mystic | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Size

761KB
MD5

216c4829a35a74ecacf925e3d47f46cc
SHA1

3792b2f30a7237382361cae16251ced767d973fd
SHA256

404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5
SHA512

c4ac9a5edd6200a7734a5fc2048ab52d974516e3a8607c3113dd38fca253adf6aee950b9adaa06ee9b923eeb694c8f2899790eaa19d8b995102473229c8adf15
SSDEEP

12288:LMrdy90rTPMHf9/WOfbJ2lkpZUAHwTHOXSVAsAwCGPjcfMgNLW7Wnbq9KsHfo:GyGPMHfp3DJppmAaHOXcMijcfMg1Wosw

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral6/memory/1816-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/1816-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/1816-20-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/1816-17-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exe	family_redline
behavioral6/memory/2264-22-0x0000000000160000-0x000000000019E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

BE0Oy8Td.exe1qj07gX3.exe2Tu073Gd.exe

pid process

2532 BE0Oy8Td.exe
632 1qj07gX3.exe
2264 2Tu073Gd.exe

pid	process
2532	BE0Oy8Td.exe
632	1qj07gX3.exe
2264	2Tu073Gd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exeBE0Oy8Td.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BE0Oy8Td.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1qj07gX3.exe

description pid process target process

PID 632 set thread context of 1816 632 1qj07gX3.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4932 1816 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 632 set thread context of 1816	632	1qj07gX3.exe	AppLaunch.exe

pid	pid_target	process	target process
4932	1816	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exeBE0Oy8Td.exe1qj07gX3.exe

description	pid	process	target process
PID 3584 wrote to memory of 2532	3584	404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe	BE0Oy8Td.exe
PID 3584 wrote to memory of 2532	3584	404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe	BE0Oy8Td.exe
PID 3584 wrote to memory of 2532	3584	404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe	BE0Oy8Td.exe
PID 2532 wrote to memory of 632	2532	BE0Oy8Td.exe	1qj07gX3.exe
PID 2532 wrote to memory of 632	2532	BE0Oy8Td.exe	1qj07gX3.exe
PID 2532 wrote to memory of 632	2532	BE0Oy8Td.exe	1qj07gX3.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 632 wrote to memory of 1816	632	1qj07gX3.exe	AppLaunch.exe
PID 2532 wrote to memory of 2264	2532	BE0Oy8Td.exe	2Tu073Gd.exe
PID 2532 wrote to memory of 2264	2532	BE0Oy8Td.exe	2Tu073Gd.exe
PID 2532 wrote to memory of 2264	2532	BE0Oy8Td.exe	2Tu073Gd.exe

C:\Users\Admin\AppData\Local\Temp\404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
"C:\Users\Admin\AppData\Local\Temp\404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BE0Oy8Td.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BE0Oy8Td.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qj07gX3.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qj07gX3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 540
        5⤵
        Program crash
        
        PID:4932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exe
    3⤵
    - Executes dropped EXE
    PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 1816
1⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BE0Oy8Td.exe

Filesize
565KB

MD5
47f6def103d025da62719ad1dfbdf553

SHA1
7eac9c64389618e85e2d4232c151c43da44b2252

SHA256
02095c8ea70d9ef8f9f6f084e65f54c1154e3bf40463b149dab1796b76001025

SHA512
1be9f122d37e7f59acb25cfcf863e67094e0ed030b7faa6efea91272376702c7fef91542265024d94a1988754f21f53eda9882ca4b8356befa7b09da476cb29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qj07gX3.exe

Filesize
1.1MB

MD5
ddc7b24fd3ceb2a26b44d3fd4e7de888

SHA1
8b4f5929bf345b6393747480d4287ded2bf0a4f4

SHA256
10acf9580ebdc269ec8006e664151e59bc923256a5d2dc180796bb3ac2fc5e6a

SHA512
b6cf9c95a29dcfdffd121e2bdbffa5efde937b45217a697af331557ee7a6b387e80c3c6924bc6e168507c8184743c929f934190f1dcb923e9d6d7c6aba0e5fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exe

Filesize
222KB

MD5
fe8e9374126fb44db5e22c1bb457879a

SHA1
46536277ab6e785683e9936a49141887cbb47919

SHA256
7e96e339a8a9f1bbf8a3c2cfa4ba0b691681761315684f78b15a5551828510a9

SHA512
fe2efff14904134e52fb6fb43448f4b21f696e194b15208981d0712011a728444852ddf0c8e0523c831b9d3be1133f455e1457c219e85a003020c41b979d5254

Download Submit
memory/1816-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1816-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-23-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/2264-22-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2264-24-0x00000000070D0000-0x0000000007162000-memory.dmp

Filesize
584KB

Download
memory/2264-25-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2264-26-0x00000000081B0000-0x00000000087C8000-memory.dmp

Filesize
6.1MB

Download
memory/2264-27-0x0000000007400000-0x000000000750A000-memory.dmp

Filesize
1.0MB

Download
memory/2264-28-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/2264-29-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/2264-30-0x0000000007280000-0x00000000072CC000-memory.dmp

Filesize
304KB

Download