mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe
Size

1.2MB
MD5

ea5a087c245b19dca3060424ceeb20cb
SHA1

acd89091e8e6a88a660f8148e18014909e01cbdd
SHA256

a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a
SHA512

43684dea22127c5a3954077fb562eb7fc862302b8e23b8d0c4385cdaf4b2870589a62e0d53435a38d0a3e8f95c7540d58e972559581cfd3837e9fc588e3439c6
SSDEEP

24576:4yaKZsgacS0JNKedv2onMdoygB6B0muVQMa4LtlSNiVupM:/hsgacS03KEuoYoHhmu/a4xlS

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dB90go9.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lh658YQ.exe	family_redline
behavioral13/memory/2284-38-0x0000000000470000-0x00000000004AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

yB3il5TU.exePi8xO5cg.exehL5Kw3Ll.exeWS6lv4zQ.exe1dB90go9.exe2lh658YQ.exe

pid process

4260 yB3il5TU.exe
1348 Pi8xO5cg.exe
4452 hL5Kw3Ll.exe
768 WS6lv4zQ.exe
3836 1dB90go9.exe
2284 2lh658YQ.exe

pid	process
4260	yB3il5TU.exe
1348	Pi8xO5cg.exe
4452	hL5Kw3Ll.exe
768	WS6lv4zQ.exe
3836	1dB90go9.exe
2284	2lh658YQ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WS6lv4zQ.exea261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exeyB3il5TU.exePi8xO5cg.exehL5Kw3Ll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WS6lv4zQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yB3il5TU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Pi8xO5cg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hL5Kw3Ll.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exeyB3il5TU.exePi8xO5cg.exehL5Kw3Ll.exeWS6lv4zQ.exe

description	pid	process	target process
PID 4912 wrote to memory of 4260	4912	a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe	yB3il5TU.exe
PID 4912 wrote to memory of 4260	4912	a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe	yB3il5TU.exe
PID 4912 wrote to memory of 4260	4912	a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe	yB3il5TU.exe
PID 4260 wrote to memory of 1348	4260	yB3il5TU.exe	Pi8xO5cg.exe
PID 4260 wrote to memory of 1348	4260	yB3il5TU.exe	Pi8xO5cg.exe
PID 4260 wrote to memory of 1348	4260	yB3il5TU.exe	Pi8xO5cg.exe
PID 1348 wrote to memory of 4452	1348	Pi8xO5cg.exe	hL5Kw3Ll.exe
PID 1348 wrote to memory of 4452	1348	Pi8xO5cg.exe	hL5Kw3Ll.exe
PID 1348 wrote to memory of 4452	1348	Pi8xO5cg.exe	hL5Kw3Ll.exe
PID 4452 wrote to memory of 768	4452	hL5Kw3Ll.exe	WS6lv4zQ.exe
PID 4452 wrote to memory of 768	4452	hL5Kw3Ll.exe	WS6lv4zQ.exe
PID 4452 wrote to memory of 768	4452	hL5Kw3Ll.exe	WS6lv4zQ.exe
PID 768 wrote to memory of 3836	768	WS6lv4zQ.exe	1dB90go9.exe
PID 768 wrote to memory of 3836	768	WS6lv4zQ.exe	1dB90go9.exe
PID 768 wrote to memory of 3836	768	WS6lv4zQ.exe	1dB90go9.exe
PID 768 wrote to memory of 2284	768	WS6lv4zQ.exe	2lh658YQ.exe
PID 768 wrote to memory of 2284	768	WS6lv4zQ.exe	2lh658YQ.exe
PID 768 wrote to memory of 2284	768	WS6lv4zQ.exe	2lh658YQ.exe

C:\Users\Admin\AppData\Local\Temp\a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe
"C:\Users\Admin\AppData\Local\Temp\a261c92b0b446427af23fff63de38b1bb4489b888aac5ae088afbe7c6f827c5a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yB3il5TU.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yB3il5TU.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pi8xO5cg.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pi8xO5cg.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hL5Kw3Ll.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hL5Kw3Ll.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WS6lv4zQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WS6lv4zQ.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dB90go9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dB90go9.exe
6⤵
- Executes dropped EXE
PID:3836

