mystic | ce9955c91d6a5f9e211ecb80cc51d8025eccfe4e1398947c094c94a6e2904f18

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe
Size

1008KB
MD5

014a2a1979a35d870c55175b30df4794
SHA1

1473c11702720aa9deb9877bf4ec8f10c745d6a5
SHA256

dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e
SHA512

049797fac32069693c9342812a1de56796ad9feec5b69ef037ea29f99a97c5a9c121217e71245031504ecd5511dec1bdd4f5efe97eb374f7b56c55cfa2b31769
SSDEEP

24576:fy4SXxIK8PAwSsWbOMUEq6tl9zbGdfLeg21zL0ZS+mxE:q4SSKaAwSsOZq6tl9zbBhJL/v

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2596-28-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral14/memory/2596-31-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral14/memory/2596-29-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Uo986BI.exe	family_redline
behavioral14/memory/784-35-0x00000000009C0000-0x00000000009FE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

Bn4Yi7rd.exeig7Ie7rC.exelv6Rc3XR.exe1Ls24Rn1.exe2Uo986BI.exe

pid process

2280 Bn4Yi7rd.exe
4544 ig7Ie7rC.exe
4064 lv6Rc3XR.exe
4516 1Ls24Rn1.exe
784 2Uo986BI.exe

pid	process
2280	Bn4Yi7rd.exe
4544	ig7Ie7rC.exe
4064	lv6Rc3XR.exe
4516	1Ls24Rn1.exe
784	2Uo986BI.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lv6Rc3XR.exedc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exeBn4Yi7rd.exeig7Ie7rC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lv6Rc3XR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bn4Yi7rd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ig7Ie7rC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Ls24Rn1.exe

description pid process target process

PID 4516 set thread context of 2596 4516 1Ls24Rn1.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4320 4516 WerFault.exe 1Ls24Rn1.exe

description	pid	process	target process
PID 4516 set thread context of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe

pid	pid_target	process	target process
4320	4516	WerFault.exe	1Ls24Rn1.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exeBn4Yi7rd.exeig7Ie7rC.exelv6Rc3XR.exe1Ls24Rn1.exe

description	pid	process	target process
PID 4524 wrote to memory of 2280	4524	dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe	Bn4Yi7rd.exe
PID 4524 wrote to memory of 2280	4524	dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe	Bn4Yi7rd.exe
PID 4524 wrote to memory of 2280	4524	dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe	Bn4Yi7rd.exe
PID 2280 wrote to memory of 4544	2280	Bn4Yi7rd.exe	ig7Ie7rC.exe
PID 2280 wrote to memory of 4544	2280	Bn4Yi7rd.exe	ig7Ie7rC.exe
PID 2280 wrote to memory of 4544	2280	Bn4Yi7rd.exe	ig7Ie7rC.exe
PID 4544 wrote to memory of 4064	4544	ig7Ie7rC.exe	lv6Rc3XR.exe
PID 4544 wrote to memory of 4064	4544	ig7Ie7rC.exe	lv6Rc3XR.exe
PID 4544 wrote to memory of 4064	4544	ig7Ie7rC.exe	lv6Rc3XR.exe
PID 4064 wrote to memory of 4516	4064	lv6Rc3XR.exe	1Ls24Rn1.exe
PID 4064 wrote to memory of 4516	4064	lv6Rc3XR.exe	1Ls24Rn1.exe
PID 4064 wrote to memory of 4516	4064	lv6Rc3XR.exe	1Ls24Rn1.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4516 wrote to memory of 2596	4516	1Ls24Rn1.exe	AppLaunch.exe
PID 4064 wrote to memory of 784	4064	lv6Rc3XR.exe	2Uo986BI.exe
PID 4064 wrote to memory of 784	4064	lv6Rc3XR.exe	2Uo986BI.exe
PID 4064 wrote to memory of 784	4064	lv6Rc3XR.exe	2Uo986BI.exe

C:\Users\Admin\AppData\Local\Temp\dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe
"C:\Users\Admin\AppData\Local\Temp\dc220ed080f58ca4a078f8ea2a3ba2d42611f3da8514d41359c39eae805b1c4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bn4Yi7rd.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bn4Yi7rd.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ig7Ie7rC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ig7Ie7rC.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lv6Rc3XR.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lv6Rc3XR.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls24Rn1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls24Rn1.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 580
6⤵
- Program crash
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Uo986BI.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Uo986BI.exe
5⤵
- Executes dropped EXE
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4516 -ip 4516
1⤵
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bn4Yi7rd.exe
Filesize
819KB

MD5
1a0a83693be1415f0971c190f5401d2e

SHA1
ceca1ad1e379e9620f32c5a34272d755da173f3d

SHA256
021d13a77a08f2e3c44f262e824d6485448870e67206aaef888a907b23a862b2

SHA512
95d219d72d7211db87e9529472db7f87864926c5b9088d3821af6c56b436cfdff79ce97815eb63a5746066fccad7da8cd01d131733289e50eff2d76d116e4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ig7Ie7rC.exe
Filesize
583KB

MD5
92ba9f7844e4b04137947a539d00b801

SHA1
d7f4fcc4a58f3f073d126f616cf4d73a9d64190b

SHA256
9597c86058f64aae54adb24842a95fac4cad649064da6cf1b83608a00569e1e3

SHA512
6de99719b3771cc0f92ccd6e3245c8c86454abc03356748dfb45a842dccc5120167bad36a6bf8a19ab0615707ec1c3df2cd25c2d77fdcca5bfab3409a709fd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lv6Rc3XR.exe
Filesize
383KB

MD5
3fc1f3de9fe185ba902861354dde3f5c

SHA1
c6d84f1c411dcd2ec9dd6df02a49978acfa6e3cd

SHA256
36064255a37f586f088b0dd3c9b623650a27d9fdd55722669fbd2b1aa446bc6a

SHA512
c1f2f7b212879d4affd15476122409c50f8795571ce7f59563222cb77f4867893871959d6c7c03ed58d4ad24d677b57f92a8cc36dda38d2d01ccef8f850fcc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ls24Rn1.exe
Filesize
298KB

MD5
2fa1d252aebab8694d7acac396e39a11

SHA1
8b546f55e262002d2feadc9e608145ecb8bb3b45

SHA256
0923a6fb53240bd2c207fb8f4994d0424d7554cf1ad6991d76807eee8d2185e7

SHA512
9551dc943ac781cebedf7c11e6671d234b66c1f907b87024307c00a88433c1ecec75e2afcc0d5b4bcd374cf9771c8a2daa2c11b9ab4bc08aa88ccb881bd96e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Uo986BI.exe
Filesize
222KB

MD5
b28b1c2fa80bcec0184f1d8180236f36

SHA1
d60a44ea4a8ec7f036acecdc8aa4575b8887bc78

SHA256
29de4e4af091e6d00a5dab969dbe974428fde43a6173cf6135e5683ff209f0da

SHA512
366209ef8afef7d8ba60eaa57de2b29981b78ee3608428271c6e6a31350020fc427bca45b0be3d21832b66874b229ca6a6861837678b029bd1c82b0ba4bfa1c7

Download Submit
memory/784-39-0x00000000087C0000-0x0000000008DD8000-memory.dmp

Filesize
6.1MB

Download
memory/784-35-0x00000000009C0000-0x00000000009FE000-memory.dmp

Filesize
248KB

Download
memory/784-36-0x0000000007BF0000-0x0000000008194000-memory.dmp

Filesize
5.6MB

Download
memory/784-37-0x0000000007740000-0x00000000077D2000-memory.dmp

Filesize
584KB

Download
memory/784-38-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/784-40-0x00000000081A0000-0x00000000082AA000-memory.dmp

Filesize
1.0MB

Download
memory/784-41-0x0000000007AC0000-0x0000000007AD2000-memory.dmp

Filesize
72KB

Download
memory/784-42-0x0000000007B20000-0x0000000007B5C000-memory.dmp

Filesize
240KB

Download
memory/784-43-0x0000000007B60000-0x0000000007BAC000-memory.dmp

Filesize
304KB

Download
memory/2596-29-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2596-28-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download