mystic | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe
Size

1.5MB
MD5

769c5f3bb0882e4699008264e30d36a1
SHA1

6f723c5ab29eb3e7300d51f736c5be4f39cb0060
SHA256

62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc
SHA512

33a36445bca5c6afbb1fa03b88ebb932560c61966e3b9dc480e72f52775d49141c292221ecc403471dbaf891417cc10e6a821bc40cb4474075d5406d52141273
SSDEEP

24576:IyIFT2Rph5Zm9B6zpHDDI/hdhEIOTYRqpQy165616OKXwzxYlUdA1LZFPwi+Lmu:PIQp/Zm9B6zZDDU1EhlpQyR6OKAxlAZ4

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral10/memory/1916-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/1916-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/1916-37-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP180Ut.exe	family_redline
behavioral10/memory/1396-42-0x00000000002F0000-0x000000000032E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

yL6mK6eC.exeuI7fQ3nw.exeDw1FD8kU.exeUm9eq2GR.exe1je93UZ9.exe2CP180Ut.exe

pid process

3972 yL6mK6eC.exe
1268 uI7fQ3nw.exe
3536 Dw1FD8kU.exe
1420 Um9eq2GR.exe
2820 1je93UZ9.exe
1396 2CP180Ut.exe

pid	process
3972	yL6mK6eC.exe
1268	uI7fQ3nw.exe
3536	Dw1FD8kU.exe
1420	Um9eq2GR.exe
2820	1je93UZ9.exe
1396	2CP180Ut.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exeyL6mK6eC.exeuI7fQ3nw.exeDw1FD8kU.exeUm9eq2GR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yL6mK6eC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	uI7fQ3nw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Dw1FD8kU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Um9eq2GR.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1je93UZ9.exe

description pid process target process

PID 2820 set thread context of 1916 2820 1je93UZ9.exe AppLaunch.exe

description	pid	process	target process
PID 2820 set thread context of 1916	2820	1je93UZ9.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exeyL6mK6eC.exeuI7fQ3nw.exeDw1FD8kU.exeUm9eq2GR.exe1je93UZ9.exe

description	pid	process	target process
PID 4548 wrote to memory of 3972	4548	62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe	yL6mK6eC.exe
PID 4548 wrote to memory of 3972	4548	62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe	yL6mK6eC.exe
PID 4548 wrote to memory of 3972	4548	62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe	yL6mK6eC.exe
PID 3972 wrote to memory of 1268	3972	yL6mK6eC.exe	uI7fQ3nw.exe
PID 3972 wrote to memory of 1268	3972	yL6mK6eC.exe	uI7fQ3nw.exe
PID 3972 wrote to memory of 1268	3972	yL6mK6eC.exe	uI7fQ3nw.exe
PID 1268 wrote to memory of 3536	1268	uI7fQ3nw.exe	Dw1FD8kU.exe
PID 1268 wrote to memory of 3536	1268	uI7fQ3nw.exe	Dw1FD8kU.exe
PID 1268 wrote to memory of 3536	1268	uI7fQ3nw.exe	Dw1FD8kU.exe
PID 3536 wrote to memory of 1420	3536	Dw1FD8kU.exe	Um9eq2GR.exe
PID 3536 wrote to memory of 1420	3536	Dw1FD8kU.exe	Um9eq2GR.exe
PID 3536 wrote to memory of 1420	3536	Dw1FD8kU.exe	Um9eq2GR.exe
PID 1420 wrote to memory of 2820	1420	Um9eq2GR.exe	1je93UZ9.exe
PID 1420 wrote to memory of 2820	1420	Um9eq2GR.exe	1je93UZ9.exe
PID 1420 wrote to memory of 2820	1420	Um9eq2GR.exe	1je93UZ9.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 2820 wrote to memory of 1916	2820	1je93UZ9.exe	AppLaunch.exe
PID 1420 wrote to memory of 1396	1420	Um9eq2GR.exe	2CP180Ut.exe
PID 1420 wrote to memory of 1396	1420	Um9eq2GR.exe	2CP180Ut.exe
PID 1420 wrote to memory of 1396	1420	Um9eq2GR.exe	2CP180Ut.exe

C:\Users\Admin\AppData\Local\Temp\62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe
"C:\Users\Admin\AppData\Local\Temp\62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL6mK6eC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL6mK6eC.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uI7fQ3nw.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uI7fQ3nw.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dw1FD8kU.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dw1FD8kU.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3536

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Um9eq2GR.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Um9eq2GR.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1je93UZ9.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1je93UZ9.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP180Ut.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP180Ut.exe
6⤵
- Executes dropped EXE
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yL6mK6eC.exe
Filesize
1.3MB

MD5
b3fd5b950355c2ad92495f4fcca8ea39

SHA1
6fb6cbc37e3c05ee284e6f6087d08bef71338429

SHA256
7e78d2117bbf4a4a289abd4f79b22ba1ad5f1eb076e4a7cfaa060ab198ee690d

SHA512
0074527e076f95f19dff27e5101387c9dbaf4981e3df8284815360d9ccee16b5f2c52b75dd4e217e5cb5f63f191de6f8cfb1c69f85b4d57925b7019dbf49c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\uI7fQ3nw.exe
Filesize
1.2MB

MD5
61115dde23a6c9429dc7d8bbe162dde7

SHA1
30a13fda5c82d5d04a51871acae34ef977001809

SHA256
01cc79ab563e7d27b8eb4a730fa56539a2cb8b3b25b1506dec704668214a7b34

SHA512
3ae83e044bbb22803dcd814b6bef94bad414e99cefa55fc886840dbf39c7bacc7f85ec569a7a0b6ffb42f9fad42dd58797b26dd057c957ebffd1c46ad295bb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dw1FD8kU.exe
Filesize
761KB

MD5
17655ff6edc79587c9aa6ef99883c3e0

SHA1
a8720013b372cc43dacd1e6ecae922f5b5918f5f

SHA256
dc7d0d934c62e50f69a6aa060a20481c0b327a0632022ecf6c51e7ec8e7e4563

SHA512
e70c0c06c892ec53157bea6d2fa5af14a6abe4546545c129c8e55fa9ef1eaa73d8ed48fee7952055824c27094553b39488602cd520ea599333b89c49ed5b463a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Um9eq2GR.exe
Filesize
565KB

MD5
e2302329d01ae955795ede582273171b

SHA1
64fc3d0e5561cd176f4500b5326de0011cb3aed4

SHA256
46460c62434b8e25223b4179bf82d7043c55fc73758312cd9ac4657c0f8c81c1

SHA512
7bbebf6e8d17a15c934858cd707b0a5b5a39bec2e3e898a7c6f8d087beb21f1de384208832dd8b88709357b74073624ea3f4fa2981bed7b4c838a1040e147905

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1je93UZ9.exe
Filesize
1.1MB

MD5
18be64614949916f40acacb3c5cd9b02

SHA1
65b5332f7670a7ecd05c462c787998ed62efbb5f

SHA256
debfa1e1e3c98e309dbbc16c977a0c878f5e7815b0aa8049472ff0fde9d93408

SHA512
9c60e478c2c991ccd0749ad9400e72afc49e5f03938169d78d16ef5c04940f6f4bd07da12de68968dd7f67e70a537a35921d574ace0b984e6b7499d95da1e2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CP180Ut.exe
Filesize
222KB

MD5
e77ec6d6a200632655bba72e14b289d8

SHA1
3e164d4f6ff5b6b7d4b6a966624b879f57299325

SHA256
45b2b885c6d5616952fe2d1744cc0658fa59a36f36b2e1ef629e3cda99233a9a

SHA512
54723050d178c7ee60063921b837145e277cca144293684208cca3f9c2d86739d4a303c986297c892330e89e13fe0cc4b8479ef3a251c25c8d935bca5fff3e65

Download Submit
memory/1396-45-0x0000000004740000-0x000000000474A000-memory.dmp

Filesize
40KB

Download
memory/1396-42-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1396-43-0x0000000007690000-0x0000000007C34000-memory.dmp

Filesize
5.6MB

Download
memory/1396-44-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/1396-46-0x0000000008260000-0x0000000008878000-memory.dmp

Filesize
6.1MB

Download
memory/1396-47-0x0000000007510000-0x000000000761A000-memory.dmp

Filesize
1.0MB

Download
memory/1396-48-0x0000000007400000-0x0000000007412000-memory.dmp

Filesize
72KB

Download
memory/1396-49-0x0000000007460000-0x000000000749C000-memory.dmp

Filesize
240KB

Download
memory/1396-50-0x00000000074A0000-0x00000000074EC000-memory.dmp

Filesize
304KB

Download
memory/1916-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download