mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe
Size

515KB
MD5

5f070576d61ba1ed306f4d7cc7b04623
SHA1

4b5bbf436410a471f30e5d57c61320baaab2eabd
SHA256

a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5
SHA512

a2e2d8f6130d38a26503dc76bc6629fb28f21d8a673a189b2adeb7fdce7dc50c49f079eed7bb9df5d193adde52dece7303d6f47178559edb13b983e8f79370fb
SSDEEP

12288:8Mrvy90vNkAXNmiI9rjbt7PofGEEITEpSzdGYT1rvH5A:ryod4/FtQdTEIz3FvH5A

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral12/files/0x0008000000023421-11.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x0007000000023422-15.dat	family_redline
behavioral12/memory/1468-18-0x0000000000A50000-0x0000000000A8E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2960	vR3JM1Ux.exe
4356	1SZ06VN7.exe
1468	2FC916Ch.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vR3JM1Ux.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2960	1748	a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe	83
PID 1748 wrote to memory of 2960	1748	a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe	83
PID 1748 wrote to memory of 2960	1748	a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe	83
PID 2960 wrote to memory of 4356	2960	vR3JM1Ux.exe	84
PID 2960 wrote to memory of 4356	2960	vR3JM1Ux.exe	84
PID 2960 wrote to memory of 4356	2960	vR3JM1Ux.exe	84
PID 2960 wrote to memory of 1468	2960	vR3JM1Ux.exe	85
PID 2960 wrote to memory of 1468	2960	vR3JM1Ux.exe	85
PID 2960 wrote to memory of 1468	2960	vR3JM1Ux.exe	85

C:\Users\Admin\AppData\Local\Temp\a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe
"C:\Users\Admin\AppData\Local\Temp\a95d0a23b0c5bde5da2656477d19360bb7e1014fc2da653fed9ec6dd0b31cfb5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vR3JM1Ux.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vR3JM1Ux.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1SZ06VN7.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1SZ06VN7.exe
    3⤵
    - Executes dropped EXE
    PID:4356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FC916Ch.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FC916Ch.exe
    3⤵
    - Executes dropped EXE
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vR3JM1Ux.exe

Filesize
319KB

MD5
3b1b8dca7235227a075b703eedd6dbe7

SHA1
7833dacd058cf6dbcf6c63f89f3303cf70c64385

SHA256
24e73a0a1a5b8b6a11fd2ca1bbf58d8954a7893c3598475da0fb40cd314019a2

SHA512
af890a76c5ecab57a707deaac65d21fbec5eff8785cfe8fa38d9ee94cb9d3045d8c8894cc5ebadd18e96411eaef65345cc54ccf1d91de2c6692b389d21fb2f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1SZ06VN7.exe

Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2FC916Ch.exe

Filesize
222KB

MD5
b26c93370a3f2f9f928b9670f293429d

SHA1
c8a6af0a6eee87231f6c8f32271bf420038558b6

SHA256
7fcc1f520adf83544b2ab2114db545ac29166c8c24ce89f9e04bb6ad43e62fc4

SHA512
e8b864117541ff8a217bf9058c013120b545f0631985d0b217c37f9dc5f0ff64ec7a54a05b1aa2c577d0956c5c1c346385ff6af33838ffa790ccf012c250cbc9

Download Submit
memory/1468-17-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download
memory/1468-18-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Filesize
248KB

Download
memory/1468-19-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/1468-20-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/1468-21-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

Filesize
40KB

Download
memory/1468-22-0x00000000089F0000-0x0000000009008000-memory.dmp

Filesize
6.1MB

Download
memory/1468-23-0x0000000007C20000-0x0000000007D2A000-memory.dmp

Filesize
1.0MB

Download
memory/1468-24-0x0000000007B50000-0x0000000007B62000-memory.dmp

Filesize
72KB

Download
memory/1468-25-0x0000000007BB0000-0x0000000007BEC000-memory.dmp

Filesize
240KB

Download
memory/1468-26-0x0000000007D30000-0x0000000007D7C000-memory.dmp

Filesize
304KB

Download
memory/1468-27-0x00000000744BE000-0x00000000744BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads