mystic | 3cc30911c3eb32deaf5fb8bc4dfe2ca6abbafa106ab4c16e8ff25a715c1fe7e7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe
Size

1.1MB
MD5

30ec8753ba08b1b439e43e84a4f02e90
SHA1

a872df7ec9adaa22035b161ce6dad745e89a5a5b
SHA256

775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d
SHA512

593f922e0291eb7127041f4ce9868924817a3534d4dc67d69bc11127b721f2f33bb477654f4d74828d004d29c5862acf9f3022b706f2080cf238b8506325bd60
SSDEEP

12288:+MrQy90QW+wWzj3Q6ks5eE/2NowcE/WEaDSEHxm5QsVGdqZnZQqHSqSyHU8GB88j:CyUQrtJE/WEsSWI3VlZQuhGBPni3O5t

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/4112-28-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/4112-30-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral9/memory/4112-31-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe	family_redline
behavioral9/memory/1420-35-0x00000000006A0000-0x00000000006DE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

YN6ZE6SU.exesf3YE1mZ.exeGm7Ih8Fp.exe1Jw66Oq4.exe2xW389rQ.exe

pid process

960 YN6ZE6SU.exe
2676 sf3YE1mZ.exe
1456 Gm7Ih8Fp.exe
2748 1Jw66Oq4.exe
1420 2xW389rQ.exe

pid	process
960	YN6ZE6SU.exe
2676	sf3YE1mZ.exe
1456	Gm7Ih8Fp.exe
2748	1Jw66Oq4.exe
1420	2xW389rQ.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exeYN6ZE6SU.exesf3YE1mZ.exeGm7Ih8Fp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YN6ZE6SU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sf3YE1mZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Gm7Ih8Fp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Jw66Oq4.exe

description pid process target process

PID 2748 set thread context of 4112 2748 1Jw66Oq4.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3816 2748 WerFault.exe 1Jw66Oq4.exe

description	pid	process	target process
PID 2748 set thread context of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe

pid	pid_target	process	target process
3816	2748	WerFault.exe	1Jw66Oq4.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exeYN6ZE6SU.exesf3YE1mZ.exeGm7Ih8Fp.exe1Jw66Oq4.exe

description	pid	process	target process
PID 4484 wrote to memory of 960	4484	775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe	YN6ZE6SU.exe
PID 4484 wrote to memory of 960	4484	775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe	YN6ZE6SU.exe
PID 4484 wrote to memory of 960	4484	775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe	YN6ZE6SU.exe
PID 960 wrote to memory of 2676	960	YN6ZE6SU.exe	sf3YE1mZ.exe
PID 960 wrote to memory of 2676	960	YN6ZE6SU.exe	sf3YE1mZ.exe
PID 960 wrote to memory of 2676	960	YN6ZE6SU.exe	sf3YE1mZ.exe
PID 2676 wrote to memory of 1456	2676	sf3YE1mZ.exe	Gm7Ih8Fp.exe
PID 2676 wrote to memory of 1456	2676	sf3YE1mZ.exe	Gm7Ih8Fp.exe
PID 2676 wrote to memory of 1456	2676	sf3YE1mZ.exe	Gm7Ih8Fp.exe
PID 1456 wrote to memory of 2748	1456	Gm7Ih8Fp.exe	1Jw66Oq4.exe
PID 1456 wrote to memory of 2748	1456	Gm7Ih8Fp.exe	1Jw66Oq4.exe
PID 1456 wrote to memory of 2748	1456	Gm7Ih8Fp.exe	1Jw66Oq4.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 2748 wrote to memory of 4112	2748	1Jw66Oq4.exe	AppLaunch.exe
PID 1456 wrote to memory of 1420	1456	Gm7Ih8Fp.exe	2xW389rQ.exe
PID 1456 wrote to memory of 1420	1456	Gm7Ih8Fp.exe	2xW389rQ.exe
PID 1456 wrote to memory of 1420	1456	Gm7Ih8Fp.exe	2xW389rQ.exe

C:\Users\Admin\AppData\Local\Temp\775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe
"C:\Users\Admin\AppData\Local\Temp\775b7a04793f8621742cc362f51bef7b4d75b10169fa3493b7c9f713d38fa73d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 580
6⤵
- Program crash
PID:3816

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe
5⤵
- Executes dropped EXE
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2748 -ip 2748
1⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YN6ZE6SU.exe
Filesize
921KB

MD5
4b10ff31caa8c8740c7da578b790bc71

SHA1
d37378d119b76396b8e6d3eeb0904117e2a0aa73

SHA256
0d07e67057866c842a1f16e6d8cdd7673cdc0d7993dcf2546c220592f10a38e9

SHA512
a396aa2fb105bb35b64362283b4f1a7268dcbd1a9a56c07809c821d5e704015cc18fad43381f5f652b0c5a2e8c1ed0866374b978de6ea0271028f09b507bda68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf3YE1mZ.exe
Filesize
632KB

MD5
105971c816c28b2cd63f455d2951db4a

SHA1
801ebe9c89f3ba2ed8f378cdc73d266b6f8d66ed

SHA256
b05b8d41f42fa94dc9ec9902e15c86ef4b82d5f5b08830717f3a9d9d5d61146f

SHA512
e22b7848f89cb3b5fd2e954904093b4cda3d4a6904529e5aacb6bb9f3489695147d682a6371fb7cfc619514c5035f390f913e0215a2a2856dd0589cf6a49ad28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gm7Ih8Fp.exe
Filesize
436KB

MD5
5822ab4797e28a49bc2e0b6d7ecf8a0d

SHA1
aa41ea9a5644c59922657b79f93bc5a19852718a

SHA256
66026ff373fdd938d3aac4ebcb6360b4432233b15e17fba625f8da4d04b7c7e3

SHA512
ea3056a488cbe852e600c4ac7f0e8dcb420b9df94e1261a8b06ff8b3ec60846f2988488c2183607000747a7f6e7c3ebad6531e1ad89df9f1ea540c087391bcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Jw66Oq4.exe
Filesize
407KB

MD5
91ed0d51510f7e9f975493dd5cf1bb19

SHA1
16b4bdc9c6cd0fe944bfcfffea8755973cad7491

SHA256
7b847348a350fd8560edaeff4e917e14ae5855f6c705c0d067477922a78f28c7

SHA512
dd50d6d44d551b09359088480ac7e73bc4c1a3c9732a5858379c38180759fb7245e1ddeca27ecee5d49331867f6948b5189e2cdac9a94167c6f97289558f6ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2xW389rQ.exe
Filesize
221KB

MD5
bd98d090052a88e49c39a351ebeae0ca

SHA1
1b01fffe7725fdd4bdafc454d3260fbd28c7ce10

SHA256
8d375f9cfe8994b74a4b6ed46602762f3676e678a76243b32c9487e319b65760

SHA512
3a66fb3f37e5b51963e0ee96f0848cf90328e42ea0af50dbad0cbb281263cb2b91356e713c29f4e228e0a7babc1a3bd15822eba9ba3b26329dc1d204884f2dd0

Download Submit
memory/1420-39-0x0000000008650000-0x0000000008C68000-memory.dmp

Filesize
6.1MB

Download
memory/1420-35-0x00000000006A0000-0x00000000006DE000-memory.dmp

Filesize
248KB

Download
memory/1420-36-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/1420-37-0x00000000074D0000-0x0000000007562000-memory.dmp

Filesize
584KB

Download
memory/1420-38-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/1420-40-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-41-0x0000000007570000-0x0000000007582000-memory.dmp

Filesize
72KB

Download
memory/1420-42-0x00000000075D0000-0x000000000760C000-memory.dmp

Filesize
240KB

Download
memory/1420-43-0x0000000007750000-0x000000000779C000-memory.dmp

Filesize
304KB

Download
memory/4112-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4112-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download