mystic | 9b80269950e0f1b633a8f97657fa8c4843d63cc1062890797edcbbcf58625520

Analysis

max time kernel
134s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe
Size

1.5MB
MD5

c45e1f8653a052bdb4d697102396e863
SHA1

6e8f88305f5c7359a816c519a82ef03c676d1e35
SHA256

43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e
SHA512

6c2800555c67a354e0723774ac94722773643c10ff07ebb569e90de3e9404aa0121b4e4acbaf0c690139a2a438cbe51ecce9d0e16b3c3eb836caf579f48db44a
SSDEEP

24576:YyfuS0vx3E0sZomjE5DHLQcU+s+ee997Di17mn/MnYCIuKy:fGS0vx3TTmjEBQcU2tLeoMYCIu

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral6/memory/5032-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/5032-37-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral6/memory/5032-39-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x0007000000023424-40.dat	family_redline
behavioral6/memory/904-42-0x00000000007A0000-0x00000000007DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1320	Bo9nL4wI.exe
4528	RG3ai7MW.exe
4896	zK6eP4uo.exe
4196	dh1GC2aO.exe
2948	1zc17tB8.exe
904	2Wo351Yi.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bo9nL4wI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	RG3ai7MW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zK6eP4uo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dh1GC2aO.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 5032	2948	1zc17tB8.exe	93

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1320	4712	43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe	82
PID 4712 wrote to memory of 1320	4712	43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe	82
PID 4712 wrote to memory of 1320	4712	43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe	82
PID 1320 wrote to memory of 4528	1320	Bo9nL4wI.exe	83
PID 1320 wrote to memory of 4528	1320	Bo9nL4wI.exe	83
PID 1320 wrote to memory of 4528	1320	Bo9nL4wI.exe	83
PID 4528 wrote to memory of 4896	4528	RG3ai7MW.exe	84
PID 4528 wrote to memory of 4896	4528	RG3ai7MW.exe	84
PID 4528 wrote to memory of 4896	4528	RG3ai7MW.exe	84
PID 4896 wrote to memory of 4196	4896	zK6eP4uo.exe	85
PID 4896 wrote to memory of 4196	4896	zK6eP4uo.exe	85
PID 4896 wrote to memory of 4196	4896	zK6eP4uo.exe	85
PID 4196 wrote to memory of 2948	4196	dh1GC2aO.exe	86
PID 4196 wrote to memory of 2948	4196	dh1GC2aO.exe	86
PID 4196 wrote to memory of 2948	4196	dh1GC2aO.exe	86
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 2948 wrote to memory of 5032	2948	1zc17tB8.exe	93
PID 4196 wrote to memory of 904	4196	dh1GC2aO.exe	94
PID 4196 wrote to memory of 904	4196	dh1GC2aO.exe	94
PID 4196 wrote to memory of 904	4196	dh1GC2aO.exe	94

C:\Users\Admin\AppData\Local\Temp\43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe
"C:\Users\Admin\AppData\Local\Temp\43ea4b5927abdf60c2312374034e3b21c33a1082d31190027a6b747b84aef49e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bo9nL4wI.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bo9nL4wI.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RG3ai7MW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RG3ai7MW.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zK6eP4uo.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zK6eP4uo.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh1GC2aO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh1GC2aO.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4196
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zc17tB8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zc17tB8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wo351Yi.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wo351Yi.exe
        6⤵
        Executes dropped EXE
        
        PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bo9nL4wI.exe

Filesize
1.3MB

MD5
ac354fa184e02ccfba25ef68e31bec47

SHA1
63c9988a86e8d632687298e4cf6df6db71ff6b8b

SHA256
86373bfd289f5871136e25e6c0da85f8e87a6c328e9681fb5f8b5ce858c0badd

SHA512
b11e441db571fbcfa13704770fbec29e5e457c9152c7c867289c40400882648bc8528458abe05c4555437f860d6a96700242ecffacb29f5d81e1c4dec89ed893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RG3ai7MW.exe

Filesize
1.2MB

MD5
c67b495fc521e4b36c61e5b14d26c7c6

SHA1
ff8074700514b231044f375ebb9c4a31313cd396

SHA256
2654eb5d65d762a5f095d8b4d73e6e198f47a30754833d6910945f65a33d73d9

SHA512
28e5689484bf02921283ec048a5fb8416aa431d346077fc6d9cfce930b40f3aa2c18edfe72180ca628a341c7054cbefd34d733318269df86105332c914c16488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zK6eP4uo.exe

Filesize
761KB

MD5
dc3abae021fb76c2b48bddb60df86e04

SHA1
89367ae4a3e5505275feaedefa5e6b50b138ace2

SHA256
ce8e662d84aaa8e6be9cd67b349caee7ec066cd54053a27e655d8ba95ff17d8b

SHA512
d6602e4bcd393e3638afeb225bce108b3742bf28e3c398e8702a845fc2a6dc18e96538684680d57d74deed507a7e1572b01fbeac6906cd7f22ad94237bea4326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh1GC2aO.exe

Filesize
565KB

MD5
b381d2f90e0e980e23045231cda9be6f

SHA1
34f3bf51415db99bfa26211c1f9e16cc086b7164

SHA256
4ef3aad381ed825d15c268a784b1b3af8bc03dcfa70abd6d4fb4b50fb8b11294

SHA512
3030890deb7e6fe8ee786043a77a17ada970c37b981b0f0b3c5efaf28d47b9f4b7cc558cc9143d66bea7b720d268537dddbb90cc361cb5e0139f444e546142f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zc17tB8.exe

Filesize
1.1MB

MD5
145cdb337a3d7ace0add3394bc3053a6

SHA1
cd52c89b4db2e59299fd48d931943dea81ab328b

SHA256
f0d54d0c133cac6c04ff6fc75512a7f3f46d6bc4e41e2d9ef68df3fb6f042d9f

SHA512
27979c80af377318259f681b1c564cbafc9fc50ada8e916b0fe60cd06ed22c66ae3481642b6ec88a9800b0d9ae63edc7d85b23416ce0ef2a5ab091c86ea71672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Wo351Yi.exe

Filesize
221KB

MD5
97b7770eb9bac92c3080a08f7027399a

SHA1
83ae45c4c227577327dba5b4d3ad36807d77ad18

SHA256
522254301e218d3376bc8356a7c2df81348e495045b853a88a363bac76e6c360

SHA512
43f92a349cb471a4397f3da669ba417def557502fc681a00c869396ce2fe4634645133321173920ae2e12d7d2426417a5f14874c5dc706be7355e42761387987

Download Submit
memory/904-45-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/904-42-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/904-43-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/904-44-0x00000000076A0000-0x0000000007732000-memory.dmp

Filesize
584KB

Download
memory/904-46-0x0000000008780000-0x0000000008D98000-memory.dmp

Filesize
6.1MB

Download
memory/904-47-0x0000000008160000-0x000000000826A000-memory.dmp

Filesize
1.0MB

Download
memory/904-48-0x0000000007790000-0x00000000077A2000-memory.dmp

Filesize
72KB

Download
memory/904-49-0x0000000007920000-0x000000000795C000-memory.dmp

Filesize
240KB

Download
memory/904-50-0x00000000077C0000-0x000000000780C000-memory.dmp

Filesize
304KB

Download
memory/5032-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5032-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads