mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe
Size

758KB
MD5

82d69f920d5865457796a89dcff321e9
SHA1

b983f0ae70afe27f4036ba9bf72d2209e24e322e
SHA256

e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb
SHA512

bfe94ca286e25843736c716b9b1007f6927d05e490875518e91f8d1ce574d5472b7b140abe14a6b7f777a2262b049fedd57f143cd21cdb630ee6de9f6533bbde
SSDEEP

12288:rMrty90yoBOaQUpKpIs7266c/HhBDgjLIQ1WgWK7mUJtSVWrFkfKKu:KyMkUEIs6zGhBDgd1WgH7mgYWr/Ku

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral18/memory/4300-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/4300-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/4300-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral18/memory/4300-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xb747Wp.exe	family_redline
behavioral18/memory/3632-22-0x0000000000E30000-0x0000000000E6E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

XN9cw1Hj.exe1ZT14HQ9.exe2xb747Wp.exe

pid process

4596 XN9cw1Hj.exe
212 1ZT14HQ9.exe
3632 2xb747Wp.exe

pid	process
4596	XN9cw1Hj.exe
212	1ZT14HQ9.exe
3632	2xb747Wp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exeXN9cw1Hj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	XN9cw1Hj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ZT14HQ9.exe

description pid process target process

PID 212 set thread context of 4300 212 1ZT14HQ9.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1256 4300 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 212 set thread context of 4300	212	1ZT14HQ9.exe	AppLaunch.exe

pid	pid_target	process	target process
1256	4300	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exeXN9cw1Hj.exe1ZT14HQ9.exe

description	pid	process	target process
PID 2996 wrote to memory of 4596	2996	e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe	XN9cw1Hj.exe
PID 2996 wrote to memory of 4596	2996	e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe	XN9cw1Hj.exe
PID 2996 wrote to memory of 4596	2996	e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe	XN9cw1Hj.exe
PID 4596 wrote to memory of 212	4596	XN9cw1Hj.exe	1ZT14HQ9.exe
PID 4596 wrote to memory of 212	4596	XN9cw1Hj.exe	1ZT14HQ9.exe
PID 4596 wrote to memory of 212	4596	XN9cw1Hj.exe	1ZT14HQ9.exe
PID 212 wrote to memory of 4184	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4184	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4184	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 212 wrote to memory of 4300	212	1ZT14HQ9.exe	AppLaunch.exe
PID 4596 wrote to memory of 3632	4596	XN9cw1Hj.exe	2xb747Wp.exe
PID 4596 wrote to memory of 3632	4596	XN9cw1Hj.exe	2xb747Wp.exe
PID 4596 wrote to memory of 3632	4596	XN9cw1Hj.exe	2xb747Wp.exe

C:\Users\Admin\AppData\Local\Temp\e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe
"C:\Users\Admin\AppData\Local\Temp\e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN9cw1Hj.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN9cw1Hj.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZT14HQ9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZT14HQ9.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 540
        5⤵
        Program crash
        
        PID:1256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xb747Wp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xb747Wp.exe
    3⤵
    - Executes dropped EXE
    PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4300 -ip 4300
1⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XN9cw1Hj.exe

Filesize
562KB

MD5
0127d296a0d6228109069c350ae9a095

SHA1
2ffea9689be83b19ce98400c91996d52f662d4a2

SHA256
a9ab7d1c67508f96fd84260704a6ebaaef2f5fd3c489add76a3712df483671e9

SHA512
82022b42da34664c2b49b51e279d81b257c5d7a2b1ec819c37b918ffdee310d17fe3dd0f9ce01d7dc56ea1275426e2e863c01fde934a07f65c4e01cd3ff1fead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1ZT14HQ9.exe

Filesize
1.1MB

MD5
457265489d6bbf1e57ef729b388256f0

SHA1
0e445b5f0c6c1df754055316de76e02e0344f59d

SHA256
118df5adccce0d66da3073afc36aeccfa5f74080ef08ec5d049cd3428491cbd3

SHA512
9a549dedb80d0d63575fbf348310c4bb2ef46f091dc6f974d06ff4f48aa1c61ae6b47a4810e9794514a3f7e786ec63f22727692d166637648d6e63028d1396eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2xb747Wp.exe

Filesize
222KB

MD5
3cfd29768413a8e47ea267daa62f4517

SHA1
56b46ad3726620f32776bdf98f41b9bcafcf2f1e

SHA256
f0e23d2da17ef2590702bc197423ce388cec580d6de298335e874d47e02ac138

SHA512
c75c6790c7b7b476a1d2391d1851f6461dec82787154cc929ac36ec27a28de784aabe30c77df1c8d367a27c12b17b53b65093f5c1b6289d5c88aa51a2da82900

Download Submit
memory/3632-27-0x0000000008650000-0x000000000875A000-memory.dmp

Filesize
1.0MB

Download
memory/3632-22-0x0000000000E30000-0x0000000000E6E000-memory.dmp

Filesize
248KB

Download
memory/3632-23-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/3632-24-0x0000000007BB0000-0x0000000007C42000-memory.dmp

Filesize
584KB

Download
memory/3632-25-0x0000000005160000-0x000000000516A000-memory.dmp

Filesize
40KB

Download
memory/3632-26-0x0000000008C70000-0x0000000009288000-memory.dmp

Filesize
6.1MB

Download
memory/3632-28-0x0000000007CE0000-0x0000000007CF2000-memory.dmp

Filesize
72KB

Download
memory/3632-29-0x0000000007D80000-0x0000000007DBC000-memory.dmp

Filesize
240KB

Download
memory/3632-30-0x0000000007F00000-0x0000000007F4C000-memory.dmp

Filesize
304KB

Download
memory/4300-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4300-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download