mystic | 9f4cee8892544b3b9090f5a7288e0a353e34bada2f75253f19bfebaefa1f0f53

Analysis

max time kernel
135s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Size

1.5MB
MD5

107010beec076341ed4728108616ae14
SHA1

d521c427abf30e3dea44b2e3a6715310b13d5236
SHA256

a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52
SHA512

c3646f0d843750387e5b839247777ae8ad2ac09c8a421f5f51f9da537de753fbe2598b172e704a1e80265305f08c66cd5e60130cbaca52774bc0451ab032ca78
SSDEEP

24576:ByyUtVJGOjT10AgnfUZqs+D5aT82lA/Z1SMU9sWdtqvO9J:0yUhRT10Lnf8Z+D5YNKR1SMUfdt0U

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral15/memory/3084-35-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/3084-38-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral15/memory/3084-36-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral15/files/0x000700000002355a-40.dat	family_redline
behavioral15/memory/4436-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
748	vS3cv7Ny.exe
2920	md5uC1Kk.exe
1152	ig9ND9Br.exe
3664	hW6pu6vt.exe
4092	1Ea32tu8.exe
4436	2nO120ja.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	md5uC1Kk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ig9ND9Br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	hW6pu6vt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vS3cv7Ny.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 3084	4092	1Ea32tu8.exe	106

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 748	4864	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	91
PID 4864 wrote to memory of 748	4864	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	91
PID 4864 wrote to memory of 748	4864	a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe	91
PID 748 wrote to memory of 2920	748	vS3cv7Ny.exe	92
PID 748 wrote to memory of 2920	748	vS3cv7Ny.exe	92
PID 748 wrote to memory of 2920	748	vS3cv7Ny.exe	92
PID 2920 wrote to memory of 1152	2920	md5uC1Kk.exe	93
PID 2920 wrote to memory of 1152	2920	md5uC1Kk.exe	93
PID 2920 wrote to memory of 1152	2920	md5uC1Kk.exe	93
PID 1152 wrote to memory of 3664	1152	ig9ND9Br.exe	94
PID 1152 wrote to memory of 3664	1152	ig9ND9Br.exe	94
PID 1152 wrote to memory of 3664	1152	ig9ND9Br.exe	94
PID 3664 wrote to memory of 4092	3664	hW6pu6vt.exe	95
PID 3664 wrote to memory of 4092	3664	hW6pu6vt.exe	95
PID 3664 wrote to memory of 4092	3664	hW6pu6vt.exe	95
PID 4092 wrote to memory of 3732	4092	1Ea32tu8.exe	105
PID 4092 wrote to memory of 3732	4092	1Ea32tu8.exe	105
PID 4092 wrote to memory of 3732	4092	1Ea32tu8.exe	105
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 4092 wrote to memory of 3084	4092	1Ea32tu8.exe	106
PID 3664 wrote to memory of 4436	3664	hW6pu6vt.exe	107
PID 3664 wrote to memory of 4436	3664	hW6pu6vt.exe	107
PID 3664 wrote to memory of 4436	3664	hW6pu6vt.exe	107

C:\Users\Admin\AppData\Local\Temp\a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
"C:\Users\Admin\AppData\Local\Temp\a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3732
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe
        6⤵
        Executes dropped EXE
        
        PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1276 /prefetch:8
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe

Filesize
1.3MB

MD5
5e5e0f3b6bd23c17863a01d7e4439671

SHA1
2ac6bbedefd43a4fb1acb1b86982ff19ea5ffe8a

SHA256
db3f5deaf908591e151bdb9b23661598a8e6fb49973908c3fcea984b53897aab

SHA512
545ca59ef97f0dc4b3ca7830e58a7845915048fc8fffa365d7b3d555f77942cd5c906f4cad384c169c1ca511f3e50a31a8a4a36a101ac6069f2f469faef6e89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe

Filesize
1.2MB

MD5
e7f0ff0fc5d8ea2d182ae44634559875

SHA1
a7b2e67408a3f1d28d494c8a28089ca6347e3bff

SHA256
d30cdc5c8dcc4fae16924de9e07d71de570b81aa8f8746fad42c4193dee99154

SHA512
cab1b57bd4ee2f32c71f9b787bc150bbfc9aeb103d1b636cbec572d543f6056b49ace8fd84a7c4d34499abcaae06a6fa4462d14a1c7a6e0e52be481c8dac729c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe

Filesize
761KB

MD5
ee6710d772b4fa041ae3a6f57e8d7c05

SHA1
92345b8a2ece6d56842520922dd9f656cf347e96

SHA256
73b205f448b646e118fbaf2b64497d60ae79e7c528f69dda34aef6028ef91698

SHA512
d200796376d83c7723e3a041e5a30f5e07849ced11f313b5d51f0752e2e5fb85d225bb7ffc6f309408444adb9db881e1325e8428374e44980de42f1763033d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hW6pu6vt.exe

Filesize
565KB

MD5
b0d76a3682645518d2343a7c7df92342

SHA1
90de95db225295476be3704dd94d086da8f7d94b

SHA256
3e91f2232f52be3d79eae8e8e20b2078c040296a73c5caf7babe12cc104e7f51

SHA512
9c2b834ce01390c25607d04ce5bd9b20260d56e1769b1bfe85865d66273bf281f86e40b7984a0da7bfd14c67d914766c8af2e695fd5212f5039b24f33f5a4a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ea32tu8.exe

Filesize
1.1MB

MD5
9046d6452dc56f767b5634b91984df5b

SHA1
2652f44290e9aa986150c1d8ab0ebfd09dbaedfc

SHA256
065c2a915f5d18dff55ae9638fe2cfd99cdbb56bad37a6e62972d41180b53d01

SHA512
fed245375b595b7a1a66bcf91cbc9407fbaa3f35ae7c270879dea494fce8a7b144a6d293af8e4416ae09477edfb2caeb929c87eaaa4ffad4077bb8a63d4fe5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2nO120ja.exe

Filesize
221KB

MD5
e9072dfff42499a824f1cbfd0f2682a2

SHA1
b9cc6ba1bf371c9f42bc29b191c9e0c3684fadea

SHA256
89a4a03c0008f71f3aa17a852c21fbd18e01e00a05a85c9367ce835d208a6bca

SHA512
4dc08c3bb5ed5d5de1e1981cb44a882874cde363dc805f6104e58b9bafedbb58764bf9727bb83b5022d10c05cb75976a85ee4f6ffd608745a4f3526101829d8f

Download Submit
memory/3084-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-42-0x0000000000C40000-0x0000000000C7E000-memory.dmp

Filesize
248KB

Download
memory/4436-43-0x0000000008030000-0x00000000085D4000-memory.dmp

Filesize
5.6MB

Download
memory/4436-44-0x0000000007B40000-0x0000000007BD2000-memory.dmp

Filesize
584KB

Download
memory/4436-45-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4436-46-0x0000000008C00000-0x0000000009218000-memory.dmp

Filesize
6.1MB

Download
memory/4436-47-0x0000000007F10000-0x000000000801A000-memory.dmp

Filesize
1.0MB

Download
memory/4436-48-0x0000000007C30000-0x0000000007C42000-memory.dmp

Filesize
72KB

Download
memory/4436-49-0x0000000007CB0000-0x0000000007CEC000-memory.dmp

Filesize
240KB

Download
memory/4436-50-0x0000000007E00000-0x0000000007E4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads