mystic | 6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
Size

935KB
MD5

3b090310d7146005221ad9d254f65fa6
SHA1

4bfe867372893b1e4171828845980829154b1267
SHA256

6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f
SHA512

36679deb21cede51a6b0504a71efc9a4b7c4586477d5f4a45c32e77e3e3dbb2dd7463c2d671ca90d1cab357dffd841daf07865d24b3b2ec359441955adf7bb20
SSDEEP

12288:QMrSy90eoBQlfP1eFLsQQb0qSrSwZnjOfon4sXtT7WyqxsXWjM7cDt4ktQ:Sypsgb07rSUjOf+fXUyqrjM7cDtDm

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3848-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3848-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4780	x6732039.exe
2660	x4306016.exe
4364	x1781948.exe
4460	g6988865.exe
4016	h7982950.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6732039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4306016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1781948.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 3848	4460	g6988865.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
648	4460	WerFault.exe	86
2640	3848	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4780	4528	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	83
PID 4528 wrote to memory of 4780	4528	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	83
PID 4528 wrote to memory of 4780	4528	6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe	83
PID 4780 wrote to memory of 2660	4780	x6732039.exe	84
PID 4780 wrote to memory of 2660	4780	x6732039.exe	84
PID 4780 wrote to memory of 2660	4780	x6732039.exe	84
PID 2660 wrote to memory of 4364	2660	x4306016.exe	85
PID 2660 wrote to memory of 4364	2660	x4306016.exe	85
PID 2660 wrote to memory of 4364	2660	x4306016.exe	85
PID 4364 wrote to memory of 4460	4364	x1781948.exe	86
PID 4364 wrote to memory of 4460	4364	x1781948.exe	86
PID 4364 wrote to memory of 4460	4364	x1781948.exe	86
PID 4460 wrote to memory of 4152	4460	g6988865.exe	88
PID 4460 wrote to memory of 4152	4460	g6988865.exe	88
PID 4460 wrote to memory of 4152	4460	g6988865.exe	88
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4460 wrote to memory of 3848	4460	g6988865.exe	89
PID 4364 wrote to memory of 4016	4364	x1781948.exe	98
PID 4364 wrote to memory of 4016	4364	x1781948.exe	98
PID 4364 wrote to memory of 4016	4364	x1781948.exe	98

C:\Users\Admin\AppData\Local\Temp\6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe
"C:\Users\Admin\AppData\Local\Temp\6783d80655289133bcf07e9bb79e6e9ab30ab69718c3f7bbbdc9a5cee3cc065f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4152
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 196
        7⤵
        Program crash
        
        PID:2640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 584
        6⤵
        Program crash
        
        PID:648
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe
        5⤵
        Executes dropped EXE
        
        PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4460 -ip 4460
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3848 -ip 3848
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe

Filesize
833KB

MD5
3b82e546b8f52bc27a45de5c2fac8710

SHA1
6d354f95bbb40819a501dde2d26444eb3e9256f7

SHA256
d09cb09e54d4b5c6e01e8079c30ce6a2bea8e25951dbf0cc89e5347b8912b8af

SHA512
9be6100b391f96bd43bd87c1b76d75dc9af1ff48b987496b3f429d19993a5d0f5fa4f97f1f8f6cf9078fa9d8e829c08b8dbfbfe3a99e3409719c6256acbdcafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6732039.exe

Filesize
833KB

MD5
3b82e546b8f52bc27a45de5c2fac8710

SHA1
6d354f95bbb40819a501dde2d26444eb3e9256f7

SHA256
d09cb09e54d4b5c6e01e8079c30ce6a2bea8e25951dbf0cc89e5347b8912b8af

SHA512
9be6100b391f96bd43bd87c1b76d75dc9af1ff48b987496b3f429d19993a5d0f5fa4f97f1f8f6cf9078fa9d8e829c08b8dbfbfe3a99e3409719c6256acbdcafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe

Filesize
559KB

MD5
8001619f178b606273a784d77a6cfdbb

SHA1
7dcf79968e844d77af8aa0c053aa76a1c56f16ed

SHA256
61beda55f3053e14177051819ff5246e1960b44fc9a45d743e648e1086d9a8cf

SHA512
1b4a0fe4ca3292d166912374103bf6e1a8539d2a37ce30f6386c23ec0b765d6afb91c7587b11bafd581b9aa3dc576de0cc48825c9394b4b6c2b80f01f4323836

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4306016.exe

Filesize
559KB

MD5
8001619f178b606273a784d77a6cfdbb

SHA1
7dcf79968e844d77af8aa0c053aa76a1c56f16ed

SHA256
61beda55f3053e14177051819ff5246e1960b44fc9a45d743e648e1086d9a8cf

SHA512
1b4a0fe4ca3292d166912374103bf6e1a8539d2a37ce30f6386c23ec0b765d6afb91c7587b11bafd581b9aa3dc576de0cc48825c9394b4b6c2b80f01f4323836

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe

Filesize
393KB

MD5
f1760c63be45366399f3e362644900d2

SHA1
2176b66ab48b5c6991783c0691d9d19b9abd29ee

SHA256
4feab7bdaf8eded6076a41839771702db23bd72a5d76f4caafb371c4e27b982b

SHA512
398e80a1f770f8c37f0ef4beeddb254b7724776b0c19b5eb4e0ddc32dccd82ad1a2f039d229400cc255ef5628c24762b5fd7ae090479b4cc19f9e19b5a4d6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1781948.exe

Filesize
393KB

MD5
f1760c63be45366399f3e362644900d2

SHA1
2176b66ab48b5c6991783c0691d9d19b9abd29ee

SHA256
4feab7bdaf8eded6076a41839771702db23bd72a5d76f4caafb371c4e27b982b

SHA512
398e80a1f770f8c37f0ef4beeddb254b7724776b0c19b5eb4e0ddc32dccd82ad1a2f039d229400cc255ef5628c24762b5fd7ae090479b4cc19f9e19b5a4d6920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe

Filesize
380KB

MD5
8a7a8c48210b648337ce5e3e50a93247

SHA1
e374fcece4b1d531e2a93d85d514d4ab3db72cbb

SHA256
7d79a1df738e4cbfb2579a0641a2dd0221c064851e444cd941507b3d19d92d9d

SHA512
0733daed7629ce0803f2d3d9e6f166f512d9866cce4d6eac9bda9d0119244ccc2b79481c76a82edfb6879b8b563f1a44b294b5a7b2d387357907dc89a0869332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6988865.exe

Filesize
380KB

MD5
8a7a8c48210b648337ce5e3e50a93247

SHA1
e374fcece4b1d531e2a93d85d514d4ab3db72cbb

SHA256
7d79a1df738e4cbfb2579a0641a2dd0221c064851e444cd941507b3d19d92d9d

SHA512
0733daed7629ce0803f2d3d9e6f166f512d9866cce4d6eac9bda9d0119244ccc2b79481c76a82edfb6879b8b563f1a44b294b5a7b2d387357907dc89a0869332

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe

Filesize
173KB

MD5
366c37e7e9b43ea15f361ba6cce5ac8b

SHA1
3ceff4e393cd8f0aaa514ccede3791d566e71d90

SHA256
f93fdd68dc4a19c89512a6ed6f4b35a12ea4685152bd1e2de76b7b7ce08fdfb9

SHA512
8729ac8e8814b5e42c260500cab185a32fa2034b80ce34372b2485a23b03fc7fd1a69ad29b8c23ddd56dc5378380fe09d5627272ab05b5b19a98df4863b57ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7982950.exe

Filesize
173KB

MD5
366c37e7e9b43ea15f361ba6cce5ac8b

SHA1
3ceff4e393cd8f0aaa514ccede3791d566e71d90

SHA256
f93fdd68dc4a19c89512a6ed6f4b35a12ea4685152bd1e2de76b7b7ce08fdfb9

SHA512
8729ac8e8814b5e42c260500cab185a32fa2034b80ce34372b2485a23b03fc7fd1a69ad29b8c23ddd56dc5378380fe09d5627272ab05b5b19a98df4863b57ad6

Download Submit
memory/3848-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3848-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4016-39-0x00000000057D0000-0x0000000005DE8000-memory.dmp

Filesize
6.1MB

Download
memory/4016-37-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-38-0x0000000002B00000-0x0000000002B06000-memory.dmp

Filesize
24KB

Download
memory/4016-36-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/4016-40-0x00000000052C0000-0x00000000053CA000-memory.dmp

Filesize
1.0MB

Download
memory/4016-42-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/4016-41-0x0000000005200000-0x0000000005212000-memory.dmp

Filesize
72KB

Download
memory/4016-43-0x0000000005260000-0x000000000529C000-memory.dmp

Filesize
240KB

Download
memory/4016-44-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download
memory/4016-45-0x0000000073E10000-0x00000000745C0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-46-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads