mystic | 3bad5318d1eadf9f6d544fc5ed49c1e737fb2db130f60b70bab6f26392c87c30

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe
Size

1.1MB
MD5

cf1fdcfe7b25b7ebfd12dcaa33226982
SHA1

2d143f32b6229858603a3392b2d464c30c950cc3
SHA256

2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3
SHA512

853a78a93e86582ae51e0df7ff03e94d34c3ebdf2a9e8c9f6db8460e3d603db184bdd3ff1316ac771655025a307da938f7de64540937830f939a31d3070437eb
SSDEEP

24576:oyx0bVLDdTBOpukxKa031MMxngQJhcRPR6OEMrQniGG469pMyFYWXtEB1nXg:vSVLhgpvY3CdPMpnXGLMa9EX

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/2180-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral7/memory/2180-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral7/memory/2180-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023426-40.dat	family_redline
behavioral7/memory/4512-42-0x0000000000ED0000-0x0000000000F0E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1220	we8oZ1YI.exe
1844	hz8Pl7ly.exe
2416	Pb2Eh0vC.exe
1996	lA9mj6jm.exe
5060	1Hz61qo9.exe
4512	2fI382HR.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	we8oZ1YI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hz8Pl7ly.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Pb2Eh0vC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	lA9mj6jm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 2180	5060	1Hz61qo9.exe	109

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1220	3612	2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe	82
PID 3612 wrote to memory of 1220	3612	2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe	82
PID 3612 wrote to memory of 1220	3612	2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe	82
PID 1220 wrote to memory of 1844	1220	we8oZ1YI.exe	83
PID 1220 wrote to memory of 1844	1220	we8oZ1YI.exe	83
PID 1220 wrote to memory of 1844	1220	we8oZ1YI.exe	83
PID 1844 wrote to memory of 2416	1844	hz8Pl7ly.exe	84
PID 1844 wrote to memory of 2416	1844	hz8Pl7ly.exe	84
PID 1844 wrote to memory of 2416	1844	hz8Pl7ly.exe	84
PID 2416 wrote to memory of 1996	2416	Pb2Eh0vC.exe	85
PID 2416 wrote to memory of 1996	2416	Pb2Eh0vC.exe	85
PID 2416 wrote to memory of 1996	2416	Pb2Eh0vC.exe	85
PID 1996 wrote to memory of 5060	1996	lA9mj6jm.exe	86
PID 1996 wrote to memory of 5060	1996	lA9mj6jm.exe	86
PID 1996 wrote to memory of 5060	1996	lA9mj6jm.exe	86
PID 5060 wrote to memory of 3584	5060	1Hz61qo9.exe	108
PID 5060 wrote to memory of 3584	5060	1Hz61qo9.exe	108
PID 5060 wrote to memory of 3584	5060	1Hz61qo9.exe	108
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 5060 wrote to memory of 2180	5060	1Hz61qo9.exe	109
PID 1996 wrote to memory of 4512	1996	lA9mj6jm.exe	110
PID 1996 wrote to memory of 4512	1996	lA9mj6jm.exe	110
PID 1996 wrote to memory of 4512	1996	lA9mj6jm.exe	110

C:\Users\Admin\AppData\Local\Temp\2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe
"C:\Users\Admin\AppData\Local\Temp\2ec7b7ec25de047e7eb1cd8f27cc8f7e111c7ac68d37c56e3938dee25147cbb3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\we8oZ1YI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\we8oZ1YI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hz8Pl7ly.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hz8Pl7ly.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb2Eh0vC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb2Eh0vC.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lA9mj6jm.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lA9mj6jm.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Hz61qo9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Hz61qo9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3584
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fI382HR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fI382HR.exe
        6⤵
        Executes dropped EXE
        
        PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\we8oZ1YI.exe

Filesize
1.0MB

MD5
bf27d1667c4ee6758f5326451afb4fff

SHA1
c15485ce3e960194add29a8bf05e8f282f58cb4f

SHA256
b955ef1bf9eac85b08fd94366ee10fb3505624bc7444d19da15aed117eba2644

SHA512
635888ddd444642174b3f65a7d6adacdf51d39ae443105a362a93b31a0f3bc8d7c7c5d013df34e9fcaedd8db64cc458afcc805c0038b036f330f01f921d29762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hz8Pl7ly.exe

Filesize
843KB

MD5
effee97ef38bab90bb75259821d66bbe

SHA1
16595d0a3ebf300495c50994346d7bee70e3c899

SHA256
3e2c24dee051257d896fb12d8157c20d2033bb05fd944e90b1e4b6e8269da310

SHA512
aa4d6fb5d25d578fad1f4b8e99846243f2cfae27efbb55c4aa92de09cdf0048e89385c53a43e8fde6cdd2131729fc66373c848e222f785071534c89c01f5fc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pb2Eh0vC.exe

Filesize
593KB

MD5
418ba3f11ed1d05774c60bd026287f01

SHA1
3bf6961cc69a02569ce4d25b1c4cc16a1bbb50ee

SHA256
848e6d8398d0d6ad846d72e186ba51b3f4420c4bb490ed98307134ef08f8f22a

SHA512
554032933221eaf0b1ebd8b4824008d8393d1aa6b9c355a76408465e5369efc6e1f52752d96fecc430bbfc35118442694cd30043630ad760a54d8f71ef94509c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lA9mj6jm.exe

Filesize
398KB

MD5
3de94dbde43f1d6587c5841449a51f6e

SHA1
bf733288e4db11e8f1a4a7486c4968ed950f141f

SHA256
4b800de99bfc0c19528860361ee250b17d57814b7a21d3bc2ab7e67bc8f42ce3

SHA512
223437a9cf3cc4f0e5aea72e7d08f4effc16f339e5debe91a0a2551d5bd1d69c7968d51e0b876e85d160ee43b79bdfc0f19326423a494dd145a8482e519e923b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Hz61qo9.exe

Filesize
320KB

MD5
da53d62cb7f4429914f463125545a252

SHA1
e6348168f0e56ea5692937d9095de80ff86de52e

SHA256
f24f5918a9316c40d6f86cd73e84190d2a7a403ef7d00c8afc68706335bfa384

SHA512
d2a0b77aa678dcb83b3c5b250e0c876ea4be5fc8d1b82472e41e3739b68257c7ed829f1e203888a5409e4e6fd593456f1d843ed688da8afa6708cc4ac33b50e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fI382HR.exe

Filesize
222KB

MD5
e687b22b87c6cfcedd7d387a28325b5d

SHA1
3d48a2e20f138c527061db613e9978b85758625c

SHA256
33a35330419716ac6ae9bb308654c4141861fc7ab639e58803c73d0dc6d4082e

SHA512
c2a1c5c4171e5dc57b98d35fc331962b946cf9f24006c5f922e299db602573153ad5a425832c3fe7a50fd28ff2664c60bde0b18f8c2ab544093ed2ce9347eedc

Download Submit
memory/2180-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2180-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4512-42-0x0000000000ED0000-0x0000000000F0E000-memory.dmp

Filesize
248KB

Download
memory/4512-43-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/4512-44-0x0000000007DB0000-0x0000000007E42000-memory.dmp

Filesize
584KB

Download
memory/4512-45-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/4512-46-0x0000000008E90000-0x00000000094A8000-memory.dmp

Filesize
6.1MB

Download
memory/4512-47-0x00000000080F0000-0x00000000081FA000-memory.dmp

Filesize
1.0MB

Download
memory/4512-48-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

Filesize
72KB

Download
memory/4512-49-0x0000000008040000-0x000000000807C000-memory.dmp

Filesize
240KB

Download
memory/4512-50-0x0000000008080000-0x00000000080CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads