mystic | 4ce71244da4dd5d9b0b7535c6b62aebf516adc87a36195170af93efa3a630b9f

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
Size

632KB
MD5

d08c8cb40ccb8a4d4ed7085f0fcac3e5
SHA1

2475d4395f39cbc5a9937537078fe78bca37248b
SHA256

f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b
SHA512

fafa3c5059b04bded85ac86a46c1dfdcbc2e7c781d573248e5e7008d6e5a751eeb4764244cc8aa0d76a59adf21fa8837e8c8a8f195d835674866d22039097cf3
SSDEEP

12288:4MrZy90XTnuGCUTLvPQdsFfPay8HC7UZTcsCJ+53D//Uw94d6Yqlrf8eCSXT:ByCHx/XQ0fPa67UVcDJ+53L/Uw94d2lj

Score

10^/10

mystic redline jokes infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

jokes

77.91.124.82:19071

Attributes

auth_value
fb7b36b70ae30fb2b72f789037350cdb

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe	family_redline
behavioral21/memory/4232-24-0x00000000000C0000-0x00000000000F0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y2397778.exey4776523.exem0121212.exen3001777.exe

pid process

3888 y2397778.exe
3880 y4776523.exe
880 m0121212.exe
4232 n3001777.exe

pid	process
3888	y2397778.exe
3880	y4776523.exe
880	m0121212.exe
4232	n3001777.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

y2397778.exey4776523.exef9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y2397778.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4776523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exey2397778.exey4776523.exe

description	pid	process	target process
PID 224 wrote to memory of 3888	224	f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe	y2397778.exe
PID 224 wrote to memory of 3888	224	f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe	y2397778.exe
PID 224 wrote to memory of 3888	224	f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe	y2397778.exe
PID 3888 wrote to memory of 3880	3888	y2397778.exe	y4776523.exe
PID 3888 wrote to memory of 3880	3888	y2397778.exe	y4776523.exe
PID 3888 wrote to memory of 3880	3888	y2397778.exe	y4776523.exe
PID 3880 wrote to memory of 880	3880	y4776523.exe	m0121212.exe
PID 3880 wrote to memory of 880	3880	y4776523.exe	m0121212.exe
PID 3880 wrote to memory of 880	3880	y4776523.exe	m0121212.exe
PID 3880 wrote to memory of 4232	3880	y4776523.exe	n3001777.exe
PID 3880 wrote to memory of 4232	3880	y4776523.exe	n3001777.exe
PID 3880 wrote to memory of 4232	3880	y4776523.exe	n3001777.exe

C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
"C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe
      4⤵
      Executes dropped EXE
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe
      4⤵
      Executes dropped EXE
      PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe

Filesize
530KB

MD5
5061a0d7d94d44fc5bbb962df410c108

SHA1
0cafcc2ac6f78b0210c7ce506058358863b67488

SHA256
094d87cd8fd3cc88f324f680eac4e338bb582eb504eb5b68606ba35d6d387576

SHA512
a17a41883fb3eb27288058d30c9a0c0b0a1b6297b2870c635b2c687ac38b841459ae50eb6ea92e61f016f0f09990775433071432aa2284c5c4d3ae15be3e5703

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe

Filesize
272KB

MD5
8eba0485ac0a7780fa377c00808ad6b8

SHA1
c936a0476c63df488bcf97053ff5809f5871b363

SHA256
a5bd07211cadf84bce70fd372c65b356ec90df6be3f201eee00943c9406e5c79

SHA512
490e67f41d00cc4ec7c76e91ff2b98ce664a74d307affb14637d02203a3410ba73e4b5302d4643350af44bed00cc50ad1d6dc0670e9e452a93ec6fc80cd8ff9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe

Filesize
140KB

MD5
92ad6c4dea02f75c3599d4c1f737b929

SHA1
193e468583e2793a03c2fbfa111237a8a81a71f9

SHA256
8b8bac8aced57e0f790a95915537402dee9d80e4ca3f1a6e96662df86a7b4dcf

SHA512
a1cba18844e3b1aa618a32768958b96d7ad58dffef5aa4e14eafb1ed4a32d74a1384b95590f5689d65115fe2221faca244301e8d641caedb1c77f5bc1904f95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe

Filesize
174KB

MD5
06d07aa95fc4f476fe3813ee31e1b54c

SHA1
04680450a32772111945b06876395f45af500cf1

SHA256
090cf3a3f853381105376d3a1d12351c503000f2e8742359c0cb179cb82508fc

SHA512
3290f1d11b6b4c891179bb08a6f7ce38088e5a5b851eba167c6807ba5938af6bc33ac7a4b895a97e4896cb9fee49523d0686b0913dc5345e9286b30fcd292568

Download Submit
memory/4232-24-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/4232-25-0x0000000000880000-0x0000000000886000-memory.dmp

Filesize
24KB

Download
memory/4232-26-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/4232-27-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4232-28-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4232-29-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/4232-30-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download