mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
Size

515KB
MD5

f203dcc69457c4f08c89665d1998b068
SHA1

73cb4dc56ff1d6f5c03ff884266c758a5feb5acb
SHA256

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126
SHA512

60bc74a72e8210868efb5fb308c8e332a62c3e599e0602f94a1c84b23bdd10153248c000d7b60f4027af526ac71636a2b524568f4173b2459a34d4f7c496c166
SSDEEP

12288:0Mrdy905AKt2UKRMv1cBjTwm/dCR2XjDC8BRh6J:ZyEwUKRMvCzgsd4

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral6/files/0x000800000002341f-11.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023420-15.dat	family_redline
behavioral6/memory/4544-18-0x00000000005C0000-0x00000000005FE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1012	UK4uc7mJ.exe
1468	1yw93zW5.exe
4544	2Gt312qW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UK4uc7mJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 1012	3388	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	82
PID 3388 wrote to memory of 1012	3388	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	82
PID 3388 wrote to memory of 1012	3388	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	82
PID 1012 wrote to memory of 1468	1012	UK4uc7mJ.exe	83
PID 1012 wrote to memory of 1468	1012	UK4uc7mJ.exe	83
PID 1012 wrote to memory of 1468	1012	UK4uc7mJ.exe	83
PID 1012 wrote to memory of 4544	1012	UK4uc7mJ.exe	84
PID 1012 wrote to memory of 4544	1012	UK4uc7mJ.exe	84
PID 1012 wrote to memory of 4544	1012	UK4uc7mJ.exe	84

C:\Users\Admin\AppData\Local\Temp\47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
"C:\Users\Admin\AppData\Local\Temp\47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe
    3⤵
    - Executes dropped EXE
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe
    3⤵
    - Executes dropped EXE
    PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe

Filesize
319KB

MD5
c6f5b294030edb3ddb25ef7ba6834181

SHA1
099a5023c801836db35332f93e26a9a4ea576455

SHA256
ccfacfbd2fd9e1dbfff5b5ecd97fbb0c0425d4ed26df44d42f65e84a3df9d0e7

SHA512
1623f1f0e00c50d945686dbe8994810f9dafc1b62e4492a8c6805574ad422183cc4c0ab3321c1c092997053fb9256dda144bf569acd848b78fac738ec6b61bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe

Filesize
223KB

MD5
9fcb2d09ee009580a5fca5585a2321fc

SHA1
d35192eba9d2989d41c7970cfffa5103856b8513

SHA256
09dae28fa8392a38adda2352bf092921bb342734e6a8f992f8c10cd6bd9c704d

SHA512
082ca7716a425c6fcf1aa9a397b540cd55e240f6e3ef66d8da9f2781424d86aed03dde337ee1f472c1579c8b5c371202492647b76cb34ae4a31ef577aa4c416a

Download Submit
memory/4544-17-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/4544-18-0x00000000005C0000-0x00000000005FE000-memory.dmp

Filesize
248KB

Download
memory/4544-19-0x0000000007A40000-0x0000000007FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4544-20-0x0000000007490000-0x0000000007522000-memory.dmp

Filesize
584KB

Download
memory/4544-21-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/4544-22-0x0000000008610000-0x0000000008C28000-memory.dmp

Filesize
6.1MB

Download
memory/4544-23-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/4544-24-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/4544-25-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/4544-26-0x00000000078A0000-0x00000000078EC000-memory.dmp

Filesize
304KB

Download
memory/4544-27-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads