mystic | 35fa914c6357cde578322016bb343396ee5cbe965e37dbbc27e58563c27f3d00

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe
Size

383KB
MD5

a4bd7b390a1aea0ac6b619a180b54da8
SHA1

786b0029683758fb7e1636aa8cbf4e7ec450743e
SHA256

4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae
SHA512

e4b7500520e95111526b6065e075909e3035b6aeb8eab38d7cabdbfc367e909e8d7c37f58c279d8851e350fb54c4e4a735580fc28eade915cf767a35db09c8fa
SSDEEP

6144:Kdy+bnr+Np0yN90QE6s8RLa+Uu+jhvDNmW+G1YqK9Fe9VJRspU58kMTi1tKCCBJ:jMrVy90os8RlUu+jhvZmpGaqIQC655P+

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral5/memory/1192-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1192-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1192-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1192-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2UV178uW.exe	family_redline
behavioral5/memory/4120-16-0x00000000006B0000-0x00000000006EE000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1uV01Oc1.exe2UV178uW.exe

pid process

1444 1uV01Oc1.exe
4120 2UV178uW.exe

pid	process
1444	1uV01Oc1.exe
4120	2UV178uW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1uV01Oc1.exe

description pid process target process

PID 1444 set thread context of 1192 1444 1uV01Oc1.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4488 1192 WerFault.exe AppLaunch.exe
2044 1444 WerFault.exe 1uV01Oc1.exe

description	pid	process	target process
PID 1444 set thread context of 1192	1444	1uV01Oc1.exe	AppLaunch.exe

pid	pid_target	process	target process
4488	1192	WerFault.exe	AppLaunch.exe
2044	1444	WerFault.exe	1uV01Oc1.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe1uV01Oc1.exe

description	pid	process	target process
PID 4464 wrote to memory of 1444	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	1uV01Oc1.exe
PID 4464 wrote to memory of 1444	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	1uV01Oc1.exe
PID 4464 wrote to memory of 1444	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	1uV01Oc1.exe
PID 1444 wrote to memory of 1936	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1936	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1936	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 1444 wrote to memory of 1192	1444	1uV01Oc1.exe	AppLaunch.exe
PID 4464 wrote to memory of 4120	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	2UV178uW.exe
PID 4464 wrote to memory of 4120	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	2UV178uW.exe
PID 4464 wrote to memory of 4120	4464	4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe	2UV178uW.exe

C:\Users\Admin\AppData\Local\Temp\4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe
"C:\Users\Admin\AppData\Local\Temp\4bd974094233a10e7da32c9aadcee1df6ea2adcf713f0732f2dd1d84d4252fae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uV01Oc1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uV01Oc1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 552
4⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 604
3⤵
- Program crash
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2UV178uW.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2UV178uW.exe
2⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1192 -ip 1192
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1444 -ip 1444
1⤵
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1uV01Oc1.exe
Filesize
295KB

MD5
6b4c00bae3d4eaeb64f31cb61fab1318

SHA1
59ae12cf1138091156014fca5c09db5ce098f2e7

SHA256
f4aece32ea5ddf8c8e0387e67d53abf0342ddf4df0ad0cc18778b786a4179222

SHA512
17f3d79b509d02f9ae113d4e143741598ab174967b5e777a702226924bb22026422222c196e9befe88414101cae6c90fec4a021f9ffcdc866507cdaea642027c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2UV178uW.exe
Filesize
222KB

MD5
00c88dafb810e890a0b0007c7e9301ad

SHA1
a8efaa16da1bc74cbb1a80bc1c4712c260e3452b

SHA256
4be22d6b7385b77f07d742c9a10e5885df84d9cad370b5b5e99b9cb7781ea48e

SHA512
54d8bfd5c8613aac6c26e81f758975068832de88368a787259184ff91f906483d32c7d32081650db6293ace0c66b920a3c57cd37f6e2f29ce779e719663d46cf

Download Submit
memory/1192-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1192-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1192-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1192-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4120-17-0x0000000007950000-0x0000000007EF4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-16-0x00000000006B0000-0x00000000006EE000-memory.dmp

Filesize
248KB

Download
memory/4120-15-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4120-18-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/4120-19-0x0000000002910000-0x000000000291A000-memory.dmp

Filesize
40KB

Download
memory/4120-20-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download
memory/4120-21-0x0000000008520000-0x0000000008B38000-memory.dmp

Filesize
6.1MB

Download
memory/4120-23-0x0000000007560000-0x0000000007572000-memory.dmp

Filesize
72KB

Download
memory/4120-22-0x0000000007F00000-0x000000000800A000-memory.dmp

Filesize
1.0MB

Download
memory/4120-24-0x00000000075E0000-0x000000000761C000-memory.dmp

Filesize
240KB

Download
memory/4120-25-0x0000000007750000-0x000000000779C000-memory.dmp

Filesize
304KB

Download
memory/4120-26-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

Filesize
4KB

Download
memory/4120-27-0x0000000074B60000-0x0000000075310000-memory.dmp

Filesize
7.7MB

Download