mystic | 914615fc2a86a1a3aa8a108084dd30cc54e8b935b2f14f7def84c51a049c95c2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe
Size

1.5MB
MD5

021891a672841cff00bd936e7caea8cf
SHA1

1ac9bd9c0375e4f235992904567ea7ecc2cb9643
SHA256

b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1
SHA512

a53cbd4ccd8dddb6a3168c96b5c4375f8cc6bcd97f107387b86d81f60c4aff8521ed894189ea7e938cb10da4c7af4c14a301c31b36ffb6c80fe44e50d0c696ad
SSDEEP

24576:QyTDnMoGCUOrEGholR7wyUS5toE59dnu+tXHYCT9QoX7irDj6yeEdR4IjY3w4:XPMOZrKj/N3oE5Hu+tXHjGrD/

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral15/memory/816-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/816-41-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/816-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x00070000000233f2-37.dat	family_redline
behavioral15/memory/3484-42-0x00000000007A0000-0x00000000007DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1856	ks3Eg8lo.exe
2720	RD5WA7Pt.exe
8	YQ4ky3Ev.exe
1736	KQ0qx4wy.exe
1076	1lf45UF2.exe
3484	2CQ301NM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RD5WA7Pt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	YQ4ky3Ev.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	KQ0qx4wy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ks3Eg8lo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1076 set thread context of 816	1076	1lf45UF2.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1856	3300	b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe	82
PID 3300 wrote to memory of 1856	3300	b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe	82
PID 3300 wrote to memory of 1856	3300	b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe	82
PID 1856 wrote to memory of 2720	1856	ks3Eg8lo.exe	83
PID 1856 wrote to memory of 2720	1856	ks3Eg8lo.exe	83
PID 1856 wrote to memory of 2720	1856	ks3Eg8lo.exe	83
PID 2720 wrote to memory of 8	2720	RD5WA7Pt.exe	85
PID 2720 wrote to memory of 8	2720	RD5WA7Pt.exe	85
PID 2720 wrote to memory of 8	2720	RD5WA7Pt.exe	85
PID 8 wrote to memory of 1736	8	YQ4ky3Ev.exe	87
PID 8 wrote to memory of 1736	8	YQ4ky3Ev.exe	87
PID 8 wrote to memory of 1736	8	YQ4ky3Ev.exe	87
PID 1736 wrote to memory of 1076	1736	KQ0qx4wy.exe	89
PID 1736 wrote to memory of 1076	1736	KQ0qx4wy.exe	89
PID 1736 wrote to memory of 1076	1736	KQ0qx4wy.exe	89
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1076 wrote to memory of 816	1076	1lf45UF2.exe	90
PID 1736 wrote to memory of 3484	1736	KQ0qx4wy.exe	91
PID 1736 wrote to memory of 3484	1736	KQ0qx4wy.exe	91
PID 1736 wrote to memory of 3484	1736	KQ0qx4wy.exe	91

C:\Users\Admin\AppData\Local\Temp\b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe
"C:\Users\Admin\AppData\Local\Temp\b9cf5844f6f5b6bc020ebfcf05d096f8176125e06f1618580463eca739c9b3d1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks3Eg8lo.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks3Eg8lo.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RD5WA7Pt.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RD5WA7Pt.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ4ky3Ev.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ4ky3Ev.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KQ0qx4wy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KQ0qx4wy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lf45UF2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lf45UF2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ301NM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ301NM.exe
        6⤵
        Executes dropped EXE
        
        PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ks3Eg8lo.exe

Filesize
1.3MB

MD5
f0be9d9a5bebd596d6b5114126826afb

SHA1
ba147ecd93b8f8696fa9579a0d2ce8152bc17caf

SHA256
651174c7948f4bbdb52ddeeb7eced9d2be131490d56aa6b828613923347098cb

SHA512
b35cad5a3df66f4565854eab20524924161bb87939a41ae54cbbc12ec0cd877f3f5404719469ee5d7d90c50722076085b72cbfdfa45817b914db37164902614c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RD5WA7Pt.exe

Filesize
1.1MB

MD5
00475285ecd9d15ce2d0b04dcdd5d3ae

SHA1
b97468996b730dcecfb5beb2b4d7c65e01ed52bd

SHA256
632fd1850af8a574b61c61bdaf8fe5d5f7d0bee87d23a45302bcb1f5721f36fd

SHA512
4a1f4e0ae090ed9bdf548e9fa2499e46c6d0ebd8aa7bce650c220bf9f7665c3a50619bec62a64373d9c66efe070199d98d8a49764d9191fb4f7752d0f7755a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\YQ4ky3Ev.exe

Filesize
759KB

MD5
f13ac8df63a1b0acb4deabd07a0a14f7

SHA1
5ee1bd843fb457864c7db994771b9bc138f8f3ea

SHA256
cdbd4fa07647a0bfea5f1458504388aae105aeae311d40bf056ee81b3d351a08

SHA512
efaeb85db23da5787772192862921ee45ddfa4038f9e3e0ac36baa95813d060b4cf8003d6e26500fc886b34f17584aedfd02faa56f4eea9fde5f05fc56df16c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KQ0qx4wy.exe

Filesize
563KB

MD5
4cbce265cdb13f5e77682bee0426981c

SHA1
0f610833d68e49c5a170fbf966bb0795aeef3e10

SHA256
72353de60a22d4f9aa392e02056f187a2253d327c58d0fe6600024e35587d4f5

SHA512
3b82591cb7d371c13f9cb9a70084c4ba0a66949624e7f0e3bd20e4edda46f9a7828dd7fbfbe64dbed4f5794d659fcc986c3ab5fee7d38a47a9184226358e04c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1lf45UF2.exe

Filesize
1.1MB

MD5
28898f089a982fab614df8509be01c2e

SHA1
03551452ea91bd6161e3ea8479cf35468404d017

SHA256
e8e9195540bfba5c519e77617b9e21f6d07e3926cec58fba9fa419177ecb0f25

SHA512
56dcf6938b6a82dbf978bb7c2130e9fabd28b6d001ad78c86ed780e392ed548975f260b58abf00d0f83e097baec53c06d702a4318035c18f022f21ba6c2728bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ301NM.exe

Filesize
221KB

MD5
c2e5c82893c9014b3ff7ebcee91ba6fe

SHA1
116cd78a0c583f17e7534a17a99fca77910786bd

SHA256
94499d12854f951513e0e9486f00ad537d79474c7581db226fe689ebec3b758a

SHA512
d1563a70593836fa4efe82db8e6bd42951171fd3037800d4c705bb238fe4ab804016ec110aefd4763c787edca5b4d088b29bfcb150e6787313139e82990f4c14

Download Submit
memory/816-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3484-42-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/3484-43-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/3484-44-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/3484-45-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/3484-46-0x00000000087B0000-0x0000000008DC8000-memory.dmp

Filesize
6.1MB

Download
memory/3484-47-0x0000000007A40000-0x0000000007B4A000-memory.dmp

Filesize
1.0MB

Download
memory/3484-48-0x0000000007890000-0x00000000078A2000-memory.dmp

Filesize
72KB

Download
memory/3484-49-0x0000000007930000-0x000000000796C000-memory.dmp

Filesize
240KB

Download
memory/3484-50-0x00000000078C0000-0x000000000790C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads