mystic | 817a724375c2e66416c5742e548706f4f4aaf64f10b73e7ee1b7fd805ed3c902

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
Size

935KB
MD5

3b090310d7146005221ad9d254f65fa6
SHA1

4bfe867372893b1e4171828845980829154b1267
SHA256

6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f
SHA512

36679deb21cede51a6b0504a71efc9a4b7c4586477d5f4a45c32e77e3e3dbb2dd7463c2d671ca90d1cab357dffd841daf07865d24b3b2ec359441955adf7bb20
SSDEEP

12288:QMrSy90eoBQlfP1eFLsQQb0qSrSwZnjOfon4sXtT7WyqxsXWjM7cDt4ktQ:Sypsgb07rSUjOf+fXUyqrjM7cDtDm

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4296-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4296-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4296-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4296-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2384	x6732039.exe
1184	x4306016.exe
3524	x1781948.exe
3480	g6988865.exe
4448	h7982950.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6732039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4306016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1781948.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3480 set thread context of 4296	3480	g6988865.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3384	4296	WerFault.exe	91
4644	3480	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2384	2472	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	86
PID 2472 wrote to memory of 2384	2472	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	86
PID 2472 wrote to memory of 2384	2472	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	86
PID 2384 wrote to memory of 1184	2384	x6732039.exe	87
PID 2384 wrote to memory of 1184	2384	x6732039.exe	87
PID 2384 wrote to memory of 1184	2384	x6732039.exe	87
PID 1184 wrote to memory of 3524	1184	x4306016.exe	88
PID 1184 wrote to memory of 3524	1184	x4306016.exe	88
PID 1184 wrote to memory of 3524	1184	x4306016.exe	88
PID 3524 wrote to memory of 3480	3524	x1781948.exe	89
PID 3524 wrote to memory of 3480	3524	x1781948.exe	89
PID 3524 wrote to memory of 3480	3524	x1781948.exe	89
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3480 wrote to memory of 4296	3480	g6988865.exe	91
PID 3524 wrote to memory of 4448	3524	x1781948.exe	101
PID 3524 wrote to memory of 4448	3524	x1781948.exe	101
PID 3524 wrote to memory of 4448	3524	x1781948.exe	101

C:\Users\Admin\AppData\Local\Temp\6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
"C:\Users\Admin\AppData\Local\Temp\6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 540
        7⤵
        Program crash
        
        PID:3384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 572
        6⤵
        Program crash
        
        PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe
        5⤵
        Executes dropped EXE
        
        PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3480 -ip 3480
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4296 -ip 4296
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe

Filesize
833KB

MD5
3b82e546b8f52bc27a45de5c2fac8710

SHA1
6d354f95bbb40819a501dde2d26444eb3e9256f7

SHA256
d09cb09e54d4b5c6e01e8079c30ce6a2bea8e25951dbf0cc89e5347b8912b8af

SHA512
9be6100b391f96bd43bd87c1b76d75dc9af1ff48b987496b3f429d19993a5d0f5fa4f97f1f8f6cf9078fa9d8e829c08b8dbfbfe3a99e3409719c6256acbdcafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe

Filesize
833KB

MD5
3b82e546b8f52bc27a45de5c2fac8710

SHA1
6d354f95bbb40819a501dde2d26444eb3e9256f7

SHA256
d09cb09e54d4b5c6e01e8079c30ce6a2bea8e25951dbf0cc89e5347b8912b8af

SHA512
9be6100b391f96bd43bd87c1b76d75dc9af1ff48b987496b3f429d19993a5d0f5fa4f97f1f8f6cf9078fa9d8e829c08b8dbfbfe3a99e3409719c6256acbdcafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe

Filesize
559KB

MD5
8001619f178b606273a784d77a6cfdbb

SHA1
7dcf79968e844d77af8aa0c053aa76a1c56f16ed

SHA256
61beda55f3053e14177051819ff5246e1960b44fc9a45d743e648e1086d9a8cf

SHA512
1b4a0fe4ca3292d166912374103bf6e1a8539d2a37ce30f6386c23ec0b765d6afb91c7587b11bafd581b9aa3dc576de0cc48825c9394b4b6c2b80f01f4323836

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe

Filesize
559KB

MD5
8001619f178b606273a784d77a6cfdbb

SHA1
7dcf79968e844d77af8aa0c053aa76a1c56f16ed

SHA256
61beda55f3053e14177051819ff5246e1960b44fc9a45d743e648e1086d9a8cf

SHA512
1b4a0fe4ca3292d166912374103bf6e1a8539d2a37ce30f6386c23ec0b765d6afb91c7587b11bafd581b9aa3dc576de0cc48825c9394b4b6c2b80f01f4323836

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe

Filesize
393KB

MD5
f1760c63be45366399f3e362644900d2

SHA1
2176b66ab48b5c6991783c0691d9d19b9abd29ee

SHA256
4feab7bdaf8eded6076a41839771702db23bd72a5d76f4caafb371c4e27b982b

SHA512
398e80a1f770f8c37f0ef4beeddb254b7724776b0c19b5eb4e0ddc32dccd82ad1a2f039d229400cc255ef5628c24762b5fd7ae090479b4cc19f9e19b5a4d6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe

Filesize
393KB

MD5
f1760c63be45366399f3e362644900d2

SHA1
2176b66ab48b5c6991783c0691d9d19b9abd29ee

SHA256
4feab7bdaf8eded6076a41839771702db23bd72a5d76f4caafb371c4e27b982b

SHA512
398e80a1f770f8c37f0ef4beeddb254b7724776b0c19b5eb4e0ddc32dccd82ad1a2f039d229400cc255ef5628c24762b5fd7ae090479b4cc19f9e19b5a4d6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe

Filesize
380KB

MD5
8a7a8c48210b648337ce5e3e50a93247

SHA1
e374fcece4b1d531e2a93d85d514d4ab3db72cbb

SHA256
7d79a1df738e4cbfb2579a0641a2dd0221c064851e444cd941507b3d19d92d9d

SHA512
0733daed7629ce0803f2d3d9e6f166f512d9866cce4d6eac9bda9d0119244ccc2b79481c76a82edfb6879b8b563f1a44b294b5a7b2d387357907dc89a0869332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe

Filesize
380KB

MD5
8a7a8c48210b648337ce5e3e50a93247

SHA1
e374fcece4b1d531e2a93d85d514d4ab3db72cbb

SHA256
7d79a1df738e4cbfb2579a0641a2dd0221c064851e444cd941507b3d19d92d9d

SHA512
0733daed7629ce0803f2d3d9e6f166f512d9866cce4d6eac9bda9d0119244ccc2b79481c76a82edfb6879b8b563f1a44b294b5a7b2d387357907dc89a0869332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe

Filesize
173KB

MD5
366c37e7e9b43ea15f361ba6cce5ac8b

SHA1
3ceff4e393cd8f0aaa514ccede3791d566e71d90

SHA256
f93fdd68dc4a19c89512a6ed6f4b35a12ea4685152bd1e2de76b7b7ce08fdfb9

SHA512
8729ac8e8814b5e42c260500cab185a32fa2034b80ce34372b2485a23b03fc7fd1a69ad29b8c23ddd56dc5378380fe09d5627272ab05b5b19a98df4863b57ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe

Filesize
173KB

MD5
366c37e7e9b43ea15f361ba6cce5ac8b

SHA1
3ceff4e393cd8f0aaa514ccede3791d566e71d90

SHA256
f93fdd68dc4a19c89512a6ed6f4b35a12ea4685152bd1e2de76b7b7ce08fdfb9

SHA512
8729ac8e8814b5e42c260500cab185a32fa2034b80ce34372b2485a23b03fc7fd1a69ad29b8c23ddd56dc5378380fe09d5627272ab05b5b19a98df4863b57ad6

Download Submit
memory/4296-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4296-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4296-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4296-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4448-39-0x00000000056B0000-0x0000000005CC8000-memory.dmp

Filesize
6.1MB

Download
memory/4448-37-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-38-0x0000000002940000-0x0000000002946000-memory.dmp

Filesize
24KB

Download
memory/4448-36-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/4448-40-0x00000000051A0000-0x00000000052AA000-memory.dmp

Filesize
1.0MB

Download
memory/4448-42-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4448-41-0x0000000005030000-0x0000000005042000-memory.dmp

Filesize
72KB

Download
memory/4448-43-0x00000000050D0000-0x000000000510C000-memory.dmp

Filesize
240KB

Download
memory/4448-44-0x00000000747F0000-0x0000000074FA0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-45-0x0000000005110000-0x000000000515C000-memory.dmp

Filesize
304KB

Download
memory/4448-46-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads