mystic | 47889c48da4c5e390f10c04d8390b2c5d9f68bec127bf0e18bbe686b9079b922

Analysis

max time kernel
133s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe
Size

928KB
MD5

e43fb0ba3f42cba89a4e9de789df3038
SHA1

755650aaa84f385009c339954364c6593b174f20
SHA256

28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb
SHA512

5c42eccc3bd51d0bfbaa2c80feca9a8dba9e84cd7d153011b936aca2aa22aab21aaa473ac436ccb03fe05d6e4f089ee42bfe20ac78fbc61f6c19266c615aa518
SSDEEP

24576:Jy2jAwbwPPXDKN+xl43wd1Q21uhEn4WTzbD1yMT/uDwMM+:8wbgP+2Hd1QquhI4i5yMT/HMM

Score

10^/10

mystic redline kendo infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral6/memory/4048-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4048-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral6/memory/4048-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6629236.exe	family_redline
behavioral6/memory/2884-35-0x0000000000280000-0x00000000002B0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

x4216580.exex1014822.exex9417546.exeg5182699.exeh6629236.exe

pid process

3152 x4216580.exe
3468 x1014822.exe
4960 x9417546.exe
2764 g5182699.exe
2884 h6629236.exe

pid	process
3152	x4216580.exe
3468	x1014822.exe
4960	x9417546.exe
2764	g5182699.exe
2884	h6629236.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exex4216580.exex1014822.exex9417546.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4216580.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1014822.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9417546.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g5182699.exe

description pid process target process

PID 2764 set thread context of 4048 2764 g5182699.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 2764 WerFault.exe g5182699.exe

description	pid	process	target process
PID 2764 set thread context of 4048	2764	g5182699.exe	AppLaunch.exe

pid	pid_target	process	target process
3012	2764	WerFault.exe	g5182699.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exex4216580.exex1014822.exex9417546.exeg5182699.exe

description	pid	process	target process
PID 3596 wrote to memory of 3152	3596	28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe	x4216580.exe
PID 3596 wrote to memory of 3152	3596	28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe	x4216580.exe
PID 3596 wrote to memory of 3152	3596	28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe	x4216580.exe
PID 3152 wrote to memory of 3468	3152	x4216580.exe	x1014822.exe
PID 3152 wrote to memory of 3468	3152	x4216580.exe	x1014822.exe
PID 3152 wrote to memory of 3468	3152	x4216580.exe	x1014822.exe
PID 3468 wrote to memory of 4960	3468	x1014822.exe	x9417546.exe
PID 3468 wrote to memory of 4960	3468	x1014822.exe	x9417546.exe
PID 3468 wrote to memory of 4960	3468	x1014822.exe	x9417546.exe
PID 4960 wrote to memory of 2764	4960	x9417546.exe	g5182699.exe
PID 4960 wrote to memory of 2764	4960	x9417546.exe	g5182699.exe
PID 4960 wrote to memory of 2764	4960	x9417546.exe	g5182699.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 2764 wrote to memory of 4048	2764	g5182699.exe	AppLaunch.exe
PID 4960 wrote to memory of 2884	4960	x9417546.exe	h6629236.exe
PID 4960 wrote to memory of 2884	4960	x9417546.exe	h6629236.exe
PID 4960 wrote to memory of 2884	4960	x9417546.exe	h6629236.exe

C:\Users\Admin\AppData\Local\Temp\28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe
"C:\Users\Admin\AppData\Local\Temp\28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4216580.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4216580.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1014822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1014822.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9417546.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9417546.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5182699.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5182699.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 552
6⤵
- Program crash
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6629236.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6629236.exe
5⤵
- Executes dropped EXE
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2764 -ip 2764
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4216580.exe

Filesize
826KB

MD5
843537b046ac9669536d2a4000c6d684

SHA1
a4ea07b19211a62d7bbf69d8b6ef392304b44e3e

SHA256
2c70d8c5725417dd1e21f4e739c888dfb97d7f3f4b63e180e5d0cd057675d32c

SHA512
b567d34da1ac0e279f3fc361286950ff42e4e398fe207ff2997c6a5c73edbd7ba0f2d472698de8b2e3b38762414740cdbc56b6d5701e5d7287158b037c6cf648

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1014822.exe

Filesize
556KB

MD5
3a01a88c12d28f6451e1e68f1cd50c47

SHA1
134a0d0eff2e8ff71ea3aadd4844442a0a9c756a

SHA256
03574285a2d12d6ba68b6e3d4712a23973f336203bdf728e412856a7f738a549

SHA512
c78a966a3053413b86d06ccf25d4696da6577c2149178980803afaa1ad86f207d26037518b35531db99a227aaaaaebc4de4e3a4756e497dae1b4e8912f0cb35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9417546.exe

Filesize
390KB

MD5
c6d3978f6a199e921f9cf2d1e190f30f

SHA1
86cf06f442283a2c0ce1e8d1d8411be14cc9e044

SHA256
951b73cd3d9807e492f6267fa8f59c87e95207fe233964de3515b74eaa270163

SHA512
349ba923cb1b2f6b5f9b1339bbc2ab1126f21030b1d9bd33477708c0f5c54bb97b3ac29047cf26a1beaf8ed0edc2a0eabb3eb08f5072a1e40e70efec98a5ec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5182699.exe

Filesize
364KB

MD5
b215b62979e1610afe5ee50a770dd5a6

SHA1
ad0fdbe1ae10a5b6e9132b372f992d366882b980

SHA256
1a596056a7e702482d8a7052fef47f67726ce4a091dd5503b78b1f0e5d8d78f2

SHA512
a1771316b45af93d31fc3626ab3d208cc38ff86bc643035faa658765107efe7b3743487c5d8554dbfed5948f136088393de84e0a076e4bf44fae35fdd0ddfb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6629236.exe

Filesize
174KB

MD5
c41dc6b3404b23cc2005f407d88e38e1

SHA1
1f72165bc51e723cbf40c5e40a3b701fc02b142d

SHA256
779f5de18f9eada7d2f8a4fcf29f654f7befddb6070af14df3401643e780464a

SHA512
148252a8e6e6f62083fdad8f38289023f85fec1ba085ed4caab11a8ff45ce03bd29b69d35813703b34ba31e627f9eaf32ad4b9953cb4d9c2b7103d86f596ebea

Download Submit
memory/2884-36-0x0000000002670000-0x0000000002676000-memory.dmp

Filesize
24KB

Download
memory/2884-35-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2884-37-0x000000000A740000-0x000000000AD58000-memory.dmp

Filesize
6.1MB

Download
memory/2884-38-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/2884-39-0x000000000A170000-0x000000000A182000-memory.dmp

Filesize
72KB

Download
memory/2884-40-0x000000000A1D0000-0x000000000A20C000-memory.dmp

Filesize
240KB

Download
memory/2884-41-0x00000000046D0000-0x000000000471C000-memory.dmp

Filesize
304KB

Download
memory/4048-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4048-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4048-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download