mystic | ce9955c91d6a5f9e211ecb80cc51d8025eccfe4e1398947c094c94a6e2904f18

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
Size

648KB
MD5

c12139634f017d2d2c93952feebda554
SHA1

34d49019576082964f1d79b2cb8fa2f1298f1c29
SHA256

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a
SHA512

85480633f93547b3ac6bf0b0971b42d41ef30bc4fda2eb1f91b8459e371d7705008fe168f63ba8eb11c5ce61cff484faa6200b823022183c39c10bbbf148b38f
SSDEEP

12288:6Mr/y90MJQl5BK7ra5tpf0e7FlSBhobizWQG+UhZ+wGBEAb9ot02QH4xk:NyWl5BMa5/tRitiQG+UhQvEAGtDgd

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral15/memory/2568-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral15/memory/2568-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral15/memory/2568-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral15/memory/2568-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe	family_redline
behavioral15/memory/2248-22-0x0000000000D10000-0x0000000000D4E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Jm5AD1vQ.exe1OF70sw1.exe2jw288EV.exe

pid process

3236 Jm5AD1vQ.exe
392 1OF70sw1.exe
2248 2jw288EV.exe

pid	process
3236	Jm5AD1vQ.exe
392	1OF70sw1.exe
2248	2jw288EV.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exeJm5AD1vQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Jm5AD1vQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1OF70sw1.exe

description pid process target process

PID 392 set thread context of 2568 392 1OF70sw1.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1496 392 WerFault.exe 1OF70sw1.exe
4688 2568 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 392 set thread context of 2568	392	1OF70sw1.exe	AppLaunch.exe

pid	pid_target	process	target process
1496	392	WerFault.exe	1OF70sw1.exe
4688	2568	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exeJm5AD1vQ.exe1OF70sw1.exe

description	pid	process	target process
PID 4528 wrote to memory of 3236	4528	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 4528 wrote to memory of 3236	4528	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 4528 wrote to memory of 3236	4528	e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe	Jm5AD1vQ.exe
PID 3236 wrote to memory of 392	3236	Jm5AD1vQ.exe	1OF70sw1.exe
PID 3236 wrote to memory of 392	3236	Jm5AD1vQ.exe	1OF70sw1.exe
PID 3236 wrote to memory of 392	3236	Jm5AD1vQ.exe	1OF70sw1.exe
PID 392 wrote to memory of 4700	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 4700	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 4700	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 1272	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 1272	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 1272	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 392 wrote to memory of 2568	392	1OF70sw1.exe	AppLaunch.exe
PID 3236 wrote to memory of 2248	3236	Jm5AD1vQ.exe	2jw288EV.exe
PID 3236 wrote to memory of 2248	3236	Jm5AD1vQ.exe	2jw288EV.exe
PID 3236 wrote to memory of 2248	3236	Jm5AD1vQ.exe	2jw288EV.exe

C:\Users\Admin\AppData\Local\Temp\e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe
"C:\Users\Admin\AppData\Local\Temp\e5e7bb0a7cc45636a72f93a4151ea7e22ee4ee9111c58d3a429b065f67104b4a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:4700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 540
5⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 612
4⤵
- Program crash
PID:1496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
3⤵
- Executes dropped EXE
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 392 -ip 392
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2568 -ip 2568
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jm5AD1vQ.exe
Filesize
452KB

MD5
bca9c7b71ead7fdeac218edf4f3fab4f

SHA1
8209879f1df23e99506acb591142cc2ef2d07bc3

SHA256
43916853307921a44b9bcbefcc2890ade99cddc949bd548070f7bdf60832f48c

SHA512
fd6a8ca472d2a69a6a5bb83fad33fa672ba2aaf75710e471042566337ea31abd0b5f31257bf9ee954c58962a37bcb40245a669e48dd9d3f8b2dc235213277196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1OF70sw1.exe
Filesize
449KB

MD5
46c07b6d1b3acddad8d1950c6bd97e3e

SHA1
b6d22845e2970215807bcaaf0fbd214d6dc03823

SHA256
05a3779eb239d2829b65153440efeb694599a2847cd1944932450db46be8b0de

SHA512
f7b619451892c0274749f7732e0427048b04423602d13fb59bfb6b88e1797e1ed8fefebe7bcdf968a7927ab46b219f318742401c64c1d00b12276cf8c9b7d101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2jw288EV.exe
Filesize
221KB

MD5
091ca9376b4690e7926da147c97b54d9

SHA1
3123d1df94c0e9c29f07ddbf4d5e8833b9eef48e

SHA256
8a05206e08291da87e64198c77450883d1953a5350a30c09699e115f8d07feaa

SHA512
65258bb587ae16cd2b90d029e67f2652538cac5c5f6e52e59f74e7845bcbc9b85f15fefd2fe97e490989472004cbf751482c06d8a93ee3ba7bdcf0b958c21aa6

Download Submit
memory/2248-27-0x0000000007E00000-0x0000000007F0A000-memory.dmp

Filesize
1.0MB

Download
memory/2248-22-0x0000000000D10000-0x0000000000D4E000-memory.dmp

Filesize
248KB

Download
memory/2248-23-0x0000000007FC0000-0x0000000008564000-memory.dmp

Filesize
5.6MB

Download
memory/2248-24-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/2248-25-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/2248-26-0x0000000008B90000-0x00000000091A8000-memory.dmp

Filesize
6.1MB

Download
memory/2248-28-0x0000000007CC0000-0x0000000007CD2000-memory.dmp

Filesize
72KB

Download
memory/2248-29-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/2248-30-0x0000000007D70000-0x0000000007DBC000-memory.dmp

Filesize
304KB

Download
memory/2568-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download