mystic | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
Size

271KB
MD5

ba78821a6f2c5c4158fea6a6a4c0c427
SHA1

a4f2b37c174c9fc479d688c043256734f3cc19b3
SHA256

4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50
SHA512

2c7d660f57336357c6e73b6e53183c784e779b9cc87e44f614b2af18b862847cde6abddd004d5fb5daa820204b5e3e189a31a3f21a7b8a63eafc6d2d2488f624
SSDEEP

6144:K2y+bnr+Bp0yN90QExd3Y9n1/kY4cswkcjV8:uMrly90/do9n19D5V8

Score

10^/10

mystic redline virad infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7098585.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5861173.exe	family_redline
behavioral10/memory/1520-11-0x00000000003F0000-0x0000000000420000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

m7098585.exen5861173.exe

pid process

1904 m7098585.exe
1520 n5861173.exe

pid	process
1904	m7098585.exe
1520	n5861173.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe

description	pid	process	target process
PID 2640 wrote to memory of 1904	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	m7098585.exe
PID 2640 wrote to memory of 1904	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	m7098585.exe
PID 2640 wrote to memory of 1904	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	m7098585.exe
PID 2640 wrote to memory of 1520	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	n5861173.exe
PID 2640 wrote to memory of 1520	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	n5861173.exe
PID 2640 wrote to memory of 1520	2640	4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe	n5861173.exe

C:\Users\Admin\AppData\Local\Temp\4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
"C:\Users\Admin\AppData\Local\Temp\4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7098585.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7098585.exe
2⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5861173.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5861173.exe
2⤵
- Executes dropped EXE
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7098585.exe
Filesize
141KB

MD5
eadf400cacae35bdae68bc9f9e8ccddb

SHA1
27e45e2e78cf6c5d2f6f58a9bd6936a150d03d54

SHA256
019ee525ab666ed94941bee7e0f66420c126b3c35d0ded32551f345b56dfa725

SHA512
893f4f4ba61d50519c5949f0c31bf741cd9bb5c0125c588b1e62ff358e35ded859f4e30dc67076fe45fa78b462eab914c9c90a215b435270e2747d516f2ccaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n5861173.exe
Filesize
175KB

MD5
369f29522f78ef1c78dc94bca8e14bdf

SHA1
59f8839250fcbbdc03722d290e190aff26f93177

SHA256
96d5b3537a1ba4bd54dc8308caa10d4c98859390a544fa523f98003aa6b72861

SHA512
e90cea1952bebb6d2f506df48f9cc1d643274f9db2558bcfd7bafe64a001cc18c61960b21eb3c237636e58fad0dfebd8d662e3d7f61936cb24e4739f309ade0f

Download Submit
memory/1520-10-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1520-11-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/1520-12-0x0000000004B90000-0x0000000004B96000-memory.dmp

Filesize
24KB

Download
memory/1520-13-0x000000000A6E0000-0x000000000ACF8000-memory.dmp

Filesize
6.1MB

Download
memory/1520-14-0x000000000A260000-0x000000000A36A000-memory.dmp

Filesize
1.0MB

Download
memory/1520-15-0x000000000A1A0000-0x000000000A1B2000-memory.dmp

Filesize
72KB

Download
memory/1520-16-0x000000000A200000-0x000000000A23C000-memory.dmp

Filesize
240KB

Download
memory/1520-17-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/1520-18-0x0000000004690000-0x00000000046DC000-memory.dmp

Filesize
304KB

Download
memory/1520-19-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/1520-20-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download