mystic | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe
Size

1.1MB
MD5

db790b8be6c16299ccf7f1dccd680b89
SHA1

4d13d834f004cdb6c836eb0f9d7343fea266069c
SHA256

e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65
SHA512

63518a7fd2471ed7c678e650ff45939b86d9264cf175f6d3e5e3cf6662fd54a1dbc0063b5e97707d247046d982feaff164728d7267543622c66e5394427a988f
SSDEEP

24576:UyMQBHbtypH1KhYSPs1h4Gur9/pok9ULO0Rtlz01EjUdkr5eM:jMAbtypH1HFajr9/6jpI52

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral21/memory/4608-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral21/memory/4608-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral21/memory/4608-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral21/files/0x0007000000023473-40.dat	family_redline
behavioral21/memory/5112-42-0x00000000007A0000-0x00000000007DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2532	fu0lY6TN.exe
3284	lp6RE6uj.exe
4084	sG2mu1dw.exe
3084	cr8Af0ES.exe
4984	1AV93bI3.exe
5112	2VC986WS.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lp6RE6uj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sG2mu1dw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	cr8Af0ES.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fu0lY6TN.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 4608	4984	1AV93bI3.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	4984	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2532	2084	e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe	83
PID 2084 wrote to memory of 2532	2084	e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe	83
PID 2084 wrote to memory of 2532	2084	e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe	83
PID 2532 wrote to memory of 3284	2532	fu0lY6TN.exe	84
PID 2532 wrote to memory of 3284	2532	fu0lY6TN.exe	84
PID 2532 wrote to memory of 3284	2532	fu0lY6TN.exe	84
PID 3284 wrote to memory of 4084	3284	lp6RE6uj.exe	85
PID 3284 wrote to memory of 4084	3284	lp6RE6uj.exe	85
PID 3284 wrote to memory of 4084	3284	lp6RE6uj.exe	85
PID 4084 wrote to memory of 3084	4084	sG2mu1dw.exe	86
PID 4084 wrote to memory of 3084	4084	sG2mu1dw.exe	86
PID 4084 wrote to memory of 3084	4084	sG2mu1dw.exe	86
PID 3084 wrote to memory of 4984	3084	cr8Af0ES.exe	88
PID 3084 wrote to memory of 4984	3084	cr8Af0ES.exe	88
PID 3084 wrote to memory of 4984	3084	cr8Af0ES.exe	88
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 4984 wrote to memory of 4608	4984	1AV93bI3.exe	99
PID 3084 wrote to memory of 5112	3084	cr8Af0ES.exe	103
PID 3084 wrote to memory of 5112	3084	cr8Af0ES.exe	103
PID 3084 wrote to memory of 5112	3084	cr8Af0ES.exe	103

C:\Users\Admin\AppData\Local\Temp\e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe
"C:\Users\Admin\AppData\Local\Temp\e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu0lY6TN.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu0lY6TN.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lp6RE6uj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lp6RE6uj.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sG2mu1dw.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sG2mu1dw.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cr8Af0ES.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cr8Af0ES.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AV93bI3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AV93bI3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 216
        7⤵
        Program crash
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC986WS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC986WS.exe
        6⤵
        Executes dropped EXE
        
        PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4984 -ip 4984
1⤵
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu0lY6TN.exe

Filesize
1008KB

MD5
1d27f9f4a03fe48c2f9d4b2fcbc9182d

SHA1
4a558c6e74c25dc8a705e004ab4dadb2c73c0fc0

SHA256
3c219b549dcc418db8f235e201ec60e6f89698a896aa5cd78ba87ed032add83c

SHA512
d7308fa56d614008dd666b679b0819927c86a0f28bb9e6db4395ee41b4169bf0d231d1c3adc7f9f9c3b55408455ba1500764fb766827881b456d5eaa47291135

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lp6RE6uj.exe

Filesize
818KB

MD5
fe49a3848bca12504dfd63b9d6e9b2ee

SHA1
b9f30d617fe35f3ceed72433b1e842bd58e49d16

SHA256
d31b3d9daf5073ec50de40234effe6eb2a6f3ecf5c452ee268f0598fb2ddeb00

SHA512
27e2f8f6b26dc6aeb63d53982710066a2d9fc58f053a4edc3833f14cd5b7fb36a5f22c56b884b7d99e5a8a91967cd131416d7a24c0bdff6d424ceaacc71f564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sG2mu1dw.exe

Filesize
583KB

MD5
70dc272df445f15cba31a6dfe47f7219

SHA1
7220884b80c17def7d7d6db80acd59bf472c8bdb

SHA256
8cdd00c271807e4fa6025e4a879726a0f41203eb6b43849880449edfbeb1af77

SHA512
d3203ef38e39c26d63ebcb2b8a2aed5354479079a15797b7427461d1d8c9e98b18d551d1a2f1bada403a5bd117e95fb1f1a1f42a290a5320b5a8b2bc852cd8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cr8Af0ES.exe

Filesize
383KB

MD5
2cb38ac9a5a658264401c6c84190a41e

SHA1
46d9f03f46a56a56a1bf789f2cd344d9ed3826f5

SHA256
881d6688184668a601418e29df505e0455a5971a044b30a1019defaa207f5023

SHA512
038a4f934866ab40381545d5002db489f105f9874b9271758ecc1d6704d9e0a98d8b914da36d9f6b1b7720f076fed71e23c37adbf62474a19408de4a422740d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AV93bI3.exe

Filesize
298KB

MD5
14a3010a5902d0b4daf37b3cdaceb97b

SHA1
b416dade9d7c544f418bb241c53d296fd61d4de2

SHA256
e664bebf09874a9d32e11d45bef7d8df7783c54d5c1e04a58b5fad3a0f3ce665

SHA512
9b86090e8bb8cc1c51cef9a74162e14e00871798ca0cdb0731f9eeba04842235a66172b0588a28206b43453e3a8ec73c4cce0177db06a4d46ca38ddf326e7243

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC986WS.exe

Filesize
222KB

MD5
c58ea29d3d9278ee732dabe5fc4b124c

SHA1
26a6d774309fd8f6b94f538eabbfb561c7870f35

SHA256
57fb6e26a4a82c3c97264cb220bd0d33c0e64ce60e5cfd2bcd28202441bcda2a

SHA512
4c9481a82ea29faef12dd5a563c74dbe3a2c72d86b8a09f70da4e80dc8dc0cecc216c7d7a9f7b7a9078d1f58f32cc418998146d582a018b9a0ddcf1b72b6d0a8

Download Submit
memory/4608-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4608-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5112-42-0x00000000007A0000-0x00000000007DE000-memory.dmp

Filesize
248KB

Download
memory/5112-43-0x0000000007B20000-0x00000000080C4000-memory.dmp

Filesize
5.6MB

Download
memory/5112-44-0x0000000007660000-0x00000000076F2000-memory.dmp

Filesize
584KB

Download
memory/5112-45-0x0000000004BF0000-0x0000000004BFA000-memory.dmp

Filesize
40KB

Download
memory/5112-46-0x00000000086F0000-0x0000000008D08000-memory.dmp

Filesize
6.1MB

Download
memory/5112-47-0x00000000079B0000-0x0000000007ABA000-memory.dmp

Filesize
1.0MB

Download
memory/5112-48-0x00000000078A0000-0x00000000078B2000-memory.dmp

Filesize
72KB

Download
memory/5112-49-0x0000000007900000-0x000000000793C000-memory.dmp

Filesize
240KB

Download
memory/5112-50-0x0000000007940000-0x000000000798C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads