mystic | e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139

Analysis

max time kernel
246s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe
Size

929KB
MD5

ff37fd162b15b7eafaf0b7b821f19178
SHA1

d2515f3bd875468ce553a3b5efdfc8fcda0195b7
SHA256

e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139
SHA512

d1bceb0d3eb0e7e73717800e75cd13b030d67a2d78f4e497da83b26839420d1796c576da2f6aa87cdf81716d5d4ac4b17c3c6474eab9755c8c270b22f70bcf5c
SSDEEP

24576:cyvl+9SDkouXpcqOHCA69cYTPXTq5gigccDiqWfvf:Lvg9wkouiPmpTfT6JgE5

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3848-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4260	x1008481.exe
5072	x7986400.exe
1912	x3502606.exe
4820	g3476423.exe
3000	h4806006.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7986400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3502606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1008481.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 3848	4820	g3476423.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4848	4820	WerFault.exe	91
3400	3848	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 4260	4784	e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe	88
PID 4784 wrote to memory of 4260	4784	e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe	88
PID 4784 wrote to memory of 4260	4784	e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe	88
PID 4260 wrote to memory of 5072	4260	x1008481.exe	89
PID 4260 wrote to memory of 5072	4260	x1008481.exe	89
PID 4260 wrote to memory of 5072	4260	x1008481.exe	89
PID 5072 wrote to memory of 1912	5072	x7986400.exe	90
PID 5072 wrote to memory of 1912	5072	x7986400.exe	90
PID 5072 wrote to memory of 1912	5072	x7986400.exe	90
PID 1912 wrote to memory of 4820	1912	x3502606.exe	91
PID 1912 wrote to memory of 4820	1912	x3502606.exe	91
PID 1912 wrote to memory of 4820	1912	x3502606.exe	91
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 4820 wrote to memory of 3848	4820	g3476423.exe	92
PID 1912 wrote to memory of 3000	1912	x3502606.exe	105
PID 1912 wrote to memory of 3000	1912	x3502606.exe	105
PID 1912 wrote to memory of 3000	1912	x3502606.exe	105

C:\Users\Admin\AppData\Local\Temp\e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe
"C:\Users\Admin\AppData\Local\Temp\e3cb20023011b9406d72f39d90fa28df90e9da515843252428f7c85383232139.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1008481.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1008481.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7986400.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7986400.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3502606.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3502606.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3476423.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3476423.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 540
        7⤵
        Program crash
        
        PID:3400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 556
        6⤵
        Program crash
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4806006.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4806006.exe
        5⤵
        Executes dropped EXE
        
        PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3848 -ip 3848
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4820 -ip 4820
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1008481.exe

Filesize
827KB

MD5
fc86786b95636fedab8d25b405c17e28

SHA1
ac75de85d50d1b4b6673c91c96d13976484d28e0

SHA256
8001c7954fb3ae1960576d5de1288c67793650e2f22e08e99fcbeb3d7e133a9a

SHA512
80764d40d45826ed9f09a268e21109f2ecc4d06589f934c4ecf79e0306d5f43a9221111e952c45a5570a26c4c6a7b816ac655f954fe588dbf528e638887612d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1008481.exe

Filesize
827KB

MD5
fc86786b95636fedab8d25b405c17e28

SHA1
ac75de85d50d1b4b6673c91c96d13976484d28e0

SHA256
8001c7954fb3ae1960576d5de1288c67793650e2f22e08e99fcbeb3d7e133a9a

SHA512
80764d40d45826ed9f09a268e21109f2ecc4d06589f934c4ecf79e0306d5f43a9221111e952c45a5570a26c4c6a7b816ac655f954fe588dbf528e638887612d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7986400.exe

Filesize
556KB

MD5
abbe1197fc49a0b00aac86a204c11e12

SHA1
96adf47d3b42bcbb3a7225f7f20e060a86f3bbfa

SHA256
c1a1e542e518731a7f563ea9650f6738c494a39e4b85d1b8853dd4a66fa7dbcf

SHA512
4c13d0b2048601cfe89ef1d13147596256f6efe9574710e24c7ab69da1e988cd10eee3b474c2d3a07cb06c8ed6b04aa2807f19af867b178f7031c4bdc2e19e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7986400.exe

Filesize
556KB

MD5
abbe1197fc49a0b00aac86a204c11e12

SHA1
96adf47d3b42bcbb3a7225f7f20e060a86f3bbfa

SHA256
c1a1e542e518731a7f563ea9650f6738c494a39e4b85d1b8853dd4a66fa7dbcf

SHA512
4c13d0b2048601cfe89ef1d13147596256f6efe9574710e24c7ab69da1e988cd10eee3b474c2d3a07cb06c8ed6b04aa2807f19af867b178f7031c4bdc2e19e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3502606.exe

Filesize
390KB

MD5
4dcdf3c808cf74fc4a559c6bad4d7c4f

SHA1
9b170f9a5c7d388ac8ddc697beff3bf688086377

SHA256
f9326d03831d942f334db713e10a15a82eb75cb152ec9c72bc9e1f5305520a0b

SHA512
2fda2b25e77aed2810ce7df17245e8510b90e8d89273372328c81dd2e952521da63fcdc7dca21531b96ae7703c29cc472fc336e608272415b11163600c69dbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3502606.exe

Filesize
390KB

MD5
4dcdf3c808cf74fc4a559c6bad4d7c4f

SHA1
9b170f9a5c7d388ac8ddc697beff3bf688086377

SHA256
f9326d03831d942f334db713e10a15a82eb75cb152ec9c72bc9e1f5305520a0b

SHA512
2fda2b25e77aed2810ce7df17245e8510b90e8d89273372328c81dd2e952521da63fcdc7dca21531b96ae7703c29cc472fc336e608272415b11163600c69dbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3476423.exe

Filesize
364KB

MD5
f03c7917f162cbfbf695328899a2c303

SHA1
2678359e67bd285fba5a7d3b2b4d83fcdda53fea

SHA256
08adc45177a100c83212e697f90572d938a21942600bdb997867583a7a55f314

SHA512
74e3f61ef20077dc5804586b523a88fa152b931a7c239ea2d60fdda84cc1822a5bf40e55c83a397382a030c71b86fef0689014a4ada28832cf847f26598e6b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3476423.exe

Filesize
364KB

MD5
f03c7917f162cbfbf695328899a2c303

SHA1
2678359e67bd285fba5a7d3b2b4d83fcdda53fea

SHA256
08adc45177a100c83212e697f90572d938a21942600bdb997867583a7a55f314

SHA512
74e3f61ef20077dc5804586b523a88fa152b931a7c239ea2d60fdda84cc1822a5bf40e55c83a397382a030c71b86fef0689014a4ada28832cf847f26598e6b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4806006.exe

Filesize
173KB

MD5
24dc577e6ed5f4fb3d3699c0f0baf7c2

SHA1
e4ceee5b3d6697df1a2d72fbe3f288a499d8927c

SHA256
85e05cba02360f28cb5990933d08e6194f3a44607614aeb0dd1e9f8a3aa5382b

SHA512
632c02fe3782ff179df921d39c331147b20176e017fbf193a91245793902e0b73cce29fe204f050d1c9cb485dc27fde760bfec9615e1cf47885e9a17aad81e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4806006.exe

Filesize
173KB

MD5
24dc577e6ed5f4fb3d3699c0f0baf7c2

SHA1
e4ceee5b3d6697df1a2d72fbe3f288a499d8927c

SHA256
85e05cba02360f28cb5990933d08e6194f3a44607614aeb0dd1e9f8a3aa5382b

SHA512
632c02fe3782ff179df921d39c331147b20176e017fbf193a91245793902e0b73cce29fe204f050d1c9cb485dc27fde760bfec9615e1cf47885e9a17aad81e0a

Download Submit
memory/3000-36-0x0000000000410000-0x0000000000440000-memory.dmp

Filesize
192KB

Download
memory/3000-37-0x0000000073B30000-0x00000000742E0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads