mystic | 8f1630bc8eac64cd06bd503a82b737a5f82d3a748f9021ad1d4babb30749eb84

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
Size

515KB
MD5

f203dcc69457c4f08c89665d1998b068
SHA1

73cb4dc56ff1d6f5c03ff884266c758a5feb5acb
SHA256

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126
SHA512

60bc74a72e8210868efb5fb308c8e332a62c3e599e0602f94a1c84b23bdd10153248c000d7b60f4027af526ac71636a2b524568f4173b2459a34d4f7c496c166
SSDEEP

12288:0Mrdy905AKt2UKRMv1cBjTwm/dCR2XjDC8BRh6J:ZyEwUKRMvCzgsd4

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe	family_redline
behavioral6/memory/3984-18-0x0000000000460000-0x000000000049E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

UK4uc7mJ.exe1yw93zW5.exe2Gt312qW.exe

pid process

2664 UK4uc7mJ.exe
3052 1yw93zW5.exe
3984 2Gt312qW.exe

pid	process
2664	UK4uc7mJ.exe
3052	1yw93zW5.exe
3984	2Gt312qW.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exeUK4uc7mJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UK4uc7mJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exeUK4uc7mJ.exe

description	pid	process	target process
PID 4268 wrote to memory of 2664	4268	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	UK4uc7mJ.exe
PID 4268 wrote to memory of 2664	4268	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	UK4uc7mJ.exe
PID 4268 wrote to memory of 2664	4268	47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe	UK4uc7mJ.exe
PID 2664 wrote to memory of 3052	2664	UK4uc7mJ.exe	1yw93zW5.exe
PID 2664 wrote to memory of 3052	2664	UK4uc7mJ.exe	1yw93zW5.exe
PID 2664 wrote to memory of 3052	2664	UK4uc7mJ.exe	1yw93zW5.exe
PID 2664 wrote to memory of 3984	2664	UK4uc7mJ.exe	2Gt312qW.exe
PID 2664 wrote to memory of 3984	2664	UK4uc7mJ.exe	2Gt312qW.exe
PID 2664 wrote to memory of 3984	2664	UK4uc7mJ.exe	2Gt312qW.exe

C:\Users\Admin\AppData\Local\Temp\47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe
"C:\Users\Admin\AppData\Local\Temp\47e26a3424119bb3474243a62c68d0c38747b303822e8e6d0198c8fc44796126.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe
3⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe
3⤵
- Executes dropped EXE
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UK4uc7mJ.exe
Filesize
319KB

MD5
c6f5b294030edb3ddb25ef7ba6834181

SHA1
099a5023c801836db35332f93e26a9a4ea576455

SHA256
ccfacfbd2fd9e1dbfff5b5ecd97fbb0c0425d4ed26df44d42f65e84a3df9d0e7

SHA512
1623f1f0e00c50d945686dbe8994810f9dafc1b62e4492a8c6805574ad422183cc4c0ab3321c1c092997053fb9256dda144bf569acd848b78fac738ec6b61bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yw93zW5.exe
Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Gt312qW.exe
Filesize
223KB

MD5
9fcb2d09ee009580a5fca5585a2321fc

SHA1
d35192eba9d2989d41c7970cfffa5103856b8513

SHA256
09dae28fa8392a38adda2352bf092921bb342734e6a8f992f8c10cd6bd9c704d

SHA512
082ca7716a425c6fcf1aa9a397b540cd55e240f6e3ef66d8da9f2781424d86aed03dde337ee1f472c1579c8b5c371202492647b76cb34ae4a31ef577aa4c416a

Download Submit
memory/3984-17-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3984-18-0x0000000000460000-0x000000000049E000-memory.dmp

Filesize
248KB

Download
memory/3984-19-0x00000000076F0000-0x0000000007C94000-memory.dmp

Filesize
5.6MB

Download
memory/3984-20-0x0000000007220000-0x00000000072B2000-memory.dmp

Filesize
584KB

Download
memory/3984-21-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/3984-22-0x00000000082C0000-0x00000000088D8000-memory.dmp

Filesize
6.1MB

Download
memory/3984-23-0x0000000007530000-0x000000000763A000-memory.dmp

Filesize
1.0MB

Download
memory/3984-24-0x0000000007420000-0x0000000007432000-memory.dmp

Filesize
72KB

Download
memory/3984-25-0x0000000007480000-0x00000000074BC000-memory.dmp

Filesize
240KB

Download
memory/3984-26-0x00000000074C0000-0x000000000750C000-memory.dmp

Filesize
304KB

Download
memory/3984-27-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download