mystic | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Size

761KB
MD5

4a01abacf29d457359df733251113c91
SHA1

b4ad19178b21c759bf8bf5676a435aa4b00b5e5e
SHA256

d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849
SHA512

99da8748c8593756f22ada15415c9bb7e79f03796b28bf8b56479cfd7c4a715eb239ec9e0d83f044cbdaadadad8c71f4886ed01bd439ac444dc8219032dd277d
SSDEEP

12288:SMrWy90UWJTYhBFqL/iQlnlo07S7g/0dMJ6krt4Mr1W40PbyXTvhZHJ:EydPQDVlo07qQ0642tr1SbyXT5Zp

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral16/memory/3868-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/3868-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/3868-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral16/memory/3868-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wv494Lv.exe	family_redline
behavioral16/memory/4248-22-0x0000000000B40000-0x0000000000B7E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Jk6xI8em.exe1Xx54Jf5.exe2wv494Lv.exe

pid process

2200 Jk6xI8em.exe
2428 1Xx54Jf5.exe
4248 2wv494Lv.exe

pid	process
2200	Jk6xI8em.exe
2428	1Xx54Jf5.exe
4248	2wv494Lv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exeJk6xI8em.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jk6xI8em.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Xx54Jf5.exe

description pid process target process

PID 2428 set thread context of 3868 2428 1Xx54Jf5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4624 3868 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2428 set thread context of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe

pid	pid_target	process	target process
4624	3868	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exeJk6xI8em.exe1Xx54Jf5.exe

description	pid	process	target process
PID 1176 wrote to memory of 2200	1176	d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe	Jk6xI8em.exe
PID 1176 wrote to memory of 2200	1176	d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe	Jk6xI8em.exe
PID 1176 wrote to memory of 2200	1176	d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe	Jk6xI8em.exe
PID 2200 wrote to memory of 2428	2200	Jk6xI8em.exe	1Xx54Jf5.exe
PID 2200 wrote to memory of 2428	2200	Jk6xI8em.exe	1Xx54Jf5.exe
PID 2200 wrote to memory of 2428	2200	Jk6xI8em.exe	1Xx54Jf5.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2428 wrote to memory of 3868	2428	1Xx54Jf5.exe	AppLaunch.exe
PID 2200 wrote to memory of 4248	2200	Jk6xI8em.exe	2wv494Lv.exe
PID 2200 wrote to memory of 4248	2200	Jk6xI8em.exe	2wv494Lv.exe
PID 2200 wrote to memory of 4248	2200	Jk6xI8em.exe	2wv494Lv.exe

C:\Users\Admin\AppData\Local\Temp\d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
"C:\Users\Admin\AppData\Local\Temp\d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk6xI8em.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk6xI8em.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Xx54Jf5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Xx54Jf5.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 540
5⤵
- Program crash
PID:4624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wv494Lv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wv494Lv.exe
3⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3868 -ip 3868
1⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jk6xI8em.exe
Filesize
565KB

MD5
c4c9b6e6d6cc6278c2a5dd0b7d7a510d

SHA1
4b953da1faf556699438c4a84ae0ea74686a42c5

SHA256
709e34d69fd09c60c05def853369ed8864760fea002b0fa82fa6ec1832808900

SHA512
ea4ec892c541abb3cab2856e9b7fdbfc73fafa6b133885deb230642afc204f26211af2dcf1c572a9a81ed7947892d06b439d575cb618c71bd714afb64b12eff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Xx54Jf5.exe
Filesize
1.1MB

MD5
010a49e27d3b182e379624c527bc4633

SHA1
61d26aea823f82298e9efc009086dab4d5e9a6ca

SHA256
803ad1a4710402452baa2842db4a548cb96db7484de45be50faf36f14826008b

SHA512
ea9ca5a98de69152083e9b88ee5e72751bbe9760dcaf841a41595a5d2a90a750c185d576207c6d99536650c538223f7ab9763f948ce6d6f0b0f4559683abc590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2wv494Lv.exe
Filesize
221KB

MD5
f1967551553a0ad6e11f2199ed4a8597

SHA1
e71ca79cdecc26b7150e6377deaf67df817be30d

SHA256
5bc50a23f7fdf3d6d192e5608744f508ea629d1073a28168fee2e120ea97fbea

SHA512
f9ac0cad42ebaf923a72a2ab8027ca2181feeb4f7e4fa9fe0c4c900994315c9d9a446f16af5ab2a13d480258eeba537df593098afe27b2630efb4983ad1b6ee0

Download Submit
memory/3868-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4248-23-0x0000000007EB0000-0x0000000008454000-memory.dmp

Filesize
5.6MB

Download
memory/4248-22-0x0000000000B40000-0x0000000000B7E000-memory.dmp

Filesize
248KB

Download
memory/4248-24-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/4248-25-0x0000000002D30000-0x0000000002D3A000-memory.dmp

Filesize
40KB

Download
memory/4248-26-0x0000000008A80000-0x0000000009098000-memory.dmp

Filesize
6.1MB

Download
memory/4248-27-0x0000000007D00000-0x0000000007E0A000-memory.dmp

Filesize
1.0MB

Download
memory/4248-28-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/4248-29-0x0000000007A80000-0x0000000007ABC000-memory.dmp

Filesize
240KB

Download
memory/4248-30-0x0000000007A20000-0x0000000007A6C000-memory.dmp

Filesize
304KB

Download