mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe
Size

515KB
MD5

03c0ed2484604444eec5a18b64754ecc
SHA1

fe077f4b71c43f05a140b2ab762a7b9cb792a0b7
SHA256

b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3
SHA512

a64b5d4c1787131783c36c2560356341772205cb94d3231bb9c2db21efa26f311a0df36bcfa235d4d34ef0ed7d097c84cad96dd0ef50046acb50ddb7639bc4fd
SSDEEP

12288:eMrty90z99rJnLWr2DEI2EEITEpSz45sFPXtPKe:TyS9WeECdTEIzpZXpn

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW17AR3.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt104fb.exe	family_redline
behavioral15/memory/5076-18-0x0000000000290000-0x00000000002CE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

ag8jf7CZ.exe1TW17AR3.exe2zt104fb.exe

pid process

988 ag8jf7CZ.exe
3760 1TW17AR3.exe
5076 2zt104fb.exe

pid	process
988	ag8jf7CZ.exe
3760	1TW17AR3.exe
5076	2zt104fb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exeag8jf7CZ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ag8jf7CZ.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exeag8jf7CZ.exe

description	pid	process	target process
PID 3436 wrote to memory of 988	3436	b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe	ag8jf7CZ.exe
PID 3436 wrote to memory of 988	3436	b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe	ag8jf7CZ.exe
PID 3436 wrote to memory of 988	3436	b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe	ag8jf7CZ.exe
PID 988 wrote to memory of 3760	988	ag8jf7CZ.exe	1TW17AR3.exe
PID 988 wrote to memory of 3760	988	ag8jf7CZ.exe	1TW17AR3.exe
PID 988 wrote to memory of 3760	988	ag8jf7CZ.exe	1TW17AR3.exe
PID 988 wrote to memory of 5076	988	ag8jf7CZ.exe	2zt104fb.exe
PID 988 wrote to memory of 5076	988	ag8jf7CZ.exe	2zt104fb.exe
PID 988 wrote to memory of 5076	988	ag8jf7CZ.exe	2zt104fb.exe

C:\Users\Admin\AppData\Local\Temp\b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe
"C:\Users\Admin\AppData\Local\Temp\b480c9cd314e4d7d6a5d2b82b815eaccf37a30106d4a7f50993c34d6bd3466f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ag8jf7CZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ag8jf7CZ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW17AR3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW17AR3.exe
3⤵
- Executes dropped EXE
PID:3760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt104fb.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt104fb.exe
3⤵
- Executes dropped EXE
PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ag8jf7CZ.exe
Filesize
319KB

MD5
f742b75149e26c1dde434f706769cb57

SHA1
51e785f191b95315466da0bab446f7a540dd4381

SHA256
2a2dacfd0e708911b1ff98ba06247264a80d521d8bab39a8152b87517a9c7465

SHA512
20caa3375414ef65b17d0e73d3dfec43c1e6b602e6db954db1427f8b7c7bd53c0f38c14dad4b72a6259bfb6f1469aec4e233037ddaaea8fc3883dce27c7a0859

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TW17AR3.exe
Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zt104fb.exe
Filesize
222KB

MD5
972a2b3797e4ac6af9a6536cfa57c548

SHA1
5cb7f2397fbc056fcfcc7e41abe663e4eb994170

SHA256
78df8ff4cf54db404a614f1a046684117b03ba2bd887619cfada34f69ea13afb

SHA512
d4cd020d10c1755118bb0f6a701fb11d77f1e215866cae11485bd592f891821c48c6a701750557ad060dd61e287f2cae3ea5d887287691e74dcf9060ea7b8358

Download Submit
memory/5076-17-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/5076-18-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/5076-19-0x0000000007500000-0x0000000007AA4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-20-0x0000000007030000-0x00000000070C2000-memory.dmp

Filesize
584KB

Download
memory/5076-21-0x0000000002490000-0x000000000249A000-memory.dmp

Filesize
40KB

Download
memory/5076-22-0x00000000080D0000-0x00000000086E8000-memory.dmp

Filesize
6.1MB

Download
memory/5076-23-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

Filesize
1.0MB

Download
memory/5076-24-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/5076-25-0x00000000072C0000-0x00000000072FC000-memory.dmp

Filesize
240KB

Download
memory/5076-26-0x0000000007300000-0x000000000734C000-memory.dmp

Filesize
304KB

Download
memory/5076-27-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download