mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe
Size

1.2MB
MD5

56a2f2d0890ff16eb044b0a5778e7867
SHA1

72ba83d1c6ed4ffaf733b1568d0d6398dbec43fc
SHA256

4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834
SHA512

115bd5b7617d63697c0de243e1e3b6544708d50c5a6d5c160765b838992ceb73b73f19016135e7fd1c0e2d70200c5e769e162952bda324a651d34f1eff72c9a8
SSDEEP

24576:dy2i20A1nLmftA2TpmFJeqRzEhzasUml7gGt0ssGXyQl4Fj:42eA1WbTp8RKesUIzl4

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral6/files/0x000800000002344d-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000700000002344e-37.dat	family_redline
behavioral6/memory/4020-38-0x0000000000940000-0x000000000097E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2088	WK5Yf1iK.exe
4008	eL7Mc1rX.exe
2544	hC7yA0mj.exe
1604	Od7MZ3XC.exe
4580	1Fe38NP6.exe
4020	2Vk043xR.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WK5Yf1iK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	eL7Mc1rX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	hC7yA0mj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Od7MZ3XC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2088	1836	4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe	82
PID 1836 wrote to memory of 2088	1836	4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe	82
PID 1836 wrote to memory of 2088	1836	4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe	82
PID 2088 wrote to memory of 4008	2088	WK5Yf1iK.exe	83
PID 2088 wrote to memory of 4008	2088	WK5Yf1iK.exe	83
PID 2088 wrote to memory of 4008	2088	WK5Yf1iK.exe	83
PID 4008 wrote to memory of 2544	4008	eL7Mc1rX.exe	84
PID 4008 wrote to memory of 2544	4008	eL7Mc1rX.exe	84
PID 4008 wrote to memory of 2544	4008	eL7Mc1rX.exe	84
PID 2544 wrote to memory of 1604	2544	hC7yA0mj.exe	85
PID 2544 wrote to memory of 1604	2544	hC7yA0mj.exe	85
PID 2544 wrote to memory of 1604	2544	hC7yA0mj.exe	85
PID 1604 wrote to memory of 4580	1604	Od7MZ3XC.exe	86
PID 1604 wrote to memory of 4580	1604	Od7MZ3XC.exe	86
PID 1604 wrote to memory of 4580	1604	Od7MZ3XC.exe	86
PID 1604 wrote to memory of 4020	1604	Od7MZ3XC.exe	88
PID 1604 wrote to memory of 4020	1604	Od7MZ3XC.exe	88
PID 1604 wrote to memory of 4020	1604	Od7MZ3XC.exe	88

C:\Users\Admin\AppData\Local\Temp\4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe
"C:\Users\Admin\AppData\Local\Temp\4d68d381e45f27176b76095693f986c42472611f4598e13b214a1c40acc89834.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK5Yf1iK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK5Yf1iK.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eL7Mc1rX.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eL7Mc1rX.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hC7yA0mj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hC7yA0mj.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Od7MZ3XC.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Od7MZ3XC.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fe38NP6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fe38NP6.exe
        6⤵
        Executes dropped EXE
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vk043xR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vk043xR.exe
        6⤵
        Executes dropped EXE
        
        PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WK5Yf1iK.exe

Filesize
1.1MB

MD5
16725fedfc49ba1be97e18220ba2c787

SHA1
f86eea0028485bb788b36b0f245bb13dc84dfc7d

SHA256
6a9700449887e1f244cc02eca06d0450a78ebb2b393f42b112baab24156e9dcf

SHA512
e5cef759f1556ed977c6a9c01b1fb69832a09cbeb8795f7bb2b57c19ef25ed45ff949856b5aac9effbea7abdc6d3f857766a855ec0278c4daa3b6de192a092d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eL7Mc1rX.exe

Filesize
926KB

MD5
74ffdaf96c6c56e8fca4a0ff8e5c5399

SHA1
942fc316546da9e2aff6f1cc89d8b23f656d53c1

SHA256
70ec60a0f2a853bd91349181777c7f030f27abcee2daa6d831f20d7db6942874

SHA512
b3ba49ac2ca6f873ecd609c3205d8b9ecd3a1fb4cf1835e610f49180046141c65773ba044b29b12b58d344359e9abd6282856a9ea5671416b9b01616f5030f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hC7yA0mj.exe

Filesize
514KB

MD5
f8d8b6b88a03f0e0ff960b953a71fa4c

SHA1
8628f3cf550090ace33055c438770ed184658572

SHA256
05091afc417e803179873e9dd77b4131c55254b69354a37bea9d3411dafc4a6a

SHA512
f53f9c460dbea49b0eb878a82d3bb37ad70c1c0c92a279418626372ff02e9ac7406b6332ce486444381723288f8c92b5ffeeef0e54a5f6d8963de18573f386c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Od7MZ3XC.exe

Filesize
319KB

MD5
af899db5291cf24333078a2175735cf5

SHA1
66561e7cc08c59ee086276bcc4e5808993cd592c

SHA256
4173573dbcb601c1032c724129ce45c636ad0e5af7a3db7105d9a1688fa09e5e

SHA512
405a905228a5bc90a3e907c7bc5ce04745877366adfd80eb577f6170fdcdbdb0a0e6134fbfeb34395c64d70f6ef4fd85acb7fd2cedf2976d727df806c713b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Fe38NP6.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vk043xR.exe

Filesize
221KB

MD5
b358391b15b41904af22b0302c89730f

SHA1
7bfe110ae187a202d4858cb78af17d15e1378333

SHA256
e9a4fc1d7e5ff21dc8a3046fa93fcd77d9081b199ff1e63d22faa6d49a5d3017

SHA512
fe45f58db5040c47acbe8f037881961c360614cd4637fb7dcebe936d1bd549585ada49382e72153167f74a6570521d85fba3d5777ed3a9cb98debde4d3a43ca4

Download Submit
memory/4020-38-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/4020-39-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/4020-40-0x0000000007700000-0x0000000007792000-memory.dmp

Filesize
584KB

Download
memory/4020-41-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/4020-42-0x0000000008780000-0x0000000008D98000-memory.dmp

Filesize
6.1MB

Download
memory/4020-43-0x0000000008160000-0x000000000826A000-memory.dmp

Filesize
1.0MB

Download
memory/4020-44-0x00000000078F0000-0x0000000007902000-memory.dmp

Filesize
72KB

Download
memory/4020-45-0x0000000007950000-0x000000000798C000-memory.dmp

Filesize
240KB

Download
memory/4020-46-0x00000000079A0000-0x00000000079EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads