mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
Size

382KB
MD5

4b6a6b8c35f3dda3915da3cac190029e
SHA1

3597679ae4df56f9683b53c33cbdc79a55b4bfe1
SHA256

f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c
SHA512

0b0433d33affb13aed2bd576a60d5a27e838dae3d7054c5e7ee9f1147cbdf2ab81d74a53c3b68d6ebc564f6937db752651ef3bc00b3fe99f40399be35452e74d
SSDEEP

6144:KQy+bnr+vp0yN90QEOHNFg2bq4vsR+dfPlqz5Dq4YL+BeqliSdt9n4y9r2ja3m0n:4MrHy90S+2bm01I5zKUASdoQ2ezIBFC

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral20/memory/3688-7-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/3688-8-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/3688-11-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral20/memory/3688-9-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe	family_redline
behavioral20/memory/4340-16-0x0000000000C30000-0x0000000000C6E000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

Processes:

1XI06bE6.exe2Et292rp.exe

pid process

1064 1XI06bE6.exe
4340 2Et292rp.exe

pid	process
1064	1XI06bE6.exe
4340	2Et292rp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1XI06bE6.exe

description pid process target process

PID 1064 set thread context of 3688 1064 1XI06bE6.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1724 1064 WerFault.exe 1XI06bE6.exe
1072 3688 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1064 set thread context of 3688	1064	1XI06bE6.exe	AppLaunch.exe

pid	pid_target	process	target process
1724	1064	WerFault.exe	1XI06bE6.exe
1072	3688	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe1XI06bE6.exe

description	pid	process	target process
PID 2348 wrote to memory of 1064	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	1XI06bE6.exe
PID 2348 wrote to memory of 1064	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	1XI06bE6.exe
PID 2348 wrote to memory of 1064	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	1XI06bE6.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 1064 wrote to memory of 3688	1064	1XI06bE6.exe	AppLaunch.exe
PID 2348 wrote to memory of 4340	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	2Et292rp.exe
PID 2348 wrote to memory of 4340	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	2Et292rp.exe
PID 2348 wrote to memory of 4340	2348	f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe	2Et292rp.exe

C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
"C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 540
      4⤵
      Program crash
      PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 152
    3⤵
    - Program crash
    PID:1724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe
  2⤵
  - Executes dropped EXE
  PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3688 -ip 3688
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1064 -ip 1064
1⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe

Filesize
295KB

MD5
23ca287e2b958b8d67e03c6783ef0a99

SHA1
d893dc76c6110c12e50c1c5f2c210970a46de17f

SHA256
a072d9a92f0f7d9f4dbb17f3cfdc234c286286eeecbb29ee7c8bc30ed2fb288c

SHA512
6d4f005daabbc6de920f06e12cf149e4ed7be45bbbf4cadd348e95713769c2529336e0e7e072b49db5d7103cb85e4fb1f6a94a856660b647ae0ae9208be195df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe

Filesize
222KB

MD5
21c5b31e96f384fb848cf79cf59e26ab

SHA1
801f17ea1b0185e612715ebaa8d7b938ec71fdc8

SHA256
c2c9657f2bfd2f471bf43ecd1cd1e3f0d0ca76c7d8778a7cce4bde62ba337070

SHA512
71e5690bb85e1797c09efd994ac711489e68e0b04fb817d7c32f7f69cb18b0283dbe3690f9056efef6b235e882acf5a3d282ffa34e9eb35d7d0e5f99ded5143a

Download Submit
memory/3688-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3688-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4340-17-0x0000000007FF0000-0x0000000008594000-memory.dmp

Filesize
5.6MB

Download
memory/4340-16-0x0000000000C30000-0x0000000000C6E000-memory.dmp

Filesize
248KB

Download
memory/4340-15-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/4340-18-0x0000000007AF0000-0x0000000007B82000-memory.dmp

Filesize
584KB

Download
memory/4340-19-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/4340-20-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/4340-21-0x0000000008BC0000-0x00000000091D8000-memory.dmp

Filesize
6.1MB

Download
memory/4340-22-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4340-23-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/4340-24-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/4340-25-0x00000000085A0000-0x00000000085EC000-memory.dmp

Filesize
304KB

Download
memory/4340-26-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/4340-27-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download