mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe
Size

1.3MB
MD5

eb745fe2c2df0c9642e60c076ebbb8a8
SHA1

cd9cf0966d4be269ab50bfb98635a74a0e958f57
SHA256

62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0
SHA512

dc88627295a2e54b31599818e335fc3e76b6ebe53e0d23a0405270516446c4325769b5f0772f30502c22ec92e30cc8be0fd4192937436f3d5395c678d0845db8
SSDEEP

24576:oyM5I8I2r54QwinOnVK7oOKTX0fNRDgKwkGtUO5qcZ+ifXWp7B+WpwJMVd:vMCTQwiOVaoO7TwkGCO5qcI2mJAWpK

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/2632-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/2632-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral7/memory/2632-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral7/files/0x0007000000023487-40.dat	family_redline
behavioral7/memory/2628-42-0x0000000000D60000-0x0000000000D9E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4664	TC8zp8Sk.exe
1044	BO3uz4iD.exe
4068	jU7ag7xx.exe
1160	Ho4OM1ip.exe
4280	1Bl62sz1.exe
2628	2sP907Yn.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Ho4OM1ip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TC8zp8Sk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	BO3uz4iD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jU7ag7xx.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 2632	4280	1Bl62sz1.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2528	4280	WerFault.exe	86

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 4664	1528	62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe	82
PID 1528 wrote to memory of 4664	1528	62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe	82
PID 1528 wrote to memory of 4664	1528	62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe	82
PID 4664 wrote to memory of 1044	4664	TC8zp8Sk.exe	83
PID 4664 wrote to memory of 1044	4664	TC8zp8Sk.exe	83
PID 4664 wrote to memory of 1044	4664	TC8zp8Sk.exe	83
PID 1044 wrote to memory of 4068	1044	BO3uz4iD.exe	84
PID 1044 wrote to memory of 4068	1044	BO3uz4iD.exe	84
PID 1044 wrote to memory of 4068	1044	BO3uz4iD.exe	84
PID 4068 wrote to memory of 1160	4068	jU7ag7xx.exe	85
PID 4068 wrote to memory of 1160	4068	jU7ag7xx.exe	85
PID 4068 wrote to memory of 1160	4068	jU7ag7xx.exe	85
PID 1160 wrote to memory of 4280	1160	Ho4OM1ip.exe	86
PID 1160 wrote to memory of 4280	1160	Ho4OM1ip.exe	86
PID 1160 wrote to memory of 4280	1160	Ho4OM1ip.exe	86
PID 4280 wrote to memory of 548	4280	1Bl62sz1.exe	89
PID 4280 wrote to memory of 548	4280	1Bl62sz1.exe	89
PID 4280 wrote to memory of 548	4280	1Bl62sz1.exe	89
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 4280 wrote to memory of 2632	4280	1Bl62sz1.exe	90
PID 1160 wrote to memory of 2628	1160	Ho4OM1ip.exe	95
PID 1160 wrote to memory of 2628	1160	Ho4OM1ip.exe	95
PID 1160 wrote to memory of 2628	1160	Ho4OM1ip.exe	95

C:\Users\Admin\AppData\Local\Temp\62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe
"C:\Users\Admin\AppData\Local\Temp\62d27d23e1f8603e95173890b3a03815aecbbbba3cc357aa36aba1f8374397d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TC8zp8Sk.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TC8zp8Sk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BO3uz4iD.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BO3uz4iD.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jU7ag7xx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jU7ag7xx.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ho4OM1ip.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ho4OM1ip.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bl62sz1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bl62sz1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:548
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 608
        7⤵
        Program crash
        
        PID:2528
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sP907Yn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sP907Yn.exe
        6⤵
        Executes dropped EXE
        
        PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4280 -ip 4280
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TC8zp8Sk.exe

Filesize
1.1MB

MD5
90e58d49d006bf3583129a2fa9cef24f

SHA1
46f53795e4a1596b8aaad6ed7fd95b22d3d04049

SHA256
cbe2518d5aea2e594c721c6752ed2e532bb7d72ddfe025906c8a726f69e6d32b

SHA512
ace13a601340f4bb698d889861ff476908ee009030d4eb742f15566d3ecf598854eeba734e9bd1955cc80bf9d40da8edbee6e384aef3ad08cc45f9edf3c6440a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\BO3uz4iD.exe

Filesize
948KB

MD5
5627ccba42aeb077314d7a39e77ced49

SHA1
842873f0d2405c15766cf9b4b7873fb5787904e9

SHA256
4267680c713514c352b7e33936e7e3d3af53fcb996f9c86675a12facbfab4fca

SHA512
5853dfb472e7e288714c6545839ab7d81e880ad284c7494bc53d0f6fcfdd80be82a9600dfd7a1ea6b73941a14c433c675fc8862ba15c364c4e43f3b8dddc30ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jU7ag7xx.exe

Filesize
647KB

MD5
e5546f2812847bec5844431d9f265553

SHA1
dfefbcacce34491119d5f6e92eb6d40849d12c58

SHA256
eed2e932e588b481ab8cd657783b15cc1c6562d691adf379d4acf46f2405a834

SHA512
550f0bc605de269e06ec7c9c6ecf4baff35738788d48b4f0147af224af3956ef96b2b7ec44b868af9c3841e61e26d9bb8f03a2909c59ca592e6ce7b3e14cf8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ho4OM1ip.exe

Filesize
451KB

MD5
4d41e34be72900417d3b2d1cba329828

SHA1
053754af78e9783c4face121a82bdf2a188fc428

SHA256
376467220eaf634338b1dc79625308a7ede386509bba0661cd345be9b034feb4

SHA512
62e72a9591097542dd7f0c65ba3206e33052943a67b756d4100f16d37745c6ac5aa855892b60fe56b06188bff7cf97bba6419ec1dfb7dbf239d03b20d5206b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bl62sz1.exe

Filesize
448KB

MD5
c098e6e949f7bb07bf6f724872aaa1c4

SHA1
3384293915760d88053c871b92e449c4acce0ffa

SHA256
3307b86a927033aab99e77f9f5787b4604a891c09585ae4e4267e3e8dabee79f

SHA512
074b0e2e7703d31e94562559bb1196bde67e29b73241d5b9fc2e1ac410d3d56c616182c9bc77aa3b5af4ca7c8b2fee86d137fa14fa414613a01410f6100ea301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2sP907Yn.exe

Filesize
221KB

MD5
0c685a90fa06ddc200e0fa9d4e3cdffd

SHA1
f4048f9e449927b9ee811c97a2cbae494a0c1c23

SHA256
49fdfec235050b0d20aa40fda2efdb29a34201c0786d77fa90c5d3aaf692b7c4

SHA512
9552ed8ac78dbe960a821212df22569107af446294b537f66946696f79ad1f9bc1676cc0a070ac715473a99b9872796bdacf14180c5d844c620d084710566d89

Download Submit
memory/2628-42-0x0000000000D60000-0x0000000000D9E000-memory.dmp

Filesize
248KB

Download
memory/2628-43-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/2628-44-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/2628-45-0x00000000015F0000-0x00000000015FA000-memory.dmp

Filesize
40KB

Download
memory/2628-46-0x0000000008DA0000-0x00000000093B8000-memory.dmp

Filesize
6.1MB

Download
memory/2628-47-0x0000000008020000-0x000000000812A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-48-0x0000000007E50000-0x0000000007E62000-memory.dmp

Filesize
72KB

Download
memory/2628-49-0x0000000007EB0000-0x0000000007EEC000-memory.dmp

Filesize
240KB

Download
memory/2628-50-0x0000000007F10000-0x0000000007F5C000-memory.dmp

Filesize
304KB

Download
memory/2632-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads