mystic | 60fcc3045e1b1073753937ff8c184c464a45ea76225a406024335c07f898cf7b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe
Size

1.1MB
MD5

5a466aa4f85cd70486066bca0c04288a
SHA1

e07607b618425d99d77b4cd7bc92f73335ef9927
SHA256

b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06
SHA512

f2ae2f330511b719a5fea62d230efa0b8353a574a07447252f40a6401bd7214b7367b1e7ee0da9e70b14347b2602826b923b5da196c46b83649f0d8c2f275e03
SSDEEP

24576:iyrIp3fgghuDwBylwmclkwkg8ccyAJIxU3c8BtKF:Jsp3D4kBgnwOccDoU3c8

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral16/memory/1276-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral16/memory/1276-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral16/memory/1276-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x00070000000233e9-40.dat	family_redline
behavioral16/memory/2952-42-0x0000000000160000-0x000000000019E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
1588	dQ5uN2Qu.exe
1172	xx6Zw9ku.exe
4272	sC3hj8Az.exe
3612	dh0sw8PZ.exe
3240	1Yk85og2.exe
2952	2kv097YE.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	xx6Zw9ku.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sC3hj8Az.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	dh0sw8PZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dQ5uN2Qu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 1276	3240	1Yk85og2.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3296	3240	WerFault.exe	86

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1588	3092	b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe	82
PID 3092 wrote to memory of 1588	3092	b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe	82
PID 3092 wrote to memory of 1588	3092	b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe	82
PID 1588 wrote to memory of 1172	1588	dQ5uN2Qu.exe	83
PID 1588 wrote to memory of 1172	1588	dQ5uN2Qu.exe	83
PID 1588 wrote to memory of 1172	1588	dQ5uN2Qu.exe	83
PID 1172 wrote to memory of 4272	1172	xx6Zw9ku.exe	84
PID 1172 wrote to memory of 4272	1172	xx6Zw9ku.exe	84
PID 1172 wrote to memory of 4272	1172	xx6Zw9ku.exe	84
PID 4272 wrote to memory of 3612	4272	sC3hj8Az.exe	85
PID 4272 wrote to memory of 3612	4272	sC3hj8Az.exe	85
PID 4272 wrote to memory of 3612	4272	sC3hj8Az.exe	85
PID 3612 wrote to memory of 3240	3612	dh0sw8PZ.exe	86
PID 3612 wrote to memory of 3240	3612	dh0sw8PZ.exe	86
PID 3612 wrote to memory of 3240	3612	dh0sw8PZ.exe	86
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3240 wrote to memory of 1276	3240	1Yk85og2.exe	88
PID 3612 wrote to memory of 2952	3612	dh0sw8PZ.exe	92
PID 3612 wrote to memory of 2952	3612	dh0sw8PZ.exe	92
PID 3612 wrote to memory of 2952	3612	dh0sw8PZ.exe	92

C:\Users\Admin\AppData\Local\Temp\b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe
"C:\Users\Admin\AppData\Local\Temp\b12a5fda99550910914026e21295da2406a3d94496d0091261fd72c6336dda06.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQ5uN2Qu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQ5uN2Qu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx6Zw9ku.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx6Zw9ku.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sC3hj8Az.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sC3hj8Az.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh0sw8PZ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh0sw8PZ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yk85og2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yk85og2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 140
        7⤵
        Program crash
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kv097YE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kv097YE.exe
        6⤵
        Executes dropped EXE
        
        PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3240 -ip 3240
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dQ5uN2Qu.exe

Filesize
1005KB

MD5
19048c7a79bbd07d2d0fb167d33905ba

SHA1
8249aea9829fc4742ffff5cbbadc231433aefc82

SHA256
3aa42316cd6cd6b35a30411422af2570f89f069f63a673898180fd27abac2008

SHA512
78136795c06f4f4dd38aba2710fab3d65cfabd6f3b6aa94bb0baba6ee67029f7c3c009fef3fda53ff09f2291247f891892206cf5b231a00abc3743976ab3b6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xx6Zw9ku.exe

Filesize
816KB

MD5
8a3a35485e9bf4cd2824f5d47d66e3f5

SHA1
703f6bba5d7296ce96b5d670f3189c2b1caedd5a

SHA256
f4f189a58b2b1980a63d0be8282e77f15cf43f3b818dc944b1dba26565f3df1c

SHA512
64001fbb9cafc10f5948caec1d5c410871052d0fa7a2c04560e73b005ec751ad214225c8309a7558e06855a7d9a045ba5d291b58e12613f3c4aeca86d3d6f13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sC3hj8Az.exe

Filesize
583KB

MD5
25ba0801812b5aeeffd2dd95f06e5d2c

SHA1
91aa1a368336d8b256e17d9c3be1dba3d87737aa

SHA256
50b371c6c6aefc405b0a2f4b4ba3c3e9eaf06947b042c887f2b550d03ab51be5

SHA512
5eb10464e182a4b97f0dbcffd42fc2c6e13e0addbb9232357a28efa22e9762a02c413cfcf1f5581cee77ebe3673ec774ccda796fa4475938659c0bf9484752a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dh0sw8PZ.exe

Filesize
382KB

MD5
5070826d43f5120f43e61c62464927ee

SHA1
a994dc38954f6d807b6814993d8e7f7900afcc50

SHA256
9bd1459bcfb325d636dfa50518c4296a9f15335900dfcb40bc7df22e971afc0d

SHA512
8490f02c57f079eb6aa4f93b0badaf6a466e62425fda02e98b3e86e70c5839c5107ce4124d43c82d67a71ff962e48027c5fff68d77179a7dba0a304b66834944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Yk85og2.exe

Filesize
295KB

MD5
f1973b4754cfe885d61dedeb0a3a221a

SHA1
01e96f1559cba0857acf7b432d3b2618b0f1aeda

SHA256
e89397fe10a960a1b5ea8be9d49f60c7251e9e3328752a2010ccbfd613ab4402

SHA512
65e9dcdcb4becc23c14204c0c302a4b98723dab3f064acbbfe5925ce6c373cf3e7104d80a7f885ec160cce19280b1d1137f2443ab62b8d94e1ba7c867cb8511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kv097YE.exe

Filesize
222KB

MD5
0f78d90d587530df20edebe283cc0572

SHA1
8f06d33a279b82fc9bfdd36b10bb84d1903f852f

SHA256
e4d6020bcd9157aa8d99937a73843b5e4683b1252f2b4102d9f8e494632d2c7b

SHA512
cf1808417e6af945c03d6b3bf62e49d2a9a27c914b5b9014e65059004fd84333443f3ab9774af27053331b33cf0a71b67dc9c69e1d7b3453b34d56dccec851fe

Download Submit
memory/1276-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1276-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1276-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2952-42-0x0000000000160000-0x000000000019E000-memory.dmp

Filesize
248KB

Download
memory/2952-43-0x0000000007400000-0x00000000079A4000-memory.dmp

Filesize
5.6MB

Download
memory/2952-44-0x0000000006EF0000-0x0000000006F82000-memory.dmp

Filesize
584KB

Download
memory/2952-45-0x00000000044C0000-0x00000000044CA000-memory.dmp

Filesize
40KB

Download
memory/2952-46-0x0000000007FD0000-0x00000000085E8000-memory.dmp

Filesize
6.1MB

Download
memory/2952-47-0x00000000079B0000-0x0000000007ABA000-memory.dmp

Filesize
1.0MB

Download
memory/2952-48-0x0000000007250000-0x0000000007262000-memory.dmp

Filesize
72KB

Download
memory/2952-49-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/2952-50-0x0000000007280000-0x00000000072CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads