mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe
Size

1.1MB
MD5

157293e9ec48c365745959b8300b17e1
SHA1

6e47a29b6f96c9a5f18dd25afc2d8e2a17792dc8
SHA256

dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3
SHA512

922146ea84fb7fae01c153329ceba4e265db7cfde77c38f3199c8d09c243a0ea12807297691f6542581c8e5b74aaa4e268c20d6d4b65639313364815fcb259ad
SSDEEP

24576:HyMyx7uQwJpYPGJiYh2uUT0IG+HuZZx40dJcZv3Ph/KOSyUAPZ4KX8P:SV7uPa8ignrMHuZ0sOfP4yNX8

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral17/memory/4760-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/4760-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral17/memory/4760-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WY025Nb.exe	family_redline
behavioral17/memory/3380-42-0x0000000000FB0000-0x0000000000FEE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

CC9VB2nT.exeNg8oS5Lx.exeMD6zo5kq.exejB8am3Mf.exe1QD67JK7.exe2WY025Nb.exe

pid process

3812 CC9VB2nT.exe
2700 Ng8oS5Lx.exe
2432 MD6zo5kq.exe
868 jB8am3Mf.exe
5072 1QD67JK7.exe
3380 2WY025Nb.exe

pid	process
3812	CC9VB2nT.exe
2700	Ng8oS5Lx.exe
2432	MD6zo5kq.exe
868	jB8am3Mf.exe
5072	1QD67JK7.exe
3380	2WY025Nb.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exeCC9VB2nT.exeNg8oS5Lx.exeMD6zo5kq.exejB8am3Mf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CC9VB2nT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ng8oS5Lx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	MD6zo5kq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	jB8am3Mf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1QD67JK7.exe

description pid process target process

PID 5072 set thread context of 4760 5072 1QD67JK7.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1868 5072 WerFault.exe 1QD67JK7.exe

description	pid	process	target process
PID 5072 set thread context of 4760	5072	1QD67JK7.exe	AppLaunch.exe

pid	pid_target	process	target process
1868	5072	WerFault.exe	1QD67JK7.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exeCC9VB2nT.exeNg8oS5Lx.exeMD6zo5kq.exejB8am3Mf.exe1QD67JK7.exe

description	pid	process	target process
PID 536 wrote to memory of 3812	536	dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe	CC9VB2nT.exe
PID 536 wrote to memory of 3812	536	dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe	CC9VB2nT.exe
PID 536 wrote to memory of 3812	536	dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe	CC9VB2nT.exe
PID 3812 wrote to memory of 2700	3812	CC9VB2nT.exe	Ng8oS5Lx.exe
PID 3812 wrote to memory of 2700	3812	CC9VB2nT.exe	Ng8oS5Lx.exe
PID 3812 wrote to memory of 2700	3812	CC9VB2nT.exe	Ng8oS5Lx.exe
PID 2700 wrote to memory of 2432	2700	Ng8oS5Lx.exe	MD6zo5kq.exe
PID 2700 wrote to memory of 2432	2700	Ng8oS5Lx.exe	MD6zo5kq.exe
PID 2700 wrote to memory of 2432	2700	Ng8oS5Lx.exe	MD6zo5kq.exe
PID 2432 wrote to memory of 868	2432	MD6zo5kq.exe	jB8am3Mf.exe
PID 2432 wrote to memory of 868	2432	MD6zo5kq.exe	jB8am3Mf.exe
PID 2432 wrote to memory of 868	2432	MD6zo5kq.exe	jB8am3Mf.exe
PID 868 wrote to memory of 5072	868	jB8am3Mf.exe	1QD67JK7.exe
PID 868 wrote to memory of 5072	868	jB8am3Mf.exe	1QD67JK7.exe
PID 868 wrote to memory of 5072	868	jB8am3Mf.exe	1QD67JK7.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 5072 wrote to memory of 4760	5072	1QD67JK7.exe	AppLaunch.exe
PID 868 wrote to memory of 3380	868	jB8am3Mf.exe	2WY025Nb.exe
PID 868 wrote to memory of 3380	868	jB8am3Mf.exe	2WY025Nb.exe
PID 868 wrote to memory of 3380	868	jB8am3Mf.exe	2WY025Nb.exe

C:\Users\Admin\AppData\Local\Temp\dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe
"C:\Users\Admin\AppData\Local\Temp\dd0f820c33b1cedd17049cf9b5cc18637676e9aa3cfaadbd8f19144e345b7da3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CC9VB2nT.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CC9VB2nT.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng8oS5Lx.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng8oS5Lx.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MD6zo5kq.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MD6zo5kq.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB8am3Mf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB8am3Mf.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1QD67JK7.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1QD67JK7.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 556
7⤵
- Program crash
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WY025Nb.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WY025Nb.exe
6⤵
- Executes dropped EXE
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5072 -ip 5072
1⤵
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CC9VB2nT.exe

Filesize
1008KB

MD5
18cfeea9f9553780502e6f2614324a6b

SHA1
a8aabeeb53e2a6e70e157c7a8ac5239259c1cb08

SHA256
d4d05b7d9006552621d4b224e56de449cb5990f1a5c3e01cbe1cce9c0e294c1d

SHA512
bac916489ceb57dde51d5a199c1e016a8a8f5bca01f3373d74b5119ef44871f4523cad6a8ef97cede79f40b0b3daf0dc3e366530e88ce368e16a5c0e3b7d056f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ng8oS5Lx.exe

Filesize
819KB

MD5
7cfd257b34fae866ba8aaa6df8b08c12

SHA1
cda2df546de510f73a7d41977e0725e4f3180ac3

SHA256
fbd8d72f7e8046c650efa73c6d984945abfe9952bd8f67360b4658fc5138e70c

SHA512
2a2e2a75b1f149d9304fe66690e7a2a712b17af9a6da0ede0870e137bad74243392fcfcfc564e79055913990976da8895bba3bb8755323064876e5f5e4dc125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\MD6zo5kq.exe

Filesize
583KB

MD5
e40f23ca8e94f427a2d4bddbc321d459

SHA1
5d2e9fa12e9a42a6ec42e8e25ae02a35d8dd7e14

SHA256
080679bb8f09d217d70a3146daef22e344337c084820a08aa209b16d074cff51

SHA512
026b686d62752019f034a0210cfd853aa1f0b0ba5149d3760178e57d01877366af53087f2f6883bedc7fbf0573749a0114b087d6c7f54403747ab022449c372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jB8am3Mf.exe

Filesize
383KB

MD5
0b3f96f0c65e134b7112622fa24a8b4b

SHA1
ec55c989b3393a5412ca2776e50520606ddec598

SHA256
300fb09db220962736eb5f9ba9ebd5fe9701205513a6860b275c9dee5b07374d

SHA512
54465e763ad4b99ea0507bf743ec6710a9daef74ad5547f797dc847d788f186c69da7723dc03262fbb801b2b31704c0a718dfcf6111e375b477078981c561e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1QD67JK7.exe

Filesize
298KB

MD5
4a071cc30292b81eb2350b5027cfde8f

SHA1
55825da08668fd0a1e197b75e6e42c7bbd99694f

SHA256
474f604ad90cb29cce321f4977f03a8144e99d8419e351de97e981e0db76d0a3

SHA512
2ab61f576810172f7671e7ed16c0f08e9802f16df843d543cf6ef600372ac715888b2822837766d8af8f61b7854acbef9d41b828500eb9d62184c496dc21e78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2WY025Nb.exe

Filesize
222KB

MD5
1cce1d4bf0256e3c39044d2d021fa5a3

SHA1
ac506fd1f0d7688219ae5fd4076c376fab032bd4

SHA256
50c03ebc296eb9521ce2c98efd21962ced67f66d1967828920856085b5ed112f

SHA512
91d94ce6cbd86068fd1e3b3c4665ab9bba242126422a292af140c6f649f82c4275c63bbd61a4b5c67b559ba82dea146c1998a64c434c905f78c328e53c756a70

Download Submit
memory/3380-42-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

Filesize
248KB

Download
memory/3380-43-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/3380-44-0x0000000007DE0000-0x0000000007E72000-memory.dmp

Filesize
584KB

Download
memory/3380-45-0x00000000031D0000-0x00000000031DA000-memory.dmp

Filesize
40KB

Download
memory/3380-46-0x0000000008EC0000-0x00000000094D8000-memory.dmp

Filesize
6.1MB

Download
memory/3380-47-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/3380-48-0x0000000007E80000-0x0000000007E92000-memory.dmp

Filesize
72KB

Download
memory/3380-49-0x0000000007EE0000-0x0000000007F1C000-memory.dmp

Filesize
240KB

Download
memory/3380-50-0x0000000008030000-0x000000000807C000-memory.dmp

Filesize
304KB

Download
memory/4760-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4760-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4760-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download