mystic | 75edb521bbb0ae12b7c2c52fa6e3ed769f4e764e26b92ef2dc4d7cb78ed92fd9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe
Size

1.1MB
MD5

689af04893939e7333c5ab54564327ac
SHA1

b5a3cb2db8caf56327c79b1378e69a8ee8ddc764
SHA256

98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be
SHA512

5220957905fbe451ab40d31194e1515fc814fec6fe4284d77085dc1ba14285124d3bb37554f104db87d076341a07d84d2fd68938a5c042adf18c87f0e570e04f
SSDEEP

24576:Dy9FhmM9/epbOxTHMVL6Ehz/XKGts/RYUPVTtSMoxICJ626P0mW9P:W9fmM92pbYsVLnDK/qUV8Moc0

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exe	family_redline
behavioral11/memory/4508-31-0x0000000000020000-0x000000000005E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

YB1FF8Wt.exeTk1Rz2Ys.exeaj2bZ3Op.exe1Al63to5.exe2By534Ok.exe

pid process

2668 YB1FF8Wt.exe
2344 Tk1Rz2Ys.exe
1868 aj2bZ3Op.exe
4948 1Al63to5.exe
4508 2By534Ok.exe

pid	process
2668	YB1FF8Wt.exe
2344	Tk1Rz2Ys.exe
1868	aj2bZ3Op.exe
4948	1Al63to5.exe
4508	2By534Ok.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exeYB1FF8Wt.exeTk1Rz2Ys.exeaj2bZ3Op.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YB1FF8Wt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Tk1Rz2Ys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	aj2bZ3Op.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exeYB1FF8Wt.exeTk1Rz2Ys.exeaj2bZ3Op.exe

description	pid	process	target process
PID 4308 wrote to memory of 2668	4308	98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe	YB1FF8Wt.exe
PID 4308 wrote to memory of 2668	4308	98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe	YB1FF8Wt.exe
PID 4308 wrote to memory of 2668	4308	98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe	YB1FF8Wt.exe
PID 2668 wrote to memory of 2344	2668	YB1FF8Wt.exe	Tk1Rz2Ys.exe
PID 2668 wrote to memory of 2344	2668	YB1FF8Wt.exe	Tk1Rz2Ys.exe
PID 2668 wrote to memory of 2344	2668	YB1FF8Wt.exe	Tk1Rz2Ys.exe
PID 2344 wrote to memory of 1868	2344	Tk1Rz2Ys.exe	aj2bZ3Op.exe
PID 2344 wrote to memory of 1868	2344	Tk1Rz2Ys.exe	aj2bZ3Op.exe
PID 2344 wrote to memory of 1868	2344	Tk1Rz2Ys.exe	aj2bZ3Op.exe
PID 1868 wrote to memory of 4948	1868	aj2bZ3Op.exe	1Al63to5.exe
PID 1868 wrote to memory of 4948	1868	aj2bZ3Op.exe	1Al63to5.exe
PID 1868 wrote to memory of 4948	1868	aj2bZ3Op.exe	1Al63to5.exe
PID 1868 wrote to memory of 4508	1868	aj2bZ3Op.exe	2By534Ok.exe
PID 1868 wrote to memory of 4508	1868	aj2bZ3Op.exe	2By534Ok.exe
PID 1868 wrote to memory of 4508	1868	aj2bZ3Op.exe	2By534Ok.exe

C:\Users\Admin\AppData\Local\Temp\98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe
"C:\Users\Admin\AppData\Local\Temp\98093b29a1c396935c62384ecd9e854458334f30f82f78a59ce3c0db9ddc54be.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YB1FF8Wt.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YB1FF8Wt.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tk1Rz2Ys.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tk1Rz2Ys.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2344

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aj2bZ3Op.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aj2bZ3Op.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exe
5⤵
- Executes dropped EXE
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exe
5⤵
- Executes dropped EXE
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YB1FF8Wt.exe

Filesize
942KB

MD5
8165c03c6616550d5ebf0c39078245f2

SHA1
9000769858b4ba3d7b8df471d1512de379b1b784

SHA256
f0b6714b88c1a70c4d0b74cc6b8902923bf5960e14ee97e868a2502617b3d335

SHA512
076d5b62824f63cb76f45b02a07903cb657d5b9ea5667ec9101886bc5d54775255c5e4ff981a420dc25cee6ce18b417c3ff4545545fa07d69a6bc74beccc27a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tk1Rz2Ys.exe

Filesize
515KB

MD5
0eedf9996b8c26f52d71896009d0cc50

SHA1
f31ba9e5031f8c262eaf311a08371ba34c4aa2bc

SHA256
558b03ab429c0a7fc8f69ced013873e821e5e834b37deb130e80e09ade932896

SHA512
440a5038f3ed17181822526ad0d3b73545c54e4b8fe04ba945102e0cbf3bcfd591f766753603a7aeb6bb75e2903e12ca20e39ac09420e4dcbd00f600548c93ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\aj2bZ3Op.exe

Filesize
319KB

MD5
f12604f3cc88a105f73d023dffa8d94c

SHA1
143deb9c9f92f1e29b28f9ac6751fba2a9866f70

SHA256
e41316564962a634fdeccd6bb286bc0c00067058978b3bc9dceca9e3ed9d1ac4

SHA512
37a2dc2312c1a0f1f82fe1394a767a96326e3034fc4ba60224eefc5024d4d1e50186b32e183d23c6ba43ed2850513886ff3860029b6029d931159736b889e678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Al63to5.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2By534Ok.exe

Filesize
222KB

MD5
b6ebd2573815be66b0f7fcbfdbdc0695

SHA1
696a0d9d89c74ec57b228943af8c544ce6b4ba54

SHA256
d79f5b1589fcf17335af0ddf757d65edf1b7df2d9d7808c04363acc997190ba2

SHA512
78a0ab12e3a4c2c950efe0d2f51092ed78e5b23ceef7dd718181454fe8f0ec0ebc5662896d44d43164c6cc8e68bfef5ec0b4496273fa4f476a6e323a3bfa3f7f

Download Submit
memory/4508-31-0x0000000000020000-0x000000000005E000-memory.dmp

Filesize
248KB

Download
memory/4508-32-0x00000000074D0000-0x0000000007A74000-memory.dmp

Filesize
5.6MB

Download
memory/4508-33-0x0000000006FC0000-0x0000000007052000-memory.dmp

Filesize
584KB

Download
memory/4508-34-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/4508-35-0x00000000080A0000-0x00000000086B8000-memory.dmp

Filesize
6.1MB

Download
memory/4508-38-0x0000000007190000-0x00000000071CC000-memory.dmp

Filesize
240KB

Download
memory/4508-37-0x0000000006F80000-0x0000000006F92000-memory.dmp

Filesize
72KB

Download
memory/4508-39-0x00000000071D0000-0x000000000721C000-memory.dmp

Filesize
304KB

Download
memory/4508-36-0x0000000007370000-0x000000000747A000-memory.dmp

Filesize
1.0MB

Download