mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
Size

1.5MB
MD5

8fde3216e73d756d94ba8e15320501fa
SHA1

247978fa6f3bb3f35054d83b48d7a9c53d32e85c
SHA256

e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1
SHA512

2ef546b5120aa44843ba0333082306f818bed77c64a274eeabb26a0e1f020016eedddcc0cdb074caf08c0d236ebe3ae17fc6e6c0e188e3d221c307a5a3e3731e
SSDEEP

24576:NyFZjHfm47W10kxzv7SDFyMr8JC0dzCHDRwTeFq9HA7Yxm5NPwl:ozjHfm4aTxzv7SYcMASTaQxm5NI

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/2872-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/2872-40-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral17/memory/2872-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xt303sh.exe	family_redline
behavioral17/memory/1944-42-0x00000000006C0000-0x00000000006FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

hM8MO0HH.exeTV0Xa7Bv.exeBg7ip6MY.exeJM7zm1Od.exe1pZ36YP1.exe2xt303sh.exe

pid process

2540 hM8MO0HH.exe
5016 TV0Xa7Bv.exe
3908 Bg7ip6MY.exe
2772 JM7zm1Od.exe
3252 1pZ36YP1.exe
1944 2xt303sh.exe

pid	process
2540	hM8MO0HH.exe
5016	TV0Xa7Bv.exe
3908	Bg7ip6MY.exe
2772	JM7zm1Od.exe
3252	1pZ36YP1.exe
1944	2xt303sh.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TV0Xa7Bv.exeBg7ip6MY.exeJM7zm1Od.exee52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exehM8MO0HH.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TV0Xa7Bv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Bg7ip6MY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	JM7zm1Od.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hM8MO0HH.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1pZ36YP1.exe

description pid process target process

PID 3252 set thread context of 2872 3252 1pZ36YP1.exe AppLaunch.exe

description	pid	process	target process
PID 3252 set thread context of 2872	3252	1pZ36YP1.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exehM8MO0HH.exeTV0Xa7Bv.exeBg7ip6MY.exeJM7zm1Od.exe1pZ36YP1.exe

description	pid	process	target process
PID 4984 wrote to memory of 2540	4984	e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe	hM8MO0HH.exe
PID 4984 wrote to memory of 2540	4984	e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe	hM8MO0HH.exe
PID 4984 wrote to memory of 2540	4984	e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe	hM8MO0HH.exe
PID 2540 wrote to memory of 5016	2540	hM8MO0HH.exe	TV0Xa7Bv.exe
PID 2540 wrote to memory of 5016	2540	hM8MO0HH.exe	TV0Xa7Bv.exe
PID 2540 wrote to memory of 5016	2540	hM8MO0HH.exe	TV0Xa7Bv.exe
PID 5016 wrote to memory of 3908	5016	TV0Xa7Bv.exe	Bg7ip6MY.exe
PID 5016 wrote to memory of 3908	5016	TV0Xa7Bv.exe	Bg7ip6MY.exe
PID 5016 wrote to memory of 3908	5016	TV0Xa7Bv.exe	Bg7ip6MY.exe
PID 3908 wrote to memory of 2772	3908	Bg7ip6MY.exe	JM7zm1Od.exe
PID 3908 wrote to memory of 2772	3908	Bg7ip6MY.exe	JM7zm1Od.exe
PID 3908 wrote to memory of 2772	3908	Bg7ip6MY.exe	JM7zm1Od.exe
PID 2772 wrote to memory of 3252	2772	JM7zm1Od.exe	1pZ36YP1.exe
PID 2772 wrote to memory of 3252	2772	JM7zm1Od.exe	1pZ36YP1.exe
PID 2772 wrote to memory of 3252	2772	JM7zm1Od.exe	1pZ36YP1.exe
PID 3252 wrote to memory of 1436	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 1436	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 1436	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 3252 wrote to memory of 2872	3252	1pZ36YP1.exe	AppLaunch.exe
PID 2772 wrote to memory of 1944	2772	JM7zm1Od.exe	2xt303sh.exe
PID 2772 wrote to memory of 1944	2772	JM7zm1Od.exe	2xt303sh.exe
PID 2772 wrote to memory of 1944	2772	JM7zm1Od.exe	2xt303sh.exe

C:\Users\Admin\AppData\Local\Temp\e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
"C:\Users\Admin\AppData\Local\Temp\e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM8MO0HH.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM8MO0HH.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV0Xa7Bv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV0Xa7Bv.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bg7ip6MY.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bg7ip6MY.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JM7zm1Od.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JM7zm1Od.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pZ36YP1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pZ36YP1.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xt303sh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xt303sh.exe
6⤵
- Executes dropped EXE
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hM8MO0HH.exe
Filesize
1.3MB

MD5
1c0d9af819cf3897dba318dfdd3f2144

SHA1
de965fc89f14faff830011170e9907ac404941ee

SHA256
84b80038724ed8b3b0a2c4d4ab9f8ff63f6cafda1ed0501aa62b12ee3e21a141

SHA512
bf116742ec44216191670877703b8ae86ff54267d794ad68e3bc5d5b5c2e9ab7d57c4ce44c33e5bcf3c48bbca7987046a40d32a6d48fb51f7b9ff79361335a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV0Xa7Bv.exe
Filesize
1.2MB

MD5
61e454b7082a71aa961ae347e18f7ace

SHA1
4034c83996f018e6f61fbfc55f908c7b27360223

SHA256
f41f53cdc3886c1309baa7fdf6abf4ba4451c975d88aeb61d53066cdecf7160e

SHA512
0a73f7f274e544ee1727cc3ffef900b6344ef4113461226f9cea6a870f71a1aefb4febb5c5aa855bd76989e166ebf9f8b0a70afd033359721bea125becdc6dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Bg7ip6MY.exe
Filesize
761KB

MD5
ddb027bd044817d47ab24044373323c5

SHA1
51b220bacd81d1e6e007941fb7cd9e6fd49c1b7b

SHA256
25333906f25486771d7c537a3530aeffeb64792729fe713bd1c4d2f5dc6b44cd

SHA512
90d20a58f498b2e69706fc767ce9cbf4ff5a3791ead3dbd76fc57c8a79c5c031a8ca97eaa13e0dcb961622e49ead3965c80df8d3416d4a7541bc066bc8d2b3f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JM7zm1Od.exe
Filesize
565KB

MD5
b74cfc0a0207c582921e896638d0741f

SHA1
61a4550862c494d7051dd2b4af093df37b4d59e6

SHA256
2bd117e1a78c5f98156f91a4aa479de25795d26f21bd9780bdb981c373a0238a

SHA512
e904c8c659a31fe189a3818fc1e5f5a02ec8d6701c2795b6461ebababa2e227a86493e0f7268d1fdbdbd5aa48ff5d8944f9eb8dbed1d9dcf759a256ad388f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pZ36YP1.exe
Filesize
1.1MB

MD5
35675cf37bd56208a02fef8ca5ef9ae6

SHA1
cf4698b94a76490f3bad33806f3596b7909fe5ac

SHA256
726c63af44686aa39f64a6af8916bb7cb226be2882b8c1c81941305b597887aa

SHA512
f0d8013ab8ffd6667bcaa34391e80250f34f25d8a6872a2d20084b092b0fe8002f261001fa25876ecb6dd2ba7b2e25cba292e1b74282b3c3b0f36072c4b00f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xt303sh.exe
Filesize
221KB

MD5
1d2cb41ec32c0bd63299dc264427f10c

SHA1
cac5b6f4b6f6470b39874a55bad9f95eb3e7b4ee

SHA256
29cdc6560875c26c691b5f34244d4d52c4c12c5150e64abac0c2f2206623fb84

SHA512
1815588ae3f5aeb4ab780d53a028a895a97ad08cde91f946db68a3e8c14f4907d2b98866f9b67839a6331c6a871640751bbb1db040d3492fee4e93e4be5c3351

Download Submit
memory/1944-45-0x0000000004A60000-0x0000000004A6A000-memory.dmp

Filesize
40KB

Download
memory/1944-42-0x00000000006C0000-0x00000000006FE000-memory.dmp

Filesize
248KB

Download
memory/1944-43-0x00000000079E0000-0x0000000007F84000-memory.dmp

Filesize
5.6MB

Download
memory/1944-44-0x00000000074D0000-0x0000000007562000-memory.dmp

Filesize
584KB

Download
memory/1944-46-0x00000000085B0000-0x0000000008BC8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-47-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/1944-48-0x00000000076B0000-0x00000000076C2000-memory.dmp

Filesize
72KB

Download
memory/1944-49-0x0000000007840000-0x000000000787C000-memory.dmp

Filesize
240KB

Download
memory/1944-50-0x0000000007880000-0x00000000078CC000-memory.dmp

Filesize
304KB

Download
memory/2872-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download