mystic | 3767bd9b929fb47ae3b158c424044d32b3c87ffb6efc8eb109dc1df9f3d9b053

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe
Size

1008KB
MD5

c90aac7f3ef9e1256cdb06254c6ec05f
SHA1

cc7232bbe0ede8bea9b17584af009cb89e738b74
SHA256

3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2
SHA512

19897bbcea64232554cca01af459ce3b99724ed4c85279c77e08afa702fa03da9ce1f34d2dc7fd719d391925d1cbcf9a650202af0db4fb1151f425453d81fef0
SSDEEP

24576:NylINAMFhoMHmqvrkN7r8XRyuu6zcFbn+:ooAIhDWady1

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1220-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral4/memory/1220-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral4/memory/1220-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hk771cr.exe	family_redline
behavioral4/memory/4712-35-0x00000000006D0000-0x000000000070E000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Wm7Iz8cl.exeIH2Gs2zk.exeDd5UM2DR.exe1uN15BD9.exe2hk771cr.exe

pid process

3224 Wm7Iz8cl.exe
4796 IH2Gs2zk.exe
3484 Dd5UM2DR.exe
2136 1uN15BD9.exe
4712 2hk771cr.exe

pid	process
3224	Wm7Iz8cl.exe
4796	IH2Gs2zk.exe
3484	Dd5UM2DR.exe
2136	1uN15BD9.exe
4712	2hk771cr.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exeWm7Iz8cl.exeIH2Gs2zk.exeDd5UM2DR.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Wm7Iz8cl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	IH2Gs2zk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Dd5UM2DR.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1uN15BD9.exe

description pid process target process

PID 2136 set thread context of 1220 2136 1uN15BD9.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1700 2136 WerFault.exe 1uN15BD9.exe

description	pid	process	target process
PID 2136 set thread context of 1220	2136	1uN15BD9.exe	AppLaunch.exe

pid	pid_target	process	target process
1700	2136	WerFault.exe	1uN15BD9.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exeWm7Iz8cl.exeIH2Gs2zk.exeDd5UM2DR.exe1uN15BD9.exe

description	pid	process	target process
PID 3832 wrote to memory of 3224	3832	3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe	Wm7Iz8cl.exe
PID 3832 wrote to memory of 3224	3832	3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe	Wm7Iz8cl.exe
PID 3832 wrote to memory of 3224	3832	3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe	Wm7Iz8cl.exe
PID 3224 wrote to memory of 4796	3224	Wm7Iz8cl.exe	IH2Gs2zk.exe
PID 3224 wrote to memory of 4796	3224	Wm7Iz8cl.exe	IH2Gs2zk.exe
PID 3224 wrote to memory of 4796	3224	Wm7Iz8cl.exe	IH2Gs2zk.exe
PID 4796 wrote to memory of 3484	4796	IH2Gs2zk.exe	Dd5UM2DR.exe
PID 4796 wrote to memory of 3484	4796	IH2Gs2zk.exe	Dd5UM2DR.exe
PID 4796 wrote to memory of 3484	4796	IH2Gs2zk.exe	Dd5UM2DR.exe
PID 3484 wrote to memory of 2136	3484	Dd5UM2DR.exe	1uN15BD9.exe
PID 3484 wrote to memory of 2136	3484	Dd5UM2DR.exe	1uN15BD9.exe
PID 3484 wrote to memory of 2136	3484	Dd5UM2DR.exe	1uN15BD9.exe
PID 2136 wrote to memory of 4728	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 4728	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 4728	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 2136 wrote to memory of 1220	2136	1uN15BD9.exe	AppLaunch.exe
PID 3484 wrote to memory of 4712	3484	Dd5UM2DR.exe	2hk771cr.exe
PID 3484 wrote to memory of 4712	3484	Dd5UM2DR.exe	2hk771cr.exe
PID 3484 wrote to memory of 4712	3484	Dd5UM2DR.exe	2hk771cr.exe

C:\Users\Admin\AppData\Local\Temp\3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe
"C:\Users\Admin\AppData\Local\Temp\3677484a61768095abfe1b2ea7de4cc0fe5fc5bf5cd7e10adb8b2e5024100ca2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wm7Iz8cl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wm7Iz8cl.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IH2Gs2zk.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IH2Gs2zk.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dd5UM2DR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dd5UM2DR.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uN15BD9.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uN15BD9.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 572
6⤵
- Program crash
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hk771cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hk771cr.exe
5⤵
- Executes dropped EXE
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2136 -ip 2136
1⤵
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Wm7Iz8cl.exe

Filesize
819KB

MD5
49dc96424c9f6584a41276278a87e69e

SHA1
1b7bba55c1eb77891f54ca54310691e10edadabd

SHA256
9f63b232bb13eb2f8d6103a7323e402c23a26c42d369e91bce3e2fc84fd4b677

SHA512
29326f11827c29d491d70f55327dddd081476638b857335a5a1f196be5d0179f5d8281527379669f56594c255577fcc2fbbe98a1534b151e4ec8472dfc0d624a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IH2Gs2zk.exe

Filesize
583KB

MD5
54600f6319ca0778a743373e47f5a54f

SHA1
8fcad567c6021cdb590485ade4db4d967ae80638

SHA256
e499fb09760b6760775e22bffedb2ac3167311c3791d75847fe9fd7e6dadb743

SHA512
3ff4c18fa182f6e99791584d2005e63a9621c2ceb2d3929500ae122a028ff8e8eb65902f15274b190abb6549661be9bd33a83e1b21b5ab9dabf770c4b6543ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dd5UM2DR.exe

Filesize
383KB

MD5
5b00562e3d4083b33969af27e9e69953

SHA1
e69867211df1d5970765e7c3a62dc7b02fbb20d4

SHA256
1d1f6fd05e5d39bd7ce7a542fe5ccf9da1a8cf286db00dbe7636cff24305f3f2

SHA512
540f7d9a65ec593670fc55b2ea9d635e3776ba9c9464722fea9e7618d575f0bc1ee308b5a859ebf0a0192f217ab0c64d51e808ee0843c037ed013233bae5906c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1uN15BD9.exe

Filesize
298KB

MD5
b2066ebb2652f7e2bf734fb2fb986ba0

SHA1
ea667fda1a5763d1c532467ed3d4211225ea6d5c

SHA256
879e73ba0991f7809db7158fe259e4d1c2d410158669ba86e729affb0f8aa350

SHA512
2f8443e6d7590fd9f34f611d62e4413ab15254b9ced30c847e329b85d02509d01d619f78e94f4250574cbe3d69baa33f346137cce2c7557d01af2314ae89a3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hk771cr.exe

Filesize
222KB

MD5
2b47028b1e3838231052dab20daf1606

SHA1
bd34d5f76b7ad72575cce43b2f1f8e7b150c18ee

SHA256
303051b82a456b3cf7f1c74f600820c16d9b5ab853e752ae18e375df5ccfa282

SHA512
1a8f10069aa42766301492b2784a1cd363e7a751a9f63a07ff280d44bff91e72acaca2975d8e3f8c1ff1fc0d57825e26fff35fdda0266986f7104677d1126d79

Download Submit
memory/1220-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1220-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4712-35-0x00000000006D0000-0x000000000070E000-memory.dmp

Filesize
248KB

Download
memory/4712-36-0x0000000007980000-0x0000000007F24000-memory.dmp

Filesize
5.6MB

Download
memory/4712-37-0x0000000007470000-0x0000000007502000-memory.dmp

Filesize
584KB

Download
memory/4712-38-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/4712-39-0x0000000008550000-0x0000000008B68000-memory.dmp

Filesize
6.1MB

Download
memory/4712-40-0x0000000008040000-0x000000000814A000-memory.dmp

Filesize
1.0MB

Download
memory/4712-41-0x00000000075D0000-0x00000000075E2000-memory.dmp

Filesize
72KB

Download
memory/4712-42-0x0000000007630000-0x000000000766C000-memory.dmp

Filesize
240KB

Download
memory/4712-43-0x00000000078A0000-0x00000000078EC000-memory.dmp

Filesize
304KB

Download