mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
145s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe
Size

578KB
MD5

e839203e1658c8119fb1e3aa12bdcb83
SHA1

16f93463c445b1059c954ef2f756393eba6d91a3
SHA256

75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707
SHA512

80c1c67114e162187daa55d8d750e6d1f968ebf1df49e15e251ebcc3ceca84341ab049dd185fa243cfe3843c22b5e9138560477eaaf930e944fe6386bab864e8
SSDEEP

12288:7MrBy90CRVUaLCHFbwEyZft7zaU+RohaPvFab/Oheyg7oPfmKfe:iyHRVUCCHChZF7zaU+RohdOtmge

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral13/memory/1768-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1768-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1768-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1768-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral13/files/0x000700000002328a-20.dat	family_redline
behavioral13/memory/1204-22-0x00000000000E0000-0x000000000011E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
1168	dN9LV4wq.exe
4088	1Ww44Xj4.exe
1204	2QG702Xi.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dN9LV4wq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4088 set thread context of 1768	4088	1Ww44Xj4.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4756	4088	WerFault.exe	92
4324	1768	WerFault.exe	94

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1168	4504	75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe	91
PID 4504 wrote to memory of 1168	4504	75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe	91
PID 4504 wrote to memory of 1168	4504	75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe	91
PID 1168 wrote to memory of 4088	1168	dN9LV4wq.exe	92
PID 1168 wrote to memory of 4088	1168	dN9LV4wq.exe	92
PID 1168 wrote to memory of 4088	1168	dN9LV4wq.exe	92
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 4088 wrote to memory of 1768	4088	1Ww44Xj4.exe	94
PID 1168 wrote to memory of 1204	1168	dN9LV4wq.exe	100
PID 1168 wrote to memory of 1204	1168	dN9LV4wq.exe	100
PID 1168 wrote to memory of 1204	1168	dN9LV4wq.exe	100

C:\Users\Admin\AppData\Local\Temp\75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe
"C:\Users\Admin\AppData\Local\Temp\75b625c13b24d7458adfc514723864292401468613eaedafdba252e90b3f5707.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN9LV4wq.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN9LV4wq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ww44Xj4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ww44Xj4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 540
        5⤵
        Program crash
        
        PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 140
      4⤵
      Program crash
      PID:4756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QG702Xi.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QG702Xi.exe
    3⤵
    - Executes dropped EXE
    PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1768 -ip 1768
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4088 -ip 4088
1⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dN9LV4wq.exe

Filesize
382KB

MD5
67f3e29bd0364750743343d2d670a93a

SHA1
355cb7eb1c1aa6cda8bad693c2dac5126bbc2dfc

SHA256
f69dfb20bfb3d64d95b96593edd37c49c3384d127396bc654f428c12f0f89238

SHA512
e0ba1632a976fe38b59d10f2547c8279533b404ca78b3a6c17e0c19fc3e78cdaefec8b53c17732895ffa33d41d69acc2225a12d4dada411f7ec195d8eaa9fa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Ww44Xj4.exe

Filesize
295KB

MD5
0afca7bb766cd8d219bb6eaf5ba77238

SHA1
430aba24200f4b56972fc2fe7653b45b3e3d1fe5

SHA256
9e03de3eb086614cc8aa06affcf92f20930d31a9196949d6b408aeb50eb2a7f4

SHA512
6ce2c449d78ab1ffb548de1e61070c871337e0aa88152f565dad127cd5f043678f778e35c862639cf78ee9db66053597100d647fcb92be4a180111ece6e24e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2QG702Xi.exe

Filesize
222KB

MD5
cfec74afdf86a8872e20deca623594b0

SHA1
7647706a1322fc8d8cf0bbbd8b13f06ca7eabd9c

SHA256
e7479c9acc72a6429106aeac85b8effbb91d4ee43671f4c191a440557ed8cae7

SHA512
180a2bbf0ed7d8a42cea851b2f32f09153813d8ea22d054991732a32546a03788d7eb417f44563719cda9c8e7ded1bea9fc6fe7ed8e3de4a6a83071cefe9b404

Download Submit
memory/1204-27-0x0000000007210000-0x000000000731A000-memory.dmp

Filesize
1.0MB

Download
memory/1204-22-0x00000000000E0000-0x000000000011E000-memory.dmp

Filesize
248KB

Download
memory/1204-23-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/1204-24-0x0000000006EE0000-0x0000000006F72000-memory.dmp

Filesize
584KB

Download
memory/1204-25-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/1204-26-0x0000000007FC0000-0x00000000085D8000-memory.dmp

Filesize
6.1MB

Download
memory/1204-28-0x0000000007140000-0x0000000007152000-memory.dmp

Filesize
72KB

Download
memory/1204-29-0x00000000071A0000-0x00000000071DC000-memory.dmp

Filesize
240KB

Download
memory/1204-30-0x0000000007320000-0x000000000736C000-memory.dmp

Filesize
304KB

Download
memory/1768-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1768-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1768-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1768-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads