mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe
Size

514KB
MD5

70ab234a4b537af9627d16de319f0da5
SHA1

ef5de1d7306076827388348aac6282e3d9516b24
SHA256

be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca
SHA512

c0d8b40faba24c6c57ed375cff1dcd25c7bb4714dd74d0b86e58ba2888261890d06bcc9b6f74a4ca6a3c80a6d198f0bfeaab85e47cbacd0e08fc6223f029947c
SSDEEP

6144:KDy+bnr+kp0yN90QEiNrLHxEB82Qu1xbEe8B9EmB7nIm4xErrJPSzarnD7ut+BEa:dMrcy90QNrLHPTu/eKEITEpSzMBF5hX

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JY92nP7.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ol681zW.exe	family_redline
behavioral17/memory/2776-18-0x0000000000010000-0x000000000004E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

ez4LL5xJ.exe1JY92nP7.exe2Ol681zW.exe

pid process

3528 ez4LL5xJ.exe
4692 1JY92nP7.exe
2776 2Ol681zW.exe

pid	process
3528	ez4LL5xJ.exe
4692	1JY92nP7.exe
2776	2Ol681zW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exeez4LL5xJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ez4LL5xJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exeez4LL5xJ.exe

description	pid	process	target process
PID 3356 wrote to memory of 3528	3356	be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe	ez4LL5xJ.exe
PID 3356 wrote to memory of 3528	3356	be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe	ez4LL5xJ.exe
PID 3356 wrote to memory of 3528	3356	be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe	ez4LL5xJ.exe
PID 3528 wrote to memory of 4692	3528	ez4LL5xJ.exe	1JY92nP7.exe
PID 3528 wrote to memory of 4692	3528	ez4LL5xJ.exe	1JY92nP7.exe
PID 3528 wrote to memory of 4692	3528	ez4LL5xJ.exe	1JY92nP7.exe
PID 3528 wrote to memory of 2776	3528	ez4LL5xJ.exe	2Ol681zW.exe
PID 3528 wrote to memory of 2776	3528	ez4LL5xJ.exe	2Ol681zW.exe
PID 3528 wrote to memory of 2776	3528	ez4LL5xJ.exe	2Ol681zW.exe

C:\Users\Admin\AppData\Local\Temp\be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe
"C:\Users\Admin\AppData\Local\Temp\be3d3160582a8debaa43a4fd41c15c9912c7e9f9fd4b736991afb8ad220ebfca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez4LL5xJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez4LL5xJ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JY92nP7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JY92nP7.exe
3⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ol681zW.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ol681zW.exe
3⤵
- Executes dropped EXE
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ez4LL5xJ.exe

Filesize
319KB

MD5
15d8e2d5a1a0be5f077e49733c4469e3

SHA1
318d59fcdba8753e3d878bed579e8210313b3cde

SHA256
c375cf813a4708bf27e84ac6f9801ba095d63393ca1138ab4423da96a04e3bde

SHA512
5fc9a45846d5d7776d547b888138f2a42db509975777e17c5e6459df0e240db57775a533f6bfee77af957cede56a07e4daf8e24e28ae2137f5c88ccb266505e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1JY92nP7.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ol681zW.exe

Filesize
222KB

MD5
2f9a3a311894d914db7d6e7898ca2956

SHA1
b8be4c9970b6b6ce7ba84a1717b566f419c71ab1

SHA256
9f40ad3852562d650d4c0d2b18f2afaf5151a955c5a6685e6054548f27868abb

SHA512
b066ec99209c01f84c9fd45ec76983d47f3bc1e20437c32a74a7e0798338ca22f590536c5ab54e6baf55908343293a9a888f39047f0a427b01fa794c47de8fe6

Download Submit
memory/2776-17-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000000010000-0x000000000004E000-memory.dmp

Filesize
248KB

Download
memory/2776-19-0x0000000007430000-0x00000000079D4000-memory.dmp

Filesize
5.6MB

Download
memory/2776-20-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/2776-21-0x0000000002380000-0x000000000238A000-memory.dmp

Filesize
40KB

Download
memory/2776-22-0x0000000008000000-0x0000000008618000-memory.dmp

Filesize
6.1MB

Download
memory/2776-23-0x00000000072D0000-0x00000000073DA000-memory.dmp

Filesize
1.0MB

Download
memory/2776-25-0x0000000007170000-0x00000000071AC000-memory.dmp

Filesize
240KB

Download
memory/2776-24-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/2776-26-0x00000000071C0000-0x000000000720C000-memory.dmp

Filesize
304KB

Download
memory/2776-27-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download