mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
135s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe
Size

1.3MB
MD5

315229a53aaa0d9b913b6459af465c47
SHA1

f05e4da7b3a14c6c12dea9433c815eb7689d2ca5
SHA256

a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784
SHA512

8c76d8b48f3889ffb3b40511e8111dbaf49e157208eb4670fcb4d778985067e01cf0382fba7540b3e9e4efe92437ffc0c93b6ac99d8c4b117f53cbb9a088fcdd
SSDEEP

24576:ByovW660WwC7kD3fHu3H37VNK8K6xELHizSn+O5GlBbok6N98:0R6+7g/u3LVN6/HizSnZ5EBbM

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral12/memory/3492-28-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/3492-31-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral12/memory/3492-29-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral12/files/0x000700000002342b-34.dat	family_redline
behavioral12/memory/4812-35-0x00000000007F0000-0x000000000082E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1548	XG4bL5PV.exe
4876	Od1Dq6GN.exe
3104	Zv8Gi4CM.exe
1964	1Pw95KJ9.exe
4812	2NN340IX.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	XG4bL5PV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Od1Dq6GN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Zv8Gi4CM.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 3492	1964	1Pw95KJ9.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1548	2888	a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe	82
PID 2888 wrote to memory of 1548	2888	a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe	82
PID 2888 wrote to memory of 1548	2888	a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe	82
PID 1548 wrote to memory of 4876	1548	XG4bL5PV.exe	83
PID 1548 wrote to memory of 4876	1548	XG4bL5PV.exe	83
PID 1548 wrote to memory of 4876	1548	XG4bL5PV.exe	83
PID 4876 wrote to memory of 3104	4876	Od1Dq6GN.exe	84
PID 4876 wrote to memory of 3104	4876	Od1Dq6GN.exe	84
PID 4876 wrote to memory of 3104	4876	Od1Dq6GN.exe	84
PID 3104 wrote to memory of 1964	3104	Zv8Gi4CM.exe	86
PID 3104 wrote to memory of 1964	3104	Zv8Gi4CM.exe	86
PID 3104 wrote to memory of 1964	3104	Zv8Gi4CM.exe	86
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 1964 wrote to memory of 3492	1964	1Pw95KJ9.exe	91
PID 3104 wrote to memory of 4812	3104	Zv8Gi4CM.exe	93
PID 3104 wrote to memory of 4812	3104	Zv8Gi4CM.exe	93
PID 3104 wrote to memory of 4812	3104	Zv8Gi4CM.exe	93

C:\Users\Admin\AppData\Local\Temp\a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe
"C:\Users\Admin\AppData\Local\Temp\a6aa2043f478ddce45828d300d2a16520cd53a9cad9b7a83a8534bf055146784.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XG4bL5PV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XG4bL5PV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Od1Dq6GN.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Od1Dq6GN.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zv8Gi4CM.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zv8Gi4CM.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pw95KJ9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pw95KJ9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2NN340IX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2NN340IX.exe
        5⤵
        Executes dropped EXE
        
        PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XG4bL5PV.exe

Filesize
1.2MB

MD5
7d7c9e2c7f3bf9d709064cf98de80e43

SHA1
bc0ccd3f18a7790ce6177fbdeeb78b0585cb1133

SHA256
9c8865b20a66b79ba02e576ffbc001b8a76566518e3fe439b286ec535d3bc80d

SHA512
d18a990ed0d3db346912e886f451f867fedf9737f5fd5a35e8a898e6a918884f059af7c25ee41a15032c8507a16a7c0010cbdcfb3d1d1d20c7b4da5231b57e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Od1Dq6GN.exe

Filesize
761KB

MD5
d268c17c67e07bd15b1195e20075a9da

SHA1
995c663a3cdb06e7615fa767fdd444763648265f

SHA256
127dcec3745e9dc0c404cc1870182443e823d28a81753ccbac8328b976748d29

SHA512
d2a21947a2431b715452122651eebf6bb71568e9f9bc664067acaf3e41ccab0b8cf8c811af6889b3d415f2d5c93af08e15faa8d335a91e3de93a5b67ec74ae68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zv8Gi4CM.exe

Filesize
565KB

MD5
3cb7c260d1c96dece04b58535546a103

SHA1
0590dd3a589e0e45567249e3a6f2d971b4891984

SHA256
e699a552a2286ff56015f6e7beeb32ed863f642929639e0752a304219c52ae2f

SHA512
afa0f3a2f7450f6d514ed8807b252d60dfccf861cb73239f5b3d0304b9c0dc165219ca3948c5ffff95afc6b48ae7ea0595583739e0d5e203b03f7a1748cafc16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Pw95KJ9.exe

Filesize
1.1MB

MD5
256f1d191f4d315919cdc14822bdb0b7

SHA1
00ffd4bfd14bedf167e2324198bcc211fe126edb

SHA256
4357c9f6895febe6cffbe4abb8dfb4a47f02c8349d704b7d44779aafca7bd7d5

SHA512
d983ccbb34043e5789f35d3ffccef834398782267f733e953be6f26560712be99758381b04e18d9e3974f6adf807d58742904d21068468a28e9544d8e34962c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2NN340IX.exe

Filesize
221KB

MD5
dc71231a52e151cc29472970246dddab

SHA1
6a9b5556f2ed157b814afb3ec3f429333a431774

SHA256
225b0fbf0506f1a6035746360f08dd2a1d99020d45b3178443c281814b493f56

SHA512
73d9bff8adf69cc1f3f339d8e38284435a5b6bc581a8692deeb6c27e413b4b9a09069bd8ba63816f20c47a9a3e4c10948d09a4360b98d070fd76aed4125e3371

Download Submit
memory/3492-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3492-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4812-35-0x00000000007F0000-0x000000000082E000-memory.dmp

Filesize
248KB

Download
memory/4812-36-0x0000000007A30000-0x0000000007FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4812-37-0x0000000007570000-0x0000000007602000-memory.dmp

Filesize
584KB

Download
memory/4812-38-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/4812-39-0x0000000008600000-0x0000000008C18000-memory.dmp

Filesize
6.1MB

Download
memory/4812-40-0x0000000007890000-0x000000000799A000-memory.dmp

Filesize
1.0MB

Download
memory/4812-41-0x00000000077B0000-0x00000000077C2000-memory.dmp

Filesize
72KB

Download
memory/4812-42-0x0000000007810000-0x000000000784C000-memory.dmp

Filesize
240KB

Download
memory/4812-43-0x00000000079A0000-0x00000000079EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads