mystic | 65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e

Analysis

max time kernel
155s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe
Size

943KB
MD5

6adc6ada2339ac051903999bc36faf3b
SHA1

d03e60cb7c43b8af22028b9acb3bf6ef9c69d3c1
SHA256

65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e
SHA512

c73faa5d52818fd0ffab0ff273b96e3745f22e3b90321ef099617b895b1187245f16d7bb820ea415b1fbe62d4dc34b2c3ffa7786bf7d69abcf8933c4b3d00187
SSDEEP

12288:ZMrMy90mejTjWI3jJlZ6Ra6wKX+6FTiVvGe3TBErdyqDXOF5rpFSwxKqzAh2Jpvb:dyWjNMRa6wJUm5BdSyRrpFflNsItt

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2176-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2176-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2176-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2176-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4860	x8014184.exe
5024	x0507411.exe
3548	x5379935.exe
644	g3149978.exe
3060	h3957248.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8014184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0507411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5379935.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 644 set thread context of 2176	644	g3149978.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
628	644	WerFault.exe	91
4100	2176	WerFault.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4860	4188	65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe	88
PID 4188 wrote to memory of 4860	4188	65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe	88
PID 4188 wrote to memory of 4860	4188	65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe	88
PID 4860 wrote to memory of 5024	4860	x8014184.exe	89
PID 4860 wrote to memory of 5024	4860	x8014184.exe	89
PID 4860 wrote to memory of 5024	4860	x8014184.exe	89
PID 5024 wrote to memory of 3548	5024	x0507411.exe	90
PID 5024 wrote to memory of 3548	5024	x0507411.exe	90
PID 5024 wrote to memory of 3548	5024	x0507411.exe	90
PID 3548 wrote to memory of 644	3548	x5379935.exe	91
PID 3548 wrote to memory of 644	3548	x5379935.exe	91
PID 3548 wrote to memory of 644	3548	x5379935.exe	91
PID 644 wrote to memory of 5056	644	g3149978.exe	92
PID 644 wrote to memory of 5056	644	g3149978.exe	92
PID 644 wrote to memory of 5056	644	g3149978.exe	92
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 644 wrote to memory of 2176	644	g3149978.exe	93
PID 3548 wrote to memory of 3060	3548	x5379935.exe	100
PID 3548 wrote to memory of 3060	3548	x5379935.exe	100
PID 3548 wrote to memory of 3060	3548	x5379935.exe	100

C:\Users\Admin\AppData\Local\Temp\65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe
"C:\Users\Admin\AppData\Local\Temp\65affc8699d9413e3016717cf224871127d4e8b346d42ae888abe5f0469e414e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8014184.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8014184.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0507411.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0507411.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5379935.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5379935.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3149978.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3149978.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5056
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 540
        7⤵
        Program crash
        
        PID:4100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 584
        6⤵
        Program crash
        
        PID:628
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3957248.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3957248.exe
        5⤵
        Executes dropped EXE
        
        PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 644 -ip 644
1⤵
PID:484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2176 -ip 2176
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8014184.exe

Filesize
840KB

MD5
6b6b3f8c9d927f682bcfe61d691975ad

SHA1
3372eff8f464750c93d9760728cdac0bff3667f0

SHA256
c37ad17236cb25a065ac7cdbef925d8019c0dab9c9de0f25c337f46331eb8113

SHA512
0badf2cba3c7991f8e18bf361bce4ac4ea616619fee21ce5e8465207af82bba05948577e9a78126e6da1366f75477439fe04a4a8036f14c676299207a4b880c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8014184.exe

Filesize
840KB

MD5
6b6b3f8c9d927f682bcfe61d691975ad

SHA1
3372eff8f464750c93d9760728cdac0bff3667f0

SHA256
c37ad17236cb25a065ac7cdbef925d8019c0dab9c9de0f25c337f46331eb8113

SHA512
0badf2cba3c7991f8e18bf361bce4ac4ea616619fee21ce5e8465207af82bba05948577e9a78126e6da1366f75477439fe04a4a8036f14c676299207a4b880c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0507411.exe

Filesize
563KB

MD5
928d21209f6f55e643983d0a6f67a6ef

SHA1
77ad9e90256cca3d295297b3eb11fd731f00f89a

SHA256
3aa14dcb8162faf16c0766546c4adf1796ae60272c43d4e4ff8e1598aaeb2a9c

SHA512
035393d743df98f16d594283dc8cc72fce8bdd9dcd9dd175e79675a1637252324147903269e9f18cf402f6fb4f917f20bf6ea3cff27527329c1c8ad5561bc781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0507411.exe

Filesize
563KB

MD5
928d21209f6f55e643983d0a6f67a6ef

SHA1
77ad9e90256cca3d295297b3eb11fd731f00f89a

SHA256
3aa14dcb8162faf16c0766546c4adf1796ae60272c43d4e4ff8e1598aaeb2a9c

SHA512
035393d743df98f16d594283dc8cc72fce8bdd9dcd9dd175e79675a1637252324147903269e9f18cf402f6fb4f917f20bf6ea3cff27527329c1c8ad5561bc781

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5379935.exe

Filesize
397KB

MD5
28cb9be91ce739456924b29576ed6c1f

SHA1
7a1da9c629e658e80ff86f677a0c8ac95f08fd93

SHA256
bf72065e27e4c425f64c84b029d15fef07105565faf31cc947c03f6d0c043572

SHA512
4b8281c0ddaf457b4cff82f80cea1cc23ae2f01ecf90e21ab8c2580ae33dc54bb3c2a01c032e84b9e1aa05a1e89fadc1239eb19a419a1910ecc3e20bf482de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5379935.exe

Filesize
397KB

MD5
28cb9be91ce739456924b29576ed6c1f

SHA1
7a1da9c629e658e80ff86f677a0c8ac95f08fd93

SHA256
bf72065e27e4c425f64c84b029d15fef07105565faf31cc947c03f6d0c043572

SHA512
4b8281c0ddaf457b4cff82f80cea1cc23ae2f01ecf90e21ab8c2580ae33dc54bb3c2a01c032e84b9e1aa05a1e89fadc1239eb19a419a1910ecc3e20bf482de33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3149978.exe

Filesize
379KB

MD5
f09f02eea4e05534b673ea1eb54999f1

SHA1
dfe9ebbe4a3a2da11236ade6c1da153130446e2f

SHA256
a52570ed3932795ef2b4d9af2e1d3b232135ae6a49a55cd0c1789a77ce9c39d2

SHA512
4c1b638c846e3a6322d672be79b08473e54da2e1d05e0ecc14163b1b09148f72869b38c059c881a6021a866139a5d9955561786420ad4d27c1baa6d4c48da5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3149978.exe

Filesize
379KB

MD5
f09f02eea4e05534b673ea1eb54999f1

SHA1
dfe9ebbe4a3a2da11236ade6c1da153130446e2f

SHA256
a52570ed3932795ef2b4d9af2e1d3b232135ae6a49a55cd0c1789a77ce9c39d2

SHA512
4c1b638c846e3a6322d672be79b08473e54da2e1d05e0ecc14163b1b09148f72869b38c059c881a6021a866139a5d9955561786420ad4d27c1baa6d4c48da5ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3957248.exe

Filesize
174KB

MD5
9354ccdebdddd851b0b62b3f0c3e2885

SHA1
c5b010296713c2c516dedd6d63ef47f15d30c699

SHA256
19d9a3e4ae7a62618a30c4dd44c98bfcf4a3d4378d99dae85f3758a24e5452ae

SHA512
15f73299633d2f88ad1088edd28657163faea10e793a6d2891cc1ad4bfa92f0329e1858aabb5b81511c157f0720dac9952d0970a498831ad47ba533f9b308108

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3957248.exe

Filesize
174KB

MD5
9354ccdebdddd851b0b62b3f0c3e2885

SHA1
c5b010296713c2c516dedd6d63ef47f15d30c699

SHA256
19d9a3e4ae7a62618a30c4dd44c98bfcf4a3d4378d99dae85f3758a24e5452ae

SHA512
15f73299633d2f88ad1088edd28657163faea10e793a6d2891cc1ad4bfa92f0329e1858aabb5b81511c157f0720dac9952d0970a498831ad47ba533f9b308108

Download Submit
memory/2176-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2176-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2176-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2176-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3060-39-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/3060-37-0x0000000000180000-0x00000000001B0000-memory.dmp

Filesize
192KB

Download
memory/3060-38-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3060-36-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/3060-40-0x000000000A860000-0x000000000AE78000-memory.dmp

Filesize
6.1MB

Download
memory/3060-41-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/3060-42-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/3060-43-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3060-44-0x000000000A240000-0x000000000A27C000-memory.dmp

Filesize
240KB

Download
memory/3060-45-0x000000000A280000-0x000000000A2CC000-memory.dmp

Filesize
304KB

Download
memory/3060-46-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads