mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe
Size

514KB
MD5

64213f2dcc8b5d22b389dba89f44cc7b
SHA1

c2cc89dea6afc99231930fb1aef87d168d7cb4ed
SHA256

a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0
SHA512

24f6726d7a91ee02dedd3a3052746c203044e33435dda9be41fa4b2554a3e31cec36380043d9944baf24e6af37b94329611693f8cdb81cedbe5523e590acd06c
SSDEEP

12288:xMrzy9083raexrx0W0GEEITEpSzvEzoJ19xO:+yPpkjXdTEIzvEzoPu

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral20/files/0x0008000000023453-12.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x0007000000023454-15.dat	family_redline
behavioral20/memory/3652-18-0x0000000000590000-0x00000000005CE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1036	zr9fv9Ji.exe
4080	1pA58RS7.exe
3652	2fL576Vo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zr9fv9Ji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1036	1552	a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe	83
PID 1552 wrote to memory of 1036	1552	a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe	83
PID 1552 wrote to memory of 1036	1552	a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe	83
PID 1036 wrote to memory of 4080	1036	zr9fv9Ji.exe	84
PID 1036 wrote to memory of 4080	1036	zr9fv9Ji.exe	84
PID 1036 wrote to memory of 4080	1036	zr9fv9Ji.exe	84
PID 1036 wrote to memory of 3652	1036	zr9fv9Ji.exe	85
PID 1036 wrote to memory of 3652	1036	zr9fv9Ji.exe	85
PID 1036 wrote to memory of 3652	1036	zr9fv9Ji.exe	85

C:\Users\Admin\AppData\Local\Temp\a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe
"C:\Users\Admin\AppData\Local\Temp\a717651d7fa6766bf2853b11671e7a5465fd6b8d88661bb92df08a819e765da0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zr9fv9Ji.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zr9fv9Ji.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pA58RS7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pA58RS7.exe
    3⤵
    - Executes dropped EXE
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fL576Vo.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fL576Vo.exe
    3⤵
    - Executes dropped EXE
    PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zr9fv9Ji.exe

Filesize
319KB

MD5
c399eee6e0944fc61164a535b63eada1

SHA1
c4459465ae68d3b68c3758b47bc3f566cdfffa48

SHA256
a14c0a7f067bf401c3730a698e4ecda9593f824fa07fc718b35f1bb8d8304dbd

SHA512
0a736b300cdfd663e567b57a1ec6d5567a2bdcbd3f06c33fb3d062a549468de54c49a8939f8fab2bfb17dd82429a215828b4bd4a1beb9986991f18d7f6905e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1pA58RS7.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2fL576Vo.exe

Filesize
221KB

MD5
7955949978bc26de2959d92da8650fe2

SHA1
24bac7adbdf0d4cd75dfe82819f17377fb617c2d

SHA256
a105f795d61095506ff9cd3ac0313f46ff03afab01181b7c944c73d85190477f

SHA512
3067ef5d03fc4f6c96a594a32ed5de2bafd4d5f959beebfebb0181a03c1dcd224b7a07c27e8929fcda8bcae6b7b8cdea67203ff1a71f84aedc5f8406a10c6c1f

Download Submit
memory/3652-17-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/3652-18-0x0000000000590000-0x00000000005CE000-memory.dmp

Filesize
248KB

Download
memory/3652-19-0x0000000007810000-0x0000000007DB4000-memory.dmp

Filesize
5.6MB

Download
memory/3652-20-0x0000000007310000-0x00000000073A2000-memory.dmp

Filesize
584KB

Download
memory/3652-21-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/3652-22-0x00000000083E0000-0x00000000089F8000-memory.dmp

Filesize
6.1MB

Download
memory/3652-23-0x00000000076C0000-0x00000000077CA000-memory.dmp

Filesize
1.0MB

Download
memory/3652-24-0x0000000007540000-0x0000000007552000-memory.dmp

Filesize
72KB

Download
memory/3652-25-0x00000000075B0000-0x00000000075EC000-memory.dmp

Filesize
240KB

Download
memory/3652-26-0x00000000075F0000-0x000000000763C000-memory.dmp

Filesize
304KB

Download
memory/3652-27-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads