mystic | 14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d

Analysis

max time kernel
178s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Size

929KB
MD5

299cd7a2e02c1750355def68009a316e
SHA1

1940e007e036b2491e3167792dd13adb74dd231c
SHA256

14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d
SHA512

0182a16b0990007d380e7a6d02390d27c094e4801f5607053597ed8f6c8afab9aa95373e041c47b7d22d588d0528d42e62ed75922bd3f524ae72938fc7412e04
SSDEEP

24576:pyN6kW2AV6b/11GMCW29D6SKE/yWah3n4:cXWBO/vCWCeRJ

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1028-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1028-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1028-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1028-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
636	x7746723.exe
2684	x1697115.exe
536	x9833609.exe
3856	g1472671.exe
4668	h2124964.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7746723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1697115.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9833609.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3856 set thread context of 1028	3856	g1472671.exe	94

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4112	1028	WerFault.exe	94
1140	1028	WerFault.exe	94
544	3856	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 636	4588	14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe	86
PID 4588 wrote to memory of 636	4588	14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe	86
PID 4588 wrote to memory of 636	4588	14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe	86
PID 636 wrote to memory of 2684	636	x7746723.exe	88
PID 636 wrote to memory of 2684	636	x7746723.exe	88
PID 636 wrote to memory of 2684	636	x7746723.exe	88
PID 2684 wrote to memory of 536	2684	x1697115.exe	89
PID 2684 wrote to memory of 536	2684	x1697115.exe	89
PID 2684 wrote to memory of 536	2684	x1697115.exe	89
PID 536 wrote to memory of 3856	536	x9833609.exe	90
PID 536 wrote to memory of 3856	536	x9833609.exe	90
PID 536 wrote to memory of 3856	536	x9833609.exe	90
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 3856 wrote to memory of 1028	3856	g1472671.exe	94
PID 1028 wrote to memory of 4112	1028	AppLaunch.exe	99
PID 1028 wrote to memory of 4112	1028	AppLaunch.exe	99
PID 1028 wrote to memory of 4112	1028	AppLaunch.exe	99
PID 536 wrote to memory of 4668	536	x9833609.exe	104
PID 536 wrote to memory of 4668	536	x9833609.exe	104
PID 536 wrote to memory of 4668	536	x9833609.exe	104

C:\Users\Admin\AppData\Local\Temp\14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
"C:\Users\Admin\AppData\Local\Temp\14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7746723.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7746723.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1697115.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1697115.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9833609.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9833609.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1472671.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1472671.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 540
        7⤵
        Program crash
        
        PID:4112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 540
        7⤵
        Program crash
        
        PID:1140
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 580
        6⤵
        Program crash
        
        PID:544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2124964.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2124964.exe
        5⤵
        Executes dropped EXE
        
        PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3856 -ip 3856
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1028 -ip 1028
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7746723.exe

Filesize
827KB

MD5
c3fdb3b40ca2d65e2e4af55bce498de2

SHA1
9d151d7809273f241835d541a2a2977861196137

SHA256
7b452398ec5d8d7b96497e8825b207f55d5e5b710120508325773a27cb162e4a

SHA512
7155d7a6e58a8b574cd964261477eb3e936939e3837356e7efe594f84ab2802a7569c19c9daf265afd72080c7524388ca80c448da07439ef811386c7a69513ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7746723.exe

Filesize
827KB

MD5
c3fdb3b40ca2d65e2e4af55bce498de2

SHA1
9d151d7809273f241835d541a2a2977861196137

SHA256
7b452398ec5d8d7b96497e8825b207f55d5e5b710120508325773a27cb162e4a

SHA512
7155d7a6e58a8b574cd964261477eb3e936939e3837356e7efe594f84ab2802a7569c19c9daf265afd72080c7524388ca80c448da07439ef811386c7a69513ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1697115.exe

Filesize
556KB

MD5
c33744d8cad19bfd740ce6cabcb9f1ac

SHA1
3675b10687c7ddd481a0d0fc1d39366a5fe4be3e

SHA256
bee2bb9ebd6874d9ff991a9ca87a1d4aea05fe048f1fb267b14e598183654175

SHA512
c9024a67cf9a071ea1143adf84951c4f07579bb8fd027020656e1de9212a616e758ee3eeb256b9fc88fb625cb700e3e20e229710c7ab8005b09c8ec66150a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1697115.exe

Filesize
556KB

MD5
c33744d8cad19bfd740ce6cabcb9f1ac

SHA1
3675b10687c7ddd481a0d0fc1d39366a5fe4be3e

SHA256
bee2bb9ebd6874d9ff991a9ca87a1d4aea05fe048f1fb267b14e598183654175

SHA512
c9024a67cf9a071ea1143adf84951c4f07579bb8fd027020656e1de9212a616e758ee3eeb256b9fc88fb625cb700e3e20e229710c7ab8005b09c8ec66150a9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9833609.exe

Filesize
390KB

MD5
933339ff4765f9e3630baed076868467

SHA1
c6b708b7f9f98278d87a1c6ec87921ddb4c217b7

SHA256
105a2d1aff2df1fc57b8f8856fe1510ae920588d178186337b16145fcf7ba003

SHA512
3eaae45c982559afbdc331a5556f9848377523e98d46ea9b0c29762496ffb0f560132312b7e62a4664835b53e11a09212bf1b9018259f8f19a89c1d43ad0fb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9833609.exe

Filesize
390KB

MD5
933339ff4765f9e3630baed076868467

SHA1
c6b708b7f9f98278d87a1c6ec87921ddb4c217b7

SHA256
105a2d1aff2df1fc57b8f8856fe1510ae920588d178186337b16145fcf7ba003

SHA512
3eaae45c982559afbdc331a5556f9848377523e98d46ea9b0c29762496ffb0f560132312b7e62a4664835b53e11a09212bf1b9018259f8f19a89c1d43ad0fb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1472671.exe

Filesize
364KB

MD5
4e1c7fbe3241183f21f6c7a072c0e6f2

SHA1
94c6fef9d18edee7ac9a5f7e34426a19b6ac66ac

SHA256
4ae13bd7742258b4d5a7c0b584ffa5528fb716c39effb970872a7d7206059ae7

SHA512
19af1f44c93dd6f93ae8de060b4bde3e3ca4d009249d1f52908673161fa53ccc1c30d5fdf50e41b7b296b384310f75d075fe11b966f3e932a1b4745a424f8992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1472671.exe

Filesize
364KB

MD5
4e1c7fbe3241183f21f6c7a072c0e6f2

SHA1
94c6fef9d18edee7ac9a5f7e34426a19b6ac66ac

SHA256
4ae13bd7742258b4d5a7c0b584ffa5528fb716c39effb970872a7d7206059ae7

SHA512
19af1f44c93dd6f93ae8de060b4bde3e3ca4d009249d1f52908673161fa53ccc1c30d5fdf50e41b7b296b384310f75d075fe11b966f3e932a1b4745a424f8992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2124964.exe

Filesize
174KB

MD5
7e4c41523355a20df5aec47e8bcb7662

SHA1
956e017a956c98c54b8c0cd42043c8fc8182dc3f

SHA256
981781d0bff90f633f405b4961ae84e5268be233e68750e81fcc16b67f74dcd7

SHA512
a08db4f9f6feb1446ea742a6bbfde59aade8c69849c227db4863e46d2560c3772fc0c9630bcdd01f344cdb203061cc9b3d61a3f16e598a5c928d3716c306919d

Download Submit
memory/1028-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1028-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1028-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1028-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads