mystic | cc5e37d73955fc0316a074c4b20f0296dee40952f8d275b2c6c6eb4eb0947059

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe
Size

514KB
MD5

d24fc153514f465665aeb87afce202e2
SHA1

bebd7242e149c1df0840e0970379591a96a00ddc
SHA256

b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f
SHA512

bbf65202c6001b58bd4fcfb4fbb69368df9befb3015324d4be17a8facd75d535c2ac9a02fcdb1741889fb223b3f8e1b5536cf24f1b1ca661d34fb0fa7a1efe17
SSDEEP

12288:HMrvy909AEAh/NT/igEITEpSzu8DBQ0ctCHHM6x:wyZFNT/ddTEIz+0TTx

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kr70Qv6.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ly017IJ.exe	family_redline
behavioral13/memory/4384-18-0x0000000000670000-0x00000000006AE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Ga4pH9nL.exe1Kr70Qv6.exe2ly017IJ.exe

pid process

4564 Ga4pH9nL.exe
2144 1Kr70Qv6.exe
4384 2ly017IJ.exe

pid	process
4564	Ga4pH9nL.exe
2144	1Kr70Qv6.exe
4384	2ly017IJ.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ga4pH9nL.exeb618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ga4pH9nL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exeGa4pH9nL.exe

description	pid	process	target process
PID 2188 wrote to memory of 4564	2188	b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe	Ga4pH9nL.exe
PID 2188 wrote to memory of 4564	2188	b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe	Ga4pH9nL.exe
PID 2188 wrote to memory of 4564	2188	b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe	Ga4pH9nL.exe
PID 4564 wrote to memory of 2144	4564	Ga4pH9nL.exe	1Kr70Qv6.exe
PID 4564 wrote to memory of 2144	4564	Ga4pH9nL.exe	1Kr70Qv6.exe
PID 4564 wrote to memory of 2144	4564	Ga4pH9nL.exe	1Kr70Qv6.exe
PID 4564 wrote to memory of 4384	4564	Ga4pH9nL.exe	2ly017IJ.exe
PID 4564 wrote to memory of 4384	4564	Ga4pH9nL.exe	2ly017IJ.exe
PID 4564 wrote to memory of 4384	4564	Ga4pH9nL.exe	2ly017IJ.exe

C:\Users\Admin\AppData\Local\Temp\b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe
"C:\Users\Admin\AppData\Local\Temp\b618a9cedf57a29c508359374db294c624b68a83d6b7b01f154cd25515b3777f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ga4pH9nL.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ga4pH9nL.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kr70Qv6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kr70Qv6.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ly017IJ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ly017IJ.exe
    3⤵
    - Executes dropped EXE
    PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ga4pH9nL.exe

Filesize
319KB

MD5
a7b2d6beeb1142a7d4037ffd3422d25d

SHA1
b6056916138807be03d65e08c8fb9398d76fd7b0

SHA256
f0e4aa890c584ad69a47345e1fd364f46c26677a8518da5f2598d5cb5fe68dd4

SHA512
113770c214df95944f1b2bbeac802c3bd4235e3cfb3ff74fdce03449c20bbbbb4b45f74cbc5931ae9a373903c095be7ed22f45e8a8eb140fa69284b5597bf128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kr70Qv6.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ly017IJ.exe

Filesize
221KB

MD5
ff4f6299ec97cec525769f1270ecbe33

SHA1
e54fdfb7c21a94e0db907f1b8499a361009daaf3

SHA256
c07b6515162ce6c2aec88dbc20dbed84fd8fd6c7a623df79b423398156600f1c

SHA512
29e52d182c48a10a67bd81a7c8b53b1c4dd7620ddd24a878a02f34a67916309ef96ffc21fbd92dc863e34745dd72acfdda5a24c3ae8bf675352db1d25d2ed117

Download Submit
memory/4384-17-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

Filesize
4KB

Download
memory/4384-18-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/4384-19-0x00000000079A0000-0x0000000007F44000-memory.dmp

Filesize
5.6MB

Download
memory/4384-20-0x0000000007490000-0x0000000007522000-memory.dmp

Filesize
584KB

Download
memory/4384-21-0x0000000007450000-0x000000000745A000-memory.dmp

Filesize
40KB

Download
memory/4384-24-0x00000000076E0000-0x00000000076F2000-memory.dmp

Filesize
72KB

Download
memory/4384-23-0x00000000077D0000-0x00000000078DA000-memory.dmp

Filesize
1.0MB

Download
memory/4384-25-0x0000000007740000-0x000000000777C000-memory.dmp

Filesize
240KB

Download
memory/4384-22-0x0000000008570000-0x0000000008B88000-memory.dmp

Filesize
6.1MB

Download
memory/4384-26-0x0000000007780000-0x00000000077CC000-memory.dmp

Filesize
304KB

Download
memory/4384-27-0x0000000073EDE000-0x0000000073EDF000-memory.dmp

Filesize
4KB

Download