mystic | 1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b

Analysis

max time kernel
148s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe
Size

924KB
MD5

5517f73ecd24fa9d53627b8ce7c4cecc
SHA1

13ed6802d17741dfc57478402b8c3196b8b7aedc
SHA256

1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b
SHA512

81115f58bd93fa545162c14cc6a8ed13928dfed5a1a54fc30818dadc105e58a1fe8de68d29dcfdc1bb29d523e03732010b3d9a717abd570210a5f0a7d230a5ed
SSDEEP

24576:AyGSlOJbe3w7XrzNM1Q+K1NaU4K9o2Pc65GoksrZonbf:HIJbwwrrzNS8t44Pc65Go6b

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1604-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1604-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1604-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1604-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3908	x3743348.exe
1628	x9760250.exe
2168	x1374639.exe
3448	g5407336.exe
4236	h2786093.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3743348.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9760250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1374639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 1604	3448	g5407336.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4232	3448	WerFault.exe	88
2112	1604	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3908	3984	1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe	85
PID 3984 wrote to memory of 3908	3984	1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe	85
PID 3984 wrote to memory of 3908	3984	1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe	85
PID 3908 wrote to memory of 1628	3908	x3743348.exe	86
PID 3908 wrote to memory of 1628	3908	x3743348.exe	86
PID 3908 wrote to memory of 1628	3908	x3743348.exe	86
PID 1628 wrote to memory of 2168	1628	x9760250.exe	87
PID 1628 wrote to memory of 2168	1628	x9760250.exe	87
PID 1628 wrote to memory of 2168	1628	x9760250.exe	87
PID 2168 wrote to memory of 3448	2168	x1374639.exe	88
PID 2168 wrote to memory of 3448	2168	x1374639.exe	88
PID 2168 wrote to memory of 3448	2168	x1374639.exe	88
PID 3448 wrote to memory of 2548	3448	g5407336.exe	91
PID 3448 wrote to memory of 2548	3448	g5407336.exe	91
PID 3448 wrote to memory of 2548	3448	g5407336.exe	91
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 3448 wrote to memory of 1604	3448	g5407336.exe	89
PID 2168 wrote to memory of 4236	2168	x1374639.exe	101
PID 2168 wrote to memory of 4236	2168	x1374639.exe	101
PID 2168 wrote to memory of 4236	2168	x1374639.exe	101

C:\Users\Admin\AppData\Local\Temp\1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe
"C:\Users\Admin\AppData\Local\Temp\1e5309add481a6658511e0165999534278c5e119856e1a111d631ca7d8d6f05b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3743348.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3743348.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9760250.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9760250.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1374639.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1374639.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5407336.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5407336.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3448
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 540
        7⤵
        Program crash
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 572
        6⤵
        Program crash
        
        PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2786093.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2786093.exe
        5⤵
        Executes dropped EXE
        
        PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1604 -ip 1604
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3448 -ip 3448
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3743348.exe

Filesize
827KB

MD5
a2bdeb9008519afbdd8ef590c8ff261c

SHA1
096d27ca47420909d8388c3cb69a422692de445d

SHA256
cc5b9aed0dcc11f400ac4c6e0a78e082c9f6c8742c9a8f1a18adff4d2e790d53

SHA512
f86d1b569e1149fb457dac399e821dc5460fdf4b234246d8c35915f80ae19a3212be1023f1138b12168e3ea08d81996c79bdc837b65b2ae5782b782812eab41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3743348.exe

Filesize
827KB

MD5
a2bdeb9008519afbdd8ef590c8ff261c

SHA1
096d27ca47420909d8388c3cb69a422692de445d

SHA256
cc5b9aed0dcc11f400ac4c6e0a78e082c9f6c8742c9a8f1a18adff4d2e790d53

SHA512
f86d1b569e1149fb457dac399e821dc5460fdf4b234246d8c35915f80ae19a3212be1023f1138b12168e3ea08d81996c79bdc837b65b2ae5782b782812eab41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9760250.exe

Filesize
555KB

MD5
75f3579044ec13544b03ad8b204f3af3

SHA1
64333eb93e3c0332227356287756552da3874569

SHA256
f2b5c42eb80eb6ec5accfccc42d2bfc95cc4811360eca054b6bb20e1f9cbcca0

SHA512
912fca14e2b6f598e6a0aacffd9fb36d2e3ff6ca770766281a3c9659ca45e9b3044d15b0ec704049b2235f414f3a3172fe0d37b311889bdd054627077fe97891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9760250.exe

Filesize
555KB

MD5
75f3579044ec13544b03ad8b204f3af3

SHA1
64333eb93e3c0332227356287756552da3874569

SHA256
f2b5c42eb80eb6ec5accfccc42d2bfc95cc4811360eca054b6bb20e1f9cbcca0

SHA512
912fca14e2b6f598e6a0aacffd9fb36d2e3ff6ca770766281a3c9659ca45e9b3044d15b0ec704049b2235f414f3a3172fe0d37b311889bdd054627077fe97891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1374639.exe

Filesize
390KB

MD5
022337ca94067630c0f67e23c6ae2fdb

SHA1
bd52b40bff15bed89742a7e7b2fba77fbce50a54

SHA256
30c50fef936eeee49bfb7a2d57a9a8796e3749dc7a5fabd9a31e99915f4507aa

SHA512
813bc92270895128cd5fefea9e122f70b4a58f253698f270a67785f29c2e50d0236d0a8637bfc2232cf7c82551db1b4719e919d14647ad0b18ea69e8dbf17b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1374639.exe

Filesize
390KB

MD5
022337ca94067630c0f67e23c6ae2fdb

SHA1
bd52b40bff15bed89742a7e7b2fba77fbce50a54

SHA256
30c50fef936eeee49bfb7a2d57a9a8796e3749dc7a5fabd9a31e99915f4507aa

SHA512
813bc92270895128cd5fefea9e122f70b4a58f253698f270a67785f29c2e50d0236d0a8637bfc2232cf7c82551db1b4719e919d14647ad0b18ea69e8dbf17b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5407336.exe

Filesize
364KB

MD5
2618cdb520871e2bd82c120e6491f5f9

SHA1
48fbc382db7e4fddb9be520d586911c5df3d62df

SHA256
6d87e18a4e0cf9876af771dafa500351b081beeb5fea9417a00328f9f859a022

SHA512
2d1f0994af72f3639dd04a1e2361b79d1a628a6eba8e9c9a662bb5c57ac518ecbf97c681ac5a526a6c30bb9d0a9a6a58338f3d1150942ca26401519d75e74702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5407336.exe

Filesize
364KB

MD5
2618cdb520871e2bd82c120e6491f5f9

SHA1
48fbc382db7e4fddb9be520d586911c5df3d62df

SHA256
6d87e18a4e0cf9876af771dafa500351b081beeb5fea9417a00328f9f859a022

SHA512
2d1f0994af72f3639dd04a1e2361b79d1a628a6eba8e9c9a662bb5c57ac518ecbf97c681ac5a526a6c30bb9d0a9a6a58338f3d1150942ca26401519d75e74702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2786093.exe

Filesize
173KB

MD5
2e90e143b5830eae4be93bbb189cf63c

SHA1
94fe02c63867a1219bde71fe9faaa7521644d0c6

SHA256
a0f533e4996e9b1b4a8eaa0bfd66b9475a7ac7bd3081121daa751742e7fbcd1a

SHA512
49f1de0749f8a98810644dc183852062f78bf5403e3fd168b2847da0786822e8fc40dbcf4b319e4d7c4b7c4e4ca9a5514defe5cf935641410993c5f9fb614489

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2786093.exe

Filesize
173KB

MD5
2e90e143b5830eae4be93bbb189cf63c

SHA1
94fe02c63867a1219bde71fe9faaa7521644d0c6

SHA256
a0f533e4996e9b1b4a8eaa0bfd66b9475a7ac7bd3081121daa751742e7fbcd1a

SHA512
49f1de0749f8a98810644dc183852062f78bf5403e3fd168b2847da0786822e8fc40dbcf4b319e4d7c4b7c4e4ca9a5514defe5cf935641410993c5f9fb614489

Download Submit
memory/1604-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1604-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1604-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1604-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4236-38-0x00000000028D0000-0x00000000028D6000-memory.dmp

Filesize
24KB

Download
memory/4236-37-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4236-36-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/4236-39-0x00000000056F0000-0x0000000005D08000-memory.dmp

Filesize
6.1MB

Download
memory/4236-40-0x00000000051E0000-0x00000000052EA000-memory.dmp

Filesize
1.0MB

Download
memory/4236-42-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/4236-41-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4236-43-0x0000000005160000-0x000000000519C000-memory.dmp

Filesize
240KB

Download
memory/4236-44-0x00000000052F0000-0x000000000533C000-memory.dmp

Filesize
304KB

Download
memory/4236-45-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4236-46-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads