mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe
Size

1.5MB
MD5

1d7874fa02f9084e0b62af612261bdd2
SHA1

b1d81b9a48264bc5771e37de7c7103256e6683b9
SHA256

12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e
SHA512

a9b95375adf0020c7e530176719a678a35bdceff076ef6d136d8a03820fda02b51acde2c336de952b049a78396fe6a954be740414766fbbffa12fc98836c34a0
SSDEEP

24576:mycJDqllWkane4EQOdxmbFBj7UEiS6RJ4X/rZ77uYkMzTVoQ8xlQeM:1TbltndudeJ4X/l77uYkaTVofH

Score

10^/10

mystic redline kedru infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/1248-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1248-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/1248-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002341a-40.dat	family_redline
behavioral1/memory/3968-42-0x00000000007B0000-0x00000000007EC000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
776	sx7zF7bV.exe
4564	yB0UK0xi.exe
1068	EU1Ae4wu.exe
2976	Yl2IX5JG.exe
1148	1qx17eD8.exe
3968	2UY215SX.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	EU1Ae4wu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Yl2IX5JG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sx7zF7bV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yB0UK0xi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1248	1148	1qx17eD8.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 776	3984	12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe	83
PID 3984 wrote to memory of 776	3984	12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe	83
PID 3984 wrote to memory of 776	3984	12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe	83
PID 776 wrote to memory of 4564	776	sx7zF7bV.exe	84
PID 776 wrote to memory of 4564	776	sx7zF7bV.exe	84
PID 776 wrote to memory of 4564	776	sx7zF7bV.exe	84
PID 4564 wrote to memory of 1068	4564	yB0UK0xi.exe	85
PID 4564 wrote to memory of 1068	4564	yB0UK0xi.exe	85
PID 4564 wrote to memory of 1068	4564	yB0UK0xi.exe	85
PID 1068 wrote to memory of 2976	1068	EU1Ae4wu.exe	86
PID 1068 wrote to memory of 2976	1068	EU1Ae4wu.exe	86
PID 1068 wrote to memory of 2976	1068	EU1Ae4wu.exe	86
PID 2976 wrote to memory of 1148	2976	Yl2IX5JG.exe	88
PID 2976 wrote to memory of 1148	2976	Yl2IX5JG.exe	88
PID 2976 wrote to memory of 1148	2976	Yl2IX5JG.exe	88
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 1148 wrote to memory of 1248	1148	1qx17eD8.exe	89
PID 2976 wrote to memory of 3968	2976	Yl2IX5JG.exe	90
PID 2976 wrote to memory of 3968	2976	Yl2IX5JG.exe	90
PID 2976 wrote to memory of 3968	2976	Yl2IX5JG.exe	90

C:\Users\Admin\AppData\Local\Temp\12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe
"C:\Users\Admin\AppData\Local\Temp\12529f4b65aafd82d9020e079a369f24e8f9a5b222765ebfd7fece173373938e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sx7zF7bV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sx7zF7bV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yB0UK0xi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yB0UK0xi.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EU1Ae4wu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EU1Ae4wu.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yl2IX5JG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yl2IX5JG.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qx17eD8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qx17eD8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1248
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UY215SX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UY215SX.exe
        6⤵
        Executes dropped EXE
        
        PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sx7zF7bV.exe

Filesize
1.3MB

MD5
15f27099061088d8c257669d4c74e481

SHA1
37853bef3910352a3b01ba302750c468b962d2da

SHA256
87cd4299ec4c5d73e7816029ba406bbf0dae54f453b580b3aa4d37e1b65ecf9d

SHA512
9ada90177a41fcdf63a938d57c88b921f3bd971c0a8d4e483e5eefc95055d8321ac0b0bbdb2d35187b9b74792e1a731def6a5ac7ce4fe2ef71c1b88043a16fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yB0UK0xi.exe

Filesize
1.1MB

MD5
33ebfcac7d6fa9741faf68c11a99b5ea

SHA1
d0cafca947b407af751c5f2be14e82c3d4c0ef33

SHA256
a64309652f10da5354486f6164eacf9093bba10a58f12a80f506883a47c79140

SHA512
e51f9191ee38c53c21673d97aa924768f9b42e268ad35d27a51ac417ba7519a817e797ce226fee48ef2d46d9c1400de7bfe2062f6de346fa045bbe1fadbbeaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EU1Ae4wu.exe

Filesize
754KB

MD5
fb33b38c410ca28988e63708fe49c138

SHA1
2f577330de35ee067bc69cfc0fa5f62bb1576867

SHA256
078dc808ebb36d067d981165d850afba09a18ada1c9d4cf3d0856a76d0a85317

SHA512
044bbc50f867643f097c40d519b081538b196f2b8ce8216e8092f52490f0ccd8f415f74fe36574362bca7ec55282c7da7e5bc9cc94abb3d7add9bdf849059273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yl2IX5JG.exe

Filesize
558KB

MD5
db9ff4bc4d353c73d1102e129347d406

SHA1
ee42ba06c56eae8aafcb4ec782ec15866da1a7b8

SHA256
2448ed5a870a586c65d2ce8818bb2705c5f7f0882f05614f40a6fea334c6ad95

SHA512
b50eb25744367829064d2de75faf8f29f5599857a1100264bdee4eb2c2a32b672049e37f8841fe4b76f020894ced4a7df45bf77c270457b997c7912acdb00090

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qx17eD8.exe

Filesize
1.0MB

MD5
a5a72ed79ae5e9780a11e88e6c6853c2

SHA1
9c59ba2bdb9066bedc108596ed94633c824edec8

SHA256
4d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051

SHA512
84b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UY215SX.exe

Filesize
219KB

MD5
da2e89d428425d025e2fd49a3942c68e

SHA1
6cb9c834d5209fdf9398f15671efbbe58c0a48b0

SHA256
8a3a5f9092d7eae1010ef9bde83d50ec60fee44e16d5ee97a1e4589ec9567306

SHA512
fe6fb8f30badccc93bbd9062de31c56f7c66dd6170161465bb46242d6f880eeaf0500c38d878f75fece909845b5d830ce3643ead1ce78df12dd5f431ac0fafc4

Download Submit
memory/1248-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-42-0x00000000007B0000-0x00000000007EC000-memory.dmp

Filesize
240KB

Download
memory/3968-43-0x0000000007BE0000-0x0000000008184000-memory.dmp

Filesize
5.6MB

Download
memory/3968-44-0x00000000076D0000-0x0000000007762000-memory.dmp

Filesize
584KB

Download
memory/3968-45-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/3968-46-0x00000000087B0000-0x0000000008DC8000-memory.dmp

Filesize
6.1MB

Download
memory/3968-47-0x0000000007A90000-0x0000000007B9A000-memory.dmp

Filesize
1.0MB

Download
memory/3968-48-0x00000000077A0000-0x00000000077B2000-memory.dmp

Filesize
72KB

Download
memory/3968-49-0x0000000007820000-0x000000000785C000-memory.dmp

Filesize
240KB

Download
memory/3968-50-0x0000000007980000-0x00000000079CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads