mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Size

818KB
MD5

7967bbff3e07fba124d8dea54e35eb77
SHA1

ddc12b8277caecdd80f5b01d69b1ab7b0c2e47da
SHA256

db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5
SHA512

fb2db1d102f8fd17ebe1e0e49ac195a671b3222529436d177d5561bc843357106e863a190e9b06052bc6c4493ca045226aa5c9cb0d2d552a6c1edd82b6ff555a
SSDEEP

24576:jyD5iE2i4/+TVlB7ISI6Ajq4VCSeJ2j2ab1A:21ID/onBmVLj28

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral19/memory/1344-21-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral19/memory/1344-22-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023569-24.dat	family_redline
behavioral19/memory/888-26-0x0000000000A50000-0x0000000000A8E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
968	lZ7Ij1rd.exe
2792	cu3Qy3qw.exe
4928	1UZ83nq3.exe
888	2SI637GC.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	lZ7Ij1rd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	cu3Qy3qw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4928 set thread context of 1344	4928	1UZ83nq3.exe	107

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3316	4928	WerFault.exe	92

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 968	4492	db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe	90
PID 4492 wrote to memory of 968	4492	db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe	90
PID 4492 wrote to memory of 968	4492	db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe	90
PID 968 wrote to memory of 2792	968	lZ7Ij1rd.exe	91
PID 968 wrote to memory of 2792	968	lZ7Ij1rd.exe	91
PID 968 wrote to memory of 2792	968	lZ7Ij1rd.exe	91
PID 2792 wrote to memory of 4928	2792	cu3Qy3qw.exe	92
PID 2792 wrote to memory of 4928	2792	cu3Qy3qw.exe	92
PID 2792 wrote to memory of 4928	2792	cu3Qy3qw.exe	92
PID 4928 wrote to memory of 2368	4928	1UZ83nq3.exe	106
PID 4928 wrote to memory of 2368	4928	1UZ83nq3.exe	106
PID 4928 wrote to memory of 2368	4928	1UZ83nq3.exe	106
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 4928 wrote to memory of 1344	4928	1UZ83nq3.exe	107
PID 2792 wrote to memory of 888	2792	cu3Qy3qw.exe	111
PID 2792 wrote to memory of 888	2792	cu3Qy3qw.exe	111
PID 2792 wrote to memory of 888	2792	cu3Qy3qw.exe	111

C:\Users\Admin\AppData\Local\Temp\db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
"C:\Users\Admin\AppData\Local\Temp\db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2368
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 588
        5⤵
        Program crash
        
        PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe
      4⤵
      Executes dropped EXE
      PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4928 -ip 4928
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe

Filesize
583KB

MD5
3cb8ab596c2f49decc3c80e0809b5bfb

SHA1
6dfdc50e8dbd6b1d393a9d9a22b8d43d8309decf

SHA256
5ec3536683e22c7ac0f4b87f8eeb050c839dde046f1b848120e1bea9e5d772c2

SHA512
a5692534273c605f121083e7583e046fd56ca1a1d59b7cafba90d1fbac8bcd3b3996a8c5e20edbde725b180f18775f471b6b376d30a5afa66ff98b58cee92c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe

Filesize
383KB

MD5
93833fe8aab95b2c03057b727f4cf1e4

SHA1
035778f8574072c91b0f24e884b81fb04307d267

SHA256
26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a

SHA512
df64baedc559146652d0463b8164f0c546c8c6ada13b66b1e5adc47a5391d6b1894d46ad3563e839072144296786c90b1658686058207646f779a563afddfb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe

Filesize
298KB

MD5
4537b33120339c8cd45fdfaca6e2ba28

SHA1
d8e3aa200f29478769eb9ba985e62755c2c2ddf2

SHA256
f204bf582b6fcf0e28397ba3e40ba16eb2af1756d20ae2caf1e64b3c1870ece8

SHA512
337dd140c442ca3bf34d071a7ff454cee5340ad5ea85cdff1e27678a89b98c0a0ff4a4bfe7296a2766decf4de0bb4ca1cce76503c05a1b0e1a31d7a8b8f2eb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe

Filesize
222KB

MD5
6fa7339f30118f8861b9c0e60bc7680e

SHA1
379f2426b2f25c401783a13fcf245cefdd8f7b6d

SHA256
dd4dd74c6f607744352dbafccf31ee23126ad9dbf8eebbc91c7847cb5368910b

SHA512
a907dd11a640e9a8a1c671b7c963c09f138b14c8c0d13374ca3a09a3a9960356a4183a33ae5f18cc56037556637873bfdf8c2e5080adfe0edc126e40c86c192a

Download Submit
memory/888-29-0x0000000002C70000-0x0000000002C7A000-memory.dmp

Filesize
40KB

Download
memory/888-26-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Filesize
248KB

Download
memory/888-27-0x0000000007D70000-0x0000000008314000-memory.dmp

Filesize
5.6MB

Download
memory/888-28-0x0000000007860000-0x00000000078F2000-memory.dmp

Filesize
584KB

Download
memory/888-30-0x0000000008940000-0x0000000008F58000-memory.dmp

Filesize
6.1MB

Download
memory/888-31-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/888-32-0x00000000079F0000-0x0000000007A02000-memory.dmp

Filesize
72KB

Download
memory/888-33-0x0000000007A60000-0x0000000007A9C000-memory.dmp

Filesize
240KB

Download
memory/888-34-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

Filesize
304KB

Download
memory/1344-22-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1344-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads