mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Size

632KB
MD5

8ea60cfcbddf1b7448d201f4556c7a20
SHA1

d1ecb779d9b7a916c627c143646b17f8332ae03b
SHA256

3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b
SHA512

589bbb1c61d27b82897d7b20246b7dc436b349e849157cd49b4dfc3aecf4917c04ae2a5bb5346c03532585b02e332a840f42f675002ee2fbf27df50dcbfe8cbc
SSDEEP

12288:NMr0y90D2sd8jFNudzpwt4gelVvENE1CL3hErv1AP9:ZyycqZimXKE1CNEL1AP9

Score

10^/10

mystic redline jokes infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe	family_redline
behavioral3/memory/2940-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y3648686.exey5762863.exem4701334.exen4349609.exe

pid process

1260 y3648686.exe
1304 y5762863.exe
4392 m4701334.exe
2940 n4349609.exe

pid	process
1260	y3648686.exe
1304	y5762863.exe
4392	m4701334.exe
2940	n4349609.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exey3648686.exey5762863.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3648686.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5762863.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exey3648686.exey5762863.exe

description	pid	process	target process
PID 3724 wrote to memory of 1260	3724	3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe	y3648686.exe
PID 3724 wrote to memory of 1260	3724	3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe	y3648686.exe
PID 3724 wrote to memory of 1260	3724	3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe	y3648686.exe
PID 1260 wrote to memory of 1304	1260	y3648686.exe	y5762863.exe
PID 1260 wrote to memory of 1304	1260	y3648686.exe	y5762863.exe
PID 1260 wrote to memory of 1304	1260	y3648686.exe	y5762863.exe
PID 1304 wrote to memory of 4392	1304	y5762863.exe	m4701334.exe
PID 1304 wrote to memory of 4392	1304	y5762863.exe	m4701334.exe
PID 1304 wrote to memory of 4392	1304	y5762863.exe	m4701334.exe
PID 1304 wrote to memory of 2940	1304	y5762863.exe	n4349609.exe
PID 1304 wrote to memory of 2940	1304	y5762863.exe	n4349609.exe
PID 1304 wrote to memory of 2940	1304	y5762863.exe	n4349609.exe

C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
"C:\Users\Admin\AppData\Local\Temp\3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe
4⤵
- Executes dropped EXE
PID:4392

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe
4⤵
- Executes dropped EXE
PID:2940

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3648686.exe
Filesize
530KB

MD5
ec64dae8c6ab85285cba66c2bd4f7678

SHA1
879deab6ab8a625588826befc5d2d24af7900a79

SHA256
b8646e9fed15d5e156655e490d81d2c43cea2d3222278cd00cfe244f606daa8d

SHA512
0bcf38962fbd7d0bed6b7281ec5b18bd671b71df7b975e248762f550ede6d02dfd116af9ca1eada4c5345469c5d991ff9c990321b118a9cd2dfc9b6a97ee4af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5762863.exe
Filesize
272KB

MD5
6999331ecf0313d532d0a1ef67b5f909

SHA1
5d1127ce376182a7e061ad6e7874c40f0721fbde

SHA256
aca16bd1637b2077311aa031d85f29c8061c70d0b20407af58a0c9ba62d11439

SHA512
b58cd50abb54fff6ae8ca249f11cbcbb909ed1b791ee771800aa00ff6d6851b9a92aa8703f493916b470a71f1c43e6febbda5e56ce33c47fafc1e88b4cd605e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m4701334.exe
Filesize
140KB

MD5
e9b49847444f0aad6df34e532a1184bb

SHA1
f4a5b8d8f97f1afee0f1d3e8b3a1b283a0cb0fab

SHA256
8a8f7acfb1a98c296a4cbbc00ff7ff5f88664c69a8b7231975f37deb63bfbe10

SHA512
93bc35576b7965b5a9e60fd263246493c218e85155ff7ef227947eb204aa58938153e5cc224642d08176a1de1b73155a9d2e95607a8c1e6225a3b9079b6257c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4349609.exe
Filesize
174KB

MD5
d1272d9e16b2f4ffee6a2778db1fb5d4

SHA1
e261c467fba1c3191d49736e19047a793ca35c83

SHA256
489e55f13774c3192cc2ccc4069c8518af806647749b8306e16cbad8f4ca04bd

SHA512
75a61ce843f70dd6d1b5e211f4ea4ae5fceaeba6ee74d658a2c0f8cde8ecc1c2b600462611ed0bd8589436673148f1f6d9d48939c17a7fc726e7f6c4c2306126

Download Submit
memory/2940-24-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/2940-25-0x00000000054C0000-0x00000000054C6000-memory.dmp

Filesize
24KB

Download
memory/2940-26-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/2940-27-0x0000000005730000-0x000000000583A000-memory.dmp

Filesize
1.0MB

Download
memory/2940-28-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/2940-29-0x00000000056D0000-0x000000000570C000-memory.dmp

Filesize
240KB

Download
memory/2940-30-0x0000000005840000-0x000000000588C000-memory.dmp

Filesize
304KB

Download