mystic | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe
Size

755KB
MD5

6e2b42c5af81be00ce089c6402751459
SHA1

e87e49393955166a1f1b1e3882b77d51085c2a8f
SHA256

6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b
SHA512

01149b34aaece48cdd430dc8c2a66907d3fb1580088718b2e80c783b8e9030c5c83cfa4b3c239ff0c68a7e5f465c173a0c93b6d32b311ac950369f157d775092
SSDEEP

12288:kMr4y90irAsuxGEW8QklzHVZOGhYZkqfzYiWW9rHZuU/kFuFadflBRX9gCemkfBL:0yNjCCkl7zY9LYR+bZuSKdTgCeLZLGrI

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral7/memory/1940-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/1940-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/1940-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral7/memory/1940-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UC641yc.exe	family_redline
behavioral7/memory/2968-22-0x00000000008E0000-0x000000000091E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

bq3Ys3RM.exe1fO32Cv7.exe2UC641yc.exe

pid process

1352 bq3Ys3RM.exe
4516 1fO32Cv7.exe
2968 2UC641yc.exe

pid	process
1352	bq3Ys3RM.exe
4516	1fO32Cv7.exe
2968	2UC641yc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exebq3Ys3RM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bq3Ys3RM.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1fO32Cv7.exe

description pid process target process

PID 4516 set thread context of 1940 4516 1fO32Cv7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4468 1940 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4516 set thread context of 1940	4516	1fO32Cv7.exe	AppLaunch.exe

pid	pid_target	process	target process
4468	1940	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exebq3Ys3RM.exe1fO32Cv7.exe

description	pid	process	target process
PID 1088 wrote to memory of 1352	1088	6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe	bq3Ys3RM.exe
PID 1088 wrote to memory of 1352	1088	6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe	bq3Ys3RM.exe
PID 1088 wrote to memory of 1352	1088	6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe	bq3Ys3RM.exe
PID 1352 wrote to memory of 4516	1352	bq3Ys3RM.exe	1fO32Cv7.exe
PID 1352 wrote to memory of 4516	1352	bq3Ys3RM.exe	1fO32Cv7.exe
PID 1352 wrote to memory of 4516	1352	bq3Ys3RM.exe	1fO32Cv7.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 4516 wrote to memory of 1940	4516	1fO32Cv7.exe	AppLaunch.exe
PID 1352 wrote to memory of 2968	1352	bq3Ys3RM.exe	2UC641yc.exe
PID 1352 wrote to memory of 2968	1352	bq3Ys3RM.exe	2UC641yc.exe
PID 1352 wrote to memory of 2968	1352	bq3Ys3RM.exe	2UC641yc.exe

C:\Users\Admin\AppData\Local\Temp\6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe
"C:\Users\Admin\AppData\Local\Temp\6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bq3Ys3RM.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bq3Ys3RM.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fO32Cv7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fO32Cv7.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 540
5⤵
- Program crash
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UC641yc.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UC641yc.exe
3⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bq3Ys3RM.exe
Filesize
559KB

MD5
fe66a5deee1ea4ea59bb3cc4e309d7b4

SHA1
e08f6208e7cb124f4d655f08b8d49fc153354329

SHA256
fd22d5b519d3c3105daae2fd698cc78518f954890817e0c4482073d18d40d7e1

SHA512
4b74d1220d7c6a9f9817af5b26da0594573825f4a606e3b5e0d95afb56f3fb8fd045d72bdf6a3d6267f8243d14727d5680afd881a8fd98937f499af8b8c30760

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1fO32Cv7.exe
Filesize
1.0MB

MD5
5bb15970e4dfba4c58ed093c9eaca43b

SHA1
706a3a95a40a6c7fb7b95104734e870e95ba0b95

SHA256
37492176f6a586d694821e3cc96b899d6c44934d114b29229f22196cebe11322

SHA512
bf0cc6e1c3f5d8057b0b5d6cf7582953a742e26ac218ef35a9911b0e13ebf3abef5c90c4fa8c870912bcfeac721ca0746f9f02624f5699126c93405ea5dff988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2UC641yc.exe
Filesize
222KB

MD5
b731fa03a323e9d41349281baf184df7

SHA1
ad52bf55a6584bb44709486c1859a0cfaf6506ac

SHA256
cd2b9f42958eaf9d3303e017ee73fc1b8a2c4d13585a8c486d3ea7b6056ab43f

SHA512
0b9e52b7b12f1ed54f9e8379fe0d67676abdc89d84b433ffbfc8f5516ede6bc5ebacbc0ee843a72acf26a9de7728f8356c6ff5a0c69e1f923eb569b9de50859b

Download Submit
memory/1940-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1940-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2968-23-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/2968-22-0x00000000008E0000-0x000000000091E000-memory.dmp

Filesize
248KB

Download
memory/2968-24-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/2968-25-0x0000000002B00000-0x0000000002B0A000-memory.dmp

Filesize
40KB

Download
memory/2968-26-0x00000000087B0000-0x0000000008DC8000-memory.dmp

Filesize
6.1MB

Download
memory/2968-27-0x0000000007A50000-0x0000000007B5A000-memory.dmp

Filesize
1.0MB

Download
memory/2968-28-0x00000000077A0000-0x00000000077B2000-memory.dmp

Filesize
72KB

Download
memory/2968-29-0x0000000007800000-0x000000000783C000-memory.dmp

Filesize
240KB

Download
memory/2968-30-0x0000000007940000-0x000000000798C000-memory.dmp

Filesize
304KB

Download