mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Size

584KB
MD5

3d95c1908906f19aaba4db1e866b1c18
SHA1

da63f6664090fb6e72d9235d64506e93c603d3c3
SHA256

7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e
SHA512

da14352bb65f08ce590f7ec7fc2e0cd2497b0ddf8daf5e491cd5a1b9b24d0ec5ddc9e9e5de912074fc10ea0339cd9107cb19fd62e48617f180873bdb094b6e69
SSDEEP

12288:6Mr7y90m8vemdFOfRi7WwAk7Fv+eOWr5WaU2GrnJ:hyIve8bD5FGejgWAnJ

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral13/memory/1968-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1968-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1968-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral13/memory/1968-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AY316zp.exe	family_redline
behavioral13/memory/4404-22-0x0000000000DD0000-0x0000000000E0E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

LR9XE8yK.exe1BB92Hd6.exe2AY316zp.exe

pid process

4724 LR9XE8yK.exe
3348 1BB92Hd6.exe
4404 2AY316zp.exe

pid	process
4724	LR9XE8yK.exe
3348	1BB92Hd6.exe
4404	2AY316zp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exeLR9XE8yK.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LR9XE8yK.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1BB92Hd6.exe

description pid process target process

PID 3348 set thread context of 1968 3348 1BB92Hd6.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1520 1968 WerFault.exe AppLaunch.exe
3328 3348 WerFault.exe 1BB92Hd6.exe

description	pid	process	target process
PID 3348 set thread context of 1968	3348	1BB92Hd6.exe	AppLaunch.exe

pid	pid_target	process	target process
1520	1968	WerFault.exe	AppLaunch.exe
3328	3348	WerFault.exe	1BB92Hd6.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exeLR9XE8yK.exe1BB92Hd6.exe

description	pid	process	target process
PID 1020 wrote to memory of 4724	1020	7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe	LR9XE8yK.exe
PID 1020 wrote to memory of 4724	1020	7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe	LR9XE8yK.exe
PID 1020 wrote to memory of 4724	1020	7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe	LR9XE8yK.exe
PID 4724 wrote to memory of 3348	4724	LR9XE8yK.exe	1BB92Hd6.exe
PID 4724 wrote to memory of 3348	4724	LR9XE8yK.exe	1BB92Hd6.exe
PID 4724 wrote to memory of 3348	4724	LR9XE8yK.exe	1BB92Hd6.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 3348 wrote to memory of 1968	3348	1BB92Hd6.exe	AppLaunch.exe
PID 4724 wrote to memory of 4404	4724	LR9XE8yK.exe	2AY316zp.exe
PID 4724 wrote to memory of 4404	4724	LR9XE8yK.exe	2AY316zp.exe
PID 4724 wrote to memory of 4404	4724	LR9XE8yK.exe	2AY316zp.exe

C:\Users\Admin\AppData\Local\Temp\7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
"C:\Users\Admin\AppData\Local\Temp\7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LR9XE8yK.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LR9XE8yK.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BB92Hd6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BB92Hd6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540
        5⤵
        Program crash
        
        PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 136
      4⤵
      Program crash
      PID:3328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AY316zp.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AY316zp.exe
    3⤵
    - Executes dropped EXE
    PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1968 -ip 1968
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3348 -ip 3348
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LR9XE8yK.exe

Filesize
383KB

MD5
849e3d9f898ba64ea1f29e55350c09f5

SHA1
407675a180a3d11401be761cd983af379c071c16

SHA256
534763e7b81baa6740e998a357715b126279b6a759cd71785f81c80a7305e3a1

SHA512
d90015bc2b9440f25eb762937c4fdf096ed6e5cf9f55b88fb9452875f7cf65e2bdb094252ddd521fe707b54821a55b9de0e047be5370eb7fe7638f3297c4bb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BB92Hd6.exe

Filesize
298KB

MD5
c469d1a65af45d8b61e2a7e3a5c4adfe

SHA1
c7bf392c62fda17f9ba978a186660a0003b2e3b6

SHA256
fc3a26eb37c3a4aece5a74de608313ed42ce32fc16ba25523e5f0919bd3216c7

SHA512
c9db35891ec89efb65a5a1756a93495871010db4fd74e93567a632f7900210209db73c32c0d466e43b13589a4ceb6967cc0006fa5d42de15dc74684ac6c5ae47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2AY316zp.exe

Filesize
222KB

MD5
4a3638daba97b7030faf3d9012e21f52

SHA1
e1eb743e96cc69603f42826792ebce7842e81722

SHA256
2e73b7e0a8a59712d22ce2c32efdf83f2e8eb656b5c0408e1c55aafa5cf76112

SHA512
f56ea8ecea2891d5ca00c91410a6a7fe34583be9023a7a5294c80e963d366cf9fa277551ef283b826740c493ea4d3d1c73169839e7f8e8b6f5e0b8eb00116e29

Download Submit
memory/1968-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1968-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1968-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1968-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4404-23-0x0000000008090000-0x0000000008634000-memory.dmp

Filesize
5.6MB

Download
memory/4404-22-0x0000000000DD0000-0x0000000000E0E000-memory.dmp

Filesize
248KB

Download
memory/4404-24-0x0000000007B80000-0x0000000007C12000-memory.dmp

Filesize
584KB

Download
memory/4404-25-0x0000000002FE0000-0x0000000002FEA000-memory.dmp

Filesize
40KB

Download
memory/4404-26-0x0000000008C60000-0x0000000009278000-memory.dmp

Filesize
6.1MB

Download
memory/4404-27-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4404-28-0x0000000007D90000-0x0000000007DA2000-memory.dmp

Filesize
72KB

Download
memory/4404-29-0x0000000007DF0000-0x0000000007E2C000-memory.dmp

Filesize
240KB

Download
memory/4404-30-0x0000000007F70000-0x0000000007FBC000-memory.dmp

Filesize
304KB

Download