mystic | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Size

1.2MB
MD5

3dbb95f86f886cdbafb2d8989c1cc77c
SHA1

f0c053c9b02c0cd21a321ce5c57950b0040c7aa7
SHA256

1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5
SHA512

a0aa590779c2f4e6c4dc3c360047623c5e919eac9219b252c74d634a7f5e654ac1d265e7b18a9783daa722f7c59fd351b3084f7deccbae09dad6ae493cb38683
SSDEEP

24576:syYxMgtVHWO2xYNKZPT1VXEFgb8vjy3s8mHUYIzq3ga/6dPy4a6zri:bYxMgtNW9aNKZPT0Fgb8m3qHUZW9iI4H

Score

10^/10

mystic redline mrak infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002343b-39.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023438-42.dat	family_redline
behavioral2/memory/4560-43-0x0000000000DF0000-0x0000000000E20000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	saves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	l8465121.exe

Executes dropped EXE 9 IoCs

pid	Process
2820	y7567951.exe
2688	y3343301.exe
3416	y9485469.exe
1400	l8465121.exe
3284	saves.exe
1284	m4983873.exe
4560	n8431052.exe
1852	saves.exe
3636	saves.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7567951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3343301.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y9485469.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4100	schtasks.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 2820	4840	1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe	82
PID 4840 wrote to memory of 2820	4840	1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe	82
PID 4840 wrote to memory of 2820	4840	1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe	82
PID 2820 wrote to memory of 2688	2820	y7567951.exe	83
PID 2820 wrote to memory of 2688	2820	y7567951.exe	83
PID 2820 wrote to memory of 2688	2820	y7567951.exe	83
PID 2688 wrote to memory of 3416	2688	y3343301.exe	84
PID 2688 wrote to memory of 3416	2688	y3343301.exe	84
PID 2688 wrote to memory of 3416	2688	y3343301.exe	84
PID 3416 wrote to memory of 1400	3416	y9485469.exe	85
PID 3416 wrote to memory of 1400	3416	y9485469.exe	85
PID 3416 wrote to memory of 1400	3416	y9485469.exe	85
PID 1400 wrote to memory of 3284	1400	l8465121.exe	87
PID 1400 wrote to memory of 3284	1400	l8465121.exe	87
PID 1400 wrote to memory of 3284	1400	l8465121.exe	87
PID 3416 wrote to memory of 1284	3416	y9485469.exe	88
PID 3416 wrote to memory of 1284	3416	y9485469.exe	88
PID 3416 wrote to memory of 1284	3416	y9485469.exe	88
PID 2688 wrote to memory of 4560	2688	y3343301.exe	89
PID 2688 wrote to memory of 4560	2688	y3343301.exe	89
PID 2688 wrote to memory of 4560	2688	y3343301.exe	89
PID 3284 wrote to memory of 4100	3284	saves.exe	91
PID 3284 wrote to memory of 4100	3284	saves.exe	91
PID 3284 wrote to memory of 4100	3284	saves.exe	91
PID 3284 wrote to memory of 3260	3284	saves.exe	92
PID 3284 wrote to memory of 3260	3284	saves.exe	92
PID 3284 wrote to memory of 3260	3284	saves.exe	92
PID 3260 wrote to memory of 3312	3260	cmd.exe	95
PID 3260 wrote to memory of 3312	3260	cmd.exe	95
PID 3260 wrote to memory of 3312	3260	cmd.exe	95
PID 3260 wrote to memory of 2228	3260	cmd.exe	96
PID 3260 wrote to memory of 2228	3260	cmd.exe	96
PID 3260 wrote to memory of 2228	3260	cmd.exe	96
PID 3260 wrote to memory of 868	3260	cmd.exe	97
PID 3260 wrote to memory of 868	3260	cmd.exe	97
PID 3260 wrote to memory of 868	3260	cmd.exe	97
PID 3260 wrote to memory of 3280	3260	cmd.exe	98
PID 3260 wrote to memory of 3280	3260	cmd.exe	98
PID 3260 wrote to memory of 3280	3260	cmd.exe	98
PID 3260 wrote to memory of 2752	3260	cmd.exe	99
PID 3260 wrote to memory of 2752	3260	cmd.exe	99
PID 3260 wrote to memory of 2752	3260	cmd.exe	99
PID 3260 wrote to memory of 2232	3260	cmd.exe	100
PID 3260 wrote to memory of 2232	3260	cmd.exe	100
PID 3260 wrote to memory of 2232	3260	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
"C:\Users\Admin\AppData\Local\Temp\1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567951.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567951.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3343301.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3343301.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9485469.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9485469.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l8465121.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l8465121.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1400
      - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        8⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        8⤵
        
        PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4983873.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4983873.exe
        5⤵
        Executes dropped EXE
        
        PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8431052.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8431052.exe
      4⤵
      Executes dropped EXE
      PID:4560

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7567951.exe

Filesize
1.1MB

MD5
c5bfb59dd701caa311304acef6585b8b

SHA1
a18d7900b6573c9ce0650540c1fde57ec9f40f51

SHA256
86ed46a0e21997d49914c62ecef7f2fd29e204eb87e34658b1d4fb78f148775a

SHA512
8dda0bc5bbe96fa56bf1e43bb3e1024e3d89d44908080c8e7168f29ae42734886c11acde501e5819cb32f27c9822bd8ddbf869da6b1e67ae3e97628fa2abdfc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3343301.exe

Filesize
476KB

MD5
ba0d7e47961cf5fb3b4a5adfec4e0392

SHA1
10333db3835a2c6e56b3ddd27b5a60eb9f6b5389

SHA256
475a09928d288d7cf5a08659e12c6bd2d94d0579ae73443be6ed6582ed63ccf9

SHA512
fe1c4f4f3dd7e2f4f55432f6c96787e2682133cb1418d11a016b996d831cee72b1fd069e720c5da6f0fbc3c75cf3347b38720837edd28258b5190d99464f134c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n8431052.exe

Filesize
174KB

MD5
119b084d5956063306fde45fadf72466

SHA1
2b8bea8aba3f09c11e59d6c434a7fb6138ea5739

SHA256
8f1dda7eb66be0b00f7cd37fc659a0da7a08cc060eb856c55785a3d981da7702

SHA512
26ae6fdeec8a5ee10b271ea33962ebbcbdfd6ac77ca51c9026bbf2704872094ce4bebe94a768924630dbee470110a97f926803d26b2f3de2a3e00d92e084896a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9485469.exe

Filesize
320KB

MD5
1bcb4feb03597dbcd10059960e911715

SHA1
5b3a050a10c8a1320f3f11efe6945678ed971548

SHA256
6754436976e27bcfc682262bc92870efee32ee83c4ceddb6463026bd50d978b4

SHA512
2ff6a2ade90f8ea62148566d6d163d7faf0972a447d707c982c3a35b5b24f495e90d0a2af96c73d9fae05d6dd8ed8804dbe35d3357f637d88324fca84730748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4983873.exe

Filesize
142KB

MD5
44e4d037549ce81646d8b1ed27099838

SHA1
3e591daf09975f6a57399046955d5311f846f404

SHA256
29f8aa2b754db03097e619fd7c5d5382f7e86e02b468f700ad0ed6bd23b99eee

SHA512
35933260ffeac9d4dfa4e14874666e938d73b989dd590c7a4a10a67ad99bcadaa4d71fadd6b0a8412d4577e62ce8430fa82e0f1b1c59a043b606ac70f9c6856b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
337KB

MD5
40fd643e530e3997172c8be9528119f4

SHA1
0eeea47830afc04351d5fd8270e06d0c4fc8a75c

SHA256
5029c7232396a6bdde2491a844493ab01293c1815b4de0839ed1e0ea12de2a30

SHA512
d696724b63c9ab9c2438206bc6aa58f500a60e9bcd950bee44acb246cf9d74b3641174d540a186f31379a9ee9bca897948f821a66b5f79a785e8c119094fe38e

Download Submit
memory/4560-43-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/4560-44-0x0000000005710000-0x0000000005716000-memory.dmp

Filesize
24KB

Download
memory/4560-45-0x0000000005E60000-0x0000000006478000-memory.dmp

Filesize
6.1MB

Download
memory/4560-46-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4560-47-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/4560-48-0x0000000005910000-0x000000000594C000-memory.dmp

Filesize
240KB

Download
memory/4560-49-0x0000000005A90000-0x0000000005ADC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads