mystic | 504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe
Size

935KB
MD5

fb85d20af246d1e6bf47d67e4afb76ef
SHA1

13ccbe50a6d809bd6577dd52002bf81669381698
SHA256

504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a
SHA512

447aef6d1da95545d5e1f7beaa7eb58a25f1785044550a51bafff7b8bbfec5ad2e0e05967df7e65a3b9bc423d157671108c194410b675581c94b9ebbcb84eef6
SSDEEP

24576:Ky/iFJOciGa7eVozSNUvTYZyxFRXqjIje:RaFJOciGa117YUx7H

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1452-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1452-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1452-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1452-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1484	x7561768.exe
2980	x8473714.exe
1236	x8328444.exe
1376	g8348269.exe
2408	h9618401.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8473714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8328444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7561768.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 1452	1376	g8348269.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3868	1452	WerFault.exe	90
2704	1376	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1484	368	504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe	85
PID 368 wrote to memory of 1484	368	504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe	85
PID 368 wrote to memory of 1484	368	504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe	85
PID 1484 wrote to memory of 2980	1484	x7561768.exe	87
PID 1484 wrote to memory of 2980	1484	x7561768.exe	87
PID 1484 wrote to memory of 2980	1484	x7561768.exe	87
PID 2980 wrote to memory of 1236	2980	x8473714.exe	88
PID 2980 wrote to memory of 1236	2980	x8473714.exe	88
PID 2980 wrote to memory of 1236	2980	x8473714.exe	88
PID 1236 wrote to memory of 1376	1236	x8328444.exe	89
PID 1236 wrote to memory of 1376	1236	x8328444.exe	89
PID 1236 wrote to memory of 1376	1236	x8328444.exe	89
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1376 wrote to memory of 1452	1376	g8348269.exe	90
PID 1236 wrote to memory of 2408	1236	x8328444.exe	96
PID 1236 wrote to memory of 2408	1236	x8328444.exe	96
PID 1236 wrote to memory of 2408	1236	x8328444.exe	96

C:\Users\Admin\AppData\Local\Temp\504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe
"C:\Users\Admin\AppData\Local\Temp\504330db8b7d670f9fcde9039b4b8ca398861fe619ec4899bf559fee64b9c38a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7561768.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7561768.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8473714.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8473714.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8328444.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8328444.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8348269.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8348269.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 540
        7⤵
        Program crash
        
        PID:3868
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 552
        6⤵
        Program crash
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9618401.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9618401.exe
        5⤵
        Executes dropped EXE
        
        PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1376 -ip 1376
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7561768.exe

Filesize
833KB

MD5
8e14775f90b1b818b54f6b7b93724d6f

SHA1
3c09d95756154f5a75a5935de74fbaeb43ba8e96

SHA256
e21abc56354b83192fea599820d0afdfeb66805a09c9dd38f52d8e3de2c07d12

SHA512
54573eb210ad4df66fa61cc9a2913f743bd651907f84dfa6bb5fca849c78c4343776ae59d708d35cadd9ebe9b3a40463337f868f6bd014c9be04e6353249f8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7561768.exe

Filesize
833KB

MD5
8e14775f90b1b818b54f6b7b93724d6f

SHA1
3c09d95756154f5a75a5935de74fbaeb43ba8e96

SHA256
e21abc56354b83192fea599820d0afdfeb66805a09c9dd38f52d8e3de2c07d12

SHA512
54573eb210ad4df66fa61cc9a2913f743bd651907f84dfa6bb5fca849c78c4343776ae59d708d35cadd9ebe9b3a40463337f868f6bd014c9be04e6353249f8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8473714.exe

Filesize
559KB

MD5
163a736cf7fd28099ab2795a04eacd85

SHA1
f3077521b74818389af2528e02b82a9c7ff31c05

SHA256
0823a0d1160cb436ff191acd8e2a5126b4cdda8723bb7dd629b42f68da1d5604

SHA512
d985e8b5e8584bba8f6df8bd6de4875bd2ff40c6c1e80ceae3dd761d6c752c33b104d3db74f12762dbf13a6f3ea94f69ac4ee6c94fc3c1c484f8aab702d95c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8473714.exe

Filesize
559KB

MD5
163a736cf7fd28099ab2795a04eacd85

SHA1
f3077521b74818389af2528e02b82a9c7ff31c05

SHA256
0823a0d1160cb436ff191acd8e2a5126b4cdda8723bb7dd629b42f68da1d5604

SHA512
d985e8b5e8584bba8f6df8bd6de4875bd2ff40c6c1e80ceae3dd761d6c752c33b104d3db74f12762dbf13a6f3ea94f69ac4ee6c94fc3c1c484f8aab702d95c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8328444.exe

Filesize
393KB

MD5
f63753cc2f8d2ba07e98b85c3f27ae2b

SHA1
3c4c52412a360396d000bced3b1b751b14955fcf

SHA256
63fa570aba773b78b28d0a18a6f6c6dfc39cebde528710660fc7a547a694b744

SHA512
8a2f0cda3724228e19e65d7e0624fccf6165aa505311585c749d847b1fd2628706965097df52f18cf4c462f78d053de61b44236da1a404bb8a42a8c1e05f078d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8328444.exe

Filesize
393KB

MD5
f63753cc2f8d2ba07e98b85c3f27ae2b

SHA1
3c4c52412a360396d000bced3b1b751b14955fcf

SHA256
63fa570aba773b78b28d0a18a6f6c6dfc39cebde528710660fc7a547a694b744

SHA512
8a2f0cda3724228e19e65d7e0624fccf6165aa505311585c749d847b1fd2628706965097df52f18cf4c462f78d053de61b44236da1a404bb8a42a8c1e05f078d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8348269.exe

Filesize
380KB

MD5
565aca6182e662024cb89fb79483b47f

SHA1
a9b6ac9716a951db54494559f5beb582c76bddbf

SHA256
4dbb7469c1836faccb505c3f28ee11e94bbebeaccc8e896cc69ebde4e0e29be5

SHA512
5a1c8045231380a07c5d9afd042933d59cbfdbdcfa1702a9c599b279c0ed2d3e69256074d3c36cfa0f8f7e1d27f020335704a8d1168c90ad8c6fd295ea4d23e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8348269.exe

Filesize
380KB

MD5
565aca6182e662024cb89fb79483b47f

SHA1
a9b6ac9716a951db54494559f5beb582c76bddbf

SHA256
4dbb7469c1836faccb505c3f28ee11e94bbebeaccc8e896cc69ebde4e0e29be5

SHA512
5a1c8045231380a07c5d9afd042933d59cbfdbdcfa1702a9c599b279c0ed2d3e69256074d3c36cfa0f8f7e1d27f020335704a8d1168c90ad8c6fd295ea4d23e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9618401.exe

Filesize
173KB

MD5
8eb8f4f624feee6c628300ced84069e8

SHA1
ffc47952cb93312d334d6bb089ed83856a46e695

SHA256
2ccc258c7ebbf2ecb5750af102c47c44e27b03eaa6d2abfdb3fb02189e045ca0

SHA512
d4b5ef51e5bdd41cfe81e7e3d0e348ec65a562dfa3d8217da2cff7a6158a0b8fc93fe173c8dbee7e127b40bfeca949714733a074b3ec2dff51915ac5cb6a2a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9618401.exe

Filesize
173KB

MD5
8eb8f4f624feee6c628300ced84069e8

SHA1
ffc47952cb93312d334d6bb089ed83856a46e695

SHA256
2ccc258c7ebbf2ecb5750af102c47c44e27b03eaa6d2abfdb3fb02189e045ca0

SHA512
d4b5ef51e5bdd41cfe81e7e3d0e348ec65a562dfa3d8217da2cff7a6158a0b8fc93fe173c8dbee7e127b40bfeca949714733a074b3ec2dff51915ac5cb6a2a31

Download Submit
memory/1452-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1452-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2408-39-0x0000000005F40000-0x0000000006558000-memory.dmp

Filesize
6.1MB

Download
memory/2408-37-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/2408-38-0x00000000031C0000-0x00000000031C6000-memory.dmp

Filesize
24KB

Download
memory/2408-36-0x0000000000F20000-0x0000000000F50000-memory.dmp

Filesize
192KB

Download
memory/2408-40-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-42-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/2408-41-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/2408-43-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/2408-44-0x0000000005960000-0x00000000059AC000-memory.dmp

Filesize
304KB

Download
memory/2408-45-0x00000000742A0000-0x0000000074A50000-memory.dmp

Filesize
7.7MB

Download
memory/2408-46-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads