mystic | 38abd1705448053a2cdb0b98ee9ccf33e8e31e882241f38a54fd1c45ba52a147

Analysis

max time kernel
153s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe
Size

935KB
MD5

393529959f49656c9a795558ed054a56
SHA1

10cf407d485a22b9f61d1351a96c7886f2705d0c
SHA256

a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc
SHA512

4ac6953de2a0d4160f7c599fb1eb2b2c786bf5c1160557d741d7097a3d5c81b72382c9da33149cfbccfe7f19467f0a348e5b4f92f400aada64957efac5555070
SSDEEP

12288:1MrKy90jEUQB+ahcWxI4kO0QCkbHNzlRvrpLB6YpG3mYFA72sZyy0nAXH0d7ilgP:PyAEdkahR9BCMrFLYrn+H0ygK3G

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2644-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2644-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2644-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2644-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
464	x5156724.exe
4472	x4130575.exe
2680	x4640084.exe
180	g0654549.exe
3468	h7919418.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5156724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4130575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4640084.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 180 set thread context of 2644	180	g0654549.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
528	2644	WerFault.exe	92
3744	180	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 464	4484	a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe	86
PID 4484 wrote to memory of 464	4484	a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe	86
PID 4484 wrote to memory of 464	4484	a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe	86
PID 464 wrote to memory of 4472	464	x5156724.exe	88
PID 464 wrote to memory of 4472	464	x5156724.exe	88
PID 464 wrote to memory of 4472	464	x5156724.exe	88
PID 4472 wrote to memory of 2680	4472	x4130575.exe	90
PID 4472 wrote to memory of 2680	4472	x4130575.exe	90
PID 4472 wrote to memory of 2680	4472	x4130575.exe	90
PID 2680 wrote to memory of 180	2680	x4640084.exe	91
PID 2680 wrote to memory of 180	2680	x4640084.exe	91
PID 2680 wrote to memory of 180	2680	x4640084.exe	91
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 180 wrote to memory of 2644	180	g0654549.exe	92
PID 2680 wrote to memory of 3468	2680	x4640084.exe	100
PID 2680 wrote to memory of 3468	2680	x4640084.exe	100
PID 2680 wrote to memory of 3468	2680	x4640084.exe	100

C:\Users\Admin\AppData\Local\Temp\a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe
"C:\Users\Admin\AppData\Local\Temp\a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:180
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 540
        7⤵
        Program crash
        
        PID:528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 552
        6⤵
        Program crash
        
        PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe
        5⤵
        Executes dropped EXE
        
        PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 180 -ip 180
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2644 -ip 2644
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe

Filesize
833KB

MD5
0bf7f136829434a3c375b04afe87a4f1

SHA1
5c6feaad5dd3aa0dec8392b400ee9cccf23dad10

SHA256
e32358f37ff29bbfbe36d91575b955a5bfb574d97f081c8cfb4ab0f4384b4b94

SHA512
fb882ec6a8f52971146aac238f77d7af749791dd6e803f82577d57a9ff9bf313f148d22212e5849c741047b2af13acc0418f2ed891f49d3b7be85787543b19dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe

Filesize
833KB

MD5
0bf7f136829434a3c375b04afe87a4f1

SHA1
5c6feaad5dd3aa0dec8392b400ee9cccf23dad10

SHA256
e32358f37ff29bbfbe36d91575b955a5bfb574d97f081c8cfb4ab0f4384b4b94

SHA512
fb882ec6a8f52971146aac238f77d7af749791dd6e803f82577d57a9ff9bf313f148d22212e5849c741047b2af13acc0418f2ed891f49d3b7be85787543b19dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe

Filesize
559KB

MD5
ca0f3114e295830673920a666d86b12b

SHA1
843a86f9e50efed658d570dde5958eaa2db5cdad

SHA256
b5e278860f1ac67f8655b656d4e397521813d89258b653fbca8f8b926bb50d7c

SHA512
81fdd2c32b2510e6135baef824d749ea2175c5e341aa73ff081c0093ad9927745c046b1811aaf3dc9df085c7036310dcfce1ad7f8b9fdd31f528f3ed47483cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe

Filesize
559KB

MD5
ca0f3114e295830673920a666d86b12b

SHA1
843a86f9e50efed658d570dde5958eaa2db5cdad

SHA256
b5e278860f1ac67f8655b656d4e397521813d89258b653fbca8f8b926bb50d7c

SHA512
81fdd2c32b2510e6135baef824d749ea2175c5e341aa73ff081c0093ad9927745c046b1811aaf3dc9df085c7036310dcfce1ad7f8b9fdd31f528f3ed47483cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe

Filesize
393KB

MD5
d16a35d49a18fa6aa0ea71858385a0e8

SHA1
e616e31653af9292a61d5f29fedc20ab533d9119

SHA256
ab906839b241662329e5fc01c04818ab455705370aee3412fc2cfff0a8e7f2b7

SHA512
8b50d98f3aa5ba347d54188d5028b8f99658277e7cbfa09891404cb6ac253e88ba98b27c77cfee40f6c6f0d3a9b0512afc0edb5e3c1fcb851a29c096ab924ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe

Filesize
393KB

MD5
d16a35d49a18fa6aa0ea71858385a0e8

SHA1
e616e31653af9292a61d5f29fedc20ab533d9119

SHA256
ab906839b241662329e5fc01c04818ab455705370aee3412fc2cfff0a8e7f2b7

SHA512
8b50d98f3aa5ba347d54188d5028b8f99658277e7cbfa09891404cb6ac253e88ba98b27c77cfee40f6c6f0d3a9b0512afc0edb5e3c1fcb851a29c096ab924ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe

Filesize
380KB

MD5
929437a5c5a9a45ea960b7037e32b71d

SHA1
b6e577052e0190b65209a744de9faf361faa3633

SHA256
0da42dfcb536b9121da124409c9b72423f9fa52eb2f3f6df93e0f4884f70086f

SHA512
b34dc95cc33d90ad33072fe1fb76c25b91982f7296b866c584940b53996b68c87e376fd91cb5f1f548745c86d9bc2fca84fcee7d67c3bc8eddc75db97af39b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe

Filesize
380KB

MD5
929437a5c5a9a45ea960b7037e32b71d

SHA1
b6e577052e0190b65209a744de9faf361faa3633

SHA256
0da42dfcb536b9121da124409c9b72423f9fa52eb2f3f6df93e0f4884f70086f

SHA512
b34dc95cc33d90ad33072fe1fb76c25b91982f7296b866c584940b53996b68c87e376fd91cb5f1f548745c86d9bc2fca84fcee7d67c3bc8eddc75db97af39b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe

Filesize
173KB

MD5
cdcb94fb196fa578c0ef270d687dbc59

SHA1
6d79a5138651172afb20b867b81d50fbb7308ff0

SHA256
0a0380070297fa16e2bdbf4963a4bda65541b75bd50fe12e6a2cd7880601f6d6

SHA512
c412b84dfb1c7d418fcc185c8c1a8fd78a0cf0ae47078d765b4368d1322b23cecfb5a20210cffef06d4ab7ca4d6975115f5c56e687f532e4376cf1eb4bcdc3b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe

Filesize
173KB

MD5
cdcb94fb196fa578c0ef270d687dbc59

SHA1
6d79a5138651172afb20b867b81d50fbb7308ff0

SHA256
0a0380070297fa16e2bdbf4963a4bda65541b75bd50fe12e6a2cd7880601f6d6

SHA512
c412b84dfb1c7d418fcc185c8c1a8fd78a0cf0ae47078d765b4368d1322b23cecfb5a20210cffef06d4ab7ca4d6975115f5c56e687f532e4376cf1eb4bcdc3b2

Download Submit
memory/2644-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2644-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2644-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2644-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3468-39-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/3468-37-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/3468-38-0x0000000005510000-0x0000000005516000-memory.dmp

Filesize
24KB

Download
memory/3468-36-0x0000000000BF0000-0x0000000000C20000-memory.dmp

Filesize
192KB

Download
memory/3468-40-0x0000000005670000-0x000000000577A000-memory.dmp

Filesize
1.0MB

Download
memory/3468-42-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3468-41-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/3468-43-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/3468-44-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/3468-45-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/3468-46-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads