mystic | ac90002ec144a6c8c89c45137265a202aeef6b583cef01223b622e10b4c4b797

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe
Size

1.3MB
MD5

d87222c75e0b7ee1154795ba46999ae0
SHA1

fea22aae1a7637d583c6065d68b8120e52db1b39
SHA256

cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3
SHA512

557c7d266abaf8dcd13fcb15a3cb69c6defdb83a821a5b2556f6dd136723910c1ee7e87b558f8441a4f813f689be28923455e0c7418c5e1da7e1687035e54377
SSDEEP

24576:qy8KbW9vlamXzWNS17TMbbR1a5l5pNAfRVybAJxTMVI9MtX:x8f8mh7TIRo5BCRQ4

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/2004-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral19/memory/2004-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral19/memory/2004-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023460-34.dat	family_redline
behavioral19/memory/2136-35-0x0000000000470000-0x00000000004AE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1652	TQ9xw8oP.exe
4252	VR1kk6Oz.exe
4244	GS4RY1HD.exe
3692	1tw74TE0.exe
2136	2dY059kF.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	VR1kk6Oz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	GS4RY1HD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TQ9xw8oP.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 2004	3692	1tw74TE0.exe	92

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2308	3692	WerFault.exe	88

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1652	3328	cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe	85
PID 3328 wrote to memory of 1652	3328	cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe	85
PID 3328 wrote to memory of 1652	3328	cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe	85
PID 1652 wrote to memory of 4252	1652	TQ9xw8oP.exe	86
PID 1652 wrote to memory of 4252	1652	TQ9xw8oP.exe	86
PID 1652 wrote to memory of 4252	1652	TQ9xw8oP.exe	86
PID 4252 wrote to memory of 4244	4252	VR1kk6Oz.exe	87
PID 4252 wrote to memory of 4244	4252	VR1kk6Oz.exe	87
PID 4252 wrote to memory of 4244	4252	VR1kk6Oz.exe	87
PID 4244 wrote to memory of 3692	4244	GS4RY1HD.exe	88
PID 4244 wrote to memory of 3692	4244	GS4RY1HD.exe	88
PID 4244 wrote to memory of 3692	4244	GS4RY1HD.exe	88
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 3692 wrote to memory of 2004	3692	1tw74TE0.exe	92
PID 4244 wrote to memory of 2136	4244	GS4RY1HD.exe	96
PID 4244 wrote to memory of 2136	4244	GS4RY1HD.exe	96
PID 4244 wrote to memory of 2136	4244	GS4RY1HD.exe	96

C:\Users\Admin\AppData\Local\Temp\cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe
"C:\Users\Admin\AppData\Local\Temp\cfb7a03beaf7d7fc86e7d64b823645be27b3ae8e9fada6e93ba232a6916307b3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9xw8oP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9xw8oP.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR1kk6Oz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR1kk6Oz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GS4RY1HD.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GS4RY1HD.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tw74TE0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tw74TE0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 576
        6⤵
        Program crash
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2dY059kF.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2dY059kF.exe
        5⤵
        Executes dropped EXE
        
        PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3692 -ip 3692
1⤵
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ9xw8oP.exe

Filesize
1.2MB

MD5
99b668d67c0eea205d55da84481144fa

SHA1
fd1bdbb03c0b1cf6366a7a74d48379c4706ccc9f

SHA256
bddf201c67dd6090f0a44e9cb09d3aefeef4dd346face09a221f5cd754c79c9f

SHA512
485b3f960377edf9501bb25e9bec3ef90b73eb7b3ef43d627307f139e674e103a0c5619b05175811ef925b4a0a55086c53495bb1c7288a0186ecb91e542b9aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VR1kk6Oz.exe

Filesize
763KB

MD5
0231681c862302d5b341a57ee944e75a

SHA1
2a1524923e8c986513e2bc2b1eabc45900f4f8ed

SHA256
88490da92a374a01e4c7ad663a05664a44471d79a68b9462709595a7266db6f7

SHA512
2ed9378d671f054fb7d4c9d50b1931c552ce6fbb410af09d6ba3a39eae3f7fde1b5e98594ed6565d83f6cde3b960734f9cd87e1d947ffc6239cd55c1040c0555

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GS4RY1HD.exe

Filesize
566KB

MD5
cf5b9b197b7e4b5d408fb8b5cb8af72b

SHA1
19cb0123f99b07bbf45bb621ed12d7e3a984fa09

SHA256
f1970b53064235bc384526bb503d8b005661181683c1dfa51b292fa915bded76

SHA512
f40adaa30ba4313620516e242918bc0c50d8be73a11cbeff1f5f20fc14721b304d176ae8c0b85e028742edf841cabf066e02118c3fede8736a237e5985d27511

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1tw74TE0.exe

Filesize
1.1MB

MD5
867e598165335f3fc082b6cc46d8631c

SHA1
3e764ed093d916dee0699f96e7f12619eace1e52

SHA256
d178feb501b68a5b6f0783f4ce6e08bd87615e6bea357558f27685e2fe08b5ba

SHA512
dcf0b83c99219b99d925eb92af41ffb9431e3c2a3ca0ec6dc326c50587383e8bd431787e79467b254f9f9af81a116c82f1dc04784a7674b35c0e552745cff9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2dY059kF.exe

Filesize
222KB

MD5
6eff6d7934195282e8ea0682567af89a

SHA1
c28c9cec248750a42fce4606430ae46067735c94

SHA256
5bcb2c2dba60a6d521f6359c8c7655a8ea64a7fc12c1e59c4214f0318638365e

SHA512
190766fb60f52a6ffd159712425b8c2647fe9bfa0ce8da2063638fd1e06b393826d9c31c80c92336c611388b7177ecac59965a279d78a6aaee21e9a6afe06d18

Download Submit
memory/2004-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-35-0x0000000000470000-0x00000000004AE000-memory.dmp

Filesize
248KB

Download
memory/2136-37-0x0000000007340000-0x00000000073D2000-memory.dmp

Filesize
584KB

Download
memory/2136-36-0x0000000007850000-0x0000000007DF4000-memory.dmp

Filesize
5.6MB

Download
memory/2136-38-0x0000000002790000-0x000000000279A000-memory.dmp

Filesize
40KB

Download
memory/2136-39-0x0000000008420000-0x0000000008A38000-memory.dmp

Filesize
6.1MB

Download
memory/2136-40-0x0000000007680000-0x000000000778A000-memory.dmp

Filesize
1.0MB

Download
memory/2136-42-0x00000000075C0000-0x00000000075FC000-memory.dmp

Filesize
240KB

Download
memory/2136-41-0x0000000007560000-0x0000000007572000-memory.dmp

Filesize
72KB

Download
memory/2136-43-0x0000000007600000-0x000000000764C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads