mystic | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe
Size

1.1MB
MD5

280ae5fee193835043a57b5858575e88
SHA1

864a3e1354257f7f027de1fb6a57c8f250522e27
SHA256

3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730
SHA512

35031ee7e036a0ef439281b3ab83cfac1f63fede1b314ccd0950c13c6deb2acc93889690aed3a60409f40b98fb353f93cacdb45119c2af503b34e91911be60a5
SSDEEP

24576:uyT+eJNyRY6bWbYcd8v04KzKWzZcO8mMvd7g6FvjqmllVGTZZmWfnIH4C:9T++V6b/XKxZcOxmrLgVPQ

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral9/memory/1600-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1600-40-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral9/memory/1600-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral9/files/0x000700000002356f-37.dat	family_redline
behavioral9/memory/4356-42-0x0000000000C00000-0x0000000000C3E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2452	UV4vv0eX.exe
2792	OT6le4yz.exe
4928	Fz5SB3ab.exe
4036	xD6Ga6vR.exe
4296	1sE39gD3.exe
4356	2lj729Sz.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	OT6le4yz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Fz5SB3ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	xD6Ga6vR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UV4vv0eX.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 1600	4296	1sE39gD3.exe	97

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2452	228	3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe	90
PID 228 wrote to memory of 2452	228	3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe	90
PID 228 wrote to memory of 2452	228	3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe	90
PID 2452 wrote to memory of 2792	2452	UV4vv0eX.exe	91
PID 2452 wrote to memory of 2792	2452	UV4vv0eX.exe	91
PID 2452 wrote to memory of 2792	2452	UV4vv0eX.exe	91
PID 2792 wrote to memory of 4928	2792	OT6le4yz.exe	92
PID 2792 wrote to memory of 4928	2792	OT6le4yz.exe	92
PID 2792 wrote to memory of 4928	2792	OT6le4yz.exe	92
PID 4928 wrote to memory of 4036	4928	Fz5SB3ab.exe	94
PID 4928 wrote to memory of 4036	4928	Fz5SB3ab.exe	94
PID 4928 wrote to memory of 4036	4928	Fz5SB3ab.exe	94
PID 4036 wrote to memory of 4296	4036	xD6Ga6vR.exe	95
PID 4036 wrote to memory of 4296	4036	xD6Ga6vR.exe	95
PID 4036 wrote to memory of 4296	4036	xD6Ga6vR.exe	95
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4296 wrote to memory of 1600	4296	1sE39gD3.exe	97
PID 4036 wrote to memory of 4356	4036	xD6Ga6vR.exe	98
PID 4036 wrote to memory of 4356	4036	xD6Ga6vR.exe	98
PID 4036 wrote to memory of 4356	4036	xD6Ga6vR.exe	98

C:\Users\Admin\AppData\Local\Temp\3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe
"C:\Users\Admin\AppData\Local\Temp\3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UV4vv0eX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UV4vv0eX.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OT6le4yz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OT6le4yz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fz5SB3ab.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fz5SB3ab.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xD6Ga6vR.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xD6Ga6vR.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sE39gD3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sE39gD3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj729Sz.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj729Sz.exe
        6⤵
        Executes dropped EXE
        
        PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UV4vv0eX.exe

Filesize
1.0MB

MD5
8389a4bd81c796d1c4fa27a219660d81

SHA1
845c6523026b543ce37bd53c1a2a0e8d7bfd48c8

SHA256
da8afec940afc1660426ed43ca7460cfb2ffbf91c781c924bd1c1b92307a7d83

SHA512
4ee11972faac2998a42138b95a38fa9b2d33a9a5f3c2b277958a60bebded392491ccf81ee84143f5b8962ae3144cbfe260f4fd3a1a0643ad1b6a9e9ef26f950b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OT6le4yz.exe

Filesize
838KB

MD5
7a80c7cf888d2e8c6385d4c1ca10f811

SHA1
f648f7ea12a9aed60d9e8ec66f916a327f85b539

SHA256
1d3ef63ab625c9f783aca261288fc46dbea3cf2d38ecf39cfa64d3bcd89341d0

SHA512
d8b78e1d2377f7744822fd6ddc0f3371f698f04eab288d0fa516f7b4ecf8e44ecbb7b1feeff8a2f24f1fe465dfebb6a97f6566d418f9bccfffaf94fcbaf16dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fz5SB3ab.exe

Filesize
591KB

MD5
dcf6df08d6c9077cb86e0e02067ef7c8

SHA1
024b4028094f29a70e4591d55c2b3455ee8e5ecf

SHA256
05f8a527c8d9b571e76fd16f61dd24958353bfda3dde2b587ca892b99000e67e

SHA512
dff6de6d8f04ca9aae898b8a93b0c7f225d8bc86d3ee6c512fc2948bd79433306da7d215450557f15a9b6325fa94c50a1ffcf1a5863873fd5ec964877c5e289b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xD6Ga6vR.exe

Filesize
396KB

MD5
b1ab365a9c9135e4c56a22b0c7b9577d

SHA1
733ccddb9d0aeeb48ff464e0e6ba25e757d5b7d8

SHA256
e1887362fe9195e5550982f91c220f7b548a2e52bd1ca85225f008e1b0c4e75e

SHA512
a0f42084f06911d5d8f3d1badf45778e0b2061116db506485bba8bc1320755f07f05c212ccf1ec1359038614651bbff5b6d938f49ce238c92696bd2da2059bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sE39gD3.exe

Filesize
314KB

MD5
f42e255820422555030231880474a3ec

SHA1
41a98d2d10e324f115353d0f22d7a4c2425e6dc4

SHA256
e6569c611e6d0ad1dbe82f8dced810e8253fb52f791be9e8e43981a460efe938

SHA512
659d9df645d79c10d99388bd109ca5b42f5085afdb9f1dd774b1bffe9c401fabb48a8417db5681928fe25144ca69d8a6aa943dfabac4436d80c511d1e7969a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj729Sz.exe

Filesize
222KB

MD5
52d5d5664e89a6615e28ee7260691249

SHA1
256a172f0828c40473dc90ffe78316eb45b4a717

SHA256
af922a446cd888b746b7fcc3a5587cec49bfdf8985b6535e99c388b59ef1bcbf

SHA512
f6578392561adadd2499ba58593285084fc956597063645a9b9c4dd636dbc19a83419d9acbc742bd2de839fd3fd5af45a994c99f49b8f2838cdccbcb02717eb6

Download Submit
memory/1600-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1600-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1600-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4356-42-0x0000000000C00000-0x0000000000C3E000-memory.dmp

Filesize
248KB

Download
memory/4356-43-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/4356-44-0x0000000007A30000-0x0000000007AC2000-memory.dmp

Filesize
584KB

Download
memory/4356-45-0x0000000002DF0000-0x0000000002DFA000-memory.dmp

Filesize
40KB

Download
memory/4356-46-0x0000000008B10000-0x0000000009128000-memory.dmp

Filesize
6.1MB

Download
memory/4356-47-0x0000000007D80000-0x0000000007E8A000-memory.dmp

Filesize
1.0MB

Download
memory/4356-48-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/4356-50-0x0000000007C70000-0x0000000007CBC000-memory.dmp

Filesize
304KB

Download
memory/4356-49-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads