mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe
Size

662KB
MD5

13100505f9688c1c91f93a58863d205c
SHA1

0548ed9abfeee7127fa3d0c4968ccdd72c618b17
SHA256

01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54
SHA512

3bb4e21e179cccc6edb49230ad41679dc307d0c42f294bb6f229da731457c4b7dc908175677e3c41b76e1d51a47f6ed8d0cdf62ba35eb005b6778df038fea7ed
SSDEEP

12288:MMrWy907H3UGXCjqvR7gRizYrqlY/4cDarMZcKWKdFjZE1OA:ayEHE4CjqvpMpyMFWKdM0A

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023463-19.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023464-22.dat	family_redline
behavioral1/memory/1212-24-0x0000000000CD0000-0x0000000000D00000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
3128	y7093791.exe
2872	y2399089.exe
3048	m1583863.exe
1212	n7201633.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y7093791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2399089.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3128	1980	01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe	84
PID 1980 wrote to memory of 3128	1980	01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe	84
PID 1980 wrote to memory of 3128	1980	01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe	84
PID 3128 wrote to memory of 2872	3128	y7093791.exe	85
PID 3128 wrote to memory of 2872	3128	y7093791.exe	85
PID 3128 wrote to memory of 2872	3128	y7093791.exe	85
PID 2872 wrote to memory of 3048	2872	y2399089.exe	86
PID 2872 wrote to memory of 3048	2872	y2399089.exe	86
PID 2872 wrote to memory of 3048	2872	y2399089.exe	86
PID 2872 wrote to memory of 1212	2872	y2399089.exe	87
PID 2872 wrote to memory of 1212	2872	y2399089.exe	87
PID 2872 wrote to memory of 1212	2872	y2399089.exe	87

C:\Users\Admin\AppData\Local\Temp\01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe
"C:\Users\Admin\AppData\Local\Temp\01567b40cb3e924a51cbabc35a519f509543064c72cf4079446d7ffeeac19c54.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7093791.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7093791.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2399089.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2399089.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1583863.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1583863.exe
      4⤵
      Executes dropped EXE
      PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7201633.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7201633.exe
      4⤵
      Executes dropped EXE
      PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7093791.exe

Filesize
560KB

MD5
7822c86cce4f91517301713a87f2e8a3

SHA1
554597d01c066ba4110656015792ddbf5b6278ea

SHA256
54407c9192b8f5e935719e07c1fc459b4324bb5b12171f31540367775160f17e

SHA512
a1610717a8d7f4dc1c848ca4c9c93e20dd68120f13bb0d865ce9847305f5fe44c319f3e9751580c7e000bc067c757cb93ed1f3c2e749042d668f0bbf589b8060

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2399089.exe

Filesize
271KB

MD5
518a2b546fd498a42466363a6751c608

SHA1
b0627624730b34b97cf42cba82e8154e8789550b

SHA256
a44a165b0541ca7fcdbaf07a16be5ae13be4d38c32641f396216587f8962ff1b

SHA512
5a65b94a842ad7f2ae1056533eac1991c47a590f19f80a88dedeecdb5dceffc49d15c124d20889f498aad32bc85c6fee947e843e97051b4f257c8f6512c34bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m1583863.exe

Filesize
141KB

MD5
6335aa3c4e111b1673385148078efc3e

SHA1
6700074431759ac1c47b3cd9267cd1ace4f54287

SHA256
df54881c3963ec6a73489b2548fb6b6b3b64602df91696ca6a0b609b763c80a3

SHA512
aff2b61720ea36f14e6318417376ae30076bca367df8333bc4661ff2b4f0d4bb7e8d9d239e0899c7b7302c280582609cf5fbe83d0c2f322212af80879abbe32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n7201633.exe

Filesize
175KB

MD5
e61f0d02eaed64c7f94de8da8bace8f0

SHA1
a1e8de0bec4a92656fa8d04fefbbc5686efa6f5f

SHA256
1ac334ad40fe0fc9253f35c13f5f36b35fc46279a7be802fe4af15b5766e32ab

SHA512
294a5e14adec6eb5baff3f2d3a7b0ece1f4010355b491aa9a813feb81817dc0c4409dd71e13fa1dc915e040d4f725ff138f1d792866be4a629f3915f7ceb9928

Download Submit
memory/1212-24-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/1212-25-0x00000000055B0000-0x00000000055B6000-memory.dmp

Filesize
24KB

Download
memory/1212-26-0x000000000B120000-0x000000000B738000-memory.dmp

Filesize
6.1MB

Download
memory/1212-27-0x000000000AC80000-0x000000000AD8A000-memory.dmp

Filesize
1.0MB

Download
memory/1212-28-0x000000000ABC0000-0x000000000ABD2000-memory.dmp

Filesize
72KB

Download
memory/1212-29-0x000000000AC20000-0x000000000AC5C000-memory.dmp

Filesize
240KB

Download
memory/1212-30-0x0000000004FA0000-0x0000000004FEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads