mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Size

815KB
MD5

e949d651f3fdf0479844a312e08b0f7c
SHA1

694dc2dfcfd543a69ba5af447b9f7a4ad366afca
SHA256

b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf
SHA512

3631d871c90f7ebe86a3f30ccbf9a3ac1b4cb0d14ca0e3f7a8910876394e65ab0e43767e46ef6e45b0c76d8cc72d63f32b69e0596bada34b73e7acdb97b63f0d
SSDEEP

12288:AMrPy90SfXgZbiFJqOHSSPj1BPxQO9zOkLKQaPR6bQy42M/XLarjwfAtTyEG2:/yHPiiXXNPV1K1Z/fZ/XurjOclG2

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral13/memory/4124-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/4124-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/4124-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/4124-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2de043NW.exe	family_redline
behavioral13/memory/3516-29-0x0000000000780000-0x00000000007BE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

VS0ON2jL.exeSm3Uc7ds.exe1UR72aD1.exe2de043NW.exe

pid process

4520 VS0ON2jL.exe
4460 Sm3Uc7ds.exe
3992 1UR72aD1.exe
3516 2de043NW.exe

pid	process
4520	VS0ON2jL.exe
4460	Sm3Uc7ds.exe
3992	1UR72aD1.exe
3516	2de043NW.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exeVS0ON2jL.exeSm3Uc7ds.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VS0ON2jL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Sm3Uc7ds.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1UR72aD1.exe

description pid process target process

PID 3992 set thread context of 4124 3992 1UR72aD1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3808 3992 WerFault.exe 1UR72aD1.exe

description	pid	process	target process
PID 3992 set thread context of 4124	3992	1UR72aD1.exe	AppLaunch.exe

pid	pid_target	process	target process
3808	3992	WerFault.exe	1UR72aD1.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exeVS0ON2jL.exeSm3Uc7ds.exe1UR72aD1.exe

description	pid	process	target process
PID 4652 wrote to memory of 4520	4652	b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe	VS0ON2jL.exe
PID 4652 wrote to memory of 4520	4652	b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe	VS0ON2jL.exe
PID 4652 wrote to memory of 4520	4652	b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe	VS0ON2jL.exe
PID 4520 wrote to memory of 4460	4520	VS0ON2jL.exe	Sm3Uc7ds.exe
PID 4520 wrote to memory of 4460	4520	VS0ON2jL.exe	Sm3Uc7ds.exe
PID 4520 wrote to memory of 4460	4520	VS0ON2jL.exe	Sm3Uc7ds.exe
PID 4460 wrote to memory of 3992	4460	Sm3Uc7ds.exe	1UR72aD1.exe
PID 4460 wrote to memory of 3992	4460	Sm3Uc7ds.exe	1UR72aD1.exe
PID 4460 wrote to memory of 3992	4460	Sm3Uc7ds.exe	1UR72aD1.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 3992 wrote to memory of 4124	3992	1UR72aD1.exe	AppLaunch.exe
PID 4460 wrote to memory of 3516	4460	Sm3Uc7ds.exe	2de043NW.exe
PID 4460 wrote to memory of 3516	4460	Sm3Uc7ds.exe	2de043NW.exe
PID 4460 wrote to memory of 3516	4460	Sm3Uc7ds.exe	2de043NW.exe

C:\Users\Admin\AppData\Local\Temp\b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
"C:\Users\Admin\AppData\Local\Temp\b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VS0ON2jL.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VS0ON2jL.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sm3Uc7ds.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sm3Uc7ds.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4460

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UR72aD1.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UR72aD1.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 584
5⤵
- Program crash
PID:3808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2de043NW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2de043NW.exe
4⤵
- Executes dropped EXE
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3992 -ip 3992
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VS0ON2jL.exe

Filesize
582KB

MD5
0f6873f184d581bb44f59494098f8e3b

SHA1
9b21df4bb6150c045b599b1a33f087868841e764

SHA256
b1928507ad743170102cda3ad7aa84e35b5bb73f0a5f0ae33b66f55d44008391

SHA512
68c1a70d5009b6512fc58bb94d4e1a2bd96363b501d59d19edc0d34819d33004c765b70ecc5b947849bfc67419dafbba266a0be838b51b80dfe8d9a06a2569d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sm3Uc7ds.exe

Filesize
381KB

MD5
6188ad31d0e3092988482fdf118f2faa

SHA1
d2e346a41764ed276012af593453b00181f0d18a

SHA256
5e794d64ad8d4e365c9f60495027eda38305980770368fab4c9b038f5746bff2

SHA512
cc0c7cb6a83c2ab1a60e7d9bb3496ba6dfaf0c170c64522bc5faf8b7c61664a2f5619c3730998373d55082b4b63b7bd4d0015eb2a99c450d24e570571f48cbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UR72aD1.exe

Filesize
295KB

MD5
3cc665e51f9945daf4b2a8636021516b

SHA1
4fb5010925160e8341efe28cf8a87a3a9617fc3b

SHA256
53f93f29391b156d681d247fdaee2eeb74e16c86c25d1f6949b25d319a488b3d

SHA512
6c06fdf1d5e1ffc2ded18e2c9786a2240f4f48c090771ac8536774cfee6f09f18330356b55435a313af4a63465e002a9cd900e70fc50350f9d8ed6e26b9b70ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2de043NW.exe

Filesize
222KB

MD5
f44ede84ef1cdda49223084935bb3c48

SHA1
df940574cf573f45be0c204685231df1b7773f5d

SHA256
ed6d7bcd018be6cdcc38a1bf683bbf252c0b684283fac86b774ab3e7912b5b59

SHA512
40bd001fd217ea34d6e0fb850e9bc493210bb212a8cc38158a8bdedfbf588938b8b5d09d28d722c55c073d91ea5b2d98c48ebffa24dba4761cb4ebd9954839a3

Download Submit
memory/3516-33-0x0000000008620000-0x0000000008C38000-memory.dmp

Filesize
6.1MB

Download
memory/3516-29-0x0000000000780000-0x00000000007BE000-memory.dmp

Filesize
248KB

Download
memory/3516-30-0x0000000007A50000-0x0000000007FF4000-memory.dmp

Filesize
5.6MB

Download
memory/3516-31-0x0000000007540000-0x00000000075D2000-memory.dmp

Filesize
584KB

Download
memory/3516-32-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

Filesize
40KB

Download
memory/3516-34-0x00000000078C0000-0x00000000079CA000-memory.dmp

Filesize
1.0MB

Download
memory/3516-35-0x0000000007730000-0x0000000007742000-memory.dmp

Filesize
72KB

Download
memory/3516-36-0x00000000077B0000-0x00000000077EC000-memory.dmp

Filesize
240KB

Download
memory/3516-37-0x00000000077F0000-0x000000000783C000-memory.dmp

Filesize
304KB

Download
memory/4124-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4124-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4124-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4124-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download