mystic | 168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600

Analysis

max time kernel
149s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe
Size

929KB
MD5

8956e752d308694b1d1c076aa0f01382
SHA1

c574c2f08e08eabff5d2596cfc1f15361c9159a5
SHA256

168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600
SHA512

1b79a0d3147db43c398efdb10abe651268108f3921b46c2eaaf0419221e8c6c6750760d69b460bd03ff9c4d8c2e74a83179128bb244a472e5f6d613e340d25d8
SSDEEP

12288:+Mr7y90OiXqgiZCQSU57qewBRPPTABw2LgqitgKkp3kGCe6j5aE4PRbWV71c2Up0:Jy/eqn4BU5YP8m2LgnuhKiPNWc/E

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3880-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3880-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3880-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3880-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4012	x9620043.exe
4516	x8273733.exe
4412	x0305732.exe
1928	g1601036.exe
1692	h2767224.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9620043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8273733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0305732.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 3880	1928	g1601036.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2872	3880	WerFault.exe	93
4704	1928	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 4012	4352	168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe	86
PID 4352 wrote to memory of 4012	4352	168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe	86
PID 4352 wrote to memory of 4012	4352	168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe	86
PID 4012 wrote to memory of 4516	4012	x9620043.exe	88
PID 4012 wrote to memory of 4516	4012	x9620043.exe	88
PID 4012 wrote to memory of 4516	4012	x9620043.exe	88
PID 4516 wrote to memory of 4412	4516	x8273733.exe	89
PID 4516 wrote to memory of 4412	4516	x8273733.exe	89
PID 4516 wrote to memory of 4412	4516	x8273733.exe	89
PID 4412 wrote to memory of 1928	4412	x0305732.exe	90
PID 4412 wrote to memory of 1928	4412	x0305732.exe	90
PID 4412 wrote to memory of 1928	4412	x0305732.exe	90
PID 1928 wrote to memory of 4020	1928	g1601036.exe	92
PID 1928 wrote to memory of 4020	1928	g1601036.exe	92
PID 1928 wrote to memory of 4020	1928	g1601036.exe	92
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 1928 wrote to memory of 3880	1928	g1601036.exe	93
PID 4412 wrote to memory of 1692	4412	x0305732.exe	102
PID 4412 wrote to memory of 1692	4412	x0305732.exe	102
PID 4412 wrote to memory of 1692	4412	x0305732.exe	102

C:\Users\Admin\AppData\Local\Temp\168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe
"C:\Users\Admin\AppData\Local\Temp\168773a80b7139041f523acc4f3f8893af24bfc2834124b92f3ba9d29f535600.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9620043.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9620043.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8273733.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8273733.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0305732.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0305732.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1601036.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1601036.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4020
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 540
        7⤵
        Program crash
        
        PID:2872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 572
        6⤵
        Program crash
        
        PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2767224.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2767224.exe
        5⤵
        Executes dropped EXE
        
        PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3880 -ip 3880
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1928 -ip 1928
1⤵
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9620043.exe

Filesize
827KB

MD5
c3075674df03e557a00287a7c414eb68

SHA1
90723978257625ada7ffed9908dc9a30f58ee4a0

SHA256
0b829fa0ab536f8de9f07293406eb0aab4c38849612467ee1b30cfe757c57639

SHA512
633b76d70727da212bdf586cb15698f7d935cf5749307dcdfd5c226221d653592563e22368d032d8bbf97c164db7ce1e601d01d274822bff03d2f460f11e5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9620043.exe

Filesize
827KB

MD5
c3075674df03e557a00287a7c414eb68

SHA1
90723978257625ada7ffed9908dc9a30f58ee4a0

SHA256
0b829fa0ab536f8de9f07293406eb0aab4c38849612467ee1b30cfe757c57639

SHA512
633b76d70727da212bdf586cb15698f7d935cf5749307dcdfd5c226221d653592563e22368d032d8bbf97c164db7ce1e601d01d274822bff03d2f460f11e5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8273733.exe

Filesize
556KB

MD5
d94288950e2ef0596036f5ef6b77a310

SHA1
f9540c3415b9422d875e606a72abdda583bf8e4e

SHA256
0945175da00d2d09184978ca7e8f5ebef3222ddeaff36340ce46e3021588a4b9

SHA512
a04552cbb75f541a16ff7d1b7482cd5e44238994825ca9fde9b82f2c176506e4e94790979a26fd841830ecb0f6ff8927eea199e096e0b39c3a4817e8217b2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8273733.exe

Filesize
556KB

MD5
d94288950e2ef0596036f5ef6b77a310

SHA1
f9540c3415b9422d875e606a72abdda583bf8e4e

SHA256
0945175da00d2d09184978ca7e8f5ebef3222ddeaff36340ce46e3021588a4b9

SHA512
a04552cbb75f541a16ff7d1b7482cd5e44238994825ca9fde9b82f2c176506e4e94790979a26fd841830ecb0f6ff8927eea199e096e0b39c3a4817e8217b2be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0305732.exe

Filesize
390KB

MD5
1ae714532a0132d06842852c8fa831b0

SHA1
ad600c9876a000de7636996463e4690bd3bb41b5

SHA256
a0d3cf05a613ec8f8c85b3a0ca05e5bd0d18d951abffb5af1ff7da197b7ff716

SHA512
195fc4847fa062a139dcbe68c1b9d82bb8e9b7d7073274ef4d8a6fad2e06dd8f648ba2e5d20c0fa17771dc1de1759653a1864ed7283674cd378305731ccb8e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0305732.exe

Filesize
390KB

MD5
1ae714532a0132d06842852c8fa831b0

SHA1
ad600c9876a000de7636996463e4690bd3bb41b5

SHA256
a0d3cf05a613ec8f8c85b3a0ca05e5bd0d18d951abffb5af1ff7da197b7ff716

SHA512
195fc4847fa062a139dcbe68c1b9d82bb8e9b7d7073274ef4d8a6fad2e06dd8f648ba2e5d20c0fa17771dc1de1759653a1864ed7283674cd378305731ccb8e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1601036.exe

Filesize
364KB

MD5
48eb9cffae6a74a23b42a15adbda7636

SHA1
0a04d0aa7b600efea3893d17b0f7782388856177

SHA256
03caca496bb9752a775e8e1f64f979b554dee16fa2fae0bc7f8c7acb2e17c9ba

SHA512
d124bd004b2130fb16b27a64faa35fb12f25dd1ef89a28cb601cb3d8f1c36fc821d145c163ea952e16d3b9e2eec702ee44220173e21d6c588968f44928a066c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1601036.exe

Filesize
364KB

MD5
48eb9cffae6a74a23b42a15adbda7636

SHA1
0a04d0aa7b600efea3893d17b0f7782388856177

SHA256
03caca496bb9752a775e8e1f64f979b554dee16fa2fae0bc7f8c7acb2e17c9ba

SHA512
d124bd004b2130fb16b27a64faa35fb12f25dd1ef89a28cb601cb3d8f1c36fc821d145c163ea952e16d3b9e2eec702ee44220173e21d6c588968f44928a066c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2767224.exe

Filesize
173KB

MD5
0a1f97e96b4e8cf90ac27737258409da

SHA1
67256eb5c44e0dad889975e31f18ef528f0d1c80

SHA256
634044b21d789075bbd8a484f7d4f1ffcee90dcd3236f179394db9a9333fe5b8

SHA512
aed91cd9a4589699df881e14c2ff513cfa382927e35c7fd46a3539a150426e147f5f9e21e63f1c097bd43731cf1471dcab8f107993d2045fe90aa05bff7277af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2767224.exe

Filesize
173KB

MD5
0a1f97e96b4e8cf90ac27737258409da

SHA1
67256eb5c44e0dad889975e31f18ef528f0d1c80

SHA256
634044b21d789075bbd8a484f7d4f1ffcee90dcd3236f179394db9a9333fe5b8

SHA512
aed91cd9a4589699df881e14c2ff513cfa382927e35c7fd46a3539a150426e147f5f9e21e63f1c097bd43731cf1471dcab8f107993d2045fe90aa05bff7277af

Download Submit
memory/1692-39-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/1692-42-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/1692-46-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/1692-45-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/1692-36-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/1692-37-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/1692-44-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/1692-40-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/1692-38-0x0000000005540000-0x0000000005546000-memory.dmp

Filesize
24KB

Download
memory/1692-41-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/1692-43-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/3880-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3880-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3880-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3880-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads