mystic | 02cacf524527064e447c85bef406a6e5125d06b69bd35e10a813bf4a5659b985

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe
Size

1.5MB
MD5

a40e62a544268214b09a8bafb68847b3
SHA1

9f388d46aed84dde179dc1e7c037d4a2a2cfadd4
SHA256

1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f
SHA512

11a2ca05e5b202af547b8ff9960346100477e9fac8089ab467edde417b0f8c2b2ce3c5234118f1e34cc6d3abbd32a19513430505767118b1c2ef7daed5694741
SSDEEP

24576:SyF/ldc9xGt1TuqHUtf/bo1JtIANdz3esqRTqzred7WEB2w6FR26Ph4e3lu:5Fj/tsqmM1J9zeGzrg7WaoFR265

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/3308-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/3308-40-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral3/memory/3308-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023442-38.dat	family_redline
behavioral3/memory/1492-42-0x0000000000170000-0x00000000001AE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4496	tH2co1FC.exe
1012	CN9MA4tK.exe
5092	gB5gp0XT.exe
888	vx5sP5GW.exe
4064	1OM15jR1.exe
1492	2jy244Sd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	CN9MA4tK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	gB5gp0XT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	vx5sP5GW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tH2co1FC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4064 set thread context of 3308	4064	1OM15jR1.exe	98

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 4496	388	1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe	83
PID 388 wrote to memory of 4496	388	1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe	83
PID 388 wrote to memory of 4496	388	1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe	83
PID 4496 wrote to memory of 1012	4496	tH2co1FC.exe	84
PID 4496 wrote to memory of 1012	4496	tH2co1FC.exe	84
PID 4496 wrote to memory of 1012	4496	tH2co1FC.exe	84
PID 1012 wrote to memory of 5092	1012	CN9MA4tK.exe	86
PID 1012 wrote to memory of 5092	1012	CN9MA4tK.exe	86
PID 1012 wrote to memory of 5092	1012	CN9MA4tK.exe	86
PID 5092 wrote to memory of 888	5092	gB5gp0XT.exe	87
PID 5092 wrote to memory of 888	5092	gB5gp0XT.exe	87
PID 5092 wrote to memory of 888	5092	gB5gp0XT.exe	87
PID 888 wrote to memory of 4064	888	vx5sP5GW.exe	89
PID 888 wrote to memory of 4064	888	vx5sP5GW.exe	89
PID 888 wrote to memory of 4064	888	vx5sP5GW.exe	89
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 4064 wrote to memory of 3308	4064	1OM15jR1.exe	98
PID 888 wrote to memory of 1492	888	vx5sP5GW.exe	99
PID 888 wrote to memory of 1492	888	vx5sP5GW.exe	99
PID 888 wrote to memory of 1492	888	vx5sP5GW.exe	99

C:\Users\Admin\AppData\Local\Temp\1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe
"C:\Users\Admin\AppData\Local\Temp\1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tH2co1FC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tH2co1FC.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CN9MA4tK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CN9MA4tK.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB5gp0XT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB5gp0XT.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vx5sP5GW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vx5sP5GW.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OM15jR1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OM15jR1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3308
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jy244Sd.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jy244Sd.exe
        6⤵
        Executes dropped EXE
        
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tH2co1FC.exe

Filesize
1.4MB

MD5
3e1886ccac2d4113b93e4cf4c58834cb

SHA1
8b3516752108e59adfb044f43ce8eb915283b20d

SHA256
62a388882d2b95dc3153e29963338659fda3ab661c9bd305260e835160bbbb59

SHA512
28dc65ef383c5da6a449f58912788381203804ecb691a4cd34c9ea6e4d88a16ceb077e98641580df7e6884546d9e7632886e42ae2b273514240aaa0b7161ca38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\CN9MA4tK.exe

Filesize
1.2MB

MD5
c85b5db057b1b1ac57693980710d0db1

SHA1
8d147ac154ee46277f40ec5a7591a627f715ae6b

SHA256
7f904eb337a3a5b5694a4aa1854ded3c5c733903478d8e2ca3e66607b29c8ce7

SHA512
9facb9380bc68641faa2c37ee6195976dc8d6c843f05796e7b2540f3a5d2803b1e9bf24e480e4095d940d829552872c3e7c6ce3f6f0fe5b9e6551dad685e5b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gB5gp0XT.exe

Filesize
776KB

MD5
17efd1bf08c7cbc19e4cbdf91b5cfbf6

SHA1
95badcbd7e8ddd197bda53b0eeb5f24586220c97

SHA256
95c5eb4fce4722e11b45e6fbe35059c47122cc7021750804a7190e3b727bd4bf

SHA512
520aba90ea531358ce87951f6059f116d211502f57d1e805b70c516d32e35b7724f854ff92a4e76e6015e4065dcf721b93c60116a6cecdae7ce87916b37f6f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vx5sP5GW.exe

Filesize
580KB

MD5
640ff896179f008597c934d9ef9e47a8

SHA1
37c2a00972333d2968e2c51062872075b5cac035

SHA256
776c2fe4aa118604bd47b501879f31be90bffa1f1c2d76f32571b5bac0ec9582

SHA512
0b7cf76c59f33d48a376ed4336932439055ae8883aae83c4d6e7f8967dc3aa290c2e09cf56903cc38c193d056ada1105a580480d8c8e77d34e9ea88631f3073e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1OM15jR1.exe

Filesize
1.1MB

MD5
a1c1c44e837edbc2d55d33ba9620a109

SHA1
0ba4e08d7b6f17f968d1f7cad75d0a3885bae998

SHA256
4160c00350706d7630b0a8bfb47722e7ec956858ab07d5adc9345e37ccb751e5

SHA512
75267e9d0652e006107506457c5253fe701149888ad977d95f52d215410b18e3b145c8779ae389b718f090c5aa41d614e45deb38a96852a07a299a5b075c02bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2jy244Sd.exe

Filesize
222KB

MD5
44a99e0fba58e49e0fb25112331a5449

SHA1
29050a61669a2ab02a509b3f5742e831f33d1aeb

SHA256
14575b62c3dcf93f029f241d4ff0b9ee2fad78f21e604cf9ce7a34b99ad9143e

SHA512
72a4c2c6e8e9aa0cef08ea61c1e3af79f5cb296673ceafd73b602e8d4ec473c099b7b53666b3487b1e6da5b46e8ca8413d42d363554f7a3efd098732976c8df5

Download Submit
memory/1492-42-0x0000000000170000-0x00000000001AE000-memory.dmp

Filesize
248KB

Download
memory/1492-43-0x00000000074C0000-0x0000000007A64000-memory.dmp

Filesize
5.6MB

Download
memory/1492-44-0x0000000006FB0000-0x0000000007042000-memory.dmp

Filesize
584KB

Download
memory/1492-45-0x00000000023A0000-0x00000000023AA000-memory.dmp

Filesize
40KB

Download
memory/1492-46-0x0000000008090000-0x00000000086A8000-memory.dmp

Filesize
6.1MB

Download
memory/1492-47-0x0000000007A70000-0x0000000007B7A000-memory.dmp

Filesize
1.0MB

Download
memory/1492-48-0x0000000007070000-0x0000000007082000-memory.dmp

Filesize
72KB

Download
memory/1492-49-0x00000000070D0000-0x000000000710C000-memory.dmp

Filesize
240KB

Download
memory/1492-50-0x0000000007230000-0x000000000727C000-memory.dmp

Filesize
304KB

Download
memory/3308-40-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3308-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads