mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe
Size

763KB
MD5

5fa1a6ff2bd078a1dd67512ae11f6710
SHA1

8413bf1b00ed1df30697a39d5e324504f6d21cf7
SHA256

f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6
SHA512

b3c1914550887a8b8946b7cbac24c55f736f09f42a8b72c7762634a872fdb3aeea588a33c5cce8fdd1ae89ee10fda6027fd326421ea50d2de8871578c358b5b6
SSDEEP

12288:NMrvy90ESlNReuPx5M4ICpezpN9qJclHFsUKruJtI6/h3zbtRUJGvNffKPFZUG:Ky8lD5xrICp0NcUKKJtb/hzRqJgNffKr

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral20/memory/1548-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/1548-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/1548-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral20/memory/1548-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000700000002346a-19.dat	family_redline
behavioral20/memory/2612-22-0x0000000000700000-0x000000000073E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
404	Rn8OM4MH.exe
4608	1rw90oQ2.exe
2612	2he829Dc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rn8OM4MH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4608 set thread context of 1548	4608	1rw90oQ2.exe	87

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2428	4608	WerFault.exe	84
3104	1548	WerFault.exe	87

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 404	3540	f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe	83
PID 3540 wrote to memory of 404	3540	f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe	83
PID 3540 wrote to memory of 404	3540	f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe	83
PID 404 wrote to memory of 4608	404	Rn8OM4MH.exe	84
PID 404 wrote to memory of 4608	404	Rn8OM4MH.exe	84
PID 404 wrote to memory of 4608	404	Rn8OM4MH.exe	84
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 4608 wrote to memory of 1548	4608	1rw90oQ2.exe	87
PID 404 wrote to memory of 2612	404	Rn8OM4MH.exe	94
PID 404 wrote to memory of 2612	404	Rn8OM4MH.exe	94
PID 404 wrote to memory of 2612	404	Rn8OM4MH.exe	94

C:\Users\Admin\AppData\Local\Temp\f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe
"C:\Users\Admin\AppData\Local\Temp\f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rn8OM4MH.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rn8OM4MH.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rw90oQ2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rw90oQ2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 540
        5⤵
        Program crash
        
        PID:3104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 584
      4⤵
      Program crash
      PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2he829Dc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2he829Dc.exe
    3⤵
    - Executes dropped EXE
    PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4608 -ip 4608
1⤵
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1548 -ip 1548
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rn8OM4MH.exe

Filesize
566KB

MD5
61fbb2862a5d533a5fb2adaa3d1d8dbd

SHA1
cf4b2cf9f7c0e329c7fb903b142cb2034c463e75

SHA256
269f94978b623d574f9ba4a085b7a198d10e8e6e9c0f35f7a37e29d4ac49cc01

SHA512
f9155dcc6af47e8bda738658762702f32ba0f82ee4895ca29e80aaa28c27a282f4f4e8a6b5b77502b4b10d4e4791676bb76e2e18d14b404c5247eeca7a8d5b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1rw90oQ2.exe

Filesize
1.1MB

MD5
8a4f92e7bae66ff53f4af5d0b94d7f0b

SHA1
4a3e2802afd48fddcad3b3badc28261aac260ea7

SHA256
791eedb3d2a4b678426283d48a53a6b1d9a1e059d5ca71c942b4b854ea4f2cc5

SHA512
1d2140f8792e3ab56e1fbd956f4b2cc7a31efa698284644a858c43e373b2053840d76870a45eeac43cae5eca9bd6b9c2b1f5704e26b0b2c0732f0bec0fe96027

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2he829Dc.exe

Filesize
222KB

MD5
3ff5722053a8897c53c3a88bbf0690ef

SHA1
9a45d67b8da18a1a283aa6417abf11223dd47125

SHA256
230a3cef891295fcff7a8897c470c216e5e3e0011775d116a2e3e298cc175133

SHA512
faa934fc85dcd8937f4acdbe1b7b5e18635b7d04a16f2dbee99bfbce0b768703b74e223fbd52268d94b1c9f790f45821d63e2d12def6ff3c389b98d0984b53eb

Download Submit
memory/1548-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1548-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2612-23-0x0000000007970000-0x0000000007F14000-memory.dmp

Filesize
5.6MB

Download
memory/2612-22-0x0000000000700000-0x000000000073E000-memory.dmp

Filesize
248KB

Download
memory/2612-24-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/2612-25-0x0000000004A50000-0x0000000004A5A000-memory.dmp

Filesize
40KB

Download
memory/2612-26-0x0000000008540000-0x0000000008B58000-memory.dmp

Filesize
6.1MB

Download
memory/2612-27-0x00000000077B0000-0x00000000078BA000-memory.dmp

Filesize
1.0MB

Download
memory/2612-28-0x00000000076C0000-0x00000000076D2000-memory.dmp

Filesize
72KB

Download
memory/2612-29-0x0000000007720000-0x000000000775C000-memory.dmp

Filesize
240KB

Download
memory/2612-30-0x0000000007760000-0x00000000077AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads