mystic | ce9955c91d6a5f9e211ecb80cc51d8025eccfe4e1398947c094c94a6e2904f18

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe
Size

1.3MB
MD5

1cb0d9a73de2ed437d313f8f5e9f324b
SHA1

f4b12e8a694e5f5ccca161aebe6bd66a60474e49
SHA256

80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e
SHA512

aa6c85222b8ed1b49d497f7aab8e2a1ce787d9175da1594f545d414c70b818ba0f893238bcf5c7dc3c9edc0cfd2f0c3d46a1122212d73b55322a91a1369fcfe6
SSDEEP

24576:BySsRytVMlI1Melx8vHpMz9kX1tdLBzgj5MDvBAngjrjsZXo:0EjP1Mw2vW5kXHdLBEj5GvBPf0X

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mN03Gj4.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2DT458aH.exe	family_redline
behavioral10/memory/652-38-0x0000000000340000-0x000000000037E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

cO7Qr0Fy.exeaz4Gt6xL.exeZF2fP6et.exeyn9Ng4sd.exe1mN03Gj4.exe2DT458aH.exe

pid process

2448 cO7Qr0Fy.exe
1752 az4Gt6xL.exe
4060 ZF2fP6et.exe
1484 yn9Ng4sd.exe
3228 1mN03Gj4.exe
652 2DT458aH.exe

pid	process
2448	cO7Qr0Fy.exe
1752	az4Gt6xL.exe
4060	ZF2fP6et.exe
1484	yn9Ng4sd.exe
3228	1mN03Gj4.exe
652	2DT458aH.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.execO7Qr0Fy.exeaz4Gt6xL.exeZF2fP6et.exeyn9Ng4sd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cO7Qr0Fy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	az4Gt6xL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZF2fP6et.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	yn9Ng4sd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.execO7Qr0Fy.exeaz4Gt6xL.exeZF2fP6et.exeyn9Ng4sd.exe

description	pid	process	target process
PID 1980 wrote to memory of 2448	1980	80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe	cO7Qr0Fy.exe
PID 1980 wrote to memory of 2448	1980	80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe	cO7Qr0Fy.exe
PID 1980 wrote to memory of 2448	1980	80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe	cO7Qr0Fy.exe
PID 2448 wrote to memory of 1752	2448	cO7Qr0Fy.exe	az4Gt6xL.exe
PID 2448 wrote to memory of 1752	2448	cO7Qr0Fy.exe	az4Gt6xL.exe
PID 2448 wrote to memory of 1752	2448	cO7Qr0Fy.exe	az4Gt6xL.exe
PID 1752 wrote to memory of 4060	1752	az4Gt6xL.exe	ZF2fP6et.exe
PID 1752 wrote to memory of 4060	1752	az4Gt6xL.exe	ZF2fP6et.exe
PID 1752 wrote to memory of 4060	1752	az4Gt6xL.exe	ZF2fP6et.exe
PID 4060 wrote to memory of 1484	4060	ZF2fP6et.exe	yn9Ng4sd.exe
PID 4060 wrote to memory of 1484	4060	ZF2fP6et.exe	yn9Ng4sd.exe
PID 4060 wrote to memory of 1484	4060	ZF2fP6et.exe	yn9Ng4sd.exe
PID 1484 wrote to memory of 3228	1484	yn9Ng4sd.exe	1mN03Gj4.exe
PID 1484 wrote to memory of 3228	1484	yn9Ng4sd.exe	1mN03Gj4.exe
PID 1484 wrote to memory of 3228	1484	yn9Ng4sd.exe	1mN03Gj4.exe
PID 1484 wrote to memory of 652	1484	yn9Ng4sd.exe	2DT458aH.exe
PID 1484 wrote to memory of 652	1484	yn9Ng4sd.exe	2DT458aH.exe
PID 1484 wrote to memory of 652	1484	yn9Ng4sd.exe	2DT458aH.exe

C:\Users\Admin\AppData\Local\Temp\80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe
"C:\Users\Admin\AppData\Local\Temp\80af2b3540716fa5dcd664b7f7ed120e1c1aa575c2fc1e1b6ee5df1723f2ab7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cO7Qr0Fy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cO7Qr0Fy.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az4Gt6xL.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az4Gt6xL.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZF2fP6et.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZF2fP6et.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yn9Ng4sd.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yn9Ng4sd.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mN03Gj4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mN03Gj4.exe
6⤵
- Executes dropped EXE
PID:3228

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2DT458aH.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2DT458aH.exe
6⤵
- Executes dropped EXE
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cO7Qr0Fy.exe
Filesize
1.1MB

MD5
f2c1efbd21b16da92ea66a220c54f53a

SHA1
fae50bbec557fd7f8900aeb9cfde2b25d565fa55

SHA256
64b5fb7dc9d40b1f46e5111c8b6280ccb2335f4c6758258e2c871ef36212235c

SHA512
cfd8e3ceee36f6474b7146b44891cdfe6a4249559054151b81c242072e85b4c9861e71cec6da0b3b20311951b31b547f2edda00b7243a3269c8b981380e3df9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\az4Gt6xL.exe
Filesize
948KB

MD5
94bf79a932a32639f853cfeb512ed6cc

SHA1
2d4da2866b6bcc9c775f87925b85de8771dd42cf

SHA256
a71929dd0061609cf847cd384e75196f7649f1ba3d34a1b8af3ef7dd2885024d

SHA512
b3b48a3eadeef64cd5abf7030f006c73ceefa37a9033a53cc22c268b1aca653e917923ddf34c70e2f277bf26dbc7b523444f55e2ba1e62dc366fc8081b80c2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZF2fP6et.exe
Filesize
515KB

MD5
c41a844a5a2a8e9b2b9ad94f20327915

SHA1
29386d972209d97f5951921b24d1a4aab7e70d55

SHA256
5f4625f6051b72c898f9b8c5d963c0d53dc76852acd054ba587c99dccf2d2692

SHA512
b0ef8ea35cd42e1c4d8adc9be80426db5f5651a6b0a542497a38332a2f1a6cebd55876c78009a6bb9916e7ffc0cbfe658b0a8333cc2492c0891d3bf85ffeef6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\yn9Ng4sd.exe
Filesize
319KB

MD5
6657aed4f76a4342e3ff19a577c12dee

SHA1
d451a1f435dd39907aad27d4ac9125394c2fd8d8

SHA256
3797de7345f5d40ed0352ca56aa61cc8b033759200fbc927cef3d375e6140fea

SHA512
7499e7eb154f7b9565b6ee3fbf48460678eabc62bc4d3ed77164b398681197a0692f797b980c0ce6fd190228ddc4eceadb020906dd8b96aabe65aa60ccb7ca95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mN03Gj4.exe
Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2DT458aH.exe
Filesize
222KB

MD5
75af177974a1e1232efa9cd97fad9cae

SHA1
192b1c8304bc53dc38567447f4e4d6c2d07943f7

SHA256
d79652623b5516948257d8c066efe5426b42ddf74ceecdb8723e50b541dabd93

SHA512
504c32ef834ec81b4ad85e6e1b059411c4ff43bff982ed55cd41cd86b66f6ca2e1cbec871c475956e9ef8b1d838eaed9074ac8263a0b0cabc1d62614438a6693

Download Submit
memory/652-38-0x0000000000340000-0x000000000037E000-memory.dmp

Filesize
248KB

Download
memory/652-39-0x00000000077E0000-0x0000000007D84000-memory.dmp

Filesize
5.6MB

Download
memory/652-40-0x00000000072D0000-0x0000000007362000-memory.dmp

Filesize
584KB

Download
memory/652-41-0x00000000047B0000-0x00000000047BA000-memory.dmp

Filesize
40KB

Download
memory/652-42-0x00000000083B0000-0x00000000089C8000-memory.dmp

Filesize
6.1MB

Download
memory/652-43-0x0000000007670000-0x000000000777A000-memory.dmp

Filesize
1.0MB

Download
memory/652-44-0x0000000007290000-0x00000000072A2000-memory.dmp

Filesize
72KB

Download
memory/652-45-0x00000000074A0000-0x00000000074DC000-memory.dmp

Filesize
240KB

Download
memory/652-46-0x0000000007500000-0x000000000754C000-memory.dmp

Filesize
304KB

Download