mystic | be3323c3b2bd6ba736703199d528de6bf1396e8a7c6b9b58e4ca31fda43b00e0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe
Size

958KB
MD5

4ad1e312b136f5dd68262f68956e8eb2
SHA1

bf6029901839942b3becfcab9d2b40bb90b46aa2
SHA256

a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609
SHA512

65daf9d1b3fe2b401fad5a89611bf33798feea6d701bb54852360593b16f39e94e502f2ccc5ddf7581929f069e511ce78f1a45b552e7638280e07829137302d4
SSDEEP

12288:oMrfy909VUE3/HgdPY5VZEcVM3VFE481hDVaLldi52tiIDayvr/JOCvVvq9Qj0W6:3yAfHgdPY5/4P9AZ+ftibCvViC96

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yi26qy9.exe mystic_family
Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Av466Gj.exe family_redline
behavioral15/memory/4152-24-0x00000000001B0000-0x00000000001EE000-memory.dmp family_redline
Executes dropped EXE 4 IoCs

Processes:

Rz4UK7aI.exeIo4vk1So.exe1Yi26qy9.exe2Av466Gj.exe

pid process

3580 Rz4UK7aI.exe
3628 Io4vk1So.exe
3336 1Yi26qy9.exe
4152 2Av466Gj.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yi26qy9.exe	mystic_family

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Av466Gj.exe	family_redline
behavioral15/memory/4152-24-0x00000000001B0000-0x00000000001EE000-memory.dmp	family_redline

pid	process
3580	Rz4UK7aI.exe
3628	Io4vk1So.exe
3336	1Yi26qy9.exe
4152	2Av466Gj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Io4vk1So.exea22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exeRz4UK7aI.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Io4vk1So.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rz4UK7aI.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exeRz4UK7aI.exeIo4vk1So.exe

description	pid	process	target process
PID 3960 wrote to memory of 3580	3960	a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe	Rz4UK7aI.exe
PID 3960 wrote to memory of 3580	3960	a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe	Rz4UK7aI.exe
PID 3960 wrote to memory of 3580	3960	a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe	Rz4UK7aI.exe
PID 3580 wrote to memory of 3628	3580	Rz4UK7aI.exe	Io4vk1So.exe
PID 3580 wrote to memory of 3628	3580	Rz4UK7aI.exe	Io4vk1So.exe
PID 3580 wrote to memory of 3628	3580	Rz4UK7aI.exe	Io4vk1So.exe
PID 3628 wrote to memory of 3336	3628	Io4vk1So.exe	1Yi26qy9.exe
PID 3628 wrote to memory of 3336	3628	Io4vk1So.exe	1Yi26qy9.exe
PID 3628 wrote to memory of 3336	3628	Io4vk1So.exe	1Yi26qy9.exe
PID 3628 wrote to memory of 4152	3628	Io4vk1So.exe	2Av466Gj.exe
PID 3628 wrote to memory of 4152	3628	Io4vk1So.exe	2Av466Gj.exe
PID 3628 wrote to memory of 4152	3628	Io4vk1So.exe	2Av466Gj.exe

C:\Users\Admin\AppData\Local\Temp\a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe
"C:\Users\Admin\AppData\Local\Temp\a22013e24eeee6554ffcf19b609bfeede13c94b56b9432fbdd25b9cdebaab609.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz4UK7aI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz4UK7aI.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Io4vk1So.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Io4vk1So.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yi26qy9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yi26qy9.exe
4⤵
- Executes dropped EXE
PID:3336

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Av466Gj.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Av466Gj.exe
4⤵
- Executes dropped EXE
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz4UK7aI.exe
Filesize
524KB

MD5
f6f1079f2f1f431a07a0f38d94eb119c

SHA1
ce4380a8502aaa5cfb4daa415f0f7899c5f17ca1

SHA256
f191c21038b4ed5ff71948476aac8ac2e148fc9b69e59ce649e91e7392eb241b

SHA512
27f390408671dc3b1d899c7b8f5e0cc93edd450557981fb563efeb07f7bd7c6fd1b91ce9d007c237b1b815d75e0e3ec75321a73b6dd9cb75a557a18dadf0b1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Io4vk1So.exe
Filesize
324KB

MD5
51e2cea8a22fbec57cc0e831e96fd462

SHA1
602a2c35fbbfa7169a4aa84c42248801331dd75c

SHA256
29b1760366159610f981c96b5a1f167377daf242506001461dfb21bc6d9bd0d4

SHA512
2bbc55a5e5cda105fa74e8883f2238cf59cf2b43a6d63449ae94617994c3d0b6fc8a09b86a09f2f81cacbc2838e2bbe54c74f814634f50044389daa26b43c316

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Yi26qy9.exe
Filesize
186KB

MD5
3a24a41f3044d90555f6cdea0f2533f8

SHA1
25a1913e9e41dd13039d023a5f63a050256c72ca

SHA256
5e900b7d563b6dc3f5c5db7386ae7ea83ec512b1a72a1cac6d16d17110a90253

SHA512
8d12aca702a3f81329fe0dad30b28269fd9933b5493e8d978080fbee9b66a1727b76b6230d910a9cda1ca68141b55ef7b63fd3f7de077eb453da7d8b44f5b837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Av466Gj.exe
Filesize
222KB

MD5
9e0956c42728e4942da2f703075f1b7e

SHA1
4bdaf4fb7d0a7cbd873e99cdb5f4ccad9a0ad321

SHA256
f790216de2ae2f24f9accb9bd06e7d692b6c6b9f2cf58fd612c6365ea7138544

SHA512
a5e27914dff7258e372b51061bf075bdb1f1769881faf9adf185a56dd8a8b9f6cbe27a62100965cd40159f9aebb92a14b74a6078e60e8a7cba7920f3cd7b7c2e

Download Submit
memory/4152-24-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/4152-25-0x00000000075B0000-0x0000000007B54000-memory.dmp

Filesize
5.6MB

Download
memory/4152-26-0x00000000070B0000-0x0000000007142000-memory.dmp

Filesize
584KB

Download
memory/4152-27-0x0000000004680000-0x000000000468A000-memory.dmp

Filesize
40KB

Download
memory/4152-28-0x0000000008180000-0x0000000008798000-memory.dmp

Filesize
6.1MB

Download
memory/4152-29-0x0000000007380000-0x000000000748A000-memory.dmp

Filesize
1.0MB

Download
memory/4152-30-0x00000000072A0000-0x00000000072B2000-memory.dmp

Filesize
72KB

Download
memory/4152-31-0x0000000007300000-0x000000000733C000-memory.dmp

Filesize
240KB

Download
memory/4152-32-0x0000000007490000-0x00000000074DC000-memory.dmp

Filesize
304KB

Download