mystic | d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe
Size

934KB
MD5

b8819997a74132370ddd92cc57a26969
SHA1

23fd7702316f1c4a9a1e0b7a44a9fd96d21a911b
SHA256

d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62
SHA512

73160cc685a6165f2d7305006bae5b3dbd54499c94bbd09ea9d692466192e1dcb4daba868c05adbc761b08149a14d03f3e478a0f45a7ce498b879ac500e30c65
SSDEEP

24576:FyJlmmXDP1rkCO5HOBS6lJ4LhYz8W135OF9wU:gJZ4RHkLYw13U

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1248-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1248-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1248-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1248-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4140	x1817901.exe
3296	x5832306.exe
4380	x7212747.exe
3276	g0378297.exe
1536	h8940384.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7212747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1817901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5832306.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 1248	3276	g0378297.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2168	1248	WerFault.exe	92
4120	3276	WerFault.exe	87

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4140	2712	d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe	83
PID 2712 wrote to memory of 4140	2712	d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe	83
PID 2712 wrote to memory of 4140	2712	d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe	83
PID 4140 wrote to memory of 3296	4140	x1817901.exe	84
PID 4140 wrote to memory of 3296	4140	x1817901.exe	84
PID 4140 wrote to memory of 3296	4140	x1817901.exe	84
PID 3296 wrote to memory of 4380	3296	x5832306.exe	86
PID 3296 wrote to memory of 4380	3296	x5832306.exe	86
PID 3296 wrote to memory of 4380	3296	x5832306.exe	86
PID 4380 wrote to memory of 3276	4380	x7212747.exe	87
PID 4380 wrote to memory of 3276	4380	x7212747.exe	87
PID 4380 wrote to memory of 3276	4380	x7212747.exe	87
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 3276 wrote to memory of 1248	3276	g0378297.exe	92
PID 4380 wrote to memory of 1536	4380	x7212747.exe	95
PID 4380 wrote to memory of 1536	4380	x7212747.exe	95
PID 4380 wrote to memory of 1536	4380	x7212747.exe	95

C:\Users\Admin\AppData\Local\Temp\d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe
"C:\Users\Admin\AppData\Local\Temp\d64417efc2f9cdac087ed24241c32ea6e972024ee7a05b6c5f1a001fd3534e62.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1817901.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1817901.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5832306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5832306.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7212747.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7212747.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0378297.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0378297.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 540
        7⤵
        Program crash
        
        PID:2168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 572
        6⤵
        Program crash
        
        PID:4120
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8940384.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8940384.exe
        5⤵
        Executes dropped EXE
        
        PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3276 -ip 3276
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1248 -ip 1248
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1817901.exe

Filesize
832KB

MD5
b0c11903c66b7d130df0dae7d0c889be

SHA1
976907351b1c18da48f6603d621275d5a3adece3

SHA256
27cb85bb0c8d8345da94dacbd79620c5500f39000c3229b6fbfcfc35017033a8

SHA512
f90962d069cf2f86651a47d46543a47d469b4732bd31847ffe3c9062cef00b866dd2c0d1f1033efefbb4aa8ccac74f77ba6d64b83c94553ecfaeb5ffc28fa11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1817901.exe

Filesize
832KB

MD5
b0c11903c66b7d130df0dae7d0c889be

SHA1
976907351b1c18da48f6603d621275d5a3adece3

SHA256
27cb85bb0c8d8345da94dacbd79620c5500f39000c3229b6fbfcfc35017033a8

SHA512
f90962d069cf2f86651a47d46543a47d469b4732bd31847ffe3c9062cef00b866dd2c0d1f1033efefbb4aa8ccac74f77ba6d64b83c94553ecfaeb5ffc28fa11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5832306.exe

Filesize
558KB

MD5
b361e1beec16554711673e6d6b28a749

SHA1
1d65846efed9d51ea4501b4d1da2c1ee28bfa9f3

SHA256
addb0f463047182f035e6c04ff4c3ff293ad494179ba9529b7e500b96c76de86

SHA512
c4b8ea6f465f4e79c2b125a0f4ba5e96ac363ec48717bf4d1bbdce6790b90818af2b6822c676926a90e485543f62795cd869d951a6de3822e75325e94a8c5f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5832306.exe

Filesize
558KB

MD5
b361e1beec16554711673e6d6b28a749

SHA1
1d65846efed9d51ea4501b4d1da2c1ee28bfa9f3

SHA256
addb0f463047182f035e6c04ff4c3ff293ad494179ba9529b7e500b96c76de86

SHA512
c4b8ea6f465f4e79c2b125a0f4ba5e96ac363ec48717bf4d1bbdce6790b90818af2b6822c676926a90e485543f62795cd869d951a6de3822e75325e94a8c5f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7212747.exe

Filesize
393KB

MD5
2f751196debb85ecbe9d79411b95786b

SHA1
19ed964768986c92e4a74d41fefb8c7838e07a05

SHA256
eefb0e83dc501bb4dd7c8ae97c51916c21ede210c2e9c7cae2f61d7b99d46160

SHA512
2cddc840d48f579bffd837674ba7f8f7a95c0cad1199f0bed762a40a61cd99859a15c1ceb118b39436c9a6fe333fca29dbaa0ff51718d4f4b53808ee1f45402a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7212747.exe

Filesize
393KB

MD5
2f751196debb85ecbe9d79411b95786b

SHA1
19ed964768986c92e4a74d41fefb8c7838e07a05

SHA256
eefb0e83dc501bb4dd7c8ae97c51916c21ede210c2e9c7cae2f61d7b99d46160

SHA512
2cddc840d48f579bffd837674ba7f8f7a95c0cad1199f0bed762a40a61cd99859a15c1ceb118b39436c9a6fe333fca29dbaa0ff51718d4f4b53808ee1f45402a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0378297.exe

Filesize
380KB

MD5
780f86cf94115548d1b764c64fcbabda

SHA1
ce1046b4eddf351bcd4ba7aea794b0158d1c4716

SHA256
e74d8be5f9af33c159a61233d294535870d3a84ca0bdc965221bdcecb3ba5237

SHA512
8dadf947b610c50e1e727f272d47e0565efc3f35dd9b4e3b5d4acfb0db8753e293f64266f89375f680c49ff885b30c19bd29980b473da0eb86001437fe85af83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0378297.exe

Filesize
380KB

MD5
780f86cf94115548d1b764c64fcbabda

SHA1
ce1046b4eddf351bcd4ba7aea794b0158d1c4716

SHA256
e74d8be5f9af33c159a61233d294535870d3a84ca0bdc965221bdcecb3ba5237

SHA512
8dadf947b610c50e1e727f272d47e0565efc3f35dd9b4e3b5d4acfb0db8753e293f64266f89375f680c49ff885b30c19bd29980b473da0eb86001437fe85af83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8940384.exe

Filesize
173KB

MD5
951e583e6eb7e576c88d3d5d3aec3973

SHA1
5a0e3b112a993b5f66979bfd4623ceb6ce5b3f15

SHA256
4ce208de894cb753e544019e62358da420439e7b00abfa72fb82df8f3fe9d4a4

SHA512
888d81fb0a6bcf11500057a4540ce6a90c84b56ade8cf70fdc64e4447bb2aa7e0edd3c71e126d02c36c6e63d457c5e518e631dd9cc2fca530320152c6413a9d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8940384.exe

Filesize
173KB

MD5
951e583e6eb7e576c88d3d5d3aec3973

SHA1
5a0e3b112a993b5f66979bfd4623ceb6ce5b3f15

SHA256
4ce208de894cb753e544019e62358da420439e7b00abfa72fb82df8f3fe9d4a4

SHA512
888d81fb0a6bcf11500057a4540ce6a90c84b56ade8cf70fdc64e4447bb2aa7e0edd3c71e126d02c36c6e63d457c5e518e631dd9cc2fca530320152c6413a9d6

Download Submit
memory/1248-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1248-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1248-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1248-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1536-39-0x000000000AEA0000-0x000000000B4B8000-memory.dmp

Filesize
6.1MB

Download
memory/1536-36-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-38-0x0000000002D50000-0x0000000002D56000-memory.dmp

Filesize
24KB

Download
memory/1536-37-0x0000000000B40000-0x0000000000B70000-memory.dmp

Filesize
192KB

Download
memory/1536-40-0x000000000A9B0000-0x000000000AABA000-memory.dmp

Filesize
1.0MB

Download
memory/1536-42-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/1536-41-0x000000000A8F0000-0x000000000A902000-memory.dmp

Filesize
72KB

Download
memory/1536-43-0x000000000A950000-0x000000000A98C000-memory.dmp

Filesize
240KB

Download
memory/1536-44-0x000000000AAC0000-0x000000000AB0C000-memory.dmp

Filesize
304KB

Download
memory/1536-45-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/1536-46-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads