mystic | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe
Size

756KB
MD5

60c078db5342b504d0f5d0983824a0b2
SHA1

8151eb0747f8f4902bdf7ddb288f530ed57ab26f
SHA256

545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8
SHA512

faee353e621779166a8e91bca06e8e05f919375fe3cff142e0f7a58f2a9bba738a7f81a7ce7d65adecced952b0645f9661b10a1046924a8587a36aec7881ffe3
SSDEEP

12288:kMr5y90DWI7C6LGHKHrvElVc1q7eTBplfXISkC1ghjKc1AHEjBz:VyOWhyLvoy18eV/fXpOJF

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral10/memory/1624-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/1624-20-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/1624-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/1624-17-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x0007000000023417-16.dat	family_redline
behavioral10/memory/3216-22-0x0000000000D20000-0x0000000000D5E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4036	sb9vA1Kv.exe
2724	1vF77Aw3.exe
3216	2Dt455GS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sb9vA1Kv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2724 set thread context of 1624	2724	1vF77Aw3.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	1624	WerFault.exe	90

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4036	5040	545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe	83
PID 5040 wrote to memory of 4036	5040	545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe	83
PID 5040 wrote to memory of 4036	5040	545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe	83
PID 4036 wrote to memory of 2724	4036	sb9vA1Kv.exe	84
PID 4036 wrote to memory of 2724	4036	sb9vA1Kv.exe	84
PID 4036 wrote to memory of 2724	4036	sb9vA1Kv.exe	84
PID 2724 wrote to memory of 3168	2724	1vF77Aw3.exe	88
PID 2724 wrote to memory of 3168	2724	1vF77Aw3.exe	88
PID 2724 wrote to memory of 3168	2724	1vF77Aw3.exe	88
PID 2724 wrote to memory of 2428	2724	1vF77Aw3.exe	89
PID 2724 wrote to memory of 2428	2724	1vF77Aw3.exe	89
PID 2724 wrote to memory of 2428	2724	1vF77Aw3.exe	89
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 2724 wrote to memory of 1624	2724	1vF77Aw3.exe	90
PID 4036 wrote to memory of 3216	4036	sb9vA1Kv.exe	91
PID 4036 wrote to memory of 3216	4036	sb9vA1Kv.exe	91
PID 4036 wrote to memory of 3216	4036	sb9vA1Kv.exe	91

C:\Users\Admin\AppData\Local\Temp\545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe
"C:\Users\Admin\AppData\Local\Temp\545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb9vA1Kv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb9vA1Kv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vF77Aw3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vF77Aw3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 204
        5⤵
        Program crash
        
        PID:4844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Dt455GS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Dt455GS.exe
    3⤵
    - Executes dropped EXE
    PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
1⤵
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sb9vA1Kv.exe

Filesize
560KB

MD5
1be00e9c6fee35eb79e2c2984573bb17

SHA1
99c0596be5a3a6fd53fbd758ca8fd53ea41f86e1

SHA256
6881a0e1f0c03257486e4dd058a33e97462ed4accb2629aaa8167540e58129e3

SHA512
7c6119e6a6f12e9e62111348fa9192098a962b9f5ce9b0dc188611d834db15dfe295f5a840c0279c713eb36456781cef75a0378f3937b11bf030efe27932849e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1vF77Aw3.exe

Filesize
1.0MB

MD5
5bfbb47534848bd6fbc0550a63e71756

SHA1
5e748541f656becaaef452b1591b4f39b44592e2

SHA256
f2b338792ff5ab3fd9e513d5ce8899482927efb5c89e9163ce1956007dd561b5

SHA512
3230eb6f9c2dc22158e8908dc34b69a82f6901c28b22c1d1104dfd1438403abd6db2dc1502cdd63ffaa227dd131928a3619d92bc7ee07cdf443481a8eb9e3794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Dt455GS.exe

Filesize
222KB

MD5
6ecca75ad65251a208bc7c30e4eabf5c

SHA1
f39be3e9b4d1a4703ff9acfc49e5cc26e73e0e46

SHA256
e7bd5aed256aeca8d9d889675c63e114bb5ee241da683af8f62a8bd144aa830e

SHA512
4b55083db44976f1d96984904711d8d97b9eed9659af76eb0cdfccbcdcec93a6d5aa6dbd929283f762282e6201fd809dd94f197a1726d6f5c626dcc768b621c8

Download Submit
memory/1624-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1624-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3216-23-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download
memory/3216-22-0x0000000000D20000-0x0000000000D5E000-memory.dmp

Filesize
248KB

Download
memory/3216-24-0x0000000007BE0000-0x0000000007C72000-memory.dmp

Filesize
584KB

Download
memory/3216-25-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/3216-26-0x0000000008C80000-0x0000000009298000-memory.dmp

Filesize
6.1MB

Download
memory/3216-27-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/3216-28-0x0000000007E20000-0x0000000007E32000-memory.dmp

Filesize
72KB

Download
memory/3216-29-0x0000000007E80000-0x0000000007EBC000-memory.dmp

Filesize
240KB

Download
memory/3216-30-0x0000000007EC0000-0x0000000007F0C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads