mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe
Size

1.3MB
MD5

c9fecce5ddbbb4c08036eb804806585a
SHA1

de118ddb2f2b644a73e314d1bfc9ff777b84c41c
SHA256

453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6
SHA512

59be1a656c71b2dd3a2891a6b27e842f808074dffdd1b954d0ee781bab2183b048263e9381489223d97e74aff6cd8bfa825cab657c4b9aa9eba9d7f8d234faff
SSDEEP

24576:Iydmfk80iPrZsm2S05doZXri0tAnA+dzNpm5uQVMsi0:Pyk4ZPCU1And58pp

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3452-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/3452-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral5/memory/3452-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2MK152qh.exe	family_redline
behavioral5/memory/4076-35-0x0000000000210000-0x000000000024E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

JD7oZ9jo.exeYi0Qu7Ko.exedT9yG7Sf.exe1Rs37xE9.exe2MK152qh.exe

pid process

2456 JD7oZ9jo.exe
4720 Yi0Qu7Ko.exe
2704 dT9yG7Sf.exe
1964 1Rs37xE9.exe
4076 2MK152qh.exe

pid	process
2456	JD7oZ9jo.exe
4720	Yi0Qu7Ko.exe
2704	dT9yG7Sf.exe
1964	1Rs37xE9.exe
4076	2MK152qh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exeJD7oZ9jo.exeYi0Qu7Ko.exedT9yG7Sf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	JD7oZ9jo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Yi0Qu7Ko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dT9yG7Sf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Rs37xE9.exe

description pid process target process

PID 1964 set thread context of 3452 1964 1Rs37xE9.exe AppLaunch.exe

description	pid	process	target process
PID 1964 set thread context of 3452	1964	1Rs37xE9.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exeJD7oZ9jo.exeYi0Qu7Ko.exedT9yG7Sf.exe1Rs37xE9.exe

description	pid	process	target process
PID 3932 wrote to memory of 2456	3932	453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe	JD7oZ9jo.exe
PID 3932 wrote to memory of 2456	3932	453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe	JD7oZ9jo.exe
PID 3932 wrote to memory of 2456	3932	453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe	JD7oZ9jo.exe
PID 2456 wrote to memory of 4720	2456	JD7oZ9jo.exe	Yi0Qu7Ko.exe
PID 2456 wrote to memory of 4720	2456	JD7oZ9jo.exe	Yi0Qu7Ko.exe
PID 2456 wrote to memory of 4720	2456	JD7oZ9jo.exe	Yi0Qu7Ko.exe
PID 4720 wrote to memory of 2704	4720	Yi0Qu7Ko.exe	dT9yG7Sf.exe
PID 4720 wrote to memory of 2704	4720	Yi0Qu7Ko.exe	dT9yG7Sf.exe
PID 4720 wrote to memory of 2704	4720	Yi0Qu7Ko.exe	dT9yG7Sf.exe
PID 2704 wrote to memory of 1964	2704	dT9yG7Sf.exe	1Rs37xE9.exe
PID 2704 wrote to memory of 1964	2704	dT9yG7Sf.exe	1Rs37xE9.exe
PID 2704 wrote to memory of 1964	2704	dT9yG7Sf.exe	1Rs37xE9.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 1964 wrote to memory of 3452	1964	1Rs37xE9.exe	AppLaunch.exe
PID 2704 wrote to memory of 4076	2704	dT9yG7Sf.exe	2MK152qh.exe
PID 2704 wrote to memory of 4076	2704	dT9yG7Sf.exe	2MK152qh.exe
PID 2704 wrote to memory of 4076	2704	dT9yG7Sf.exe	2MK152qh.exe

C:\Users\Admin\AppData\Local\Temp\453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe
"C:\Users\Admin\AppData\Local\Temp\453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JD7oZ9jo.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JD7oZ9jo.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yi0Qu7Ko.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yi0Qu7Ko.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT9yG7Sf.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT9yG7Sf.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Rs37xE9.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Rs37xE9.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2MK152qh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2MK152qh.exe
5⤵
- Executes dropped EXE
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JD7oZ9jo.exe
Filesize
1.2MB

MD5
f0c7089254a00e815feae5d8181b7f05

SHA1
f3b024cb82395c32629ac49898728fd5010c26cf

SHA256
37bef7fe1c718f9ee1ffa18fe8fb3a516d1f464aaa536f02c18f1b63b58edd73

SHA512
b8fa039c87837355afed88b3b77abfabda3d30a2e887adac620ac204eb6bc30bac809ed6092d837424f3a2c0324641d057c3f90e100634396bb0fa27d4e3f6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yi0Qu7Ko.exe
Filesize
762KB

MD5
b4050b917e28921affbf2dffa8246e5c

SHA1
44d3497d429695898e5230916d0ef0924d97c660

SHA256
8a14bc158f2bab49eafd556bd51635a7102b322a4debb1f63fcb57dcb7f745f1

SHA512
3680bf7579f36bcf440c349ea41f872bc36ca45297d1c384120844e86a3d8bf7e9c1af615dac4f6e93c5f32bcf3adfe95dbffaea802a2bcd2504395aa8abfa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dT9yG7Sf.exe
Filesize
565KB

MD5
4d6df12a24cadf74e6bf1190c60fdda2

SHA1
7eaadf868c91ab8138f20f300b3b1258c83608fe

SHA256
03dd8bac72407083fc3d0017dcb1f7733700c553eaf4676f4505b20fb1d34d99

SHA512
3421f21c5a3cb33a08a716de494a2cb58443b6a99cd47e13be3666a0ec671f48e50c032f0c8b96dbaa47bd77031b69c69ef29fb830b995f272f92eac1e8411a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Rs37xE9.exe
Filesize
1.1MB

MD5
7251c994d90ff3fd8068854ccd67a748

SHA1
3e536fbb4b8d12e90eb0a67a7f728ee1479d0f19

SHA256
cd17f994e3027975bda505f96d1b218bbbd059c472495be222437a7aae651292

SHA512
87239c495e10298df1427c2dbaf1c8f93705f89e9bb95dfdd45554fe7cecee7e1bed80586369893262fd26f4d740fdb3de99cf7c3601375d68143765d26d841a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2MK152qh.exe
Filesize
221KB

MD5
f9b01336b5bc1df7afbd26b4df09d8e9

SHA1
b4d987a003e90420853d1c6a232e9dd0ba6f06ae

SHA256
7495e5e90c41793f72907b0e1355d97a867a0874b95c81804bd3f461a77e5996

SHA512
77618a417fd858f1b195e0761f1fe3346569c0c7499879654c3333723dd9887a3242ccce36e8a751f051d7fdec6bfc4ad60e5610354bd7bf1dd1d038bdff36c3

Download Submit
memory/3452-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4076-35-0x0000000000210000-0x000000000024E000-memory.dmp

Filesize
248KB

Download
memory/4076-36-0x0000000007630000-0x0000000007BD4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-37-0x0000000007120000-0x00000000071B2000-memory.dmp

Filesize
584KB

Download
memory/4076-38-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/4076-39-0x0000000008200000-0x0000000008818000-memory.dmp

Filesize
6.1MB

Download
memory/4076-40-0x0000000007480000-0x000000000758A000-memory.dmp

Filesize
1.0MB

Download
memory/4076-41-0x00000000073B0000-0x00000000073C2000-memory.dmp

Filesize
72KB

Download
memory/4076-42-0x0000000007410000-0x000000000744C000-memory.dmp

Filesize
240KB

Download
memory/4076-43-0x0000000007590000-0x00000000075DC000-memory.dmp

Filesize
304KB

Download