mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe
Size

272KB
MD5

879e06303a2636b4c3b88503f6cd952d
SHA1

8b78f4c17f8dffb2228370cd0b529fa815938848
SHA256

4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7
SHA512

37322096ded08c4fc7caba304546f228af2046e166bd128107a12de4dad5bf2734470fec537df33b32e2d03cf656444ab383fb64b211e96dcec938d9ceadb95f
SSDEEP

6144:KVy+bnr+gp0yN90QEvd3Y9nO/kYADFwomNsRjq1jGjg:PMrMy90Vdo9nOqDFwomNi4jGjg

Score

10^/10

mystic redline moner infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exe	family_redline
behavioral8/memory/3232-11-0x00000000007F0000-0x0000000000820000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

m1193163.exen5349986.exe

pid process

4956 m1193163.exe
3232 n5349986.exe

pid	process
4956	m1193163.exe
3232	n5349986.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe

description	pid	process	target process
PID 2924 wrote to memory of 4956	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	m1193163.exe
PID 2924 wrote to memory of 4956	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	m1193163.exe
PID 2924 wrote to memory of 4956	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	m1193163.exe
PID 2924 wrote to memory of 3232	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	n5349986.exe
PID 2924 wrote to memory of 3232	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	n5349986.exe
PID 2924 wrote to memory of 3232	2924	4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe	n5349986.exe

C:\Users\Admin\AppData\Local\Temp\4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe
"C:\Users\Admin\AppData\Local\Temp\4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exe
2⤵
- Executes dropped EXE
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m1193163.exe

Filesize
142KB

MD5
616731d9183297d6db5b7335d8e16dc6

SHA1
855242f52398c850bc5c36fffd381f25df4199e2

SHA256
6067181e030c53b76935fdf2a4743abd7bfb3372d813bb951814a8e2b8a101f2

SHA512
6278b65b370507089ce13e452d880a5833b46736f6cdd858fb7f971674f9fea15c674eba6b82facc6f99d0eba014121fa9b825a87e32ab6d3caa099eea64d31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5349986.exe

Filesize
174KB

MD5
881614486f8ddb4fc8c1eb2fe69f16ac

SHA1
1787622c9ef7aeb342d29357f03f984bf3997163

SHA256
4e23c2e491c16c6718e160e9a7c2430359ca72e3254471370ae8b20400aabd7d

SHA512
81742a3573f2180072ce4d6fe4263945b9186a275ef7af56759f5637047388812c1a8ee912d9440cba70544b2e2d204dccce4a0b6ec37a2e18bdf6c1fb5bf1f6

Download Submit
memory/3232-10-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3232-11-0x00000000007F0000-0x0000000000820000-memory.dmp

Filesize
192KB

Download
memory/3232-12-0x0000000002D80000-0x0000000002D86000-memory.dmp

Filesize
24KB

Download
memory/3232-13-0x000000000AC90000-0x000000000B2A8000-memory.dmp

Filesize
6.1MB

Download
memory/3232-14-0x000000000A7A0000-0x000000000A8AA000-memory.dmp

Filesize
1.0MB

Download
memory/3232-15-0x000000000A6E0000-0x000000000A6F2000-memory.dmp

Filesize
72KB

Download
memory/3232-17-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/3232-16-0x000000000A740000-0x000000000A77C000-memory.dmp

Filesize
240KB

Download
memory/3232-18-0x0000000002BD0000-0x0000000002C1C000-memory.dmp

Filesize
304KB

Download
memory/3232-19-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/3232-20-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download