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lh658YQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lh658YQ.exe
6⤵
- Executes dropped EXE
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yB3il5TU.exe
Filesize
1.1MB

MD5
96085fd8bf620f23f0921649701dbfc3

SHA1
14108f6ac7b35c4b05d4aa057899de19eaa79e40

SHA256
2d326a19cf31d2cd90f6136c5001b6c4ebb04666710ba630e77521fa76930885

SHA512
bb8d1d6df99296b2797d7c9c01e2bd6ab15e2c46dd296d3032f28a1f276ab78f8fcd2df78c3d05a7aa29358c31dfa33a7a234150ad66a9077866fdc74a88965a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pi8xO5cg.exe
Filesize
926KB

MD5
f0b4d25910eb7f5ffa4677bc4b31801c

SHA1
aae7f545ce74669c28c1f88c8469bfa0fa560ebd

SHA256
e5af4a340b7d5bdfdc93d5164ea8f6d834472de845ee868a93af8ea06595bee8

SHA512
4b977b6a6c86824d6f7d762c54e775447a676d6de08aeb42ddae512ba8104b072383891864b2e3599d4f2658ea5d39178068006a4120e9da96647be63fb0654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hL5Kw3Ll.exe
Filesize
514KB

MD5
249ff9155d577cb12fdbb534565ea04c

SHA1
b95de00dee3eeb073f9b9202922e78d3d6517142

SHA256
71f54c3a517f08e1d847f8906bc6197cc5a92a8b26df50557b3e05f579bca21f

SHA512
27b32db4a4185fd9596981ff712092a8a359d88da9247f3cef2ac4c3238d8477a4c2296a30aa479147bd75dfdfe5abae796d4151a9cdaaea7704906d76d24de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WS6lv4zQ.exe
Filesize
319KB

MD5
c2c23f0f3d5763d5a4d208a378dd6957

SHA1
255ab1e23775fe39fa06b85a50f66e8853b5749f

SHA256
003e9b419d92c68dac183f27514552147e15b2a34181caa412f0aec00f9b7bf7

SHA512
8bf525b3bf59637c1bae025d1ba39896d3b01900d8dc6645d633cbf4dc3ea942d0885e5ac421a4e910bee9c77cb1fba80f23892aa2c529ec874045c52ead55ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dB90go9.exe
Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lh658YQ.exe
Filesize
221KB

MD5
278a8dd873cd7c46439078dca89131ad

SHA1
8bf9c0e0ecabb7d4d46d341c429712db31d04f2c

SHA256
8fdff28c1c8bfd963d80539f72f979a503fc5fc0764b488ae9425258c04c6676

SHA512
8fdd5e67c8dcf495faa02f86903e1654a00967fc1407fac14a877bc0a2182fb6f94e3360707614f8c6ab4425a22d501dd5cdb2028000b3e0c6b2d31ee9f30b92

Download Submit
memory/2284-38-0x0000000000470000-0x00000000004AE000-memory.dmp

Filesize
248KB

Download
memory/2284-39-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2284-40-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/2284-41-0x00000000049E0000-0x00000000049EA000-memory.dmp

Filesize
40KB

Download
memory/2284-42-0x0000000008520000-0x0000000008B38000-memory.dmp

Filesize
6.1MB

Download
memory/2284-43-0x0000000007740000-0x000000000784A000-memory.dmp

Filesize
1.0MB

Download
memory/2284-44-0x0000000007550000-0x0000000007562000-memory.dmp

Filesize
72KB

Download
memory/2284-45-0x00000000075C0000-0x00000000075FC000-memory.dmp

Filesize
240KB

Download
memory/2284-46-0x0000000007630000-0x000000000767C000-memory.dmp

Filesize
304KB

Download