mystic | 8cc6679c34691a07ca82dfa2e42bb4cb80b8f3283bad650d6e3818ac030c32d3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe
Size

1.2MB
MD5

3cd4c28fa62c0cf93bf3eca5ef90e439
SHA1

c6e956a087f43a24e4d6cf421a78b5671e9213b7
SHA256

32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e
SHA512

46a98da1e17c64052fa36ea544a8e8cfdd9b67735d441fc00c3b4917299393fceee61f61a1e024a0d0d375800d929e837c47099a8425d010b07d1353a4b7fec6
SSDEEP

24576:PyeumwYs4AEjgXoSz+CGOOFmYWmZetNk84ps1Yu812Y:agZJaSCGOO1J3

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral7/memory/2276-21-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2276-22-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2276-23-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/2276-25-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe	family_redline
behavioral7/memory/2968-29-0x00000000005B0000-0x00000000005EE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

rl1kg6QI.exeWm1Vv3hD.exe1VP36lc6.exe2fO859kL.exe

pid process

4260 rl1kg6QI.exe
5044 Wm1Vv3hD.exe
4120 1VP36lc6.exe
2968 2fO859kL.exe

pid	process
4260	rl1kg6QI.exe
5044	Wm1Vv3hD.exe
4120	1VP36lc6.exe
2968	2fO859kL.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exerl1kg6QI.exeWm1Vv3hD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	rl1kg6QI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Wm1Vv3hD.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1VP36lc6.exe

description pid process target process

PID 4120 set thread context of 2276 4120 1VP36lc6.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5056 4120 WerFault.exe 1VP36lc6.exe

description	pid	process	target process
PID 4120 set thread context of 2276	4120	1VP36lc6.exe	AppLaunch.exe

pid	pid_target	process	target process
5056	4120	WerFault.exe	1VP36lc6.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exerl1kg6QI.exeWm1Vv3hD.exe1VP36lc6.exe

description	pid	process	target process
PID 2124 wrote to memory of 4260	2124	32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe	rl1kg6QI.exe
PID 2124 wrote to memory of 4260	2124	32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe	rl1kg6QI.exe
PID 2124 wrote to memory of 4260	2124	32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe	rl1kg6QI.exe
PID 4260 wrote to memory of 5044	4260	rl1kg6QI.exe	Wm1Vv3hD.exe
PID 4260 wrote to memory of 5044	4260	rl1kg6QI.exe	Wm1Vv3hD.exe
PID 4260 wrote to memory of 5044	4260	rl1kg6QI.exe	Wm1Vv3hD.exe
PID 5044 wrote to memory of 4120	5044	Wm1Vv3hD.exe	1VP36lc6.exe
PID 5044 wrote to memory of 4120	5044	Wm1Vv3hD.exe	1VP36lc6.exe
PID 5044 wrote to memory of 4120	5044	Wm1Vv3hD.exe	1VP36lc6.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 4120 wrote to memory of 2276	4120	1VP36lc6.exe	AppLaunch.exe
PID 5044 wrote to memory of 2968	5044	Wm1Vv3hD.exe	2fO859kL.exe
PID 5044 wrote to memory of 2968	5044	Wm1Vv3hD.exe	2fO859kL.exe
PID 5044 wrote to memory of 2968	5044	Wm1Vv3hD.exe	2fO859kL.exe

C:\Users\Admin\AppData\Local\Temp\32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe
"C:\Users\Admin\AppData\Local\Temp\32de0993bcf732baddd380146e8009f4e004108cb7883b6e48fcbc5c9e48ca1e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 584
5⤵
- Program crash
PID:5056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe
4⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rl1kg6QI.exe
Filesize
763KB

MD5
8b1bbc64f50355395bcb1a5db47c745f

SHA1
d3d57a9c7287325bf4f93b069db72ada20c5922b

SHA256
828e120503deee9d6ef83b6e26c95671e95086f760aab0aa8e6cc1bdb8ed06e7

SHA512
a6e1f1ca3da8a5a22e5963d0c52ea6dceaf5227581d2d09267f9ff5f1344cce840265b1ef4d2ef4017a1981f311bc81444549cc42a33df09f96ec9315379c5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Wm1Vv3hD.exe
Filesize
567KB

MD5
78213866ad15926c9ea68fe266e35680

SHA1
7a84af9b69999f36879f8f109f2aceb8cbccd356

SHA256
8eceae7113c0962ccadb013a725105ef56a5e1ade3224a8940175ec5b4597ad0

SHA512
5eae3aaddaa217f1042c82e77cc61ae439d595d733d6bc89bf11392f9858be7aced1aeeeb1987726fa0ee7fa525e5452fc45995f99243e5f5ab3ba842f751a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1VP36lc6.exe
Filesize
1.1MB

MD5
4ddfa486d37c166d7f8028d716e183a1

SHA1
0483954e904196b29207bad18bfcfc600d010131

SHA256
f3f79ebd412f4e7e5d854c17f4180c6245ae051bc04501473e631d31fbbbfa2f

SHA512
42ede28d0211888ae336ef18f09cb506afd3b7d5f5669f8693100aa0cfbca5a30374ae2a8289ab42b2fadbd5630a9d25117dfaf3e900548b270da634bf7fa31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2fO859kL.exe
Filesize
222KB

MD5
a260dc6564e820b08801e5d6cc832025

SHA1
d41fba701bac791a17603fae8dff964b97369e67

SHA256
9a967fc09ae600774f30dedaaf3378a064082e617132d7414728df288f8dad47

SHA512
f650440c7bfdbafbf838ba5d38aee2b1442e116cb53117d5f8019ab6d0549e9077a5bf74364db88657c5b95440a8c1bb920cb17e185fac0e44ee28b2b4de4d97

Download Submit
memory/2276-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-29-0x00000000005B0000-0x00000000005EE000-memory.dmp

Filesize
248KB

Download
memory/2968-30-0x00000000077E0000-0x0000000007D84000-memory.dmp

Filesize
5.6MB

Download
memory/2968-31-0x0000000007330000-0x00000000073C2000-memory.dmp

Filesize
584KB

Download
memory/2968-32-0x0000000002760000-0x000000000276A000-memory.dmp

Filesize
40KB

Download
memory/2968-33-0x00000000083B0000-0x00000000089C8000-memory.dmp

Filesize
6.1MB

Download
memory/2968-34-0x0000000007D90000-0x0000000007E9A000-memory.dmp

Filesize
1.0MB

Download
memory/2968-35-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/2968-36-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/2968-37-0x0000000007760000-0x00000000077AC000-memory.dmp

Filesize
304KB

Download