mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe
Size

1.0MB
MD5

bd7ad2e2ad434827a8fd3915ae015b09
SHA1

77ac094e9c4cf9e705fc48600903dfb87aa03861
SHA256

515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470
SHA512

0a96a53a9ade93ae9339d03f746dfc76982be6bda99f4e1e7363c319d846c3ae0fd24a599cc03ca21bba7a2f6003d1553d92831b8cc76f878a5fc6b0ddb6e167
SSDEEP

24576:iy85RKOIjbKQM9fsA6rYsswJi4KxkdmagQ8Y4EjfJ:J8WB890vF5ukcdxYPj

Score

10^/10

mystic redline narik evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral3/files/0x00070000000233e8-68.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3999924.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x00070000000233e5-71.dat	family_redline
behavioral3/memory/3948-73-0x00000000007F0000-0x0000000000820000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
1572	z8935150.exe
3256	z0859311.exe
4504	z6493950.exe
4992	z6216449.exe
3572	q3999924.exe
4388	r5625798.exe
3948	s8089084.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q3999924.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3999924.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8935150.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0859311.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6493950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6216449.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3572	q3999924.exe
3572	q3999924.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3572	q3999924.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1572	1604	515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe	82
PID 1604 wrote to memory of 1572	1604	515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe	82
PID 1604 wrote to memory of 1572	1604	515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe	82
PID 1572 wrote to memory of 3256	1572	z8935150.exe	83
PID 1572 wrote to memory of 3256	1572	z8935150.exe	83
PID 1572 wrote to memory of 3256	1572	z8935150.exe	83
PID 3256 wrote to memory of 4504	3256	z0859311.exe	84
PID 3256 wrote to memory of 4504	3256	z0859311.exe	84
PID 3256 wrote to memory of 4504	3256	z0859311.exe	84
PID 4504 wrote to memory of 4992	4504	z6493950.exe	85
PID 4504 wrote to memory of 4992	4504	z6493950.exe	85
PID 4504 wrote to memory of 4992	4504	z6493950.exe	85
PID 4992 wrote to memory of 3572	4992	z6216449.exe	86
PID 4992 wrote to memory of 3572	4992	z6216449.exe	86
PID 4992 wrote to memory of 3572	4992	z6216449.exe	86
PID 4992 wrote to memory of 4388	4992	z6216449.exe	91
PID 4992 wrote to memory of 4388	4992	z6216449.exe	91
PID 4992 wrote to memory of 4388	4992	z6216449.exe	91
PID 4504 wrote to memory of 3948	4504	z6493950.exe	92
PID 4504 wrote to memory of 3948	4504	z6493950.exe	92
PID 4504 wrote to memory of 3948	4504	z6493950.exe	92

C:\Users\Admin\AppData\Local\Temp\515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe
"C:\Users\Admin\AppData\Local\Temp\515ca9dbb061a01c8da21c552a76dd53c58fa94f5421a2b5792e2e37137ab470.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8935150.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8935150.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0859311.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0859311.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6493950.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6493950.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6216449.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6216449.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3999924.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3999924.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5625798.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5625798.exe
        6⤵
        Executes dropped EXE
        
        PID:4388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8089084.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8089084.exe
        5⤵
        Executes dropped EXE
        
        PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8935150.exe

Filesize
934KB

MD5
e10489890fcc08d6fb09031581d4274d

SHA1
0d2aff786eea1cb5c2660c218cac76130af24749

SHA256
e6f62db3fc63a75a88293f843c6150c94e428505e9869cea17369b3639e54723

SHA512
a7f02d4d2aeaffe18ccb099d595bac2808928be4f951005e27b3fce51a42dfaa42979d49259f7a1a0294eb102a782b5f63c866b18ecf33eb132ae78f385a86d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0859311.exe

Filesize
708KB

MD5
8035349678c36a88ada1141dee374443

SHA1
dedf9ea4bef2ac8305a2888ecfec088cf70b4df6

SHA256
97e83c298bb43aa78fc45ffe37b2b5d5a6a0d3d2a5133fc501587fa046480770

SHA512
d1c12e1ebb97a35eaec55bd1e29d1a138d4adbaaa8e60c89dda8820de1e5b0aa0adaed17e4af30083193becfef5df3fbbf25e1ea5fce02ed7fb71c0b75e2caf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6493950.exe

Filesize
481KB

MD5
af9f480a56127be468e01bebc476fabe

SHA1
b3a2899b9e11709dcc9095d72ac1c524a942f790

SHA256
ab633be1c170f3c0630f087fec91f9230aabd27c841dfb5f2065cdc35a99dd66

SHA512
10a91fe844b8efc3d8d3403ad20b15ba0577193788293a5d0ccd31c9dba4d204b336849939d1f9a935574c912921cfb0b3bce634a8b843d12716e60d5376765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8089084.exe

Filesize
174KB

MD5
06f5490c87d349cdaf895412bcb76241

SHA1
a9b586262af627adfaff28891e02d4cfb91121e3

SHA256
6d1e456b6e6984e97636cabca99e572185316978847c22ccbdd717aabf405c88

SHA512
c8b1eef6406aa61befc303d4379f2ccc7d093c9d45a92a44981e26147134424a80b59e006bae7c9367de18eaf6ae013a7290e957941945ca781bcdff8847b90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6216449.exe

Filesize
325KB

MD5
81e106fdd0a91cb7cf6a401d10c4c78d

SHA1
043e74a6f9f23953d8b9e2d0334b561459af87c4

SHA256
81747062ec1d74102af8e587b30aa089c3da4f3d9fd9bec3bf2152abc911794a

SHA512
74c820774cefa34d5f8c15fe5049b6c6fd37055657b825a0707e6e4879fe1c98a5a0f786400c0ef29d00b517a4ee85fabfe10df24ee29e96844e194847a5deac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3999924.exe

Filesize
184KB

MD5
76c19fcba327f4003bc04c91707f6f1a

SHA1
82c526254045dc699244c1f61283b4fecdb2e2cf

SHA256
0f4bf2d15877718ab9ea500e3127827a4c9f524e7349193543b8e799c7d0aff0

SHA512
d9dff63a02a840f66f8c7a986fefa7ad0ce77c119f6fb62073001773bcbe3b2f95fe8c23b588f6436f42e54b781637bc35bd943add9f24d34238ce851ffabd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5625798.exe

Filesize
141KB

MD5
e08a67d6cce20f6e03b56972702a75a8

SHA1
5b5b12101821823205103ff505da9c6b563c8a33

SHA256
5ec5721701879cccc9e1c79e87ec27630e32e82e3ec3173e4dc73b987c11becc

SHA512
0bf6aff56a732ebc795f050a7fa2a686202044662e05546f932ab1a6e847c4822f1da6b7baae3f3c36ea99f010a3a2b5ea7c6a474209ef9eb55e867dd46c967b

Download Submit
memory/3572-63-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-39-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-61-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-59-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-57-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-55-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-53-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-51-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-49-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-47-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-45-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-43-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-41-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-65-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-38-0x00000000023C0000-0x00000000023D6000-memory.dmp

Filesize
88KB

Download
memory/3572-36-0x00000000049C0000-0x0000000004F64000-memory.dmp

Filesize
5.6MB

Download
memory/3572-37-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/3572-35-0x0000000002340000-0x000000000235E000-memory.dmp

Filesize
120KB

Download
memory/3948-73-0x00000000007F0000-0x0000000000820000-memory.dmp

Filesize
192KB

Download
memory/3948-74-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/3948-75-0x0000000005760000-0x0000000005D78000-memory.dmp

Filesize
6.1MB

Download
memory/3948-76-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/3948-77-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/3948-78-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/3948-79-0x0000000005360000-0x00000000053AC000-memory.dmp

Filesize
304KB

Download