mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe
Size

1.5MB
MD5

61e04eb078ed0e96fc2a097335c3634e
SHA1

b98a488dc86eb0314665ae372a71ad0b8d345b34
SHA256

f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916
SHA512

1c6654ded80c7fd95c829259f0f08d35a0a4d4f6456454cc0f0989adfd342b92eac1b89e43e9c37658674c4f567373d154db925955779eb9fb5dbd0260af54db
SSDEEP

24576:nUymkWGEDMu+H/8/BGOnfQiUUSj5AW83bOxRbx4Yk+lHyF+k7w:jDWnDMu+H/YBGyQinC563bOxRbxdBW+y

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral21/memory/1240-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral21/memory/1240-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral21/memory/1240-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral21/files/0x0007000000023458-41.dat	family_redline
behavioral21/memory/868-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4228	RJ7EI2Kt.exe
4508	vx0ak1mw.exe
3992	VZ7Uv8Gk.exe
1676	eD6je2CL.exe
888	1uU34qo9.exe
868	2kU870bD.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	RJ7EI2Kt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vx0ak1mw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	VZ7Uv8Gk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	eD6je2CL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 1240	888	1uU34qo9.exe	97

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4228	3956	f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe	83
PID 3956 wrote to memory of 4228	3956	f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe	83
PID 3956 wrote to memory of 4228	3956	f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe	83
PID 4228 wrote to memory of 4508	4228	RJ7EI2Kt.exe	84
PID 4228 wrote to memory of 4508	4228	RJ7EI2Kt.exe	84
PID 4228 wrote to memory of 4508	4228	RJ7EI2Kt.exe	84
PID 4508 wrote to memory of 3992	4508	vx0ak1mw.exe	85
PID 4508 wrote to memory of 3992	4508	vx0ak1mw.exe	85
PID 4508 wrote to memory of 3992	4508	vx0ak1mw.exe	85
PID 3992 wrote to memory of 1676	3992	VZ7Uv8Gk.exe	86
PID 3992 wrote to memory of 1676	3992	VZ7Uv8Gk.exe	86
PID 3992 wrote to memory of 1676	3992	VZ7Uv8Gk.exe	86
PID 1676 wrote to memory of 888	1676	eD6je2CL.exe	87
PID 1676 wrote to memory of 888	1676	eD6je2CL.exe	87
PID 1676 wrote to memory of 888	1676	eD6je2CL.exe	87
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 888 wrote to memory of 1240	888	1uU34qo9.exe	97
PID 1676 wrote to memory of 868	1676	eD6je2CL.exe	98
PID 1676 wrote to memory of 868	1676	eD6je2CL.exe	98
PID 1676 wrote to memory of 868	1676	eD6je2CL.exe	98

C:\Users\Admin\AppData\Local\Temp\f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe
"C:\Users\Admin\AppData\Local\Temp\f8f22cd34cb4e25f9de8ac7d851976b70c81c9f756ba7be65cd8408823b8e916.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ7EI2Kt.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ7EI2Kt.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx0ak1mw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx0ak1mw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VZ7Uv8Gk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VZ7Uv8Gk.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eD6je2CL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eD6je2CL.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uU34qo9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uU34qo9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1240
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kU870bD.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kU870bD.exe
        6⤵
        Executes dropped EXE
        
        PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RJ7EI2Kt.exe

Filesize
1.3MB

MD5
e27b3a567465e512a3b4fce128c2e045

SHA1
0e96a387eebe5683eaa1d116fccb230471eeb0cc

SHA256
f0a8f17dea18b175a0c667be5d896291f666ac7980f7a40f9ec75a4fc60ea8be

SHA512
51994c6108ce5ddb4bdd6ae027c066bfbb2b15f1f64ef21d331621e6a0eb2b0618d0a39c655f377489961f97a65817ac116461a827457dec3a0b8e5a7dbc2861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vx0ak1mw.exe

Filesize
1.2MB

MD5
e2ca39b3fc484e256871c7e64d25bc9d

SHA1
80e65b78eb859de1a974b355336c7a493e7c9c87

SHA256
31e64046f1c15da6458b55914d42d6dd5c01d042904e611182b2cc7b9f7ab22c

SHA512
16bc8e246e32bd2768bad1fa1d716397984bf59661692edc4ef49e6101c5068b4f5e38d01907331d3eb385dc64cbdb9fdc33200533d484daf3ab8ba5518e464e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VZ7Uv8Gk.exe

Filesize
761KB

MD5
57b20529d7f76ce9adb9a25e8a26edf6

SHA1
749b931102219e6e12d4c1ed16f4668e379a2ad7

SHA256
ad6c1d56a84ae48eb2acfb2973f583b0d27e82a888af258d804ab529c36b1a85

SHA512
ddd77a403a6975fed28a9611e9edfc6c612cb49d87144e563dbddba5b47f737c1bea9f560ba1fd985b16c6c02cafc9d6f7104916c521e577885cc0b4cb7cd752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eD6je2CL.exe

Filesize
565KB

MD5
51e6549d9eb54c1dcad7e86d137b20c8

SHA1
acaae6388a3977d9342bce73c7ffab606af79488

SHA256
9bd4dd70136551b7f9322ccebc72fca2d3f8357e3785e7abc9e429824cf0f17e

SHA512
45a411b60509129c911ecc9cab4b6d9d662d07413a03d58eaa801a8a01f08a7c210d2c0460c740a75c56768909329204569771a5b292af3c5d5f56a1e21b20da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1uU34qo9.exe

Filesize
1.1MB

MD5
481429fac3dec037f7a61552633ae565

SHA1
6dcde270327e662ff674f742f8d10e4f9c38ddb0

SHA256
4395965be03968e3e657473d446b3abea9963aae1241e37d5a3a374933cafd33

SHA512
bf1d5c5db7e119937d8fd063c38f012852dde531c0d31d89aa8fe348e8a02ca0f52c8cd9c55e268c5d3a69ba3658be65b30d300383d39f08509079a1fbe4ca09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kU870bD.exe

Filesize
221KB

MD5
d075d2724e86c8cd928a8305a846a1b8

SHA1
d68bbe4b84a1b67a08953d6c19be5b06a8ae7d35

SHA256
367259bbbf6a67b124962897252bb65d8378ca575a756b893d241f24099c3926

SHA512
f2a255daae5aa56bd30f7cc6adc52d152f53fa7584e574dfda57d5ec84372d7db4320e55b112f3bde8dd7557c77c4e5a77ca5e2c49f6653721a048d8cb9830ac

Download Submit
memory/868-45-0x0000000002C80000-0x0000000002C8A000-memory.dmp

Filesize
40KB

Download
memory/868-44-0x0000000007830000-0x00000000078C2000-memory.dmp

Filesize
584KB

Download
memory/868-43-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/868-42-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Filesize
248KB

Download
memory/868-46-0x0000000008910000-0x0000000008F28000-memory.dmp

Filesize
6.1MB

Download
memory/868-49-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

Filesize
240KB

Download
memory/868-48-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download
memory/868-47-0x0000000007BB0000-0x0000000007CBA000-memory.dmp

Filesize
1.0MB

Download
memory/868-50-0x0000000007940000-0x000000000798C000-memory.dmp

Filesize
304KB

Download
memory/1240-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1240-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads