mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe
Size

928KB
MD5

5f7d972246ac7b99d22559f422100798
SHA1

2286717f0343e7d12dfba0f80f313678795fe5c3
SHA256

e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad
SHA512

6f17fa1e7cea506c16e897600ce4f5e91df27a2682525e7ed49261a9bf0f1d283c1fbb0b8a095e57ca033bbc478591e863280baaa01f25791562fbd619d4363c
SSDEEP

24576:vykpjd/S0hNVQ/3erayK6tvfsnpBzX1rGhdC9sc9j1L:66R/RNVW3eBlknptRGhdWf9j1

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral16/memory/4180-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/4180-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral16/memory/4180-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8594830.exe	family_redline
behavioral16/memory/4876-35-0x0000000000E00000-0x0000000000E30000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x9667088.exex0330243.exex8348760.exeg0746780.exeh8594830.exe

pid process

740 x9667088.exe
4540 x0330243.exe
3972 x8348760.exe
3740 g0746780.exe
4876 h8594830.exe

pid	process
740	x9667088.exe
4540	x0330243.exe
3972	x8348760.exe
3740	g0746780.exe
4876	h8594830.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exex9667088.exex0330243.exex8348760.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9667088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0330243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8348760.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g0746780.exe

description pid process target process

PID 3740 set thread context of 4180 3740 g0746780.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3224 3740 WerFault.exe g0746780.exe

description	pid	process	target process
PID 3740 set thread context of 4180	3740	g0746780.exe	AppLaunch.exe

pid	pid_target	process	target process
3224	3740	WerFault.exe	g0746780.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exex9667088.exex0330243.exex8348760.exeg0746780.exe

description	pid	process	target process
PID 4388 wrote to memory of 740	4388	e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe	x9667088.exe
PID 4388 wrote to memory of 740	4388	e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe	x9667088.exe
PID 4388 wrote to memory of 740	4388	e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe	x9667088.exe
PID 740 wrote to memory of 4540	740	x9667088.exe	x0330243.exe
PID 740 wrote to memory of 4540	740	x9667088.exe	x0330243.exe
PID 740 wrote to memory of 4540	740	x9667088.exe	x0330243.exe
PID 4540 wrote to memory of 3972	4540	x0330243.exe	x8348760.exe
PID 4540 wrote to memory of 3972	4540	x0330243.exe	x8348760.exe
PID 4540 wrote to memory of 3972	4540	x0330243.exe	x8348760.exe
PID 3972 wrote to memory of 3740	3972	x8348760.exe	g0746780.exe
PID 3972 wrote to memory of 3740	3972	x8348760.exe	g0746780.exe
PID 3972 wrote to memory of 3740	3972	x8348760.exe	g0746780.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3740 wrote to memory of 4180	3740	g0746780.exe	AppLaunch.exe
PID 3972 wrote to memory of 4876	3972	x8348760.exe	h8594830.exe
PID 3972 wrote to memory of 4876	3972	x8348760.exe	h8594830.exe
PID 3972 wrote to memory of 4876	3972	x8348760.exe	h8594830.exe

C:\Users\Admin\AppData\Local\Temp\e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe
"C:\Users\Admin\AppData\Local\Temp\e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9667088.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9667088.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0330243.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0330243.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8348760.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8348760.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0746780.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0746780.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4180
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 552
        6⤵
        Program crash
        
        PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8594830.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8594830.exe
        5⤵
        Executes dropped EXE
        
        PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3740 -ip 3740
1⤵
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9667088.exe

Filesize
827KB

MD5
34538acb9d92028e4f9e21e18f0d92d9

SHA1
ece5fdb6196865b2c0a9d0f062a35eee1db8e2b7

SHA256
c1fc2bcdcbd5997aee61287d7fde470b5b6fb8a7ffcbacb5e455e280629c7467

SHA512
11c2a2c964034b2afa530dd2d94760c04360b40882c804e0ad0df04ea4ded2f5536082430022e68533a7efbb0311718147ea7e79a37a06fd6a36836771b40cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0330243.exe

Filesize
556KB

MD5
acff14efa13ebd9420414d486dd893e8

SHA1
4fec9ca5e395c8d51123d0e8bf15e4b9353a2245

SHA256
ee0673715946e69c6c2409ba7dccb1d249a937a3d9f1462596287c443e5ca003

SHA512
3034e317faeda0d6c861f609f2b4ddb100fea5447ffc9601ef281e3ec2aca6c1dcd3bc1134ffef6744a622fa04bbb9ac8c3fbe602c1eb8cae2a1486d9f568606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8348760.exe

Filesize
390KB

MD5
079cffb43bbdac32e7ce710d83a6554f

SHA1
13711461295f0368539ac89103818e73884168ad

SHA256
b0c4a1876af35a051d3116ab9cc294d52d8bf70090303fe08c5b73c215ae16e8

SHA512
2bed7150f40fe31ab11bca6cbed00f3644b8ceac7a80c81d059fb029249f3db112baa799874593c7f2ce07c460e544875f81bf712154bc84ddc18457e340ef26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0746780.exe

Filesize
364KB

MD5
e39498d5acf86f4c44e9f80e85a270a7

SHA1
5fd59907a91e569d83af61cd1cdf84d1bdaafcc5

SHA256
d8c42bb05472c7934f1b5fa113b2240e25669985b758232d0afc6636d5b6b6a8

SHA512
07dd33389697babc13ee1dc677dabbf3e1977d3d34c39fd700066a7ae77d0e2571cba4d4834e71c6df48ba8612d6bcedef12c0493eaff49936993aec83477aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8594830.exe

Filesize
173KB

MD5
70c4091ae9dcd655ecdfb98f66f96052

SHA1
ae3a49fa5f3e7c72c702cbb613cb477db8ceb6c7

SHA256
782bcd2020bb436113aaddc95a3726863eeeae48ffabe552334f8f427f1755e1

SHA512
f78c7ea2e03e4416894767c962419d78bc4f97443c346a223e7bfdadbe8095912b17f3219d97087eb149c526f9220c5d7d8ece3c31ca23dad0824feb0c5eb547

Download Submit
memory/4180-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4180-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4180-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4876-35-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/4876-36-0x0000000005820000-0x0000000005826000-memory.dmp

Filesize
24KB

Download
memory/4876-37-0x000000000B250000-0x000000000B868000-memory.dmp

Filesize
6.1MB

Download
memory/4876-38-0x000000000ADB0000-0x000000000AEBA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-39-0x000000000ACF0000-0x000000000AD02000-memory.dmp

Filesize
72KB

Download
memory/4876-40-0x000000000AD50000-0x000000000AD8C000-memory.dmp

Filesize
240KB

Download
memory/4876-41-0x00000000031B0000-0x00000000031FC000-memory.dmp

Filesize
304KB

Download