mystic | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe
Size

382KB
MD5

0cdd1d630baea001d0bad7a95db25072
SHA1

f4360bae0c4b6609c534eba13aafeaab3a492e54
SHA256

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9
SHA512

2a6d327e07511fa00ed5c440afb2730a61384064ecb974c4ac895062bed87e1fe4388fbc0b9ddb633154827289c599949722aa4517f5fd6fc90854b4071d2cf1
SSDEEP

6144:KFy+bnr+hp0yN90QE5krZ8aQlp2GTvQFg1qo/qV0pB5BcWJoJnTY67h3TXhN:DMrFy90jkra2i4i1T/qV0DSBr7h3Tj

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral13/memory/2260-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/2260-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe	family_redline
behavioral13/memory/1896-16-0x00000000008C0000-0x00000000008FE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1CM30ma5.exe2BF796Js.exe

pid process

4384 1CM30ma5.exe
1896 2BF796Js.exe

pid	process
4384	1CM30ma5.exe
1896	2BF796Js.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1CM30ma5.exe

description pid process target process

PID 4384 set thread context of 2260 4384 1CM30ma5.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

840 4384 WerFault.exe 1CM30ma5.exe
4028 2260 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 4384 set thread context of 2260	4384	1CM30ma5.exe	AppLaunch.exe

pid	pid_target	process	target process
840	4384	WerFault.exe	1CM30ma5.exe
4028	2260	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe1CM30ma5.exe

description	pid	process	target process
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	1CM30ma5.exe
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	1CM30ma5.exe
PID 220 wrote to memory of 4384	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	1CM30ma5.exe
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 4620	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 4384 wrote to memory of 2260	4384	1CM30ma5.exe	AppLaunch.exe
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	2BF796Js.exe
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	2BF796Js.exe
PID 220 wrote to memory of 1896	220	5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe	2BF796Js.exe

C:\Users\Admin\AppData\Local\Temp\5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe
"C:\Users\Admin\AppData\Local\Temp\5eee268a879c07625d7394a82b7c1c9212c1bd08e2f22fd5b294cc02b2f31cc9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 548
4⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 584
3⤵
- Program crash
PID:840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe
2⤵
- Executes dropped EXE
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2260 -ip 2260
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4384 -ip 4384
1⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
1⤵
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1CM30ma5.exe
Filesize
295KB

MD5
66bdfee4ef9b26ed8d161e91fa32f4df

SHA1
65eea13abd7ec89f194c9703a4926de748324c38

SHA256
a40eddbeaf64736815cc75ee9b3a6cb785c5474dd31309cb48d485a23e2ca32c

SHA512
fe6b94a2cedb51a1cfaca580a3313cbe360cffa62da7d9607eda2279c1c3ec3af73b4caa7acf6723721babca5beb6948f329f76921776a2abeaa589fab3ebce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2BF796Js.exe
Filesize
222KB

MD5
8c5c774f027edfb3ca14b6ebfadbd343

SHA1
bd62bad4fc670b766d2f3c8800f56234db36d41b

SHA256
d57a78b2ceaf813b65e4e8ea532639345061fce101347d9317c001d659f9e133

SHA512
cf6d57edf8fa395b82a9561baae44d981d46f751986608912cf8acba152679c76f53f1ec107c82df05dbdeccec4264dc2d3b56c5226b0117ac044ac62d9a0ef2

Download Submit
memory/1896-21-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/1896-20-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1896-27-0x0000000073E90000-0x0000000074640000-memory.dmp

Filesize
7.7MB

Download
memory/1896-26-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/1896-15-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

Filesize
4KB

Download
memory/1896-16-0x00000000008C0000-0x00000000008FE000-memory.dmp

Filesize
248KB

Download
memory/1896-17-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/1896-18-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/1896-19-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/1896-25-0x0000000007890000-0x00000000078DC000-memory.dmp

Filesize
304KB

Download
memory/1896-24-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/1896-22-0x0000000007A20000-0x0000000007B2A000-memory.dmp

Filesize
1.0MB

Download
memory/1896-23-0x0000000007860000-0x0000000007872000-memory.dmp

Filesize
72KB

Download
memory/2260-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2260-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download