mystic | dd599a6bab1a1dabfa1fca35b3aa571004102301666e21fec5316076b068ab55

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe
Size

591KB
MD5

aa53efb806f4884fc8c93a3cbd9c060d
SHA1

9815cb95ebc875b9dd4bf3c711941fb02b272686
SHA256

5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d
SHA512

e3e944a5579bae8e139a85e32708bf4071dd188da05ac592fbfb60c0a312830e0230eb07952702a05b228e8cd7c0dedefe3f850006bde525b1ec1250fff19855
SSDEEP

12288:FMrNy9038LNERyDpyHzz6szWZ9F/QnRtS2HU7giJj:syH2yQHzu3fQn+RUiJj

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral6/memory/3508-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral6/memory/3508-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral6/memory/3508-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral6/memory/3508-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000700000002343e-20.dat	family_redline
behavioral6/memory/4296-22-0x0000000000B90000-0x0000000000BCE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3848	yT9Jy7yd.exe
4668	1AE95aK4.exe
4296	2tI516xl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yT9Jy7yd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 3508	4668	1AE95aK4.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5072	3508	WerFault.exe	85

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3848	1496	5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe	83
PID 1496 wrote to memory of 3848	1496	5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe	83
PID 1496 wrote to memory of 3848	1496	5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe	83
PID 3848 wrote to memory of 4668	3848	yT9Jy7yd.exe	84
PID 3848 wrote to memory of 4668	3848	yT9Jy7yd.exe	84
PID 3848 wrote to memory of 4668	3848	yT9Jy7yd.exe	84
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 4668 wrote to memory of 3508	4668	1AE95aK4.exe	85
PID 3848 wrote to memory of 4296	3848	yT9Jy7yd.exe	87
PID 3848 wrote to memory of 4296	3848	yT9Jy7yd.exe	87
PID 3848 wrote to memory of 4296	3848	yT9Jy7yd.exe	87

C:\Users\Admin\AppData\Local\Temp\5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe
"C:\Users\Admin\AppData\Local\Temp\5a9aed66614843df861e1716ffa1565f310d3f61f384e45ac0468be8b6bc162d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yT9Jy7yd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yT9Jy7yd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AE95aK4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AE95aK4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 540
        5⤵
        Program crash
        
        PID:5072
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tI516xl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tI516xl.exe
    3⤵
    - Executes dropped EXE
    PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3508 -ip 3508
1⤵
PID:272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yT9Jy7yd.exe

Filesize
396KB

MD5
234bb8b39da8c81e162be67a9ca5e5e7

SHA1
a75a881a68694dc59b564420a4cf1a3eb999d207

SHA256
03095aee6937cd0b66d0ca3bcb0ed6fca6cadc9141babc5b5214c571321c5cad

SHA512
3bc0db5902162a19f0e80a51f515ab356fe25a6b2800b5fb0459acf6ec772a1655c64eb6b898507edd01b25a0b68c197ab13cbbf1ee34005f4913ca773fc569d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1AE95aK4.exe

Filesize
314KB

MD5
7d141e23afc046b41fb099e2c08812c2

SHA1
f47939bee46898a4e1b9146893cc6a0b713963d3

SHA256
24601a4acab9ffb128f7f26110db079ffb8cc5a38e26f37fddcbffd9543e1d5b

SHA512
8fe89ef4fc0c338c6198870e19229a90b6f15e829944b84b6734d78e2c6ed04a2cdce350bfeae0482ec81c0dab4a3002ec889fe0d8982e6a42e9204f1cbae174

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tI516xl.exe

Filesize
222KB

MD5
c0a05a1f212389eb4b1bb0f55209ff6c

SHA1
e09e4b58051d7dae2d56aaa56e806c8e02ad9759

SHA256
ece2693d79360a2ae6bb99899098e01b33045c35add9fbaa501a6cda9f90994c

SHA512
e770687c2e39991b7f42e64ae95759461021ad329eb4cf57bf316a82acdf0c03387b02500f34266230a57aa486db4296dc6737e8246251ad5ee288bb31aa3a97

Download Submit
memory/3508-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3508-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4296-23-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/4296-22-0x0000000000B90000-0x0000000000BCE000-memory.dmp

Filesize
248KB

Download
memory/4296-24-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/4296-25-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/4296-26-0x00000000089F0000-0x0000000009008000-memory.dmp

Filesize
6.1MB

Download
memory/4296-27-0x0000000007CA0000-0x0000000007DAA000-memory.dmp

Filesize
1.0MB

Download
memory/4296-28-0x0000000007B40000-0x0000000007B52000-memory.dmp

Filesize
72KB

Download
memory/4296-29-0x0000000007BD0000-0x0000000007C0C000-memory.dmp

Filesize
240KB

Download
memory/4296-30-0x0000000007C10000-0x0000000007C5C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads