mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe
Size

819KB
MD5

87669b0b3386f233e60d07ec9d7a4076
SHA1

7a5f0671f950acc0140ce7403151f659a3079926
SHA256

4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4
SHA512

db587a5b1e30be1abb0f4cd35c8e15766371a0fada39e610588bb7f96fd237b58344af6c0af0387b032fc3bc1830eeddb8bc4b222e7793ce4ada776f541e6da9
SSDEEP

12288:SMruy90Vnypgv7Q5k9VIcYRzL+dEC8lufg0WQFwm7zY+sOR2M2/SLSgxGwmCtp7o:IyBl1V56b8lsvFwm3zsOZgeLp/k

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral5/memory/1340-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1340-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1340-23-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/1340-25-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x00070000000234a7-27.dat	family_redline
behavioral5/memory/3344-29-0x0000000000EA0000-0x0000000000EDE000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2436	iP1Wz6sd.exe
1348	Zn7iE5oc.exe
2960	1aN93vh2.exe
3344	2GA595ks.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iP1Wz6sd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Zn7iE5oc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 1340	2960	1aN93vh2.exe	100

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2776	2960	WerFault.exe	85

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2436	1460	4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe	83
PID 1460 wrote to memory of 2436	1460	4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe	83
PID 1460 wrote to memory of 2436	1460	4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe	83
PID 2436 wrote to memory of 1348	2436	iP1Wz6sd.exe	84
PID 2436 wrote to memory of 1348	2436	iP1Wz6sd.exe	84
PID 2436 wrote to memory of 1348	2436	iP1Wz6sd.exe	84
PID 1348 wrote to memory of 2960	1348	Zn7iE5oc.exe	85
PID 1348 wrote to memory of 2960	1348	Zn7iE5oc.exe	85
PID 1348 wrote to memory of 2960	1348	Zn7iE5oc.exe	85
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 2960 wrote to memory of 1340	2960	1aN93vh2.exe	100
PID 1348 wrote to memory of 3344	1348	Zn7iE5oc.exe	104
PID 1348 wrote to memory of 3344	1348	Zn7iE5oc.exe	104
PID 1348 wrote to memory of 3344	1348	Zn7iE5oc.exe	104

C:\Users\Admin\AppData\Local\Temp\4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe
"C:\Users\Admin\AppData\Local\Temp\4c05a0a402e12dd4248772fa3577f38e1fc9b8b060c219cf8a4890bfce5439f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP1Wz6sd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP1Wz6sd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zn7iE5oc.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zn7iE5oc.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aN93vh2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aN93vh2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 580
        5⤵
        Program crash
        
        PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GA595ks.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GA595ks.exe
      4⤵
      Executes dropped EXE
      PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2960 -ip 2960
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iP1Wz6sd.exe

Filesize
584KB

MD5
13016496629207e4ec19d7af08d2046f

SHA1
f25497b0e025d0ce806e7a403a02bd59dd3ab27f

SHA256
bf0089a4adfb0b9ecd0bbba99935f6221cbe578785e83d8f04118d06be0a3260

SHA512
bd9cf9eee9a81cf00699f10bde5df112ace8e059e9faf865c34da4b95246af40169ab01883c815a8bd523d50937f0d19974e9b569842e08cb2e3274f47fc02f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Zn7iE5oc.exe

Filesize
383KB

MD5
bb067f6a86dbd9850a5b57d694821a67

SHA1
e28b774444399918ff1b650599a3ddbd2da4c469

SHA256
c12bd9188f812707847a9863d14a8f485543e0c0b5d6c7be6dc8d731385fb9e2

SHA512
0cebf9bfcc2fe4639228105f592da9b3710c253b3a50e14dc542602259928f6f14625a646246d6db374542a7cf5d57f1cb493646ccc409f8ce52ded857180262

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aN93vh2.exe

Filesize
298KB

MD5
4e336bd5c591ab1c18cf0e54f2ab761e

SHA1
ca9368e2aa92f8d85338e194cd383433973f535a

SHA256
46256b5f1774460c33d853dc2419d2ed5621051a320e295eac494028c00ab541

SHA512
77ab539378284950ffddfdc763c142a2936df28b2d02e0d4ae8f92f45458a297b1e3ce4bc4491544d1af30ef4065536e7b6bb7f0528aa646d8aad95245e40dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2GA595ks.exe

Filesize
222KB

MD5
c7c5ca8c7a32c3c34ca8e661977df929

SHA1
4bc89389deed11c2f8b7cb2d56a6d55fa7296a1b

SHA256
6f28d96a24b542148d2cff63435d4aa0aa1808a15a3da8ee723c23065508b45c

SHA512
094072b40ce4668b0bc0173c107883e1ded36eaf16570603a24f22766f990a60ebf4765ee01613201f1a5a2153cdeafafe86ece51b29a535a2df9fa3938c793b

Download Submit
memory/1340-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1340-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1340-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1340-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3344-29-0x0000000000EA0000-0x0000000000EDE000-memory.dmp

Filesize
248KB

Download
memory/3344-30-0x0000000008250000-0x00000000087F4000-memory.dmp

Filesize
5.6MB

Download
memory/3344-31-0x0000000007D80000-0x0000000007E12000-memory.dmp

Filesize
584KB

Download
memory/3344-32-0x0000000003190000-0x000000000319A000-memory.dmp

Filesize
40KB

Download
memory/3344-33-0x0000000008E20000-0x0000000009438000-memory.dmp

Filesize
6.1MB

Download
memory/3344-34-0x0000000008090000-0x000000000819A000-memory.dmp

Filesize
1.0MB

Download
memory/3344-35-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/3344-36-0x0000000008000000-0x000000000803C000-memory.dmp

Filesize
240KB

Download
memory/3344-37-0x0000000008040000-0x000000000808C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads