mystic | 8f7ecfcea350d8e91e6bb9083833f37b57aa78d15022b68c407055e2463bd982

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
Size

758KB
MD5

e5b6df1e49aa76560da57cbe8824d952
SHA1

126481033c7d6ae68352cba3199b045c9e1f37a8
SHA256

ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e
SHA512

18cea250d8b200f14a5f6e84732365429c43659a53a49e1126ad4de027600465739b45b987d4813deb85cdcb2bcb744fbdd48d6d8e400877bfabe79dc05cd373
SSDEEP

12288:KMr4y90NR5ht6Xs6zqRBEIYdIZU5bH+pOR4tG0+LczQaniPyjXQ6:6ycPwc62rEhoU9HkkTcQaiPqXR

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral18/memory/748-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/748-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/748-17-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/748-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oB155sa.exe	family_redline
behavioral18/memory/5080-22-0x00000000005E0000-0x000000000061E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Vs7zY4Bi.exe1Aw00nu7.exe2oB155sa.exe

pid process

2852 Vs7zY4Bi.exe
4732 1Aw00nu7.exe
5080 2oB155sa.exe

pid	process
2852	Vs7zY4Bi.exe
4732	1Aw00nu7.exe
5080	2oB155sa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exeVs7zY4Bi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Vs7zY4Bi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Aw00nu7.exe

description pid process target process

PID 4732 set thread context of 748 4732 1Aw00nu7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4636 748 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4732 set thread context of 748	4732	1Aw00nu7.exe	AppLaunch.exe

pid	pid_target	process	target process
4636	748	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exeVs7zY4Bi.exe1Aw00nu7.exe

description	pid	process	target process
PID 3352 wrote to memory of 2852	3352	ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe	Vs7zY4Bi.exe
PID 3352 wrote to memory of 2852	3352	ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe	Vs7zY4Bi.exe
PID 3352 wrote to memory of 2852	3352	ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe	Vs7zY4Bi.exe
PID 2852 wrote to memory of 4732	2852	Vs7zY4Bi.exe	1Aw00nu7.exe
PID 2852 wrote to memory of 4732	2852	Vs7zY4Bi.exe	1Aw00nu7.exe
PID 2852 wrote to memory of 4732	2852	Vs7zY4Bi.exe	1Aw00nu7.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 4732 wrote to memory of 748	4732	1Aw00nu7.exe	AppLaunch.exe
PID 2852 wrote to memory of 5080	2852	Vs7zY4Bi.exe	2oB155sa.exe
PID 2852 wrote to memory of 5080	2852	Vs7zY4Bi.exe	2oB155sa.exe
PID 2852 wrote to memory of 5080	2852	Vs7zY4Bi.exe	2oB155sa.exe

C:\Users\Admin\AppData\Local\Temp\ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
"C:\Users\Admin\AppData\Local\Temp\ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vs7zY4Bi.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vs7zY4Bi.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aw00nu7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aw00nu7.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 540
5⤵
- Program crash
PID:4636

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oB155sa.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oB155sa.exe
3⤵
- Executes dropped EXE
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 748 -ip 748
1⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vs7zY4Bi.exe
Filesize
561KB

MD5
29546f2aa741e5c56b4e77c987b9c0b4

SHA1
f9720c56baaf531ec212be04c03bf8eca1fa5959

SHA256
694c75e70e8c02f24f797282f1814080d51269da0bb2b1cbdf39c33543ab7790

SHA512
e27e6b4ef11f61a5a00cb25d55b99c02a5fc2c3bcf11e52c6b05fa9ed1e4538e5697ba830bb8a7ccce9e4449713785944c11edcb41df706c2959c9fe8e475233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Aw00nu7.exe
Filesize
1.1MB

MD5
9c8f9e3d1f24bfdcc701bb3dd6405f21

SHA1
cd9b6795dfd32620ead722ed054172605f0cc8bf

SHA256
26e12264ca4249474a04e0acb6f1d79546dc538c9f8f85401d2f6e16c3ee597c

SHA512
1d6c59f8224fad4ce5d2629e1c79c2e394d3c44140f5f40fa7e6342ab5d0e7bf0d78feefc3df789b75414ab7ed437231513694151156dff0583957a98eca616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2oB155sa.exe
Filesize
222KB

MD5
e5d1d21c42122a71644ffeab3dbf5768

SHA1
813a25061b52894c0dbceb83f75eb70930bd1456

SHA256
6aa09677e8dac8b55ab106e78e2ae8de43bdac2b5e2e581e3c173f35f9968e46

SHA512
9de95e01d4797fcac143de14e2ad9a89b8642cfb5053ffa35078c5566735e84ef3a6f81129bbcdaabb6fee024f4f23d0e2911abb38ac986eeaa69adf479c89f2

Download Submit
memory/748-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/748-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5080-23-0x0000000007A00000-0x0000000007FA4000-memory.dmp

Filesize
5.6MB

Download
memory/5080-22-0x00000000005E0000-0x000000000061E000-memory.dmp

Filesize
248KB

Download
memory/5080-24-0x0000000007450000-0x00000000074E2000-memory.dmp

Filesize
584KB

Download
memory/5080-25-0x0000000002A40000-0x0000000002A4A000-memory.dmp

Filesize
40KB

Download
memory/5080-26-0x00000000085D0000-0x0000000008BE8000-memory.dmp

Filesize
6.1MB

Download
memory/5080-27-0x00000000077C0000-0x00000000078CA000-memory.dmp

Filesize
1.0MB

Download
memory/5080-28-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/5080-29-0x0000000007530000-0x000000000756C000-memory.dmp

Filesize
240KB

Download
memory/5080-30-0x00000000076B0000-0x00000000076FC000-memory.dmp

Filesize
304KB

Download