mystic | bd5cb5ed04f67f5a6f2f5411e9ad5c457c0c3e3bf3a38e4996624bdfba01d98d

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe
Size

811KB
MD5

cf846f7c594cd193b3ed42192f1aa70b
SHA1

cd8d543d7f3e31185a888037df93b430684d18bc
SHA256

f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593
SHA512

b62d90a3b3556fdcc4d7c18eb86eeec31850c807200056558e037b40dddff2a0b7324accef115c7cbabbaafa29393f9b0c237f044c8b85b361a70974c779cf05
SSDEEP

24576:kyvaji1WUvRUmEyEihp3u3GRPYl7SYtdQ:zMi1WUumEyEihn+AY

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral21/memory/432-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral21/memory/432-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral21/memory/432-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral21/memory/432-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2El707HD.exe	family_redline
behavioral21/memory/3224-29-0x00000000002E0000-0x000000000031E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

JE1jK8xs.exeDd1HR7Vx.exe1hi53En0.exe2El707HD.exe

pid process

628 JE1jK8xs.exe
3240 Dd1HR7Vx.exe
3992 1hi53En0.exe
3224 2El707HD.exe

pid	process
628	JE1jK8xs.exe
3240	Dd1HR7Vx.exe
3992	1hi53En0.exe
3224	2El707HD.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exeJE1jK8xs.exeDd1HR7Vx.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	JE1jK8xs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Dd1HR7Vx.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1hi53En0.exe

description pid process target process

PID 3992 set thread context of 432 3992 1hi53En0.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

904 3992 WerFault.exe 1hi53En0.exe

description	pid	process	target process
PID 3992 set thread context of 432	3992	1hi53En0.exe	AppLaunch.exe

pid	pid_target	process	target process
904	3992	WerFault.exe	1hi53En0.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exeJE1jK8xs.exeDd1HR7Vx.exe1hi53En0.exe

description	pid	process	target process
PID 2680 wrote to memory of 628	2680	f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe	JE1jK8xs.exe
PID 2680 wrote to memory of 628	2680	f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe	JE1jK8xs.exe
PID 2680 wrote to memory of 628	2680	f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe	JE1jK8xs.exe
PID 628 wrote to memory of 3240	628	JE1jK8xs.exe	Dd1HR7Vx.exe
PID 628 wrote to memory of 3240	628	JE1jK8xs.exe	Dd1HR7Vx.exe
PID 628 wrote to memory of 3240	628	JE1jK8xs.exe	Dd1HR7Vx.exe
PID 3240 wrote to memory of 3992	3240	Dd1HR7Vx.exe	1hi53En0.exe
PID 3240 wrote to memory of 3992	3240	Dd1HR7Vx.exe	1hi53En0.exe
PID 3240 wrote to memory of 3992	3240	Dd1HR7Vx.exe	1hi53En0.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3992 wrote to memory of 432	3992	1hi53En0.exe	AppLaunch.exe
PID 3240 wrote to memory of 3224	3240	Dd1HR7Vx.exe	2El707HD.exe
PID 3240 wrote to memory of 3224	3240	Dd1HR7Vx.exe	2El707HD.exe
PID 3240 wrote to memory of 3224	3240	Dd1HR7Vx.exe	2El707HD.exe

C:\Users\Admin\AppData\Local\Temp\f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe
"C:\Users\Admin\AppData\Local\Temp\f80bd799075b9e73bec4964dc911341456e6d8cb065c4ab30d36cb613faf6593.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JE1jK8xs.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JE1jK8xs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dd1HR7Vx.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dd1HR7Vx.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hi53En0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hi53En0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 136
        5⤵
        Program crash
        
        PID:904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2El707HD.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2El707HD.exe
      4⤵
      Executes dropped EXE
      PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3992 -ip 3992
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JE1jK8xs.exe

Filesize
577KB

MD5
3dc107ab43c46c6e44aa7e38600f9453

SHA1
4409035d56091531c827acfbf5023ca4b8bcfaf0

SHA256
128906b201e125f57cc1763f3cbd41bf17792b31454d28f6db5548278ef4dcc8

SHA512
02f838ea394f52eaf88eabf04fbad67a6eb616452cb9e24fa1a40b5203af948a832944d44f3eec6100a77cd1b8cf973a2a55a1f5902610cc6079e5c1837173e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dd1HR7Vx.exe

Filesize
381KB

MD5
5008baf4d376af00e269ef43c28cd776

SHA1
ac0d6c4247b996bf55841ac775d8952d106920bf

SHA256
696265ce71db21041af5561cb63ac8eb774fa0c81479006489c92103b1ab772b

SHA512
ead21772eea11adb80f3fcde9949b1a5b480c9e0e24e108021d2ebb3414127ca22ae1f11718eafa1e1a8b6cc5ca9dbe2d47f09e47c54fefd1c6108fa3750c6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hi53En0.exe

Filesize
295KB

MD5
1ddd3b7949f8298e028f59e2a0bf2242

SHA1
60706d663681e29a76afce2f1b009779a6e5de61

SHA256
73b6f66d7f25da07915a48851fab8b8a97f7230df6fbee474c69b06a3633c1c8

SHA512
01e5eafc0896c6b5fcde7356d85608d94a17059d4bacf6fc05aecfc38ed932e071fa17eb449f1ff9d55e28962a2b2b8ae1446c4fdc7e6e0b3c058e7d3a45cc88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2El707HD.exe

Filesize
222KB

MD5
97b5f2969da21c0197eea47590c42d4c

SHA1
4d28b20dfd93bac8bb31688c50e97dc43a99c29f

SHA256
6c15de91b26f959259b3b567c99f12162c4f8deb04f1adb349f3183ad09441a2

SHA512
7033f56c370eca87595f3ce8b54767d8f3bce008c625bdbd99d3b21523c10f85e3861eeea1e6ee9564aae4773c973e696635c4e13ece66ba3c0e61bca7c53739

Download Submit
memory/432-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/432-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/432-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/432-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3224-29-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/3224-30-0x0000000007760000-0x0000000007D04000-memory.dmp

Filesize
5.6MB

Download
memory/3224-31-0x00000000071B0000-0x0000000007242000-memory.dmp

Filesize
584KB

Download
memory/3224-32-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/3224-33-0x0000000008330000-0x0000000008948000-memory.dmp

Filesize
6.1MB

Download
memory/3224-34-0x00000000074E0000-0x00000000075EA000-memory.dmp

Filesize
1.0MB

Download
memory/3224-35-0x00000000073F0000-0x0000000007402000-memory.dmp

Filesize
72KB

Download
memory/3224-36-0x0000000007450000-0x000000000748C000-memory.dmp

Filesize
240KB

Download
memory/3224-37-0x0000000007490000-0x00000000074DC000-memory.dmp

Filesize
304KB

Download