mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe
Size

1.1MB
MD5

08bd73921a30f3e8b3a83ccd0c7f1902
SHA1

17256e6dbf837b38b5935b1e006223fe779e0eb1
SHA256

85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9
SHA512

db843555bf73dc1e1c822f1226ba0db5093845ca7a6d8a1f2dac61364540f332417fdd9d90d5530ec8aa2f8439e004ac1bc3868e64f01b87fd4c0124c088ca21
SSDEEP

24576:AyWuMnYwIGk/9hIEIeoGc3nvlRdmtEkrTsHr7:HGZIpz5IeoT3ndmqOC

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral5/memory/4148-35-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/4148-36-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/4148-38-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x0007000000023465-40.dat	family_redline
behavioral5/memory/1732-42-0x0000000000830000-0x000000000086E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4064	lb8Gn7Ui.exe
744	QL4St2tl.exe
32	ll7jH0qR.exe
4144	OD6QG7mQ.exe
3728	1ny97lK3.exe
1732	2Pq282CM.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lb8Gn7Ui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	QL4St2tl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ll7jH0qR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	OD6QG7mQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3728 set thread context of 4148	3728	1ny97lK3.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
60	3728	WerFault.exe	88

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4064	404	85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe	83
PID 404 wrote to memory of 4064	404	85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe	83
PID 404 wrote to memory of 4064	404	85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe	83
PID 4064 wrote to memory of 744	4064	lb8Gn7Ui.exe	84
PID 4064 wrote to memory of 744	4064	lb8Gn7Ui.exe	84
PID 4064 wrote to memory of 744	4064	lb8Gn7Ui.exe	84
PID 744 wrote to memory of 32	744	QL4St2tl.exe	85
PID 744 wrote to memory of 32	744	QL4St2tl.exe	85
PID 744 wrote to memory of 32	744	QL4St2tl.exe	85
PID 32 wrote to memory of 4144	32	ll7jH0qR.exe	86
PID 32 wrote to memory of 4144	32	ll7jH0qR.exe	86
PID 32 wrote to memory of 4144	32	ll7jH0qR.exe	86
PID 4144 wrote to memory of 3728	4144	OD6QG7mQ.exe	88
PID 4144 wrote to memory of 3728	4144	OD6QG7mQ.exe	88
PID 4144 wrote to memory of 3728	4144	OD6QG7mQ.exe	88
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 3728 wrote to memory of 4148	3728	1ny97lK3.exe	91
PID 4144 wrote to memory of 1732	4144	OD6QG7mQ.exe	96
PID 4144 wrote to memory of 1732	4144	OD6QG7mQ.exe	96
PID 4144 wrote to memory of 1732	4144	OD6QG7mQ.exe	96

C:\Users\Admin\AppData\Local\Temp\85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe
"C:\Users\Admin\AppData\Local\Temp\85d15c923467e5894a2f36bf8563a0591dc6653d4ebd713eac8de5f3a57655a9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lb8Gn7Ui.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lb8Gn7Ui.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QL4St2tl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QL4St2tl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ll7jH0qR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ll7jH0qR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD6QG7mQ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD6QG7mQ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ny97lK3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ny97lK3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 604
        7⤵
        Program crash
        
        PID:60
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pq282CM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pq282CM.exe
        6⤵
        Executes dropped EXE
        
        PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3728 -ip 3728
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lb8Gn7Ui.exe

Filesize
1001KB

MD5
b58b2331899a1aaebb53df9a7d7a7f5e

SHA1
6163219c6f68c6d2fb149f9d6a7487efd62f1dac

SHA256
e8ce26e8bc2b09d06925d206ef5cf0f3f65eec27791b44d91fea98b6595672ce

SHA512
98cc507e77158a93e89632a1bfe96d1b37e30c0f0a60093c30aa2679418a960b641ddd30ceafb41b1b14b8cb708a3ef153b67235b02c6efa4961e0451fddd180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\QL4St2tl.exe

Filesize
811KB

MD5
c4fc2f7865f6d13a9b075a33addca626

SHA1
460e60ad3e06d3a611187bc724f1922f7ed87ada

SHA256
5a1ac8c0e631ffdd0582ef3c6e2b45496e8d8d1f5d57df8605a1aa48ac8c0e0a

SHA512
712944b003f02f4e6126d389de3e8248e382d9934901246624dc57cd07145e794717423a651b38f405d7bc7e89791c2478591ea47d46cb4ed5f04acda694ca41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ll7jH0qR.exe

Filesize
577KB

MD5
f4984ec0d94c54c0a01694ff18433385

SHA1
2b0261070bf41247b2c34ff62bfa6d2f760ee074

SHA256
9929490e98b37bcfdc9b95274456a77b31e78b2fc54361791dbe58a798e032c7

SHA512
eb39a97a0489b33fa6abf2be64da911df13bcb5be7598124e96f083cc5b5da31471e4b5abe3335c02b90cbb9a04e0298a8529e6aac0823723dd6d886106f43f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD6QG7mQ.exe

Filesize
381KB

MD5
15b68d196aa9bde5d1dfbce6409e5c10

SHA1
3ce2a2ac0e2ff6418d4ffd7154cfd6e0a17cb41b

SHA256
d7572c4debe37f9ca6787d6a01a002f8b30b34bf56e88d5447bf4caeddce9db6

SHA512
23090638bf9b1f6ece3fa60540f39e37361c51069ee4c2126c95513fbf005c61a60b8cdff7e3fb18026d19d66f0083057440fb980d652b4633ef9fd61709ed7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ny97lK3.exe

Filesize
295KB

MD5
75fb72b43bae090fba86c919306ed8a6

SHA1
5ac54ec075a3b19c5d43393769f7537ceaae4d29

SHA256
1dec280faa2c7289980c8c0861eef8a690237a0023d5c5cf5c15c2d7f6f07e27

SHA512
b6066574eaa25cec492658c59c9ab8e78312359b717b63b7d78ba5adada2d8a28c21eee6e8d454732de2e43b1e0b7227d539eab68c5b43e54f7b69f81056c194

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pq282CM.exe

Filesize
222KB

MD5
7b97c0172bfe30d299e918a1ee7a8547

SHA1
a949784995596fbbfeded9a18ccb9aca3be5ac74

SHA256
535679a2c9ac21c4bb570d64d1823dac88e78a374e03882e8ba8983257038a65

SHA512
3d5e7be11d417be9c97854106dda3a5dc82a1d6a6d5b476a233f4e7afca02a1dd78b472a3d2512d225a15f38c8ba1ebb3f78fc248245c9f2c0f847635699f770

Download Submit
memory/1732-42-0x0000000000830000-0x000000000086E000-memory.dmp

Filesize
248KB

Download
memory/1732-43-0x0000000007C10000-0x00000000081B4000-memory.dmp

Filesize
5.6MB

Download
memory/1732-44-0x0000000007740000-0x00000000077D2000-memory.dmp

Filesize
584KB

Download
memory/1732-45-0x0000000004D00000-0x0000000004D0A000-memory.dmp

Filesize
40KB

Download
memory/1732-46-0x00000000087E0000-0x0000000008DF8000-memory.dmp

Filesize
6.1MB

Download
memory/1732-47-0x0000000007A00000-0x0000000007B0A000-memory.dmp

Filesize
1.0MB

Download
memory/1732-48-0x0000000007930000-0x0000000007942000-memory.dmp

Filesize
72KB

Download
memory/1732-49-0x0000000007990000-0x00000000079CC000-memory.dmp

Filesize
240KB

Download
memory/1732-50-0x0000000007B10000-0x0000000007B5C000-memory.dmp

Filesize
304KB

Download
memory/4148-36-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4148-38-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4148-35-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads