mystic | e19e97a334ecb39058fd976080222a46cc2159e34c85df371a9eaf0088ee80eb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe
Size

756KB
MD5

4ef3c5ba8894158b3f0101b9512780c7
SHA1

777a91e9ab90e77abc4dfef4a88eb3100ddb8a3e
SHA256

c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070
SHA512

406bed536404945e076c2cf46961ab6a2992f369e2cf6e2d010eb09ae92edcd190db68416dc0c20d3fe5a3482c8133b86b72374d17384f902ee53d87c21ce4f7
SSDEEP

12288:xMrwy90Tj5ffrOfwsAJ+s6DMeL6h0AY0FOCHhhdZweQfq4iee1Tvax:Ryi4Is7sTeL6h/Y23BXZwxfe2x

Score

10^/10

mystic redline kinza infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kinza

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral24/memory/1792-14-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral24/memory/1792-15-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral24/memory/1792-18-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral24/memory/1792-16-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ci447Sn.exe	family_redline
behavioral24/memory/5060-22-0x0000000000880000-0x00000000008BE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

mq6WM9Wn.exe1VL84Er7.exe2Ci447Sn.exe

pid process

3176 mq6WM9Wn.exe
4976 1VL84Er7.exe
5060 2Ci447Sn.exe

pid	process
3176	mq6WM9Wn.exe
4976	1VL84Er7.exe
5060	2Ci447Sn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exemq6WM9Wn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mq6WM9Wn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1VL84Er7.exe

description pid process target process

PID 4976 set thread context of 1792 4976 1VL84Er7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4844 1792 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4976 set thread context of 1792	4976	1VL84Er7.exe	AppLaunch.exe

pid	pid_target	process	target process
4844	1792	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exemq6WM9Wn.exe1VL84Er7.exe

description	pid	process	target process
PID 228 wrote to memory of 3176	228	c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe	mq6WM9Wn.exe
PID 228 wrote to memory of 3176	228	c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe	mq6WM9Wn.exe
PID 228 wrote to memory of 3176	228	c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe	mq6WM9Wn.exe
PID 3176 wrote to memory of 4976	3176	mq6WM9Wn.exe	1VL84Er7.exe
PID 3176 wrote to memory of 4976	3176	mq6WM9Wn.exe	1VL84Er7.exe
PID 3176 wrote to memory of 4976	3176	mq6WM9Wn.exe	1VL84Er7.exe
PID 4976 wrote to memory of 5032	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 5032	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 5032	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 4976 wrote to memory of 1792	4976	1VL84Er7.exe	AppLaunch.exe
PID 3176 wrote to memory of 5060	3176	mq6WM9Wn.exe	2Ci447Sn.exe
PID 3176 wrote to memory of 5060	3176	mq6WM9Wn.exe	2Ci447Sn.exe
PID 3176 wrote to memory of 5060	3176	mq6WM9Wn.exe	2Ci447Sn.exe

C:\Users\Admin\AppData\Local\Temp\c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe
"C:\Users\Admin\AppData\Local\Temp\c901122f0065d9da89857ec8341cf2ffba9fd5fd9ac4717e138a6b96c776b070.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mq6WM9Wn.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mq6WM9Wn.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1VL84Er7.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1VL84Er7.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 540
5⤵
- Program crash
PID:4844

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ci447Sn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ci447Sn.exe
3⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1792 -ip 1792
1⤵
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mq6WM9Wn.exe
Filesize
560KB

MD5
772fc542ce9e4bfbe2039c823816e3fe

SHA1
132cdd72bce7904bd08b5a045b94d1a506e11b2e

SHA256
6739c06a028feb657682357ea322c0dee5a1c0b0955dfc1ff63c3a96b21d8718

SHA512
e6ac6ae44d3ac10bf6058fc189c923d4036940de64bb89ef2a38f0b1f14f85a953e49e6b1a4285fc5ae7c4658158bca660e9e7fec3b6a3832d0b4452808291bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1VL84Er7.exe
Filesize
1.0MB

MD5
7a0135fe2bad0e99d46b47f4af33d76f

SHA1
0b62194c52978717d516bf04df877ddf80c600ea

SHA256
7322bacd181e869925f6e69e1beb6d93e8506e6e7c849f47f5acca7736ae01d0

SHA512
f8dc3479204950065698946bf857068a713ef0d05b66dec3e0c8e6877792824db3656d7cbdcb9dde50a1c5aeb4d1543ec630b2085747f2e59b69bd1b08d93ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ci447Sn.exe
Filesize
222KB

MD5
e0118708431baaa2812a3d4c651c003d

SHA1
56d3aa1cb1e35de549535b392887f4bf5e2705c1

SHA256
99dcfc46702f92d9c1f9ca4084c3fd6097df0e241a4fec598a555cae56363ed9

SHA512
52f578b88d182fa996aa0ce59c407d72b0f2b54a7bf14253552faeeb874656189b1ded9734bd8be876e690ae374e4e4a11e223e241e33501a394dab256d30be9

Download Submit
memory/1792-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-23-0x0000000007C40000-0x00000000081E4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-22-0x0000000000880000-0x00000000008BE000-memory.dmp

Filesize
248KB

Download
memory/5060-24-0x0000000007770000-0x0000000007802000-memory.dmp

Filesize
584KB

Download
memory/5060-25-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/5060-26-0x0000000008810000-0x0000000008E28000-memory.dmp

Filesize
6.1MB

Download
memory/5060-27-0x0000000007A90000-0x0000000007B9A000-memory.dmp

Filesize
1.0MB

Download
memory/5060-28-0x0000000007980000-0x0000000007992000-memory.dmp

Filesize
72KB

Download
memory/5060-29-0x00000000079E0000-0x0000000007A1C000-memory.dmp

Filesize
240KB

Download
memory/5060-30-0x0000000007A20000-0x0000000007A6C000-memory.dmp

Filesize
304KB

Download