mystic | 92023f346ccc819d9c52da2af751cda1bc5396b5d745c68d99d1d2ff99db093a

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe
Size

768KB
MD5

4d1dc164a1a95c87bef2a357c41bf9e9
SHA1

02a094938f6119cb4e44afb4eb4f568627614e61
SHA256

369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34
SHA512

acd7994b25576cc1b51dec79fe45909e37d0e11924eff27b39e75b441df4e0870472da8f8c7acbbd76dbfcc94a06830c98780c3196ffe9b87967e48b6e8b96e1
SSDEEP

12288:IMriy90IS6DfCzMyG1J50BDhAQTlUtajgfKoc24s9gslFkc1aBR+:aySOfCwHJ2VhAQTlU2K4Ug7+

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral9/memory/3108-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/3108-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/3108-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/3108-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral9/files/0x00070000000233cc-19.dat	family_redline
behavioral9/memory/3084-22-0x0000000000720000-0x000000000075C000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1700	Rz7dO3CO.exe
1688	1DT09If6.exe
3084	2OZ166hG.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Rz7dO3CO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 3108	1688	1DT09If6.exe	83

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2296	3108	WerFault.exe	83
852	1688	WerFault.exe	82

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1700	4868	369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe	81
PID 4868 wrote to memory of 1700	4868	369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe	81
PID 4868 wrote to memory of 1700	4868	369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe	81
PID 1700 wrote to memory of 1688	1700	Rz7dO3CO.exe	82
PID 1700 wrote to memory of 1688	1700	Rz7dO3CO.exe	82
PID 1700 wrote to memory of 1688	1700	Rz7dO3CO.exe	82
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1688 wrote to memory of 3108	1688	1DT09If6.exe	83
PID 1700 wrote to memory of 3084	1700	Rz7dO3CO.exe	91
PID 1700 wrote to memory of 3084	1700	Rz7dO3CO.exe	91
PID 1700 wrote to memory of 3084	1700	Rz7dO3CO.exe	91

C:\Users\Admin\AppData\Local\Temp\369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe
"C:\Users\Admin\AppData\Local\Temp\369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz7dO3CO.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz7dO3CO.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DT09If6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DT09If6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3108
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 540
        5⤵
        Program crash
        
        PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 568
      4⤵
      Program crash
      PID:852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OZ166hG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OZ166hG.exe
    3⤵
    - Executes dropped EXE
    PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3108 -ip 3108
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1688 -ip 1688
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz7dO3CO.exe

Filesize
573KB

MD5
271d63b01319617a1614afaa99456684

SHA1
a6497295abfa2f9a774b562912e1ab4e2ba6725b

SHA256
5ff354a516b82b3b5e3920ab61fdcdb98d5e4b5ee5dff942e0c0d41fd23b9826

SHA512
f3d1eecb78f4f713364a93c64c8860b42d3ac36a37665edeff2baa7d9a180908f6d9f4e2793b1bc36bb28c089b7564b389b4f8d9835ebe9a28615b9df8cd8b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DT09If6.exe

Filesize
1.1MB

MD5
0c5f1346aac4747364c2da051ce8beed

SHA1
49b48a2a804c97ff1f171652fea01283abb48724

SHA256
b514d284eafe5c9acd5f68a1290e6a6b7d5a5fee5b7ae9ce4ef853fa6948bb4c

SHA512
e634ed76ac1e114415a2664a3773e1c70a35d4f67dbf06898ae576be28f8f241099ab0f19aeb96e6f95ebc6cdfc609ecb45e3895ecc346271c0d449aa1f94345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OZ166hG.exe

Filesize
219KB

MD5
db31cd92867dade24448b9e8f78d49b6

SHA1
64b70b0143d124a301bff8bf1ecd79b2d53ee619

SHA256
81cef48c3f3823d918f398c7e28111901927779a8d67ddd25851f91315693332

SHA512
039d9f00cc5b30b22456ebd31fe371f7432359dbf0915740998a2cffaaea35d506ec0e1d10bb9d87e1b4064a90dff7057562f503c469128874c956dc6a463a62

Download Submit
memory/3084-27-0x0000000007920000-0x0000000007A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3084-22-0x0000000000720000-0x000000000075C000-memory.dmp

Filesize
240KB

Download
memory/3084-23-0x0000000007A40000-0x0000000007FE4000-memory.dmp

Filesize
5.6MB

Download
memory/3084-24-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/3084-25-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/3084-26-0x0000000008610000-0x0000000008C28000-memory.dmp

Filesize
6.1MB

Download
memory/3084-28-0x0000000007830000-0x0000000007842000-memory.dmp

Filesize
72KB

Download
memory/3084-29-0x0000000007890000-0x00000000078CC000-memory.dmp

Filesize
240KB

Download
memory/3084-30-0x00000000078D0000-0x000000000791C000-memory.dmp

Filesize
304KB

Download
memory/3108-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads