mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
139s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe
Size

662KB
MD5

441dbfe6cff970ac7fd9fcb546cf25fd
SHA1

ba15aa518bd0ca2cedb40ad34d6666ffd3140189
SHA256

b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3
SHA512

ffb290650d09bb84d4b26714900bf634946f2d59ee58d34a9cb0b0f7de60ad668c98051ff7a7525af783c66f9da2fcdc4f15d28235bddcbb9d4e115a060d209c
SSDEEP

12288:3Mr7y90IDiZtPnBBH6pHM61eiSEmXrMf6DxqfSKZ8rUqwHHaUVHCA+6z:gyXDin8TSEm7Mf6Dxv9U5HjHCA3z

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750771.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2094883.exe	family_redline
behavioral14/memory/1616-24-0x0000000000920000-0x0000000000950000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

y9243453.exey2385054.exem3750771.exen2094883.exe

pid process

2720 y9243453.exe
1872 y2385054.exe
4780 m3750771.exe
1616 n2094883.exe

pid	process
2720	y9243453.exe
1872	y2385054.exe
4780	m3750771.exe
1616	n2094883.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exey9243453.exey2385054.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9243453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y2385054.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exey9243453.exey2385054.exe

description	pid	process	target process
PID 3320 wrote to memory of 2720	3320	b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe	y9243453.exe
PID 3320 wrote to memory of 2720	3320	b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe	y9243453.exe
PID 3320 wrote to memory of 2720	3320	b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe	y9243453.exe
PID 2720 wrote to memory of 1872	2720	y9243453.exe	y2385054.exe
PID 2720 wrote to memory of 1872	2720	y9243453.exe	y2385054.exe
PID 2720 wrote to memory of 1872	2720	y9243453.exe	y2385054.exe
PID 1872 wrote to memory of 4780	1872	y2385054.exe	m3750771.exe
PID 1872 wrote to memory of 4780	1872	y2385054.exe	m3750771.exe
PID 1872 wrote to memory of 4780	1872	y2385054.exe	m3750771.exe
PID 1872 wrote to memory of 1616	1872	y2385054.exe	n2094883.exe
PID 1872 wrote to memory of 1616	1872	y2385054.exe	n2094883.exe
PID 1872 wrote to memory of 1616	1872	y2385054.exe	n2094883.exe

C:\Users\Admin\AppData\Local\Temp\b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe
"C:\Users\Admin\AppData\Local\Temp\b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9243453.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9243453.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2385054.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2385054.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750771.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750771.exe
4⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2094883.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2094883.exe
4⤵
- Executes dropped EXE
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9243453.exe

Filesize
560KB

MD5
120bcd7493ab4e6bd6389436a277b972

SHA1
3b5ac06c52e6e24bab9dfe2387e7741bd78cb8be

SHA256
99fd9572dfb6d9524e76d811da8e40c29615dbbef62c942badfd443296c0fd7e

SHA512
0c7e8fc09bede0e774d8ee023c322378ce49060413d8dc2e5eff6c5715b3079d7d073d80497e02adc659e46d0927be14f56bc78b67c2de8747f9bbb239d588d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2385054.exe

Filesize
272KB

MD5
cbe391c264b36a0233aa4d86c3894faf

SHA1
33035110b8538a91eb3a6d604637f8f3c71d724c

SHA256
6c9753564a1784464077b45d1346cfd0be08046eefa70eefec79501a9f95ed3e

SHA512
e0b160182c3a270c5a893f8157c0d7aafde1a1d89f4be221e8e70bf1b3d0205d952e14a9d1704899cc35f5a281f55d3778348be73b56f4bae37de73a569b05f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3750771.exe

Filesize
142KB

MD5
ea634814dfd0f80fe0503a18d08da465

SHA1
83d2c652438c33ebcf939378acc8a0a54b96d252

SHA256
c6ea226aac0dd1016fbf01851430a39fedc1104b74c84a4eda99314918495339

SHA512
863bc2888db2344e3253b515727026f4c07030b25308b553546085d3e95e9fef7d2c76cdcdaedf741de152d2628b938004ba2d1b7b9bc07641b0f6a78da695cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2094883.exe

Filesize
174KB

MD5
508e85b9b04836901acc62ad9fe3224b

SHA1
d6b8d996bed0545c7bcd6a5592734d00bd00bd7b

SHA256
cb1a28fc3f0d930b80745a0a9fe5a6eee7420313bc991e0d31f4b38e57b79a32

SHA512
8a22925014dd8d143f7d6adb826e4ad8a6fe6d0d4cdfe0d62c9c3ad837876996090323bf70e3c338771a8a5cece5915b172fd399f486baff72565d102152207e

Download Submit
memory/1616-24-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/1616-25-0x0000000005200000-0x0000000005206000-memory.dmp

Filesize
24KB

Download
memory/1616-26-0x000000000AC30000-0x000000000B248000-memory.dmp

Filesize
6.1MB

Download
memory/1616-27-0x000000000A790000-0x000000000A89A000-memory.dmp

Filesize
1.0MB

Download
memory/1616-28-0x000000000A6D0000-0x000000000A6E2000-memory.dmp

Filesize
72KB

Download
memory/1616-29-0x000000000A730000-0x000000000A76C000-memory.dmp

Filesize
240KB

Download
memory/1616-30-0x0000000002BB0000-0x0000000002BFC000-memory.dmp

Filesize
304KB

Download