mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Size

941KB
MD5

80d8470174fb9248378b139c425b1843
SHA1

efb142c6bb25531517d5a25c04591e3fc08075a4
SHA256

59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf
SHA512

50ee796d88510be9f3999960a84061745034a1d997b12cc1fb150ca007af496f7cf81cc4b54de6db713fbbcfb2183df159d9ad9e4f27ce77a5b42939fc379f20
SSDEEP

24576:TyctOyhluqSd8Euzhsse5O7gJIEY7JptxTp:mEhluqSdGlssBytebt1

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exe	family_redline
behavioral6/memory/2684-24-0x0000000000C00000-0x0000000000C3E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

tZ0Pa9uA.exeNy7vy5Ul.exe1MR88YN2.exe2wl962PO.exe

pid process

3852 tZ0Pa9uA.exe
2600 Ny7vy5Ul.exe
516 1MR88YN2.exe
2684 2wl962PO.exe

pid	process
3852	tZ0Pa9uA.exe
2600	Ny7vy5Ul.exe
516	1MR88YN2.exe
2684	2wl962PO.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exetZ0Pa9uA.exeNy7vy5Ul.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tZ0Pa9uA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ny7vy5Ul.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exetZ0Pa9uA.exeNy7vy5Ul.exe

description	pid	process	target process
PID 892 wrote to memory of 3852	892	59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe	tZ0Pa9uA.exe
PID 892 wrote to memory of 3852	892	59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe	tZ0Pa9uA.exe
PID 892 wrote to memory of 3852	892	59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe	tZ0Pa9uA.exe
PID 3852 wrote to memory of 2600	3852	tZ0Pa9uA.exe	Ny7vy5Ul.exe
PID 3852 wrote to memory of 2600	3852	tZ0Pa9uA.exe	Ny7vy5Ul.exe
PID 3852 wrote to memory of 2600	3852	tZ0Pa9uA.exe	Ny7vy5Ul.exe
PID 2600 wrote to memory of 516	2600	Ny7vy5Ul.exe	1MR88YN2.exe
PID 2600 wrote to memory of 516	2600	Ny7vy5Ul.exe	1MR88YN2.exe
PID 2600 wrote to memory of 516	2600	Ny7vy5Ul.exe	1MR88YN2.exe
PID 2600 wrote to memory of 2684	2600	Ny7vy5Ul.exe	2wl962PO.exe
PID 2600 wrote to memory of 2684	2600	Ny7vy5Ul.exe	2wl962PO.exe
PID 2600 wrote to memory of 2684	2600	Ny7vy5Ul.exe	2wl962PO.exe

C:\Users\Admin\AppData\Local\Temp\59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
"C:\Users\Admin\AppData\Local\Temp\59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZ0Pa9uA.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZ0Pa9uA.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ny7vy5Ul.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ny7vy5Ul.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exe
4⤵
- Executes dropped EXE
PID:516

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exe
4⤵
- Executes dropped EXE
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZ0Pa9uA.exe

Filesize
514KB

MD5
84d419f371b17c35212a3c7208661fea

SHA1
af813b9dcc9ee822a6ba5da4426a8387b5fdf8db

SHA256
ad68a7f5de07da0e6e8524f866efea5e8f17a002ed580910f1c420b7036338f2

SHA512
e0ac236514d6093305c539b1cc4d2c7cab1afb0696c430952aee2d957589a382fb5f208c5dcf6c374d4f002bb4d69f0e33141257623d359850346aa478f489d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ny7vy5Ul.exe

Filesize
319KB

MD5
98681488c0719933ab6ccdbb8c23fa12

SHA1
ba1b726f2188407b3be6f2cecb972fa0ccb135e7

SHA256
07c0d1d76f888e5137173ec34041605fff9d79afe69aeef7896f90198b958354

SHA512
da38edb43416e8f81370059c322e8424790707dedd5821aa74884005f1cf884aabff025e2a80fbebe1ab82101ceb18475a9e57b21ccb4222b156888a5598e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exe

Filesize
222KB

MD5
430e5b490f8c865c346017ce8deb72af

SHA1
a5d7ec4e5a4f4a19c8cfc6fc9c2edd27593c21d2

SHA256
16dd6bc2a8f2e4d9e8a5fea17c85536fd8c577c6d6edebe6feea8bda68d76923

SHA512
5940c1ba17c548f50923e715aa13bd6072cf82eae502a59191f93d3969de49f6c4f05ef0c07ee8d37dd6c2deae6863116b45a30d11fc74d0602133669fe32df6

Download Submit
memory/2684-24-0x0000000000C00000-0x0000000000C3E000-memory.dmp

Filesize
248KB

Download
memory/2684-25-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/2684-26-0x00000000079C0000-0x0000000007A52000-memory.dmp

Filesize
584KB

Download
memory/2684-27-0x0000000002DF0000-0x0000000002DFA000-memory.dmp

Filesize
40KB

Download
memory/2684-28-0x0000000008B40000-0x0000000009158000-memory.dmp

Filesize
6.1MB

Download
memory/2684-29-0x0000000007C90000-0x0000000007D9A000-memory.dmp

Filesize
1.0MB

Download
memory/2684-30-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/2684-31-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/2684-32-0x0000000007DA0000-0x0000000007DEC000-memory.dmp

Filesize
304KB

Download