mystic | 8ab296834f82cfcc09d242ca9b14991f94e5b8578e693e18cddc6e18583575ad

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe
Size

692KB
MD5

a13fc9ad8cf55c496a185f18bd0a0740
SHA1

629025604464c5dccd662e3187eb32cfda1916ae
SHA256

8ab296834f82cfcc09d242ca9b14991f94e5b8578e693e18cddc6e18583575ad
SHA512

8dff6352b8503fdea23905f5dfe6008bd3354831b64e26d439c1ce5b3391c0f088b91546b69fd59ffc20db9ed1722364ddc26603edb6a2d71e7c58e234252fbd
SSDEEP

12288:QMriy90R1s6OszLz0xY1RmI7wr6MNLKY8iUk2q5N1Uv6ioJAYHyGjBXL7tvC7l:iyb2H0u06CKYTr2q5kv6LAtyft2l

Score

10^/10

mystic redline smokeloader taiga backdoor infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1980-21-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1980-23-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1980-22-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1980-27-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2808-34-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	7OK5CV68.exe

Executes dropped EXE 6 IoCs

pid	Process
1792	Kr0ac48.exe
1168	tB4Aa79.exe
1184	1Tq60RU1.exe
4624	2qO8806.exe
3496	6cB9EE3.exe
4672	7OK5CV68.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Kr0ac48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tB4Aa79.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 1980	1184	1Tq60RU1.exe	89
PID 3496 set thread context of 2808	3496	6cB9EE3.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2qO8806.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2qO8806.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2qO8806.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1792	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	84
PID 2576 wrote to memory of 1792	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	84
PID 2576 wrote to memory of 1792	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	84
PID 1792 wrote to memory of 1168	1792	Kr0ac48.exe	85
PID 1792 wrote to memory of 1168	1792	Kr0ac48.exe	85
PID 1792 wrote to memory of 1168	1792	Kr0ac48.exe	85
PID 1168 wrote to memory of 1184	1168	tB4Aa79.exe	86
PID 1168 wrote to memory of 1184	1168	tB4Aa79.exe	86
PID 1168 wrote to memory of 1184	1168	tB4Aa79.exe	86
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1184 wrote to memory of 1980	1184	1Tq60RU1.exe	89
PID 1168 wrote to memory of 4624	1168	tB4Aa79.exe	91
PID 1168 wrote to memory of 4624	1168	tB4Aa79.exe	91
PID 1168 wrote to memory of 4624	1168	tB4Aa79.exe	91
PID 1792 wrote to memory of 3496	1792	Kr0ac48.exe	92
PID 1792 wrote to memory of 3496	1792	Kr0ac48.exe	92
PID 1792 wrote to memory of 3496	1792	Kr0ac48.exe	92
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 3496 wrote to memory of 2808	3496	6cB9EE3.exe	95
PID 2576 wrote to memory of 4672	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	96
PID 2576 wrote to memory of 4672	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	96
PID 2576 wrote to memory of 4672	2576	a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe	96
PID 4672 wrote to memory of 4772	4672	7OK5CV68.exe	97
PID 4672 wrote to memory of 4772	4672	7OK5CV68.exe	97
PID 4672 wrote to memory of 4772	4672	7OK5CV68.exe	97

C:\Users\Admin\AppData\Local\Temp\a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a13fc9ad8cf55c496a185f18bd0a0740_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr0ac48.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr0ac48.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB4Aa79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB4Aa79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tq60RU1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tq60RU1.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2qO8806.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2qO8806.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cB9EE3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cB9EE3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7OK5CV68.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7OK5CV68.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7OK5CV68.exe

Filesize
73KB

MD5
31dbec79422f7850c782baf5c6dd1dc8

SHA1
bcda7da88e921cd6aa52cfde99401454436f82e7

SHA256
c53a5a8a93fb720c8ec090b0c0d52896855d8365a09a3afb20b2f0fbcc507260

SHA512
5f3ce4e09f422ab07d6e127ed631bbb13bd3b393874e253a4a45f1312fc1ed08b6d32088957b89a3d474c3aba897e471564c71eeacd7cfcc223a0bbe0a86f415

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kr0ac48.exe

Filesize
570KB

MD5
0af34161ca9d4243fa1f23fdcef497c8

SHA1
862b0da8176bdf5568d8f56849a35cdf1564dc7a

SHA256
30270e9237ff00b79ac458db5f66e2623421a6d74cc76d7709fc2776a47c429c

SHA512
e137053997f427d4577c79d474d23cf3fdcd40a37090ffcece30843cf88041b5638db06f6d30846885bd059b3bc69750e2e3f4bff42dbf17763f8a27103c2b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cB9EE3.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB4Aa79.exe

Filesize
334KB

MD5
49a0caef816e938196d7b827eea5032b

SHA1
6397790f3b249f647d0b085d371564d5a9e9a34d

SHA256
d04f65321cf41e992868a454ab34737ee664c5c6e9088003890a9461101bc399

SHA512
9f9adfdefc6fa618900d85d2bb0346250a4f8af6d23df79aedd7c0bddc3e2bac532172549865ecf8e90496c1d5144ba29645951440965447e5d869d7efccfe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Tq60RU1.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2qO8806.exe

Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/1980-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1980-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-49-0x00000000085C0000-0x0000000008BD8000-memory.dmp

Filesize
6.1MB

Download
memory/2808-42-0x00000000079F0000-0x0000000007F94000-memory.dmp

Filesize
5.6MB

Download
memory/2808-43-0x00000000074E0000-0x0000000007572000-memory.dmp

Filesize
584KB

Download
memory/2808-34-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-48-0x0000000002A60000-0x0000000002A6A000-memory.dmp

Filesize
40KB

Download
memory/2808-50-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/2808-51-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/2808-52-0x0000000007760000-0x000000000779C000-memory.dmp

Filesize
240KB

Download
memory/2808-53-0x00000000076F0000-0x000000000773C000-memory.dmp

Filesize
304KB

Download
memory/4624-29-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4624-30-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads