mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe
Size

1.1MB
MD5

257b7a3fbfab4302100f94e1b7cf3582
SHA1

e3fcf617c24c32d802c5a25f102ce12e7c9d57a8
SHA256

a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5
SHA512

0e603c7584bfcf8ef6c9b91b6dea7bb1d905e4ff4f8f43cadea9c17f6a4132e5acb41b8953d87e440409c1d92367512596c71b4a93658e1c36ee16b137cb9659
SSDEEP

24576:tyw0R9Gr2IlzEM7WeQPUu0Adk3jZQ63S5HTGsITFVsu0Urt7rxpl:Iw89GaItZQcAy3jW6C5HTGsYVBrt/xp

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral10/memory/2084-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral10/memory/2084-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral10/memory/2084-37-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x00070000000233f8-40.dat	family_redline
behavioral10/memory/1020-42-0x0000000000960000-0x000000000099E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3320	pr7kv0ri.exe
5048	zA7Ft2oS.exe
768	pU5TJ8Ki.exe
1612	Aj9xk6GW.exe
5004	1fe14Tp5.exe
1020	2aQ772fp.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pr7kv0ri.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zA7Ft2oS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	pU5TJ8Ki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Aj9xk6GW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 2084	5004	1fe14Tp5.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4680	5004	WerFault.exe	87

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 3320	4140	a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe	82
PID 4140 wrote to memory of 3320	4140	a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe	82
PID 4140 wrote to memory of 3320	4140	a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe	82
PID 3320 wrote to memory of 5048	3320	pr7kv0ri.exe	83
PID 3320 wrote to memory of 5048	3320	pr7kv0ri.exe	83
PID 3320 wrote to memory of 5048	3320	pr7kv0ri.exe	83
PID 5048 wrote to memory of 768	5048	zA7Ft2oS.exe	84
PID 5048 wrote to memory of 768	5048	zA7Ft2oS.exe	84
PID 5048 wrote to memory of 768	5048	zA7Ft2oS.exe	84
PID 768 wrote to memory of 1612	768	pU5TJ8Ki.exe	86
PID 768 wrote to memory of 1612	768	pU5TJ8Ki.exe	86
PID 768 wrote to memory of 1612	768	pU5TJ8Ki.exe	86
PID 1612 wrote to memory of 5004	1612	Aj9xk6GW.exe	87
PID 1612 wrote to memory of 5004	1612	Aj9xk6GW.exe	87
PID 1612 wrote to memory of 5004	1612	Aj9xk6GW.exe	87
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 5004 wrote to memory of 2084	5004	1fe14Tp5.exe	90
PID 1612 wrote to memory of 1020	1612	Aj9xk6GW.exe	95
PID 1612 wrote to memory of 1020	1612	Aj9xk6GW.exe	95
PID 1612 wrote to memory of 1020	1612	Aj9xk6GW.exe	95

C:\Users\Admin\AppData\Local\Temp\a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe
"C:\Users\Admin\AppData\Local\Temp\a14a0df7d62e3ee59ef076859a5922aba2949e201ebcaa2313a20715aad1fab5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr7kv0ri.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr7kv0ri.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zA7Ft2oS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zA7Ft2oS.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU5TJ8Ki.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU5TJ8Ki.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aj9xk6GW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aj9xk6GW.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fe14Tp5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fe14Tp5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 160
        7⤵
        Program crash
        
        PID:4680
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aQ772fp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aQ772fp.exe
        6⤵
        Executes dropped EXE
        
        PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5004 -ip 5004
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr7kv0ri.exe

Filesize
1004KB

MD5
fd68846290ad57230c819e6b98e8ee1a

SHA1
f8303bfa0a0fd338923c645e3e77b0d8d0ee43b4

SHA256
593a162eec890738e32ef1ddbd43adaaef5da00ba8daf4f7214bf4c52ce42772

SHA512
0a0653e10d71958702c172328c121f38ad2e3ef2114f330039336247b272e4eabfb5deca7536814655a2e8ad11233cd978f9e9d965442764bf7baf6f0a4f9e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zA7Ft2oS.exe

Filesize
815KB

MD5
b0f4b8791cb8a771119cc924d81a080c

SHA1
8db6d49d085b12e158c3ae65d16d7dd2978cf66e

SHA256
50c1034b63a5a8d7d052d1bfaefd6e3cbcb6c119ad88a038c20a863ad38aca22

SHA512
748a9b326225fbb2f9621238f23da5dfdfd4cf45af1a36c85e9a11745dd74471e6ae7e71d92c2014aa128c0b137a8db68dc762f3217f5299303adf038d742429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pU5TJ8Ki.exe

Filesize
582KB

MD5
24f9e25f5918b26e437e4b4120dfa2eb

SHA1
2436460a980290fc57124654e125072437991c52

SHA256
66f85b9a2ca15323e5e0b9ddd49f1120b0220db0fe811218332070529b67867d

SHA512
1102ae75fab3b07b09be80e01d1694e51e6d83c67e63da684eceb5209e33767c40fc225fa83e500ae4297e1356a27dce96a8360a516a1ef15bdeb48831e0f655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Aj9xk6GW.exe

Filesize
382KB

MD5
d6b8fcdb08e7992a0f4bf4b8d7940f47

SHA1
f4ff15bd570535a695bd72e118c22ccefb96cbe8

SHA256
e79e94ac640e6decb968fb1faf61de593741b813bdc886607d88420b461a1b8a

SHA512
3194e532862632089823a2d8db6c3960b232bc7f599c2b117e81ac9f8cf5fd02bb8143bff3d0f43c9a74ba392222615d3d7e146ea8484df90276b0881afaf704

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fe14Tp5.exe

Filesize
295KB

MD5
42700092210bb208b2db58f68e9ea01b

SHA1
7446f078dc4157faf55d41f40e1111a37e30c3fa

SHA256
d8a393e19273486cc2f54bab3051c97dd77b616136eccbccb8f804fc5f1d3194

SHA512
f0ed50c0db48be84d0c01c13c18a951185198fb68d33d43d1e8a3ad2a552fbfee404e1f8fa24f11efd6aa57391b12c05b837e9a4f2637f31b2c01a1879bc4384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2aQ772fp.exe

Filesize
222KB

MD5
82b2aef22e591b7a52d3bb32fde0b544

SHA1
1d2934b654d8bd1e8ad58f103a096892cf7d720d

SHA256
843b163433ff0a884d0077155f1df36e8f04c529917845f2f2bb3fdbb840dcd5

SHA512
fad1355b1f8ee4fdeae41f4a415085e80121700a74fe46376c37944cf5ce8723ae9044630c55b0939c98c234b3d7ebb086aaeda57157aef686eaa353656c445d

Download Submit
memory/1020-42-0x0000000000960000-0x000000000099E000-memory.dmp

Filesize
248KB

Download
memory/1020-43-0x0000000007BC0000-0x0000000008164000-memory.dmp

Filesize
5.6MB

Download
memory/1020-44-0x00000000076F0000-0x0000000007782000-memory.dmp

Filesize
584KB

Download
memory/1020-45-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/1020-46-0x0000000008790000-0x0000000008DA8000-memory.dmp

Filesize
6.1MB

Download
memory/1020-47-0x0000000008170000-0x000000000827A000-memory.dmp

Filesize
1.0MB

Download
memory/1020-48-0x0000000007910000-0x0000000007922000-memory.dmp

Filesize
72KB

Download
memory/1020-49-0x0000000007970000-0x00000000079AC000-memory.dmp

Filesize
240KB

Download
memory/1020-50-0x00000000079F0000-0x0000000007A3C000-memory.dmp

Filesize
304KB

Download
memory/2084-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-37-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2084-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads