mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe
Size

759KB
MD5

cf283b15a0808e714c3020620715628a
SHA1

69bd17b4907e8b78c53429930364dbd013fe55da
SHA256

7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6
SHA512

6279071eca90cc1a6fa7010c081dc24cf3135bf46fc68dbfa83a918afa1b75e87cbdf401fbe07ff38c42ec71bfce69914fa0937bf32cd39dcc899d3caacfebbd
SSDEEP

12288:QMrny90ZKeg3G9Lrl3sBzIhill3+XhfOR0u7l9AJ/62muR4x7p:nyoKeg3G9Lrl8ZneNOP7J2D4

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral10/memory/4516-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/4516-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/4516-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral10/memory/4516-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wO689jf.exe	family_redline
behavioral10/memory/1468-22-0x0000000000350000-0x000000000038E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

sp7bI4GT.exe1jx75Tq8.exe2wO689jf.exe

pid process

1628 sp7bI4GT.exe
4680 1jx75Tq8.exe
1468 2wO689jf.exe

pid	process
1628	sp7bI4GT.exe
4680	1jx75Tq8.exe
1468	2wO689jf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exesp7bI4GT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sp7bI4GT.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1jx75Tq8.exe

description pid process target process

PID 4680 set thread context of 4516 4680 1jx75Tq8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2664 4516 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4680 set thread context of 4516	4680	1jx75Tq8.exe	AppLaunch.exe

pid	pid_target	process	target process
2664	4516	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exesp7bI4GT.exe1jx75Tq8.exe

description	pid	process	target process
PID 5080 wrote to memory of 1628	5080	7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe	sp7bI4GT.exe
PID 5080 wrote to memory of 1628	5080	7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe	sp7bI4GT.exe
PID 5080 wrote to memory of 1628	5080	7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe	sp7bI4GT.exe
PID 1628 wrote to memory of 4680	1628	sp7bI4GT.exe	1jx75Tq8.exe
PID 1628 wrote to memory of 4680	1628	sp7bI4GT.exe	1jx75Tq8.exe
PID 1628 wrote to memory of 4680	1628	sp7bI4GT.exe	1jx75Tq8.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 4680 wrote to memory of 4516	4680	1jx75Tq8.exe	AppLaunch.exe
PID 1628 wrote to memory of 1468	1628	sp7bI4GT.exe	2wO689jf.exe
PID 1628 wrote to memory of 1468	1628	sp7bI4GT.exe	2wO689jf.exe
PID 1628 wrote to memory of 1468	1628	sp7bI4GT.exe	2wO689jf.exe

C:\Users\Admin\AppData\Local\Temp\7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe
"C:\Users\Admin\AppData\Local\Temp\7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sp7bI4GT.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sp7bI4GT.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jx75Tq8.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jx75Tq8.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 540
        5⤵
        Program crash
        
        PID:2664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wO689jf.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wO689jf.exe
    3⤵
    - Executes dropped EXE
    PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 4516
1⤵
PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sp7bI4GT.exe

Filesize
562KB

MD5
db448d1001560007c1bbe2e649cc7ba8

SHA1
ffe41fba5849b77a159fbca64de51c99272590bc

SHA256
50df0310edf2b04d5bcdd2bf1dd6dbeb2b2241cbbb3b4e07399a1d04e1e70112

SHA512
149ecf75b1efde47c447c153fa29fecb0470704fe67fe4e88c937a0bab875001e46d9789fe8629c804e0c5d595c7feb208edefe6858f46c9e6e67c1389240465

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jx75Tq8.exe

Filesize
1.1MB

MD5
e7cb38ca3d91a3e4da85627bad71c6b5

SHA1
df31f16ff7f158377c344391e7f383bbf2c23c7d

SHA256
e693702abce0099c18a14c78b14424e0575aab8a3f3599642120d8ec507d78f3

SHA512
ba32dc1ea0bad9cee161d1ef7aa37d49f24de4736c74e2bbb10dbea1e12857869a6068b52ba9419b1617527c0fda15cdd9649eaa802823c099270c02aec8c2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wO689jf.exe

Filesize
222KB

MD5
fdde1621ce05f6d8e25a27b36404c594

SHA1
75510cba4e080f21e35f6110f9ee2882654a995c

SHA256
6680a4819825ceab66547968b272ada8f31930cab6dea355ca3222c34007fc29

SHA512
ad9d9207df60bf4e5eaaf99c4bb2f6f59a9beaa768e57b443b7e97398cd82a8d49484e69858bf5bc2c77a79a9d146fcf978e0c309eeadf0067fb67c314d704c5

Download Submit
memory/1468-27-0x00000000074A0000-0x00000000075AA000-memory.dmp

Filesize
1.0MB

Download
memory/1468-22-0x0000000000350000-0x000000000038E000-memory.dmp

Filesize
248KB

Download
memory/1468-23-0x0000000007660000-0x0000000007C04000-memory.dmp

Filesize
5.6MB

Download
memory/1468-24-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/1468-25-0x00000000046A0000-0x00000000046AA000-memory.dmp

Filesize
40KB

Download
memory/1468-26-0x0000000008230000-0x0000000008848000-memory.dmp

Filesize
6.1MB

Download
memory/1468-28-0x0000000007300000-0x0000000007312000-memory.dmp

Filesize
72KB

Download
memory/1468-29-0x0000000007390000-0x00000000073CC000-memory.dmp

Filesize
240KB

Download
memory/1468-30-0x0000000007330000-0x000000000737C000-memory.dmp

Filesize
304KB

Download
memory/4516-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4516-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download