mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe
Size

761KB
MD5

06138684c4b8c192821da39e5acca07a
SHA1

e58549604d1d468fea175b8db2482018af6a7372
SHA256

e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628
SHA512

17c066953b74e0e7b5d284a2fe25cc2d7cc490104432b6c9da0dbbdd0f6be99b3d8338ad042828382ca09acd2156db1ec988feeab9ac2b25dc3496468ae93de1
SSDEEP

12288:GMrgy90DKILFwj2MGzpceuIBL3yUXyL5xfekP8zp6BltXY7LiELUWZxykBSG7:Wy/o4fGzuetB7dXydVeg89Ko7cQykoO

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral21/memory/3128-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral21/memory/3128-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral21/memory/3128-17-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral21/memory/3128-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral21/files/0x0007000000023435-20.dat	family_redline
behavioral21/memory/3064-22-0x0000000000210000-0x000000000024E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2340	vP9DO5kH.exe
2432	1ps46bf1.exe
3064	2kx833Ws.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vP9DO5kH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 3128	2432	1ps46bf1.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4748	3128	WerFault.exe	89

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 2340	4592	e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe	85
PID 4592 wrote to memory of 2340	4592	e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe	85
PID 4592 wrote to memory of 2340	4592	e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe	85
PID 2340 wrote to memory of 2432	2340	vP9DO5kH.exe	86
PID 2340 wrote to memory of 2432	2340	vP9DO5kH.exe	86
PID 2340 wrote to memory of 2432	2340	vP9DO5kH.exe	86
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2432 wrote to memory of 3128	2432	1ps46bf1.exe	89
PID 2340 wrote to memory of 3064	2340	vP9DO5kH.exe	90
PID 2340 wrote to memory of 3064	2340	vP9DO5kH.exe	90
PID 2340 wrote to memory of 3064	2340	vP9DO5kH.exe	90

C:\Users\Admin\AppData\Local\Temp\e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe
"C:\Users\Admin\AppData\Local\Temp\e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP9DO5kH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP9DO5kH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ps46bf1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ps46bf1.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 540
        5⤵
        Program crash
        
        PID:4748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx833Ws.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx833Ws.exe
    3⤵
    - Executes dropped EXE
    PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3128 -ip 3128
1⤵
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vP9DO5kH.exe

Filesize
565KB

MD5
73327f20ac6d1c2243cf1e39882e6be6

SHA1
107cc02245ff49f9abf37b5734990a82a6cf7121

SHA256
4778ae9b0d2560084769ba392f9ceaa26a57ce0f1d024a57baacfdf3d8e98d99

SHA512
e29af1992bf5a8ad3022b3cc6b238958a4fd057085b52b6be7f2a93d0bca0983d5444d54d19a1781efa509c9c73b1b82ba547bdac6b7fd7319ca19c627d68b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ps46bf1.exe

Filesize
1.1MB

MD5
12d5297d31000de1f5fcbc9bd21d6737

SHA1
6d2e0becc2d79b5040ca3fed892528e965b31406

SHA256
557402c7afc56d36914e3308c174c206f1331ed545f1c0bb4eb622e4789af5c5

SHA512
7d1454ccc8266d0cb3ef7c57fe8c11dde18d725a57ff9838698da2abac05b1598a4e6294ff4d75029bd5b9a3a88e23afa00f8770a678e25119f66255113db4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2kx833Ws.exe

Filesize
221KB

MD5
9ad1fe7fe94c204f000be1047ba76fe9

SHA1
fae80c6850174c8e38161f80071a87a4cf75020c

SHA256
d2fa8091aeaebcd85f85c6eb21a30227b04f4049b2d50a21f3c290c7f9b098b2

SHA512
d89aa9837f44a504690db80ae476dcc6d725e39b373e4462323d2638c4681008a17676513b48041e13f5617c89abc735fece4b44784e840a726a963fce89a772

Download Submit
memory/3064-23-0x0000000007460000-0x0000000007A04000-memory.dmp

Filesize
5.6MB

Download
memory/3064-22-0x0000000000210000-0x000000000024E000-memory.dmp

Filesize
248KB

Download
memory/3064-24-0x0000000006F90000-0x0000000007022000-memory.dmp

Filesize
584KB

Download
memory/3064-25-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/3064-26-0x0000000008030000-0x0000000008648000-memory.dmp

Filesize
6.1MB

Download
memory/3064-28-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/3064-27-0x0000000007340000-0x000000000744A000-memory.dmp

Filesize
1.0MB

Download
memory/3064-29-0x00000000072D0000-0x000000000730C000-memory.dmp

Filesize
240KB

Download
memory/3064-30-0x0000000007A10000-0x0000000007A5C000-memory.dmp

Filesize
304KB

Download
memory/3128-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3128-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads