mystic | 47203fc7445c1e0e06643f363dd7d86ccc46b70ab234e5fbfe72badfdd6704ae

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
Size

577KB
MD5

7e5a5c1814794055b55a04fe525a125e
SHA1

f42f766a75151ab8ff7c688f43fa30b430d9ca84
SHA256

bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b
SHA512

331744e8b2b3714ea2cbe6c0a4480f7b0f251304b62c962384aed768219b58154dd59245498894aef3b2bb0a9c151a527cc6e8eee40c4942c5a4192cd8be22a6
SSDEEP

12288:CMrLy90iloIG1yJErQNjCIZai9X5doTSPWJZqxsc9:hy9blAQBDaiN56TQW+xsO

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral15/memory/3896-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral15/memory/3896-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral15/memory/3896-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral15/memory/3896-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hP799mU.exe	family_redline
behavioral15/memory/3628-22-0x0000000000A30000-0x0000000000A6E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

UC0do8wj.exe1gM64uG3.exe2hP799mU.exe

pid process

716 UC0do8wj.exe
3360 1gM64uG3.exe
3628 2hP799mU.exe

pid	process
716	UC0do8wj.exe
3360	1gM64uG3.exe
3628	2hP799mU.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UC0do8wj.exebee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UC0do8wj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1gM64uG3.exe

description pid process target process

PID 3360 set thread context of 3896 3360 1gM64uG3.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2324 3360 WerFault.exe 1gM64uG3.exe
1260 3896 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 3360 set thread context of 3896	3360	1gM64uG3.exe	AppLaunch.exe

pid	pid_target	process	target process
2324	3360	WerFault.exe	1gM64uG3.exe
1260	3896	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exeUC0do8wj.exe1gM64uG3.exe

description	pid	process	target process
PID 2472 wrote to memory of 716	2472	bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe	UC0do8wj.exe
PID 2472 wrote to memory of 716	2472	bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe	UC0do8wj.exe
PID 2472 wrote to memory of 716	2472	bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe	UC0do8wj.exe
PID 716 wrote to memory of 3360	716	UC0do8wj.exe	1gM64uG3.exe
PID 716 wrote to memory of 3360	716	UC0do8wj.exe	1gM64uG3.exe
PID 716 wrote to memory of 3360	716	UC0do8wj.exe	1gM64uG3.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 3360 wrote to memory of 3896	3360	1gM64uG3.exe	AppLaunch.exe
PID 716 wrote to memory of 3628	716	UC0do8wj.exe	2hP799mU.exe
PID 716 wrote to memory of 3628	716	UC0do8wj.exe	2hP799mU.exe
PID 716 wrote to memory of 3628	716	UC0do8wj.exe	2hP799mU.exe

C:\Users\Admin\AppData\Local\Temp\bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
"C:\Users\Admin\AppData\Local\Temp\bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UC0do8wj.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UC0do8wj.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gM64uG3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gM64uG3.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 224
5⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 592
4⤵
- Program crash
PID:2324

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hP799mU.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hP799mU.exe
3⤵
- Executes dropped EXE
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3360 -ip 3360
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3896 -ip 3896
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UC0do8wj.exe

Filesize
381KB

MD5
544a67672232642c6071133f6ae36f05

SHA1
45e53e8f8a072d74f54bfb4d89aab149a5f930e7

SHA256
f3c80ae2ce2559ab6102c85cfcafd4867113b1135aa55595e855721c7a99c79d

SHA512
24bc85fb89dcb15e779e596a2661d07e3cab129640fdbf835c3847cc55ef941a3d910528e8cea0c0408d3d98522a21d15fd3ebf55d2e6c3cafc310f476611a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1gM64uG3.exe

Filesize
295KB

MD5
3865fed36397362ee3b697b32a00c649

SHA1
4553f8b311e2ad7ad045cfc74878e081c21699e6

SHA256
5b933a3f7bfe6c48a7a54a5dfd543358b3915459524c9a159df732ff0a4c07ed

SHA512
b3007e42d0d5064f63ccda373f73113752b0eec9d30be75f38038c11718db13c38b1847174245a443330c64df1b05ccdeb39e631aa0079ae5c206a40cbffed4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2hP799mU.exe

Filesize
222KB

MD5
d65f3ebf1e4d623353ed4d1746374e4c

SHA1
c3370149db91bad7af5b6f451aa2009fe3a4e998

SHA256
d42a281d1fd81ad4a16304ba40ed1afec1f9482a54c551c56e3739d9938d7e13

SHA512
39a2690702c8a0767ad1820c7850b57b84b36856c211070653f471b615ab1135c223f78a7f50db0b82fa9b79bbb23c608b92a1290e990a677783cdd300dc2ffb

Download Submit
memory/3628-29-0x0000000007B80000-0x0000000007BBC000-memory.dmp

Filesize
240KB

Download
memory/3628-22-0x0000000000A30000-0x0000000000A6E000-memory.dmp

Filesize
248KB

Download
memory/3628-23-0x0000000007E00000-0x00000000083A4000-memory.dmp

Filesize
5.6MB

Download
memory/3628-24-0x00000000078F0000-0x0000000007982000-memory.dmp

Filesize
584KB

Download
memory/3628-25-0x0000000002D20000-0x0000000002D2A000-memory.dmp

Filesize
40KB

Download
memory/3628-27-0x0000000007C90000-0x0000000007D9A000-memory.dmp

Filesize
1.0MB

Download
memory/3628-28-0x0000000007B20000-0x0000000007B32000-memory.dmp

Filesize
72KB

Download
memory/3628-30-0x0000000007BC0000-0x0000000007C0C000-memory.dmp

Filesize
304KB

Download
memory/3628-26-0x00000000089D0000-0x0000000008FE8000-memory.dmp

Filesize
6.1MB

Download
memory/3896-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3896-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3896-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3896-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download