mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
135s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Size

560KB
MD5

e33cdbc5e331ebac127457d9f86cc333
SHA1

e68a3a2e09be0b07c15a393d85dde5c60a470f83
SHA256

e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e
SHA512

e2749e074ad8c94569a8e235d93afadd9cccea987846cf21c2884ffafd7b67636f40eae5fd2776b347deaf0d18d0265813751118f4d27897337fbb40264cfe80
SSDEEP

12288:wMrWy90a5klj6cFrzDnDi/w1rbChP+xqaQJk4Uy:2y7uocxu/wBChP+vQJkby

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6940787.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1873930.exe	family_redline
behavioral19/memory/5076-18-0x0000000000BF0000-0x0000000000C20000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

y2459422.exem6940787.exen1873930.exe

pid process

4452 y2459422.exe
4204 m6940787.exe
5076 n1873930.exe

pid	process
4452	y2459422.exe
4204	m6940787.exe
5076	n1873930.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exey2459422.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2459422.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exey2459422.exe

description	pid	process	target process
PID 3160 wrote to memory of 4452	3160	e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe	y2459422.exe
PID 3160 wrote to memory of 4452	3160	e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe	y2459422.exe
PID 3160 wrote to memory of 4452	3160	e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe	y2459422.exe
PID 4452 wrote to memory of 4204	4452	y2459422.exe	m6940787.exe
PID 4452 wrote to memory of 4204	4452	y2459422.exe	m6940787.exe
PID 4452 wrote to memory of 4204	4452	y2459422.exe	m6940787.exe
PID 4452 wrote to memory of 5076	4452	y2459422.exe	n1873930.exe
PID 4452 wrote to memory of 5076	4452	y2459422.exe	n1873930.exe
PID 4452 wrote to memory of 5076	4452	y2459422.exe	n1873930.exe

C:\Users\Admin\AppData\Local\Temp\e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
"C:\Users\Admin\AppData\Local\Temp\e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2459422.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2459422.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6940787.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6940787.exe
3⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1873930.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1873930.exe
3⤵
- Executes dropped EXE
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2459422.exe

Filesize
271KB

MD5
ef94f8945c1824069b2f8ab30f114f9c

SHA1
16a161e09b08cad1aec22a81bfa658f657926e9a

SHA256
51cd74986c74e48f7392b110f1f809a3ceaccfe8508a2cfdf268559ed208c1aa

SHA512
958fb3fddc8608ca00504507c2bbd458e1ccfbf97aca42c0442a714c7993e74cb9439b5e88cf678b5bb7996b405cee2d89e083c0470179427e8f9f487307413c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6940787.exe

Filesize
141KB

MD5
51ec9feadc61d87811e2e6d874c759ca

SHA1
75050b463b458f1a12ef43732902cf4db42ea9cf

SHA256
11ad410288a38428c3846d583e8862e29c3ecbab7ea71544f8878a2394c09490

SHA512
241f06ccffeecbfbc461bd541a5061df6064932aa0a5f155514c91b24fd1eb8aef3f277b13faf8f65d47eff20fd40aea81bfcfd299a7e7f66fb74022c19da8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n1873930.exe

Filesize
175KB

MD5
f878367040e4e23c79f42f0d7e6e54dc

SHA1
d7e4b730df4c92d1ec718d660d8954ac62798ea2

SHA256
230017719667a4da628823d92d352f0c2ecaeb6288feb5724d7561076f653cf0

SHA512
db87e8ec180492ccfbc937776de595fcea867f2b61a10809551fd5306e5c404003aaf39c49d5d45b9f0c38dc6854dddbf8a41a59053e1862be64ffb03a7a514d

Download Submit
memory/5076-17-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/5076-18-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/5076-19-0x0000000002E30000-0x0000000002E36000-memory.dmp

Filesize
24KB

Download
memory/5076-20-0x000000000B0D0000-0x000000000B6E8000-memory.dmp

Filesize
6.1MB

Download
memory/5076-21-0x000000000ABC0000-0x000000000ACCA000-memory.dmp

Filesize
1.0MB

Download
memory/5076-22-0x000000000AAE0000-0x000000000AAF2000-memory.dmp

Filesize
72KB

Download
memory/5076-23-0x000000000AB40000-0x000000000AB7C000-memory.dmp

Filesize
240KB

Download
memory/5076-24-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/5076-25-0x0000000002D90000-0x0000000002DDC000-memory.dmp

Filesize
304KB

Download
memory/5076-26-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/5076-27-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download