mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe
Size

1.0MB
MD5

61d4845e02006e934527cd4703e90b07
SHA1

0b22149b814404ca6f23a55db2b0fd4f03e9f7ee
SHA256

4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810
SHA512

47d1517c5e537e90df2ef1c11193992cc7da9e242dc2cc2238643abffc1f92a63fb9cde89658f80633dd20174dbae2e9eca48947ab573b40f49012320aa8e888
SSDEEP

24576:xyCEn0G0jYadh62kOcE++vHldKAzUvk43i6OhqbT:kCEn0JjthByoHLNAvSjqb

Score

10^/10

mystic redline narik evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

narik

77.91.124.82:19071

Attributes

auth_value
07924f5ef90576eb64faea857b8ba3e5

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0279475.exe	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q7909319.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7909319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7909319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7909319.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	q7909319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7909319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7909319.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7454159.exe	family_redline
behavioral4/memory/1788-73-0x0000000000DD0000-0x0000000000E00000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

Processes:

z1560207.exez7263287.exez7085338.exez3981529.exeq7909319.exer0279475.exes7454159.exe

pid process

624 z1560207.exe
3572 z7263287.exe
4952 z7085338.exe
464 z3981529.exe
4636 q7909319.exe
5008 r0279475.exe
1788 s7454159.exe

pid	process
624	z1560207.exe
3572	z7263287.exe
4952	z7085338.exe
464	z3981529.exe
4636	q7909319.exe
5008	r0279475.exe
1788	s7454159.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

q7909319.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q7909319.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7909319.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z3981529.exe4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exez1560207.exez7263287.exez7085338.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3981529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1560207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7263287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7085338.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2596 sc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q7909319.exe

pid process

4636 q7909319.exe
4636 q7909319.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q7909319.exe

description pid process

Token: SeDebugPrivilege 4636 q7909319.exe

pid	process
2596	sc.exe

pid	process
4636	q7909319.exe
4636	q7909319.exe

description	pid	process
Token: SeDebugPrivilege	4636	q7909319.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exez1560207.exez7263287.exez7085338.exez3981529.exe

description	pid	process	target process
PID 916 wrote to memory of 624	916	4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe	z1560207.exe
PID 916 wrote to memory of 624	916	4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe	z1560207.exe
PID 916 wrote to memory of 624	916	4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe	z1560207.exe
PID 624 wrote to memory of 3572	624	z1560207.exe	z7263287.exe
PID 624 wrote to memory of 3572	624	z1560207.exe	z7263287.exe
PID 624 wrote to memory of 3572	624	z1560207.exe	z7263287.exe
PID 3572 wrote to memory of 4952	3572	z7263287.exe	z7085338.exe
PID 3572 wrote to memory of 4952	3572	z7263287.exe	z7085338.exe
PID 3572 wrote to memory of 4952	3572	z7263287.exe	z7085338.exe
PID 4952 wrote to memory of 464	4952	z7085338.exe	z3981529.exe
PID 4952 wrote to memory of 464	4952	z7085338.exe	z3981529.exe
PID 4952 wrote to memory of 464	4952	z7085338.exe	z3981529.exe
PID 464 wrote to memory of 4636	464	z3981529.exe	q7909319.exe
PID 464 wrote to memory of 4636	464	z3981529.exe	q7909319.exe
PID 464 wrote to memory of 4636	464	z3981529.exe	q7909319.exe
PID 464 wrote to memory of 5008	464	z3981529.exe	r0279475.exe
PID 464 wrote to memory of 5008	464	z3981529.exe	r0279475.exe
PID 464 wrote to memory of 5008	464	z3981529.exe	r0279475.exe
PID 4952 wrote to memory of 1788	4952	z7085338.exe	s7454159.exe
PID 4952 wrote to memory of 1788	4952	z7085338.exe	s7454159.exe
PID 4952 wrote to memory of 1788	4952	z7085338.exe	s7454159.exe

C:\Users\Admin\AppData\Local\Temp\4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe
"C:\Users\Admin\AppData\Local\Temp\4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1560207.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1560207.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7263287.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7263287.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7085338.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7085338.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4952

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3981529.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3981529.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7909319.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7909319.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0279475.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0279475.exe
6⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7454159.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7454159.exe
5⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1560207.exe

Filesize
933KB

MD5
cd95be2e70de537f6c25fd9b9ba8198d

SHA1
7a669b99c64b7e11e195eede0e28f83ec743d016

SHA256
523026a63cdc7b6796bd13fff885b34f5499edd607423cb9819e906a38ea7f21

SHA512
3808abe18e337044e4f3b877aff45034b127dfa976be04c860d79d85483ffd75f03348806afa316a5d62267fb72b142ad61d23593f061f214c6982e87643e023

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7263287.exe

Filesize
708KB

MD5
19cb8141a615be2648a9b2d9bd3266b1

SHA1
ab11162830d4ab8204cbaf78c0221b0227008620

SHA256
3d287dcb5837cb5f73cc0c83b615f802b7630c8d6edd4a4ef36fed5163e6d5fb

SHA512
8f7afd83f78d6c26024670c82670c4578015d664883071839598e44e7739a7e70503ccc0f5a381c3dae4aa2b0f421ee98fac5271447ace2bc155814efbd5d120

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7085338.exe

Filesize
482KB

MD5
aebc2d53e93d68529288f87de8e61497

SHA1
9e0db9ac16c71347e398bfff2c8eb5c4b862defd

SHA256
6dfd65efb2f26729172d5a9eeabef87f820991a73bd33fb14a4f3b4fb5e106b7

SHA512
f5d96a5785a43b55223d00969c44568ee814e460ea2bc9f52eb14ebe5e38b79f7827def66ec37cf0231f2a429db9d4bb380abe863d3f505d4162a49225e9a4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7454159.exe

Filesize
174KB

MD5
9ca2a939485c004de7216277b50014eb

SHA1
b52520eed2f1cb48d7125bd4b29bda45816d5d99

SHA256
1cbd00edb7fe58ca78e1f0c40b6ed4c6bfe8b07cd15950009d2d8593785d14db

SHA512
bd8b6549fe1f73bf963269d812d1bfad8588b85683e8c5f5e49ec3eab7438620469f4caf95ced945f74d18fb2fe420e5d451d749913f20d542c6fd22c1f1d681

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3981529.exe

Filesize
325KB

MD5
a2c6c53327f067d2e8d790e1a5f2d137

SHA1
36b3e638e5966354b10a0caa90489b15ba355070

SHA256
1a4686f0efcf05c0f318759d14b3c37ca181ef08eddfc5059f72332b2cc99541

SHA512
01e6f91888cede86934546adf7af861219d6e6c6cbb4961410cb132890f92f4fa75577f6a55de9815cf599115ca41f9c0cdddd5a2b12a1f8a64c32f3b1b0a1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7909319.exe

Filesize
184KB

MD5
68b49b85e77061b6370ba7934897414d

SHA1
003eab06dd19d12aa8d4c6ca2c65e096e5408d8c

SHA256
9dbf47894144a9c8d68c329e7832a48e82817941b96eb38cffbd3b2a8645d201

SHA512
f092c8b18f56e33e34d2e08df6956330645f9e27867f36e8fb700a48980ae42e734f6a9a91462e691241ae7eed6c7b8e4a64db1f022d67e876ecb852eaa5b086

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0279475.exe

Filesize
141KB

MD5
de38582a55bb3cf592afa411e14bdea6

SHA1
fb97f241910b138433986e83263ecee75b91de84

SHA256
9ca5152e18984464ac7d9f537f13516d18bc3baf5a4c9889729e0538fe5e4d3a

SHA512
32055d93664f61af1d9b8ea0d987a1fa4843569cad366a4453633a549084ff116423aa6e78291b8471644695d1aaa94ea25b6724b0965f86251380de73468549

Download Submit
memory/1788-78-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/1788-77-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/1788-76-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/1788-75-0x0000000005D80000-0x0000000006398000-memory.dmp

Filesize
6.1MB

Download
memory/1788-74-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

Filesize
24KB

Download
memory/1788-73-0x0000000000DD0000-0x0000000000E00000-memory.dmp

Filesize
192KB

Download
memory/1788-79-0x0000000005800000-0x000000000584C000-memory.dmp

Filesize
304KB

Download
memory/4636-65-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-52-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-38-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-63-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-53-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-55-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-57-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-59-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-62-0x0000000004F50000-0x0000000004F66000-memory.dmp

Filesize
88KB

Download
memory/4636-37-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/4636-36-0x0000000004960000-0x0000000004F04000-memory.dmp

Filesize
5.6MB

Download
memory/4636-35-0x00000000023D0000-0x00000000023EE000-memory.dmp

Filesize
120KB

Download