mystic | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe
Size

663KB
MD5

e566265d78c322e23d79116152198543
SHA1

ada98af08c225f8f2cdb456ffdb402fa64acc860
SHA256

8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a
SHA512

3a1f0ded8a5d16a4b70995a95deca0fe260f415cbe442a223d78498f5805996e760569c9c76a52b5bd6c9e6ae811f36d62ec4d9bb3c1b04efe52f95a24b3e7c4
SSDEEP

12288:SMrdy90qsvZCjRWhybFwloA2WdotkaZHtr7OBu63VhdAzVQm6vF1sQ0OU2l8N:zyiCjRWhKwoAVmt/ZHoBRV6um6vFzzpa

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3152502.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0608902.exe	family_redline
behavioral21/memory/1936-24-0x0000000000710000-0x0000000000740000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y8390855.exey5324066.exem3152502.exen0608902.exe

pid process

844 y8390855.exe
1696 y5324066.exe
1912 m3152502.exe
1936 n0608902.exe

pid	process
844	y8390855.exe
1696	y5324066.exe
1912	m3152502.exe
1936	n0608902.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exey8390855.exey5324066.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8390855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5324066.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exey8390855.exey5324066.exe

description	pid	process	target process
PID 4292 wrote to memory of 844	4292	8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe	y8390855.exe
PID 4292 wrote to memory of 844	4292	8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe	y8390855.exe
PID 4292 wrote to memory of 844	4292	8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe	y8390855.exe
PID 844 wrote to memory of 1696	844	y8390855.exe	y5324066.exe
PID 844 wrote to memory of 1696	844	y8390855.exe	y5324066.exe
PID 844 wrote to memory of 1696	844	y8390855.exe	y5324066.exe
PID 1696 wrote to memory of 1912	1696	y5324066.exe	m3152502.exe
PID 1696 wrote to memory of 1912	1696	y5324066.exe	m3152502.exe
PID 1696 wrote to memory of 1912	1696	y5324066.exe	m3152502.exe
PID 1696 wrote to memory of 1936	1696	y5324066.exe	n0608902.exe
PID 1696 wrote to memory of 1936	1696	y5324066.exe	n0608902.exe
PID 1696 wrote to memory of 1936	1696	y5324066.exe	n0608902.exe

C:\Users\Admin\AppData\Local\Temp\8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe
"C:\Users\Admin\AppData\Local\Temp\8a833f1e2a239f2ae11656b13c90eb1a39d92f5fca65599dbebd1081f208469a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8390855.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8390855.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5324066.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5324066.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3152502.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3152502.exe
      4⤵
      Executes dropped EXE
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0608902.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0608902.exe
      4⤵
      Executes dropped EXE
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8390855.exe

Filesize
561KB

MD5
304c9d40729a7fb0fbc5a380cf94cdb4

SHA1
9b59feadea64565e7a40188d8a42b125bcf376f6

SHA256
01755ab368fd538bce50aaa60265a7235e48e1d6fec7184b2912cc112de5b6ce

SHA512
c0bfceba787a125e54f626d70849013f62724fa296eb73c747b53a1feb1f7e2d8361323b69525bc88ae5a408a558a8224d5c56245860c38fd068c37bd854b60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5324066.exe

Filesize
271KB

MD5
2fe0c90de568916c62deddb0bf730669

SHA1
9ec191f7ad140c789be6b08446d17d7f34d7b644

SHA256
fcc23c4a1caf2fd64416057bdadc1a8dec123f4930523bcc1116cac7d567296d

SHA512
c50185423bc3de0288da4e5449374d8cd5001e89c1e877aac2e7fe3bdf2524ca25879493ce46a6b63f9edc5622ffb5269300a2c046354a2edd361dae58333392

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3152502.exe

Filesize
142KB

MD5
39c382fe364b342c118c8538156d499e

SHA1
8a6862e0553520bca9b174602d5e1a578de31c1a

SHA256
07b50199d2f98122655d9a6fe356d1975ad14e5479a8f40afd447d3a719b476c

SHA512
9c4482b301f349dbfb912038dbf6e541a5d53048e818fec50e6fcc3abf33ce459a0b035b7b28579af12f0673721d0499336931c7ccf78710dfad60d86b1bd788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n0608902.exe

Filesize
175KB

MD5
23a10ff096cc4d8eb4529ad84cf1f660

SHA1
2f243ccfb857f0eca536423ef61714310cd3459d

SHA256
fb3750808c4b4e58c52ed51a69d6881102c2aeddd25e812252356aaa97d9fc23

SHA512
f195c0b196c455d5f21dfa4e0e2340dfc599a5fa9418875c97442e8c7443740f5c18a06fd9f692abc3433976f522a255e9a60c78f218273495fab9c6df1eaa40

Download Submit
memory/1936-24-0x0000000000710000-0x0000000000740000-memory.dmp

Filesize
192KB

Download
memory/1936-25-0x00000000028F0000-0x00000000028F6000-memory.dmp

Filesize
24KB

Download
memory/1936-26-0x000000000AAB0000-0x000000000B0C8000-memory.dmp

Filesize
6.1MB

Download
memory/1936-27-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

Filesize
1.0MB

Download
memory/1936-28-0x000000000A4C0000-0x000000000A4D2000-memory.dmp

Filesize
72KB

Download
memory/1936-29-0x000000000A520000-0x000000000A55C000-memory.dmp

Filesize
240KB

Download
memory/1936-30-0x0000000004AA0000-0x0000000004AEC000-memory.dmp

Filesize
304KB

Download