mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe
Size

942KB
MD5

61c05ab7c728ffec4a4fb15320931746
SHA1

8d31b6e48d35a465dc8001535dde6e7a60d33926
SHA256

ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c
SHA512

d48b900e1d1b105570cb2a79edaee451be76235d2e32d56602f362e1a2ea504ffb4feb99587be3f191ca3b59f4ba45daa612cfeb60914d285aec97e3cb537343
SSDEEP

24576:uytCBBS5OXe1djEwXNThMmQpBPT04un4E:9tVOO1dJTa1144u

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vp30zW3.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cG189NY.exe	family_redline
behavioral19/memory/3552-24-0x0000000000E60000-0x0000000000E9E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Ip1Gf9en.exekq5sV4ln.exe1Vp30zW3.exe2cG189NY.exe

pid process

4636 Ip1Gf9en.exe
1992 kq5sV4ln.exe
1368 1Vp30zW3.exe
3552 2cG189NY.exe

pid	process
4636	Ip1Gf9en.exe
1992	kq5sV4ln.exe
1368	1Vp30zW3.exe
3552	2cG189NY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exeIp1Gf9en.exekq5sV4ln.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ip1Gf9en.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kq5sV4ln.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exeIp1Gf9en.exekq5sV4ln.exe

description	pid	process	target process
PID 4472 wrote to memory of 4636	4472	ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe	Ip1Gf9en.exe
PID 4472 wrote to memory of 4636	4472	ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe	Ip1Gf9en.exe
PID 4472 wrote to memory of 4636	4472	ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe	Ip1Gf9en.exe
PID 4636 wrote to memory of 1992	4636	Ip1Gf9en.exe	kq5sV4ln.exe
PID 4636 wrote to memory of 1992	4636	Ip1Gf9en.exe	kq5sV4ln.exe
PID 4636 wrote to memory of 1992	4636	Ip1Gf9en.exe	kq5sV4ln.exe
PID 1992 wrote to memory of 1368	1992	kq5sV4ln.exe	1Vp30zW3.exe
PID 1992 wrote to memory of 1368	1992	kq5sV4ln.exe	1Vp30zW3.exe
PID 1992 wrote to memory of 1368	1992	kq5sV4ln.exe	1Vp30zW3.exe
PID 1992 wrote to memory of 3552	1992	kq5sV4ln.exe	2cG189NY.exe
PID 1992 wrote to memory of 3552	1992	kq5sV4ln.exe	2cG189NY.exe
PID 1992 wrote to memory of 3552	1992	kq5sV4ln.exe	2cG189NY.exe

C:\Users\Admin\AppData\Local\Temp\ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe
"C:\Users\Admin\AppData\Local\Temp\ee34d9132ff6f1ea60e43803547dbe294602944fc0ebcf46cae0b6a5b671d28c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ip1Gf9en.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ip1Gf9en.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kq5sV4ln.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kq5sV4ln.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vp30zW3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vp30zW3.exe
4⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cG189NY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cG189NY.exe
4⤵
- Executes dropped EXE
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ip1Gf9en.exe

Filesize
514KB

MD5
1c798ff387e3b50b7ff8b143799bdd94

SHA1
6e776ea6bc64b4b517d21e058356c84f49c093d2

SHA256
02210bd463a9d02898167ccc56e27c07805a9e065305523d341be479808a612e

SHA512
c26b822fdf13f50b1ac88c505a8b896e4993190f9561aaeda3180cb05c19c3e315efd9cf4f5230b1b6fe5f0a0ed0b2737d2df71d1604773f9fc05b6570550702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kq5sV4ln.exe

Filesize
319KB

MD5
94d55ab9da2b3f506d3fe904596609fe

SHA1
d5c53b030b37b894e3964c985c7d084c38e8155e

SHA256
7cc249e32e32515cca0cfa1ca843343c0432a6bc4928fa684048646c8c6127a0

SHA512
288c9443ae633c94a4793d34c52d135ee844572e358391b7b5cf9812387623508aee31c1d6bafc4649941156ec7581bb5946784b97d58b76b2d9ea8de9f164f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Vp30zW3.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2cG189NY.exe

Filesize
221KB

MD5
607b0b2cc2d4f8f165b5f80adbdea674

SHA1
46fb7253aac4f4eac0eed069a8f9741f57856486

SHA256
1bf3c0cee3169f4a20c6f91d239163c6b0d3a4d5fddab71364a4c5a68d79bfb9

SHA512
76a8dcfe19e2d69a031df3443c9279f82e59493fc426a7039224f805daa0515fd0c0d2e324ba41ef486e67951e8d5fb7cc9dda44a8d7460d0f7b744d579aaf87

Download Submit
memory/3552-24-0x0000000000E60000-0x0000000000E9E000-memory.dmp

Filesize
248KB

Download
memory/3552-25-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/3552-26-0x0000000007C80000-0x0000000007D12000-memory.dmp

Filesize
584KB

Download
memory/3552-27-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/3552-28-0x0000000008D20000-0x0000000009338000-memory.dmp

Filesize
6.1MB

Download
memory/3552-29-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/3552-30-0x0000000007E10000-0x0000000007E22000-memory.dmp

Filesize
72KB

Download
memory/3552-31-0x0000000007E70000-0x0000000007EAC000-memory.dmp

Filesize
240KB

Download
memory/3552-32-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download