328	2428	9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe	83
PID 3328 wrote to memory of 4760	3328	y2225908.exe	84
PID 3328 wrote to memory of 4760	3328	y2225908.exe	84
PID 3328 wrote to memory of 4760	3328	y2225908.exe	84
PID 3328 wrote to memory of 3128	3328	y2225908.exe	85
PID 3328 wrote to memory of 3128	3328	y2225908.exe	85
PID 3328 wrote to memory of 3128	3328	y2225908.exe	85

C:\Users\Admin\AppData\Local\Temp\9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
"C:\Users\Admin\AppData\Local\Temp\9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2225908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2225908.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3249507.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3249507.exe
    3⤵
    - Executes dropped EXE
    PID:4760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2666764.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2666764.exe
    3⤵
    - Executes dropped EXE
    PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2225908.exe

Filesize
271KB

MD5
d10de05425f2fdf56a5084becf441520

SHA1
581e3e4c6968b03090601044df691b1a0df94c74

SHA256
884d422328c92f625a96a7845252e2f179dd4f54e80938268b1c80efd0cf5d30

SHA512
9f06cb1db76c86eacad4205979708f1ce0ae1915cef87614a14fe0e6d66e939643ce4cd91f089197a3d1562e5aa85f6097783f58ce2a584c5a5f54740ac1b5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m3249507.exe

Filesize
140KB

MD5
70f05849174e88bb7fb3189698687cef

SHA1
29e871decab9ff0b0eb342a0a52324876a997280

SHA256
4575f9b7338e80a5a4371d3e05d5ef313a3818b9318db2f5eb4a0735f3b0e5e8

SHA512
1887bf0151304dd9101556ccac6eff77dd19c9f6edce9cc96faf1d9fb1cc35a067bda404b8ed7ceabb3c21725075c43f51b8151e9b67b6f738a24848ff0e6b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2666764.exe

Filesize
176KB

MD5
363933bcd4c3aa7683b54343057381a5

SHA1
3a86182f064f9a0f254c07384bc945aac238adc3

SHA256
21d27a9080c37164044489429f73ae67b25bcb866407dbf785de65f5cf92c7ab

SHA512
0c0a82e99a35575f779b995a83b18e0db684d219bfff08960d276b1cefd9278a413ec10b5197f91d426850674ef6732660e73e11480876c002f809cf1ec2ebd3

Download Submit
memory/3128-17-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/3128-18-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/3128-19-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/3128-20-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/3128-21-0x0000000004E10000-0x0000000004F1A000-memory.dmp

Filesize
1.0MB

Download
memory/3128-22-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/3128-23-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/3128-24-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download
memory/3128-25-0x0000000004D50000-0x0000000004D9C000-memory.dmp

Filesize
304KB

Download
memory/3128-26-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/3128-27-0x0000000074290000-0x0000000074A40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads