mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe
Size

1.5MB
MD5

befe5f1c063836f70bf44237b916e619
SHA1

eeca7ed0b98f96c5d70c56fbc9bf9e4beeaa1317
SHA256

20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7
SHA512

0fe262519c341adfda710a1b71ec0831c3cc1c848ea0454313e6d95ea67eb444ef30007fa0fdc805d116a793689228f54dc9c3d88f9f58d132d5a52b2c9edf73
SSDEEP

24576:jy4nIp1D1ArWtg/x9TVZbQ3FBriDt4ZMWe1QkKctCUfe8jrBUsalIliK++17Aq:2Sgmnx9ZZOiDS56QuTmesbPi7

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/5020-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/5020-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral2/memory/5020-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023439-40.dat	family_redline
behavioral2/memory/4140-42-0x00000000006A0000-0x00000000006DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2372	PW4pu0Eh.exe
972	yl7LF1iC.exe
1172	lz4NJ7dl.exe
4424	IV7HV4zY.exe
3488	1vj32NA2.exe
4140	2UV617hO.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lz4NJ7dl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	IV7HV4zY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PW4pu0Eh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yl7LF1iC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 5020	3488	1vj32NA2.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2372	888	20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe	82
PID 888 wrote to memory of 2372	888	20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe	82
PID 888 wrote to memory of 2372	888	20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe	82
PID 2372 wrote to memory of 972	2372	PW4pu0Eh.exe	83
PID 2372 wrote to memory of 972	2372	PW4pu0Eh.exe	83
PID 2372 wrote to memory of 972	2372	PW4pu0Eh.exe	83
PID 972 wrote to memory of 1172	972	yl7LF1iC.exe	85
PID 972 wrote to memory of 1172	972	yl7LF1iC.exe	85
PID 972 wrote to memory of 1172	972	yl7LF1iC.exe	85
PID 1172 wrote to memory of 4424	1172	lz4NJ7dl.exe	86
PID 1172 wrote to memory of 4424	1172	lz4NJ7dl.exe	86
PID 1172 wrote to memory of 4424	1172	lz4NJ7dl.exe	86
PID 4424 wrote to memory of 3488	4424	IV7HV4zY.exe	87
PID 4424 wrote to memory of 3488	4424	IV7HV4zY.exe	87
PID 4424 wrote to memory of 3488	4424	IV7HV4zY.exe	87
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 3488 wrote to memory of 5020	3488	1vj32NA2.exe	92
PID 4424 wrote to memory of 4140	4424	IV7HV4zY.exe	93
PID 4424 wrote to memory of 4140	4424	IV7HV4zY.exe	93
PID 4424 wrote to memory of 4140	4424	IV7HV4zY.exe	93

C:\Users\Admin\AppData\Local\Temp\20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe
"C:\Users\Admin\AppData\Local\Temp\20d5ad811e156e522c088718e9fad42c9719bbca8aa4b3f144c468550177d6b7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PW4pu0Eh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PW4pu0Eh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl7LF1iC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl7LF1iC.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lz4NJ7dl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lz4NJ7dl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV7HV4zY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV7HV4zY.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vj32NA2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vj32NA2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UV617hO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UV617hO.exe
        6⤵
        Executes dropped EXE
        
        PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PW4pu0Eh.exe

Filesize
1.3MB

MD5
6be3381fb26d22667a5aa1f9782ed72a

SHA1
05bc85886a36f17e9e79cc2f8544d82dcbc131d4

SHA256
34f1a9706bfa7fa6aac32b9b4eb7de390bdb1696209f3139a120cd5f95c33018

SHA512
1984d5f80b08dffbe5ee4f5ecfb1aa462768e0125ca193635e1b780b21cde68bd65721f80ef85bad7eb04cff7e26255475ee9d99d667f8eec5c344927e84cf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yl7LF1iC.exe

Filesize
1.1MB

MD5
6507662c6ce7b2ce06da3bc9e31b104b

SHA1
29906c4d9dd5c4ab186e0d9d5e384ac9ae682fe3

SHA256
f5c6266139141a1657bc1f46dfc63e20d8b0c9b5611d484b2235cd229d21b523

SHA512
1ec3a92b2d7d34e8a154b276a2b8cc474b9421c05e5218a5de3062cdbd63f7d1057827206d928110b14046ee3e139cc317ba9f2f536f9fcddc11354102a3f1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lz4NJ7dl.exe

Filesize
760KB

MD5
4e681a2769082f368d2a3aefc159c229

SHA1
fac048f80f2b1cc6a9e75314d6ad5d523e536114

SHA256
2fcdbb1e9372c1661ee08d0d860112c9d845f5f936d982fb6be6eb8e7ded609c

SHA512
6d97f894254641a2fe0f5e93dd464dba45c9416bc95f6700369370d1f8f1877878c49a5bc235e329b5bcce9d97d7ddec4433fbd9bbe65d5f9380ea73fb866adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\IV7HV4zY.exe

Filesize
563KB

MD5
82422076978596e9d8136fc0420d5c1d

SHA1
627cd1a6c31efac889190ad574b2c608f567b2c6

SHA256
f6236d346868530954571df3566cc8286abf81b1aca0fe9e794e5f9f3e7dc2c0

SHA512
4fd5b6bd59074b2df516d29a17c7abd8cce93d9e0c4331dbd26d4a0d3df992afc109a8f152e0b40f2f811c01b025ae86cc925b22caf86890089e4c3d2ad4b846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1vj32NA2.exe

Filesize
1.1MB

MD5
b2fafa382b60687b7738e2d55ca1ac1c

SHA1
1c224d4546e444366035b0a6981577dd30af1be2

SHA256
72dd541dccb514281422506e2762b6ea3bfc9c62abd7d00758891f2ab3d04040

SHA512
62b049c583c334c1bc4974cdd3527b2b62d44a29ce770f28ce9b4989e3f80b6445c48efe6d44eb02461d7d64fb3ad3ad3322277ac50d355d5d94333895464962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UV617hO.exe

Filesize
221KB

MD5
734d6235533fb2a03b6673decbbd52f8

SHA1
21145a781d27d5a60ba437e7f456b8f32e92318a

SHA256
0ecb72a59b982cac26468540deb26d98448177f7880837b152f4dfefc3ccd0c1

SHA512
bdca125233634f4641e62a3a3b03a7d543d9e4efdd9e1727b9c21fa7ead03b38519413fc3455d38293203ffc3826a5803cc5d16223a9d9cb3038f12e1a6475ee

Download Submit
memory/4140-42-0x00000000006A0000-0x00000000006DE000-memory.dmp

Filesize
248KB

Download
memory/4140-43-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-44-0x0000000007440000-0x00000000074D2000-memory.dmp

Filesize
584KB

Download
memory/4140-45-0x00000000010E0000-0x00000000010EA000-memory.dmp

Filesize
40KB

Download
memory/4140-46-0x0000000008520000-0x0000000008B38000-memory.dmp

Filesize
6.1MB

Download
memory/4140-47-0x0000000007770000-0x000000000787A000-memory.dmp

Filesize
1.0MB

Download
memory/4140-48-0x0000000007660000-0x0000000007672000-memory.dmp

Filesize
72KB

Download
memory/4140-49-0x00000000076C0000-0x00000000076FC000-memory.dmp

Filesize
240KB

Download
memory/4140-50-0x0000000007700000-0x000000000774C000-memory.dmp

Filesize
304KB

Download
memory/5020-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads