mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe
Size

761KB
MD5

beca03b004cff0040bd6fe86c8bbaca0
SHA1

6982391f353b0884dad9cfe6a74989cde215b6aa
SHA256

2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97
SHA512

f720259a5620da7c2d8405356b9496847d52a793c1e109ea11a637f91b20b88af0adf4e2ea352b0a89861c4b55d20b363ae11a7a8addd396fb5084d8cdcf090a
SSDEEP

12288:xMrmy90OmdMUmVSz10z5WiWpsQB6+W5hu/G13XxRZDVYDOGmRjd4LjNIp:jyYHmgz+IvuQB6+W5w83XXrYDOGCOjN4

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral3/memory/4268-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/4268-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/4268-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral3/memory/4268-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023414-20.dat	family_redline
behavioral3/memory/4904-22-0x0000000000F80000-0x0000000000FBE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
4448	jw4zU9NJ.exe
4996	1kh06kN2.exe
4904	2ui317gK.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jw4zU9NJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 4268	4996	1kh06kN2.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3436	4268	WerFault.exe	88

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4448	3244	2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe	84
PID 3244 wrote to memory of 4448	3244	2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe	84
PID 3244 wrote to memory of 4448	3244	2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe	84
PID 4448 wrote to memory of 4996	4448	jw4zU9NJ.exe	85
PID 4448 wrote to memory of 4996	4448	jw4zU9NJ.exe	85
PID 4448 wrote to memory of 4996	4448	jw4zU9NJ.exe	85
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4996 wrote to memory of 4268	4996	1kh06kN2.exe	88
PID 4448 wrote to memory of 4904	4448	jw4zU9NJ.exe	90
PID 4448 wrote to memory of 4904	4448	jw4zU9NJ.exe	90
PID 4448 wrote to memory of 4904	4448	jw4zU9NJ.exe	90

C:\Users\Admin\AppData\Local\Temp\2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe
"C:\Users\Admin\AppData\Local\Temp\2ca6e4b470413b98976384ac3e479028c30b8486b2ebb4a4dd8e4e2142faac97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw4zU9NJ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw4zU9NJ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kh06kN2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kh06kN2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 540
        5⤵
        Program crash
        
        PID:3436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ui317gK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ui317gK.exe
    3⤵
    - Executes dropped EXE
    PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4268 -ip 4268
1⤵
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw4zU9NJ.exe

Filesize
565KB

MD5
faad00e14f34cf44ac9ac31210c9ee43

SHA1
5ef54230eb161049aca9964aecd9a7fb05a34b64

SHA256
0515db4f55c14c84c422ea901b02022bf980667039ad5f7137a04492b9dd7283

SHA512
49ec59d439150440be36fc58950cc221ef628d9767d702457a6d9f59a167a291681670515ac4f6ab7a9b3853d0a0550ea19e2178393fc66d9b831d6ea780271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1kh06kN2.exe

Filesize
1.1MB

MD5
6c771d3adf6dd0b256bb1a0e939e6dc7

SHA1
bc63888f1bd39e61746224b2d46a53fa4371cb5d

SHA256
3224810d26b6900a502d08b2a97f3c9832b72fc17f02c090d4d15f89b137f1c3

SHA512
2d99a68a656e31eddabc32b934e76accb139efe2da64f8cc1a01e8818e4b0054c700fa4b2cf0c0a0788d15142440565503fa57a81e8369b317b7b9d9483b2a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2ui317gK.exe

Filesize
222KB

MD5
46239d6e245181c0c45b98a350ddaf9c

SHA1
99fe74b1e2e3bd35d3472bc3c3aa3df9a9336aeb

SHA256
f070ad5c2b71fc0c335f5aad6c404cf2a03dcd8a45821a267d7c52810c96b24b

SHA512
2fd6fecf6b6f44e4285d75bd79e9aa54a2b64ba085acb3a7e2ca1a37ca551f02b62e51048ee30b17fdb0f53841427653e94e923d979298497b178e0d0f696f24

Download Submit
memory/4268-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4268-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4904-23-0x0000000008330000-0x00000000088D4000-memory.dmp

Filesize
5.6MB

Download
memory/4904-22-0x0000000000F80000-0x0000000000FBE000-memory.dmp

Filesize
248KB

Download
memory/4904-24-0x0000000007E80000-0x0000000007F12000-memory.dmp

Filesize
584KB

Download
memory/4904-25-0x00000000053E0000-0x00000000053EA000-memory.dmp

Filesize
40KB

Download
memory/4904-26-0x0000000008F00000-0x0000000009518000-memory.dmp

Filesize
6.1MB

Download
memory/4904-27-0x0000000008190000-0x000000000829A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-28-0x0000000008080000-0x0000000008092000-memory.dmp

Filesize
72KB

Download
memory/4904-29-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4904-30-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads