mystic | 728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf

General

Target

728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe
Size

1017KB
MD5

0d9105c6c005d3c86ef90c753021550a
SHA1

16e32851b8c1e013e47e9c9527bcfeeeda468ba9
SHA256

728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf
SHA512

86c6ddbd5fd60fabc93d9d8ce0b22bda1136315e13e0feec13851a14a606057e99f4b1fa180de0264c3ea2457048bde7716556416388656385a6fbaf91606d4c
SSDEEP

24576:zyjZWkc+tgpL+IJ0I2SwBCRtVjnh/9+OEYWcXRGg:GMkeUI2PoRtVjnh/9+zYWc

Score

10^/10

mystic redline kukish discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-33.dat	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca3-36.dat	family_redline
behavioral1/memory/1848-38-0x0000000000190000-0x00000000001CE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2072	IY0um4Qn.exe
4380	vj7tX4Zp.exe
1484	tu1Ge6nD.exe
1020	ZF4aW7On.exe
2260	1cE07aO2.exe
1848	2NA459Pz.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	IY0um4Qn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vj7tX4Zp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tu1Ge6nD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ZF4aW7On.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IY0um4Qn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vj7tX4Zp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tu1Ge6nD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZF4aW7On.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cE07aO2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2NA459Pz.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2072	640	728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe	86
PID 640 wrote to memory of 2072	640	728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe	86
PID 640 wrote to memory of 2072	640	728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe	86
PID 2072 wrote to memory of 4380	2072	IY0um4Qn.exe	87
PID 2072 wrote to memory of 4380	2072	IY0um4Qn.exe	87
PID 2072 wrote to memory of 4380	2072	IY0um4Qn.exe	87
PID 4380 wrote to memory of 1484	4380	vj7tX4Zp.exe	88
PID 4380 wrote to memory of 1484	4380	vj7tX4Zp.exe	88
PID 4380 wrote to memory of 1484	4380	vj7tX4Zp.exe	88
PID 1484 wrote to memory of 1020	1484	tu1Ge6nD.exe	89
PID 1484 wrote to memory of 1020	1484	tu1Ge6nD.exe	89
PID 1484 wrote to memory of 1020	1484	tu1Ge6nD.exe	89
PID 1020 wrote to memory of 2260	1020	ZF4aW7On.exe	90
PID 1020 wrote to memory of 2260	1020	ZF4aW7On.exe	90
PID 1020 wrote to memory of 2260	1020	ZF4aW7On.exe	90
PID 1020 wrote to memory of 1848	1020	ZF4aW7On.exe	91
PID 1020 wrote to memory of 1848	1020	ZF4aW7On.exe	91
PID 1020 wrote to memory of 1848	1020	ZF4aW7On.exe	91

C:\Users\Admin\AppData\Local\Temp\728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe
"C:\Users\Admin\AppData\Local\Temp\728c49c705c2feb57d418020de79d64a70e728af8722694958b0e86a156152bf.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IY0um4Qn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IY0um4Qn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vj7tX4Zp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vj7tX4Zp.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tu1Ge6nD.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tu1Ge6nD.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZF4aW7On.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZF4aW7On.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cE07aO2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cE07aO2.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NA459Pz.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NA459Pz.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IY0um4Qn.exe

Filesize
878KB

MD5
e15021ee6c7d43a7dc42eeee4881f5cb

SHA1
d12fbcdcc91b0aaeab99daf750b16cbe04e8a590

SHA256
0446924addfa9024947381a4171b882afe64adfddd6772ff724142f7afc0ef4a

SHA512
dc0c4a904cd710cd73b5f5bc28fce76f7b7e0c92fe5d48cac8111ed189034b7d80567254dd28f6f22a3b082927288f5dcb406d97e7f73501d6c224595048b4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vj7tX4Zp.exe

Filesize
689KB

MD5
181176d50e71903715a4138112b6b7ca

SHA1
3a4d24d54e2cf0dfd8689509e334fc0b3580e715

SHA256
7306d5119e363242a4975cc75238f7ba26212bf7276ed45f488409f63fd4b853

SHA512
825acf5a2a673a78a1209c148bb1c4f9af1bbd879c14d14f25ae43bdedf66266d4fa6cb84ed8a447eba9f12669f0a54b4ab0749910bebe0547b8aecf6b2f27d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tu1Ge6nD.exe

Filesize
514KB

MD5
576bf3dbab718e6878e3143e9400b7da

SHA1
06f78f57b817e6274c75aa5a72047302398dc0e9

SHA256
ad0a7033e719105aa36557e6b4d1f4ed15105523fdb8321d1211f83e77ac7ad6

SHA512
e2bb900768fa6d37c6da38f3d45f55204617c577a1d4f024a393f450831632c3a875fa12c3e57410ef44e20324a33b7fbe442b22207e7570276a09fb2bb98c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZF4aW7On.exe

Filesize
319KB

MD5
fbfbfee2a248cef4fc7c889edba8b003

SHA1
70d5de51d429fb7f8b0d95cae774bf41d442958e

SHA256
da860f626c73bb3745196ef9d69c6a94d0d6beca6540ba9dc4ca51318eec5068

SHA512
30cb04a4371f209c85406cbe16cdfae267db232cabfb3428ca33be8d964f1f643af31167689cc0af3300d7f325a14587c8987dcb238f21719eff3ead7f302619

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cE07aO2.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NA459Pz.exe

Filesize
222KB

MD5
ffa4aee5cffec58dd53d03fba02286a1

SHA1
c0f293cd017f884de81493b1d8acef2394c26601

SHA256
34502f0782bb537182c0c1011b0c150e33458dac6405858216374bfb206b2833

SHA512
a995c0af7f214548578674c9ab3168d55dd921c0b8077fc24034e286a061476a47d3fc9e94600b64a134cc15473f7884457232c0295f0aac4fdff4a6c8f68d97

Download Submit
memory/1848-38-0x0000000000190000-0x00000000001CE000-memory.dmp

Filesize
248KB

Download
memory/1848-39-0x0000000007410000-0x00000000079B4000-memory.dmp

Filesize
5.6MB

Download
memory/1848-40-0x0000000006F50000-0x0000000006FE2000-memory.dmp

Filesize
584KB

Download
memory/1848-41-0x0000000002380000-0x000000000238A000-memory.dmp

Filesize
40KB

Download
memory/1848-42-0x0000000007FE0000-0x00000000085F8000-memory.dmp

Filesize
6.1MB

Download
memory/1848-43-0x00000000079C0000-0x0000000007ACA000-memory.dmp

Filesize
1.0MB

Download
memory/1848-44-0x0000000007040000-0x0000000007052000-memory.dmp

Filesize
72KB

Download
memory/1848-45-0x0000000007210000-0x000000000724C000-memory.dmp

Filesize
240KB

Download
memory/1848-46-0x0000000007070000-0x00000000070BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads