mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
Size

1.5MB
MD5

425c8308ba915888c763598588323ac2
SHA1

9410ce870c4ce520e471918f4aae9483b41c6b07
SHA256

92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85
SHA512

01ab83ce85b80e525c78b09b80092154fb7546340e848706e1ca2d4133b41e04725bbca849fa5c2c1e9eab4fbcf2a181e2eb86a7e8d5ec190f1caf25da3a7436
SSDEEP

24576:ZyRdA6tQPlsQxiyNcQwRZxDbV8Gubb2XY04aiWWcREuLBu1uAhzOkZ86+Hy:MRdAHlsQxiMwfRJ8Gkw4HtYBu1ucCy8n

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral13/memory/4932-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/4932-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral13/memory/4932-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x00070000000233e0-40.dat	family_redline
behavioral13/memory/2180-42-0x0000000000950000-0x000000000098E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4848	xM5zw6Ii.exe
3796	PD7nI5CD.exe
428	El2Fn6xo.exe
4340	zM0Xm0bU.exe
2140	1UM42uf1.exe
2180	2nV349DO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	PD7nI5CD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	El2Fn6xo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	zM0Xm0bU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xM5zw6Ii.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 4932	2140	1UM42uf1.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	82
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	82
PID 2932 wrote to memory of 4848	2932	92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe	82
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	83
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	83
PID 4848 wrote to memory of 3796	4848	xM5zw6Ii.exe	83
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	85
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	85
PID 3796 wrote to memory of 428	3796	PD7nI5CD.exe	85
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	87
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	87
PID 428 wrote to memory of 4340	428	El2Fn6xo.exe	87
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	88
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	88
PID 4340 wrote to memory of 2140	4340	zM0Xm0bU.exe	88
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 2140 wrote to memory of 4932	2140	1UM42uf1.exe	90
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	91
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	91
PID 4340 wrote to memory of 2180	4340	zM0Xm0bU.exe	91

C:\Users\Admin\AppData\Local\Temp\92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
"C:\Users\Admin\AppData\Local\Temp\92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe
        6⤵
        Executes dropped EXE
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xM5zw6Ii.exe

Filesize
1.3MB

MD5
e70923307d10721689c5561892f8c55f

SHA1
4e532bfdb5a295402a0bb47afa7f68b83550d723

SHA256
2d385a948fe63e837541d02d401177251cff9194d59b7e0c619264f0dab64b02

SHA512
cc868634491ea7e3cb69af41c37558017bc42ac843477a4db734188333871a3797d936ada11aa14abfe957b19fb3842f6daf85fd255a7af8470c610639aabbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PD7nI5CD.exe

Filesize
1.1MB

MD5
be53836db15b8dfc390ce7957889f3a4

SHA1
cb8e9bdb97b8b31dd476f91a7f26d43f96050237

SHA256
d092e25ae7bea9f604bd113798d663474f73dc51adc9b5a5d7eaa847f33dbe9b

SHA512
8f876faecab2e77065d5cf4b1c251723767ad0e8ced84f69bab34ca099848da4c42be46945abf77cd9e5a0858724ecd0828e8bbca4c3335dc7569b2aa342b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\El2Fn6xo.exe

Filesize
758KB

MD5
9e94ef1b931f68f722a69465756bbe30

SHA1
f32835ba07cd05bbc2311939ce3b4117f67f21ab

SHA256
c4250eab48d9405545214da261a19ccd6e3e4652a5bde20d9e585bf9e80f2201

SHA512
890469d459e8743b9dbda8b23cf140b4f650c3a6de8c8727f80fa0f776f95102c65d1d1f7076fb21a92c816ca090bae141e104ba1a6b8f6c4102355d45739b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zM0Xm0bU.exe

Filesize
562KB

MD5
bb4821e16408061fd669b608ba7914e6

SHA1
2a82f9a9d07bcec6d6a05514a492d6f58c9746f7

SHA256
730c808381a1f128a4f6f1004ea0156e2c76731f7cdb44781b8f2286024427a1

SHA512
7eafb112c9a36207ac01e99185474190334901d196f7fcdcc74f0a4d1e043e9a7aace065a3a46dbd4d854df8ba92593847a00a7517947b11c6df1d6c62144f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1UM42uf1.exe

Filesize
1.1MB

MD5
a07c046be4d31f27ce12d25923953f66

SHA1
f7647894a3eff651fd9b5c58bdef50dd753ac3f0

SHA256
b0de5b7b284346e3d289e11608df560463a4235371a357caba7500af40d6eca8

SHA512
1877bf0fc1a1d477cdeec7a06ead33d8a113c877a9ed371ad966c9b405ff0354ffa5c49a138b86eed31e9fe4c92342ce9c693abc88174833f85f2a4720eeca4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nV349DO.exe

Filesize
222KB

MD5
d1b3b07728c3768f9c0871c4cc6e0738

SHA1
ef37d8cb41d26dedcaf6c9645dc343f0fdf7b567

SHA256
b567bc4b9b529a67ea1c785cfe0541df26c68b037219f58d0a00baca429903b9

SHA512
69f31b063e7b6e5a737c0fc4ab32d8af62fa844e9f80e316b1c82c79d80274993857d5c0629456c243ea7d48fbbea0bfb889112ec35687c8d655119c3a09061f

Download Submit
memory/2180-42-0x0000000000950000-0x000000000098E000-memory.dmp

Filesize
248KB

Download
memory/2180-43-0x0000000007DC0000-0x0000000008364000-memory.dmp

Filesize
5.6MB

Download
memory/2180-44-0x00000000078B0000-0x0000000007942000-memory.dmp

Filesize
584KB

Download
memory/2180-45-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/2180-46-0x0000000008990000-0x0000000008FA8000-memory.dmp

Filesize
6.1MB

Download
memory/2180-47-0x0000000007C40000-0x0000000007D4A000-memory.dmp

Filesize
1.0MB

Download
memory/2180-48-0x0000000007950000-0x0000000007962000-memory.dmp

Filesize
72KB

Download
memory/2180-49-0x00000000079B0000-0x00000000079EC000-memory.dmp

Filesize
240KB

Download
memory/2180-50-0x0000000007B30000-0x0000000007B7C000-memory.dmp

Filesize
304KB

Download
memory/4932-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4932-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads