mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe
Size

382KB
MD5

4d8700ac9e259e9c05ccb05abcd3e55b
SHA1

3ca1f31e449c427a5223165abee3858b8d3a1bc6
SHA256

5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917
SHA512

a52da5997013a09ab0fbcc5516eba9eee0bc6fb971294d8ca48b985a1d2030c495493d02eb7d7646b67787816ba65ad67331aa08411944dede4301d1b01e28cb
SSDEEP

6144:KUy+bnr+Xp0yN90QEvNhYCAaMbdsJNuYI50Y/BJf9+aOwYSlup:MMrny90xNhCbdsLxI+Yd+9w6p

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1524-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/1524-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/1524-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral12/memory/1524-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe	family_redline
behavioral12/memory/5060-16-0x0000000000CA0000-0x0000000000CDE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1ma43UZ9.exe2qB706de.exe

pid process

2500 1ma43UZ9.exe
5060 2qB706de.exe

pid	process
2500	1ma43UZ9.exe
5060	2qB706de.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ma43UZ9.exe

description pid process target process

PID 2500 set thread context of 1524 2500 1ma43UZ9.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3700 2500 WerFault.exe 1ma43UZ9.exe
1780 1524 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2500 set thread context of 1524	2500	1ma43UZ9.exe	AppLaunch.exe

pid	pid_target	process	target process
3700	2500	WerFault.exe	1ma43UZ9.exe
1780	1524	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe1ma43UZ9.exe

description	pid	process	target process
PID 4492 wrote to memory of 2500	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	1ma43UZ9.exe
PID 4492 wrote to memory of 2500	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	1ma43UZ9.exe
PID 4492 wrote to memory of 2500	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	1ma43UZ9.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 2500 wrote to memory of 1524	2500	1ma43UZ9.exe	AppLaunch.exe
PID 4492 wrote to memory of 5060	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	2qB706de.exe
PID 4492 wrote to memory of 5060	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	2qB706de.exe
PID 4492 wrote to memory of 5060	4492	5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe	2qB706de.exe

C:\Users\Admin\AppData\Local\Temp\5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe
"C:\Users\Admin\AppData\Local\Temp\5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 540
4⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 584
3⤵
- Program crash
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
2⤵
- Executes dropped EXE
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1524 -ip 1524
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2500 -ip 2500
1⤵
PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
Filesize
295KB

MD5
314f30b53027f3d7812a7ecc57c2be0d

SHA1
35b82de4d7a1bc2cee9d10b7de26616bad1271bd

SHA256
460cacca4c0d9d81113eeaeaac4b343acd2e4347dd129183cbd2f58eddfbb9f7

SHA512
fe4007c43e1896d3657486f170334ae5a20fd97ca282e2bdeb8783c96c3bbaad046fd81681355652a61bc79f33514f2be5b87d4ab7c404c2a65ad21b1434a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
Filesize
222KB

MD5
9b74f1c10b3f8287121fae55eb49628a

SHA1
18704ab838447c92b72d8232f8b58c365bde7a81

SHA256
1ef108d65269eb110a6f0ef126353b41ca9f086b909bec23dabefb15024eb1fd

SHA512
5bcb8cc16d6da308bd0f386a2cfdb2bec091963c4bb97c08487741774d1eebd03836fee6bfb1068fa9369d19f3e41164e3dc073ecaf61eec6bca3abf47a39a52

Download Submit
memory/1524-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1524-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1524-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1524-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5060-17-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-16-0x0000000000CA0000-0x0000000000CDE000-memory.dmp

Filesize
248KB

Download
memory/5060-15-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/5060-18-0x0000000007C20000-0x0000000007CB2000-memory.dmp

Filesize
584KB

Download
memory/5060-19-0x0000000002FE0000-0x0000000002FEA000-memory.dmp

Filesize
40KB

Download
memory/5060-20-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download
memory/5060-21-0x0000000008D00000-0x0000000009318000-memory.dmp

Filesize
6.1MB

Download
memory/5060-22-0x0000000007F50000-0x000000000805A000-memory.dmp

Filesize
1.0MB

Download
memory/5060-23-0x0000000007C00000-0x0000000007C12000-memory.dmp

Filesize
72KB

Download
memory/5060-24-0x0000000007DF0000-0x0000000007E2C000-memory.dmp

Filesize
240KB

Download
memory/5060-25-0x0000000007E40000-0x0000000007E8C000-memory.dmp

Filesize
304KB

Download
memory/5060-26-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/5060-27-0x00000000742B0000-0x0000000074A60000-memory.dmp

Filesize
7.7MB

Download