mystic | 0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa

Analysis

max time kernel
166s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe
Size

930KB
MD5

b5b8275871d3e90880243c2f63773b44
SHA1

68cee9fcc2c3fb423e76f315e6674ad78c5aa470
SHA256

0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa
SHA512

1797f3f8cf29ef8b3d6f487b5ed8895c8e6f52f40068af26b3a64655ca7abbb2210b530e0a445fa12db73b70fb3dc881d73ff75bb12baf12fa7c7a32797af565
SSDEEP

24576:JyGHzE2na/rmOY642zUZO1sGiNptAS3Q+oUji:8Gi/rfYYzUhGiNAQ5oUj

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4436-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4436-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4436-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4436-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4620	x8148181.exe
752	x6430449.exe
3892	x0095840.exe
4968	g9960039.exe
3568	h3478173.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8148181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6430449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0095840.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 4436	4968	g9960039.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2624	4436	WerFault.exe	92
5000	4968	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4620	3844	0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe	86
PID 3844 wrote to memory of 4620	3844	0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe	86
PID 3844 wrote to memory of 4620	3844	0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe	86
PID 4620 wrote to memory of 752	4620	x8148181.exe	87
PID 4620 wrote to memory of 752	4620	x8148181.exe	87
PID 4620 wrote to memory of 752	4620	x8148181.exe	87
PID 752 wrote to memory of 3892	752	x6430449.exe	89
PID 752 wrote to memory of 3892	752	x6430449.exe	89
PID 752 wrote to memory of 3892	752	x6430449.exe	89
PID 3892 wrote to memory of 4968	3892	x0095840.exe	90
PID 3892 wrote to memory of 4968	3892	x0095840.exe	90
PID 3892 wrote to memory of 4968	3892	x0095840.exe	90
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 4968 wrote to memory of 4436	4968	g9960039.exe	92
PID 3892 wrote to memory of 3568	3892	x0095840.exe	98
PID 3892 wrote to memory of 3568	3892	x0095840.exe	98
PID 3892 wrote to memory of 3568	3892	x0095840.exe	98

C:\Users\Admin\AppData\Local\Temp\0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe
"C:\Users\Admin\AppData\Local\Temp\0ace97e500233accdd2c9acf29982d630386122f7629be629de7a6a782662ffa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8148181.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8148181.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6430449.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6430449.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0095840.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0095840.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3892
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9960039.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9960039.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4968
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 540
        7⤵
        Program crash
        
        PID:2624
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 580
        6⤵
        Program crash
        
        PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3478173.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3478173.exe
        5⤵
        Executes dropped EXE
        
        PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4436 -ip 4436
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4968 -ip 4968
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8148181.exe

Filesize
828KB

MD5
2cee37f7b418d91fa7b5886e696508b6

SHA1
62967c33d35ab853fefbfda14edd2ad0de4e91b2

SHA256
373bc546fe541081a6eb9b5263e6bfe4a6d17ebe2860a1647df2091be64ce04a

SHA512
90958c9d356a616b0a50771ba8664d614f1a75f28cef3411ea3d78454f8363510f369ed3dda15648c10f4c913afbfd637f2635b2abcd2308d2241570d29c4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8148181.exe

Filesize
828KB

MD5
2cee37f7b418d91fa7b5886e696508b6

SHA1
62967c33d35ab853fefbfda14edd2ad0de4e91b2

SHA256
373bc546fe541081a6eb9b5263e6bfe4a6d17ebe2860a1647df2091be64ce04a

SHA512
90958c9d356a616b0a50771ba8664d614f1a75f28cef3411ea3d78454f8363510f369ed3dda15648c10f4c913afbfd637f2635b2abcd2308d2241570d29c4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6430449.exe

Filesize
557KB

MD5
748d3a468294e61050acc81bbdf54e93

SHA1
dd69ab55168fa6754580494246ad9c632eb65204

SHA256
9ca4d2402efa30daed13f1b7f470c838278b3631a75fce8f8f252e177e47ecc1

SHA512
ec80dccc618812ae429ecb91030c25436cc0c5f12a775688a3f63424866266e088556a392e2cdc04820795ad1e29f9d7bc3bfa4d47a98092fa0610fd634c0986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6430449.exe

Filesize
557KB

MD5
748d3a468294e61050acc81bbdf54e93

SHA1
dd69ab55168fa6754580494246ad9c632eb65204

SHA256
9ca4d2402efa30daed13f1b7f470c838278b3631a75fce8f8f252e177e47ecc1

SHA512
ec80dccc618812ae429ecb91030c25436cc0c5f12a775688a3f63424866266e088556a392e2cdc04820795ad1e29f9d7bc3bfa4d47a98092fa0610fd634c0986

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0095840.exe

Filesize
391KB

MD5
4670cf09188d20f44f1e5fa0a799d629

SHA1
cd4d95cb5eef8be0dd69b02eca8cb868291105b8

SHA256
fbd94623bbe6094166d921a1ae453d9152ed864dd87af31d3dfc98a799d4272f

SHA512
7cdcfa4c20a8db9b445ec17001377ec6fd6c294c9ac4ef1bf405eb69e3d4fa75158993fa07ea8f0924575c7caf137bc7cfe9572cba809986b9bac8a19740b2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0095840.exe

Filesize
391KB

MD5
4670cf09188d20f44f1e5fa0a799d629

SHA1
cd4d95cb5eef8be0dd69b02eca8cb868291105b8

SHA256
fbd94623bbe6094166d921a1ae453d9152ed864dd87af31d3dfc98a799d4272f

SHA512
7cdcfa4c20a8db9b445ec17001377ec6fd6c294c9ac4ef1bf405eb69e3d4fa75158993fa07ea8f0924575c7caf137bc7cfe9572cba809986b9bac8a19740b2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9960039.exe

Filesize
364KB

MD5
6ea7375de68b14af3a1c599cb7907a6b

SHA1
2ce6474ad65fa64454df4863fc0e6df8eaa24b59

SHA256
cd03729a839b71a48c7b2e2d68dd7c4518c48e2a194331ce8f9a45c946e10193

SHA512
1a674fc35dc6cdb6aac7cb67737281525532d9584fcbad52a485354eff40b9a89fb0d5e6985c983e5d5c4c64e7c331d23eeee9a3f2028f5ebe80398a4e1c792a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9960039.exe

Filesize
364KB

MD5
6ea7375de68b14af3a1c599cb7907a6b

SHA1
2ce6474ad65fa64454df4863fc0e6df8eaa24b59

SHA256
cd03729a839b71a48c7b2e2d68dd7c4518c48e2a194331ce8f9a45c946e10193

SHA512
1a674fc35dc6cdb6aac7cb67737281525532d9584fcbad52a485354eff40b9a89fb0d5e6985c983e5d5c4c64e7c331d23eeee9a3f2028f5ebe80398a4e1c792a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3478173.exe

Filesize
174KB

MD5
ef5a7984dd95f43496490a3320715747

SHA1
77398f675b63f81833fac193ced616397d77b1ab

SHA256
8fa6de1f03e8ffeefcd0593c9e33019481b86e7c9b395462206700306913be47

SHA512
47586c3567021b1e2166c7c7b28fb533c1851134cd2e72221263cb64ee34a956ae8a602dde2339ec082dbab4516340cad96b7225fdcbaf1f064da7dc826a2845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3478173.exe

Filesize
174KB

MD5
ef5a7984dd95f43496490a3320715747

SHA1
77398f675b63f81833fac193ced616397d77b1ab

SHA256
8fa6de1f03e8ffeefcd0593c9e33019481b86e7c9b395462206700306913be47

SHA512
47586c3567021b1e2166c7c7b28fb533c1851134cd2e72221263cb64ee34a956ae8a602dde2339ec082dbab4516340cad96b7225fdcbaf1f064da7dc826a2845

Download Submit
memory/3568-39-0x0000000005F90000-0x00000000065A8000-memory.dmp

Filesize
6.1MB

Download
memory/3568-40-0x0000000005A90000-0x0000000005B9A000-memory.dmp

Filesize
1.0MB

Download
memory/3568-46-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3568-45-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3568-36-0x0000000000F00000-0x0000000000F30000-memory.dmp

Filesize
192KB

Download
memory/3568-37-0x0000000074AD0000-0x0000000075280000-memory.dmp

Filesize
7.7MB

Download
memory/3568-44-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

Filesize
304KB

Download
memory/3568-43-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/3568-38-0x0000000003250000-0x0000000003256000-memory.dmp

Filesize
24KB

Download
memory/3568-41-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3568-42-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/4436-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4436-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4436-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4436-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads