mystic | ddc6b496a8a25762ee7b933f47107c5553187f5846568bf68b67dd8d5f4a7548

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe
Size

999KB
MD5

159973826e86877cbb334e7e1a0e5607
SHA1

cbbe3557369e98c878fd630d39f94e1354b9f136
SHA256

0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f
SHA512

d5748eeefb9865b6487a456f7d6fcd862b9a62caff1e6870c82289dbcbf6c1c7b5f3c75906a2825f60c1bf8203be3d5f0a9558c9eeb00c72ec6b338094f40e8e
SSDEEP

24576:eyn15WsEcSEL7pRBka7PyKfrj+3H1fluHx:tn1ofEL7pHpDWlduH

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3768-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3768-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral1/memory/3768-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xf940aB.exe	family_redline
behavioral1/memory/1932-35-0x0000000000760000-0x000000000079E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Pm9sg6BC.exeLW7OL0ss.exezl5MI6Ns.exe1Uo74FM5.exe2xf940aB.exe

pid process

1320 Pm9sg6BC.exe
5352 LW7OL0ss.exe
5464 zl5MI6Ns.exe
1868 1Uo74FM5.exe
1932 2xf940aB.exe

pid	process
1320	Pm9sg6BC.exe
5352	LW7OL0ss.exe
5464	zl5MI6Ns.exe
1868	1Uo74FM5.exe
1932	2xf940aB.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exePm9sg6BC.exeLW7OL0ss.exezl5MI6Ns.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Pm9sg6BC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LW7OL0ss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zl5MI6Ns.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Uo74FM5.exe

description pid process target process

PID 1868 set thread context of 3768 1868 1Uo74FM5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

676 1868 WerFault.exe 1Uo74FM5.exe

description	pid	process	target process
PID 1868 set thread context of 3768	1868	1Uo74FM5.exe	AppLaunch.exe

pid	pid_target	process	target process
676	1868	WerFault.exe	1Uo74FM5.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exePm9sg6BC.exeLW7OL0ss.exezl5MI6Ns.exe1Uo74FM5.exe

description	pid	process	target process
PID 2720 wrote to memory of 1320	2720	0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe	Pm9sg6BC.exe
PID 2720 wrote to memory of 1320	2720	0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe	Pm9sg6BC.exe
PID 2720 wrote to memory of 1320	2720	0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe	Pm9sg6BC.exe
PID 1320 wrote to memory of 5352	1320	Pm9sg6BC.exe	LW7OL0ss.exe
PID 1320 wrote to memory of 5352	1320	Pm9sg6BC.exe	LW7OL0ss.exe
PID 1320 wrote to memory of 5352	1320	Pm9sg6BC.exe	LW7OL0ss.exe
PID 5352 wrote to memory of 5464	5352	LW7OL0ss.exe	zl5MI6Ns.exe
PID 5352 wrote to memory of 5464	5352	LW7OL0ss.exe	zl5MI6Ns.exe
PID 5352 wrote to memory of 5464	5352	LW7OL0ss.exe	zl5MI6Ns.exe
PID 5464 wrote to memory of 1868	5464	zl5MI6Ns.exe	1Uo74FM5.exe
PID 5464 wrote to memory of 1868	5464	zl5MI6Ns.exe	1Uo74FM5.exe
PID 5464 wrote to memory of 1868	5464	zl5MI6Ns.exe	1Uo74FM5.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 1868 wrote to memory of 3768	1868	1Uo74FM5.exe	AppLaunch.exe
PID 5464 wrote to memory of 1932	5464	zl5MI6Ns.exe	2xf940aB.exe
PID 5464 wrote to memory of 1932	5464	zl5MI6Ns.exe	2xf940aB.exe
PID 5464 wrote to memory of 1932	5464	zl5MI6Ns.exe	2xf940aB.exe

C:\Users\Admin\AppData\Local\Temp\0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe
"C:\Users\Admin\AppData\Local\Temp\0e266a72166321124c500c505eac80a998786768d1c1e7be12c0c09adbdb969f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pm9sg6BC.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pm9sg6BC.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LW7OL0ss.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LW7OL0ss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5352

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zl5MI6Ns.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zl5MI6Ns.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5464

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Uo74FM5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Uo74FM5.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 220
6⤵
- Program crash
PID:676

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xf940aB.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xf940aB.exe
5⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1868 -ip 1868
1⤵
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pm9sg6BC.exe
Filesize
817KB

MD5
df43b191ac171d26833b8e222fa7351c

SHA1
b402df76ada96ec22dcdc016802a4da262faacc4

SHA256
0be005b385e48bb5861c5e9b59de996630c1da0612dad843917f21da0dcb306f

SHA512
6c223aadc59e51bdb62b0b8de09fffc447c2bcc864c2731aa628f0439e563da3d09521027c084ae434248044b5d57209d097e8716ebd5ce643810abfee4320a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LW7OL0ss.exe
Filesize
583KB

MD5
61e1ba5eeee9b71f991479235c171a6d

SHA1
25942d17dd9d3d53580d538aa6f602debc16686e

SHA256
8fa0eec1f485daf10d667e0ac4cbe12968aa44e38d14208f3a07e194beb084a9

SHA512
48428fe6075907599054513ac320879d22eb94bd5b896af9c62d2f507080834af0788dd5c3b43de5df0521e524c75c926956fe8866ae8efe5f403b6e8607fd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zl5MI6Ns.exe
Filesize
382KB

MD5
5b7a482303bd7bb35f85b3d64a3faafa

SHA1
aaa057ccd1e458deb13d44f71e319d515af439f7

SHA256
127645f2d293ace112f63abac2be3721da93ba6ae90eed4e556abee051233035

SHA512
2e01d64095336ecc0ed97e1d58465e9c85d12525b86e2516759a69739e6e19808472ceaac016bb396a6c83e6560bbfe55314001848a1256ab832d2780fd857ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Uo74FM5.exe
Filesize
295KB

MD5
ad265a13917203c7e4dcb1b7c4cea019

SHA1
0aabe291387835f36f8e70dfda613fba543c4f3b

SHA256
372bec15794108965d6fef8458f7958418f8fa0f78b646f59313b580ef4211ca

SHA512
c0dfcd3158b6e2ec0cc184609fe5bad3ffd9d19f534216e865a7781ed006be9beba81ab45c4861785133c80b75bfd146fad21d0e1315ddea4dce1ac0a88e629e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xf940aB.exe
Filesize
222KB

MD5
1fcf6bbd78ddd93b1bc18ca396c7f682

SHA1
378c2024d9ec22b78e37964604d98fa5d0f2caa4

SHA256
1088bda31d0a99bcc42a13ff142d1e73302ee362ab1ec52befec1ae32aa43454

SHA512
c01bd15054eda32e105192b93d8f6d95b549f74d262aac26744af9facc603bbac985d3d42279748dec0707a709a268f1886f23d69c5a34bc98ba074853890a45

Download Submit
memory/1932-39-0x00000000086F0000-0x0000000008D08000-memory.dmp

Filesize
6.1MB

Download
memory/1932-35-0x0000000000760000-0x000000000079E000-memory.dmp

Filesize
248KB

Download
memory/1932-36-0x0000000007B20000-0x00000000080C4000-memory.dmp

Filesize
5.6MB

Download
memory/1932-37-0x0000000007620000-0x00000000076B2000-memory.dmp

Filesize
584KB

Download
memory/1932-38-0x0000000002BA0000-0x0000000002BAA000-memory.dmp

Filesize
40KB

Download
memory/1932-41-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/1932-40-0x0000000007980000-0x0000000007A8A000-memory.dmp

Filesize
1.0MB

Download
memory/1932-43-0x0000000007910000-0x000000000795C000-memory.dmp

Filesize
304KB

Download
memory/1932-42-0x00000000078D0000-0x000000000790C000-memory.dmp

Filesize
240KB

Download
memory/3768-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3768-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3768-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download