mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
137s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe
Size

1.5MB
MD5

fe3fd68024dd5be5908f425eda17b034
SHA1

6856965d9651bd4970c3f4ca1be34913d43ae88f
SHA256

9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296
SHA512

fafe21586377d4181b4ffe6d2b31c0ed4f6de866ca375da28d49b75e4599924b410f74be907683e9b3ad2129f3bf0940a591af29fcb86521771ca9e896177366
SSDEEP

24576:xyL7EvC4xauMWNWNmVq0FFiAIqHBHufJDwTqbaaJiWJ9KM0mhIUgRwg+plfbWUgj:kLI1ZMWNWNsixqHBHufJFaaJipDmhE+m

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral11/memory/928-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral11/memory/928-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral11/memory/928-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral11/files/0x0007000000023447-40.dat	family_redline
behavioral11/memory/6132-42-0x00000000002D0000-0x000000000030E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4712	Ej5ue1yl.exe
3292	vW4up9ZY.exe
5648	gY7Xv1rg.exe
5116	ZN0ZE5uT.exe
2732	1Ep59OD9.exe
6132	2ho762xL.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vW4up9ZY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gY7Xv1rg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ZN0ZE5uT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Ej5ue1yl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 928	2732	1Ep59OD9.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3836	2732	WerFault.exe	87

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 4712	2188	9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe	82
PID 2188 wrote to memory of 4712	2188	9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe	82
PID 2188 wrote to memory of 4712	2188	9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe	82
PID 4712 wrote to memory of 3292	4712	Ej5ue1yl.exe	83
PID 4712 wrote to memory of 3292	4712	Ej5ue1yl.exe	83
PID 4712 wrote to memory of 3292	4712	Ej5ue1yl.exe	83
PID 3292 wrote to memory of 5648	3292	vW4up9ZY.exe	85
PID 3292 wrote to memory of 5648	3292	vW4up9ZY.exe	85
PID 3292 wrote to memory of 5648	3292	vW4up9ZY.exe	85
PID 5648 wrote to memory of 5116	5648	gY7Xv1rg.exe	86
PID 5648 wrote to memory of 5116	5648	gY7Xv1rg.exe	86
PID 5648 wrote to memory of 5116	5648	gY7Xv1rg.exe	86
PID 5116 wrote to memory of 2732	5116	ZN0ZE5uT.exe	87
PID 5116 wrote to memory of 2732	5116	ZN0ZE5uT.exe	87
PID 5116 wrote to memory of 2732	5116	ZN0ZE5uT.exe	87
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 2732 wrote to memory of 928	2732	1Ep59OD9.exe	90
PID 5116 wrote to memory of 6132	5116	ZN0ZE5uT.exe	94
PID 5116 wrote to memory of 6132	5116	ZN0ZE5uT.exe	94
PID 5116 wrote to memory of 6132	5116	ZN0ZE5uT.exe	94

C:\Users\Admin\AppData\Local\Temp\9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe
"C:\Users\Admin\AppData\Local\Temp\9270cb48ef49ae030430c2bd7e18a87fbd6d168cbe4d15f9e272f075b605d296.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ej5ue1yl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ej5ue1yl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vW4up9ZY.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vW4up9ZY.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gY7Xv1rg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gY7Xv1rg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZN0ZE5uT.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZN0ZE5uT.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ep59OD9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ep59OD9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 564
        7⤵
        Program crash
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ho762xL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ho762xL.exe
        6⤵
        Executes dropped EXE
        
        PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2732 -ip 2732
1⤵
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ej5ue1yl.exe

Filesize
1.3MB

MD5
f360ff9945205a7aa813570b0dab5b01

SHA1
0b90d442120f2db841b6ea1dac81f5ccf4611977

SHA256
836f1604f861ec6d139045bac1ecdf2260a366e84c9e26408399f8c1b319b056

SHA512
15d2dfad0cdcbc114abec7d8a197a57609a03d3cf2f60cb8cd9116766679fe6ca3d9ecb3941e3c87ae65c85ceb51d7b26b6e4817af9edb2502b96861ff7db154

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vW4up9ZY.exe

Filesize
1.2MB

MD5
075cb28d347bb8a04ebc57eee40bf93d

SHA1
547007817bcc7e2b5aa307f36893a81b73fdc4f3

SHA256
ef07177b865d965b0eb81e8319f853aa699e4f618f4581b215f1bb432aec7d31

SHA512
0bb49a71156469d33b11606608e32f899c0fafcd27cbb0b89d66e306dae4d195d6b7ebde288b0f040e04646f2ea057b4efd07fc38331d05465f307b501847b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gY7Xv1rg.exe

Filesize
763KB

MD5
12d1a5c50774eefd4d34523af10e83bc

SHA1
ea9cd736a948680364dc041423da83e599d482a4

SHA256
313457b2359d7df1b778ce253a7473dfc6794c7931933c30aecc3fe72407c10b

SHA512
e4616ea8d7850f6509fbc2b628a6691c77113d5247fdc2279bb964ee6d395cb403aa2edd299587dbaedbf9a202075a238343ead7d14a5571fec37eb44c5fed5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZN0ZE5uT.exe

Filesize
566KB

MD5
084c5acadac95a4630610a9037030da5

SHA1
e2fef2da7aa8003bb873bf085974bfe24279097e

SHA256
2b8b0d32a65d19717baae28cc0964e132c9bcfaea0ef3d5c00f48ed4ce79741a

SHA512
53750ed046707525de8de5ce44848bb4a7c4bd46a64f75f5f17cea36ee9e7791066b9c3b81be2159c4a4a23541ce14694337d65e9dcd5d46dff16de9664a22c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ep59OD9.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2ho762xL.exe

Filesize
222KB

MD5
f5ecf747328f6ae62e3186a62a04ce48

SHA1
2d59858b8fc49aa56bfb132abcfdcd06e0c290ab

SHA256
245f23eb091b083038df5685ed7f5a4dc0fde67ea212a90cb559c0e90a3abdc5

SHA512
6a2cf674d233d75ebc31247571241b64e074ace26586652f5810d440069bb92cd88071fa3af57181150ce01fe6ed54fde4136912d5b0e424e95f249d7f0806a2

Download Submit
memory/928-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/928-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/6132-42-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/6132-43-0x0000000007570000-0x0000000007B14000-memory.dmp

Filesize
5.6MB

Download
memory/6132-44-0x00000000070A0000-0x0000000007132000-memory.dmp

Filesize
584KB

Download
memory/6132-45-0x0000000004670000-0x000000000467A000-memory.dmp

Filesize
40KB

Download
memory/6132-46-0x0000000008140000-0x0000000008758000-memory.dmp

Filesize
6.1MB

Download
memory/6132-49-0x00000000071E0000-0x000000000721C000-memory.dmp

Filesize
240KB

Download
memory/6132-48-0x0000000007180000-0x0000000007192000-memory.dmp

Filesize
72KB

Download
memory/6132-50-0x0000000007320000-0x000000000736C000-memory.dmp

Filesize
304KB

Download
memory/6132-47-0x0000000007B20000-0x0000000007C2A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads