mystic | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe
Size

1.1MB
MD5

2a74ce12c8d822381814224ce2b98683
SHA1

fe50b6161b186009ac4100c7ffe379232b9acaf0
SHA256

0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6
SHA512

7164861ef179a1620cd9bd1af7d4c3f821a3280096cd9108e6a82122b815bfb9fa8afb6a346169ac0a7753a3e13774911412fb563fb72a31115d5b14f09279ef
SSDEEP

24576:py4KlhYs5R31A1Zj2bBOJ5xfTj7OxvbTaLe:c4KTL7BOJrfTYqL

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/4296-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/4296-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/4296-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pv553Va.exe	family_redline
behavioral3/memory/1424-42-0x0000000000950000-0x000000000098E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Cy2MR0gT.exerF0Ca6OV.exeHN5Kt6Fa.exeAC2IE0yY.exe1Mp28Hz4.exe2Pv553Va.exe

pid process

2092 Cy2MR0gT.exe
4400 rF0Ca6OV.exe
1544 HN5Kt6Fa.exe
3276 AC2IE0yY.exe
3492 1Mp28Hz4.exe
1424 2Pv553Va.exe

pid	process
2092	Cy2MR0gT.exe
4400	rF0Ca6OV.exe
1544	HN5Kt6Fa.exe
3276	AC2IE0yY.exe
3492	1Mp28Hz4.exe
1424	2Pv553Va.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HN5Kt6Fa.exeAC2IE0yY.exe0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exeCy2MR0gT.exerF0Ca6OV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	HN5Kt6Fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	AC2IE0yY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Cy2MR0gT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rF0Ca6OV.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Mp28Hz4.exe

description pid process target process

PID 3492 set thread context of 4296 3492 1Mp28Hz4.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4644 3492 WerFault.exe 1Mp28Hz4.exe

description	pid	process	target process
PID 3492 set thread context of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe

pid	pid_target	process	target process
4644	3492	WerFault.exe	1Mp28Hz4.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exeCy2MR0gT.exerF0Ca6OV.exeHN5Kt6Fa.exeAC2IE0yY.exe1Mp28Hz4.exe

description	pid	process	target process
PID 2340 wrote to memory of 2092	2340	0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe	Cy2MR0gT.exe
PID 2340 wrote to memory of 2092	2340	0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe	Cy2MR0gT.exe
PID 2340 wrote to memory of 2092	2340	0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe	Cy2MR0gT.exe
PID 2092 wrote to memory of 4400	2092	Cy2MR0gT.exe	rF0Ca6OV.exe
PID 2092 wrote to memory of 4400	2092	Cy2MR0gT.exe	rF0Ca6OV.exe
PID 2092 wrote to memory of 4400	2092	Cy2MR0gT.exe	rF0Ca6OV.exe
PID 4400 wrote to memory of 1544	4400	rF0Ca6OV.exe	HN5Kt6Fa.exe
PID 4400 wrote to memory of 1544	4400	rF0Ca6OV.exe	HN5Kt6Fa.exe
PID 4400 wrote to memory of 1544	4400	rF0Ca6OV.exe	HN5Kt6Fa.exe
PID 1544 wrote to memory of 3276	1544	HN5Kt6Fa.exe	AC2IE0yY.exe
PID 1544 wrote to memory of 3276	1544	HN5Kt6Fa.exe	AC2IE0yY.exe
PID 1544 wrote to memory of 3276	1544	HN5Kt6Fa.exe	AC2IE0yY.exe
PID 3276 wrote to memory of 3492	3276	AC2IE0yY.exe	1Mp28Hz4.exe
PID 3276 wrote to memory of 3492	3276	AC2IE0yY.exe	1Mp28Hz4.exe
PID 3276 wrote to memory of 3492	3276	AC2IE0yY.exe	1Mp28Hz4.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3492 wrote to memory of 4296	3492	1Mp28Hz4.exe	AppLaunch.exe
PID 3276 wrote to memory of 1424	3276	AC2IE0yY.exe	2Pv553Va.exe
PID 3276 wrote to memory of 1424	3276	AC2IE0yY.exe	2Pv553Va.exe
PID 3276 wrote to memory of 1424	3276	AC2IE0yY.exe	2Pv553Va.exe

C:\Users\Admin\AppData\Local\Temp\0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe
"C:\Users\Admin\AppData\Local\Temp\0e80ad3a8f8f885a60f3f6210a2c5e9d2cb05a18b779d36f8aae8206aebbf0f6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2MR0gT.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2MR0gT.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rF0Ca6OV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rF0Ca6OV.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HN5Kt6Fa.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HN5Kt6Fa.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AC2IE0yY.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AC2IE0yY.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mp28Hz4.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mp28Hz4.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 140
7⤵
- Program crash
PID:4644

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pv553Va.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pv553Va.exe
6⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3492 -ip 3492
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2MR0gT.exe

Filesize
1006KB

MD5
ac585ad0b03cf59ae95ae0dd043d0233

SHA1
5f8d12e9c9eb9f06784e78f03de7593f0c42faaf

SHA256
29d2af464b79dc9a09ff0889c55b1c55798be1ae03bd64b05bd8f1dec53b1716

SHA512
eacf68e1ad5dcbf735395748712be08d4b38926cd7c0827fac04f7d46935cf0d9cbee0e42b5a2e311371fea401cbd47edd6d3e4ea079d53c86207b1340a6d5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rF0Ca6OV.exe

Filesize
816KB

MD5
59488f6a59b6ba4f20a7ba31c6a426d8

SHA1
47a248cb10bacd20e5630f52bbddcccf75f8c08a

SHA256
0c5d2249329e653008c132286830ed4fd4478ca5bb072666cbdcad231b2f4e3e

SHA512
c98146172d871ec6e83d2d75cc41668534703f580f898e8ced63979a8527b66034794e906e3b1d36f33ad262837608f82855c8f8d8500a5e3c4cf790bff08e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HN5Kt6Fa.exe

Filesize
582KB

MD5
d8eee500f193c596a3910a050b0275b5

SHA1
0c0210f3c653678cac03f94f424431ab60dfd7eb

SHA256
b827efdf01a926bc236313615d2341829ef345d389c9c6e1839751b8a08c07f3

SHA512
ba48e93a66855793145423d5f725ce051933f4d6b252cf9ee63cfe468d0af20376d1d0e05cd9f42e0fae8f4682c60d2611a310dd3b9399c7aff61808795d58a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AC2IE0yY.exe

Filesize
382KB

MD5
996acf1f2b6095793e441270f2ae55e3

SHA1
e05d59b1dbacfd505af3ee698f057365154e34e5

SHA256
0d09397a94f09bb4652c43755328084bae1127999558dd3407a24a402a405b53

SHA512
1b7424bc733e176c9568bcb529d3c64b36efa8cf0963bdfa321463c4a153f2c8bf6052e9a6a477c285ad67435f5bd8d73f5514f9a12b3ff5602987801f20a41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Mp28Hz4.exe

Filesize
295KB

MD5
677b17fe8c4fd8ea33f633839c270903

SHA1
abae50605896490303482a906c638bc8ef3396c8

SHA256
065846c71d61950be5c8e3ed381e060a518332b259baca1da81103b32aed1a6f

SHA512
084d23639aac96f3538bca908a453f86ad9645b25195402cce1da1efec53225a4d09076b4856bd1942e885e14756689a6efc2586584e16662ec822800728bb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pv553Va.exe

Filesize
222KB

MD5
9a0c7b99e0bcf3c675578cd5273d4b4c

SHA1
dcfefbc31f0e51d687257b4719ea8808fa934e30

SHA256
91de84dc8bf2f8faa642f5e9245b027bea28583c06a25112775ca0767795bb88

SHA512
8f911d938a6edbe255dbe8d4daadd2b27c645de9299f8921b8e9f2cc6713c35840ac01129f499f0d4a12f18ad1361762382d67506b2d1bbfe20c155dc720b78a

Download Submit
memory/1424-42-0x0000000000950000-0x000000000098E000-memory.dmp

Filesize
248KB

Download
memory/1424-43-0x0000000007BB0000-0x0000000008154000-memory.dmp

Filesize
5.6MB

Download
memory/1424-44-0x00000000076E0000-0x0000000007772000-memory.dmp

Filesize
584KB

Download
memory/1424-45-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/1424-46-0x0000000008780000-0x0000000008D98000-memory.dmp

Filesize
6.1MB

Download
memory/1424-47-0x0000000007A70000-0x0000000007B7A000-memory.dmp

Filesize
1.0MB

Download
memory/1424-48-0x0000000007900000-0x0000000007912000-memory.dmp

Filesize
72KB

Download
memory/1424-49-0x0000000007960000-0x000000000799C000-memory.dmp

Filesize
240KB

Download
memory/1424-50-0x00000000079A0000-0x00000000079EC000-memory.dmp

Filesize
304KB

Download
memory/4296-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4296-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4296-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download