mystic | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe
Size

1.1MB
MD5

d92888066793d326a49b21e7a091d25a
SHA1

e08eeaf2c76508e1fbced904177ad68f055d1344
SHA256

d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b
SHA512

3595c349657597fcc1e692226c9e5675486de21075b94d452e8729754aa1687489b5cf65f74d17f53b07f988072de09fe81a9db2c844e1f52342e988f6a9bce4
SSDEEP

24576:1yzt5x6zpWENBhJ60yaE8zyJq1h/yLj1IhU1fS8DhnGR04l2IjdeSiRA5:Qzt5xEWIbyGN1sNLhl4lDJ8R

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uO07FG3.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HF149GC.exe	family_redline
behavioral22/memory/3456-31-0x0000000000870000-0x00000000008AE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

cA4Pt1WP.exeTg0Qt3GZ.exeUM3vW4jG.exe1uO07FG3.exe2HF149GC.exe

pid process

3496 cA4Pt1WP.exe
1424 Tg0Qt3GZ.exe
2332 UM3vW4jG.exe
1124 1uO07FG3.exe
3456 2HF149GC.exe

pid	process
3496	cA4Pt1WP.exe
1424	Tg0Qt3GZ.exe
2332	UM3vW4jG.exe
1124	1uO07FG3.exe
3456	2HF149GC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.execA4Pt1WP.exeTg0Qt3GZ.exeUM3vW4jG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cA4Pt1WP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Tg0Qt3GZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	UM3vW4jG.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.execA4Pt1WP.exeTg0Qt3GZ.exeUM3vW4jG.exe

description	pid	process	target process
PID 3260 wrote to memory of 3496	3260	d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe	cA4Pt1WP.exe
PID 3260 wrote to memory of 3496	3260	d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe	cA4Pt1WP.exe
PID 3260 wrote to memory of 3496	3260	d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe	cA4Pt1WP.exe
PID 3496 wrote to memory of 1424	3496	cA4Pt1WP.exe	Tg0Qt3GZ.exe
PID 3496 wrote to memory of 1424	3496	cA4Pt1WP.exe	Tg0Qt3GZ.exe
PID 3496 wrote to memory of 1424	3496	cA4Pt1WP.exe	Tg0Qt3GZ.exe
PID 1424 wrote to memory of 2332	1424	Tg0Qt3GZ.exe	UM3vW4jG.exe
PID 1424 wrote to memory of 2332	1424	Tg0Qt3GZ.exe	UM3vW4jG.exe
PID 1424 wrote to memory of 2332	1424	Tg0Qt3GZ.exe	UM3vW4jG.exe
PID 2332 wrote to memory of 1124	2332	UM3vW4jG.exe	1uO07FG3.exe
PID 2332 wrote to memory of 1124	2332	UM3vW4jG.exe	1uO07FG3.exe
PID 2332 wrote to memory of 1124	2332	UM3vW4jG.exe	1uO07FG3.exe
PID 2332 wrote to memory of 3456	2332	UM3vW4jG.exe	2HF149GC.exe
PID 2332 wrote to memory of 3456	2332	UM3vW4jG.exe	2HF149GC.exe
PID 2332 wrote to memory of 3456	2332	UM3vW4jG.exe	2HF149GC.exe

C:\Users\Admin\AppData\Local\Temp\d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe
"C:\Users\Admin\AppData\Local\Temp\d9645ca9ce715a28ec2e2bfb66f661e256335f09bba61c0b86d73a530dacb15b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA4Pt1WP.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA4Pt1WP.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tg0Qt3GZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tg0Qt3GZ.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UM3vW4jG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UM3vW4jG.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uO07FG3.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uO07FG3.exe
5⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HF149GC.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HF149GC.exe
5⤵
- Executes dropped EXE
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA4Pt1WP.exe
Filesize
942KB

MD5
fe3b9a8b0716fa57242d40630d783156

SHA1
0a730328d4a3672a561d521f2b8daa9707b1dea5

SHA256
a4a80eebdd22eab822a0796ae85ae68f04d6f8cd3384f77a780dcd850d30f0dd

SHA512
e49094cfffbeb6b3e291c7a0b0a6da7f16eadab62b6dcf7a267baee7f657ccc28ca50c9b7eddf02874af596555bc79191f5917d5af1e7203580eacc8bf42eeb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tg0Qt3GZ.exe
Filesize
514KB

MD5
6dc695291d3acffeec67ca30726db64f

SHA1
d6afeae9394aadb4039c68badbbc7c2ca3cc4ff7

SHA256
41a5e5e499c790600621de8fa1a3e7dab95fd60c84ebeef8bfa7c583c716b416

SHA512
c689906f58647f9af16f4ed80486196d5045d92e6a0af8cc7299a17662e110aa38d4cc69a8039ddec0b4def0b8475941e00bb45754064fa7a0442027115b9bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UM3vW4jG.exe
Filesize
319KB

MD5
0a4f7035e279f51d48c04c0fe1353ece

SHA1
2e4c2150c4a2989be0c4ed4d1b1bd88625aa8708

SHA256
d799883d0f8457e846b9b03a5b1d907bf274b8b42554780bc63d837d95a08977

SHA512
cae488fab30df92fc34f05b84d60b9cbc64a75c5e64ecf636e64a23369418161c47273addc107570781660bac869145f6664316d7e9cc3225e0892e496bcb02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uO07FG3.exe
Filesize
180KB

MD5
3f305144feb3040cf41b216841537ec2

SHA1
ae9066cc3b40be6250e7e6a90bcc2de160067b84

SHA256
89fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1

SHA512
ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HF149GC.exe
Filesize
221KB

MD5
9d3ef1f0b37bef2db8b3168b6530360f

SHA1
3ddf1aec7eb1c6f74851f34c9f822fc27b9d770d

SHA256
871a82f9478848cf7043d0fd866f7d705fed37fcf8e37ea79910120fdab3f8cd

SHA512
9b564b8d146e783539ccde557f47addb8fa0488ec4471fe0189e2e87ef5c5c0b7bb12c0e38e544ace6941bd851e685fd1406f6394d2588e4f1de16ed178014d7

Download Submit
memory/3456-31-0x0000000000870000-0x00000000008AE000-memory.dmp

Filesize
248KB

Download
memory/3456-32-0x0000000007D30000-0x00000000082D4000-memory.dmp

Filesize
5.6MB

Download
memory/3456-33-0x0000000007820000-0x00000000078B2000-memory.dmp

Filesize
584KB

Download
memory/3456-34-0x0000000002D70000-0x0000000002D7A000-memory.dmp

Filesize
40KB

Download
memory/3456-35-0x0000000008900000-0x0000000008F18000-memory.dmp

Filesize
6.1MB

Download
memory/3456-36-0x0000000007BB0000-0x0000000007CBA000-memory.dmp

Filesize
1.0MB

Download
memory/3456-37-0x00000000077D0000-0x00000000077E2000-memory.dmp

Filesize
72KB

Download
memory/3456-38-0x0000000007900000-0x000000000793C000-memory.dmp

Filesize
240KB

Download
memory/3456-39-0x0000000007940000-0x000000000798C000-memory.dmp

Filesize
304KB

Download