mystic | 9874024432d4a4dc4017d0ebf9773eaea78b9aea747dfbe995938af4b572eb38

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Size

582KB
MD5

d56c66c9d163f9ffbee7639f49480fc3
SHA1

142c8ebad2060d80751aca395115aedcda26cc34
SHA256

19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec
SHA512

30cbac04de264e17c6e178376107ac6112b4f58a189dbd01b2cfbdf7d7811d759d22a720a02e595f8e35300931932ef0c303f8f91471b311423e975829191ba3
SSDEEP

12288:RMrRy90yRvnRHnhtDc3YLtYWBQy+K1edjYz84GLjC4k9Ur0w:Ayh/RHhhc3YZGPKiE8RNJrb

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3224-14-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/3224-15-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/3224-18-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family
behavioral5/memory/3224-16-0x0000000000400000-0x0000000000432000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exe	family_redline
behavioral5/memory/3160-22-0x0000000000920000-0x000000000095E000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

MW4BA0Ad.exe1jF56MM6.exe2VG400Hw.exe

pid process

3876 MW4BA0Ad.exe
2064 1jF56MM6.exe
3160 2VG400Hw.exe

pid	process
3876	MW4BA0Ad.exe
2064	1jF56MM6.exe
3160	2VG400Hw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exeMW4BA0Ad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MW4BA0Ad.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1jF56MM6.exe

description pid process target process

PID 2064 set thread context of 3224 2064 1jF56MM6.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4936 2064 WerFault.exe 1jF56MM6.exe
5080 3224 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 2064 set thread context of 3224	2064	1jF56MM6.exe	AppLaunch.exe

pid	pid_target	process	target process
4936	2064	WerFault.exe	1jF56MM6.exe
5080	3224	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exeMW4BA0Ad.exe1jF56MM6.exe

description	pid	process	target process
PID 3048 wrote to memory of 3876	3048	19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe	MW4BA0Ad.exe
PID 3048 wrote to memory of 3876	3048	19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe	MW4BA0Ad.exe
PID 3048 wrote to memory of 3876	3048	19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe	MW4BA0Ad.exe
PID 3876 wrote to memory of 2064	3876	MW4BA0Ad.exe	1jF56MM6.exe
PID 3876 wrote to memory of 2064	3876	MW4BA0Ad.exe	1jF56MM6.exe
PID 3876 wrote to memory of 2064	3876	MW4BA0Ad.exe	1jF56MM6.exe
PID 2064 wrote to memory of 4996	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 4996	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 4996	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 2064 wrote to memory of 3224	2064	1jF56MM6.exe	AppLaunch.exe
PID 3876 wrote to memory of 3160	3876	MW4BA0Ad.exe	2VG400Hw.exe
PID 3876 wrote to memory of 3160	3876	MW4BA0Ad.exe	2VG400Hw.exe
PID 3876 wrote to memory of 3160	3876	MW4BA0Ad.exe	2VG400Hw.exe

C:\Users\Admin\AppData\Local\Temp\19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
"C:\Users\Admin\AppData\Local\Temp\19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW4BA0Ad.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW4BA0Ad.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jF56MM6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jF56MM6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 544
        5⤵
        Program crash
        
        PID:5080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 148
      4⤵
      Program crash
      PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exe
    3⤵
    - Executes dropped EXE
    PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3224 -ip 3224
1⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2064 -ip 2064
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW4BA0Ad.exe

Filesize
381KB

MD5
c8296c95ac5a07d3e8f5a35e12d2c77d

SHA1
c28cfbb88a915c485597220988d0593574e05cc6

SHA256
e3f99a38f5764ad5edb0b479c62a3f1641883af760ef7c8f31930ff45c5e3d82

SHA512
71308f3281e12a2fdfa76db11ed4fe1e72c36e21c8b0697602c3a3a1b71859a7b686412e176ad8c4abef619ad7fe0752011b065ed6e44740d72d27f6c53a1e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jF56MM6.exe

Filesize
295KB

MD5
e40afd5775ee3f2f95895ac15725ebb8

SHA1
1894dfaf92f94f317b68c1173945e67b6009c6df

SHA256
2ff19b92c42c98c6435e5c247506a23ce9cb5f4e078bc85b2352ffa67c95c6e9

SHA512
1a8a1ee7591c2e0b272a8f8d29abe6a6d254ef5b21ef855191a81ec7835d1ea52acd8afbb9a2182e3dd7818c041596fde9b3b4851292fc43b987919e3e012065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exe

Filesize
222KB

MD5
264f6b8412bef8ea723db54352674ad5

SHA1
e701011372a8928059038122f6411608cf311268

SHA256
cde355a2e795143e13bba5c06a576dcf358263511efac9a55e51529d5d9f1f06

SHA512
68f5c19fafb92903687f56f58adb5d057926757ec27caa22a0a6623c7a72337cee7130565020bae8764d2f348612c5d783575c769bda95b9ecebbf35d9585dd7

Download Submit
memory/3160-27-0x0000000007AA0000-0x0000000007BAA000-memory.dmp

Filesize
1.0MB

Download
memory/3160-22-0x0000000000920000-0x000000000095E000-memory.dmp

Filesize
248KB

Download
memory/3160-23-0x0000000007C40000-0x00000000081E4000-memory.dmp

Filesize
5.6MB

Download
memory/3160-24-0x0000000007730000-0x00000000077C2000-memory.dmp

Filesize
584KB

Download
memory/3160-25-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

Filesize
40KB

Download
memory/3160-26-0x0000000008810000-0x0000000008E28000-memory.dmp

Filesize
6.1MB

Download
memory/3160-28-0x00000000078E0000-0x00000000078F2000-memory.dmp

Filesize
72KB

Download
memory/3160-29-0x0000000007940000-0x000000000797C000-memory.dmp

Filesize
240KB

Download
memory/3160-30-0x0000000007990000-0x00000000079DC000-memory.dmp

Filesize
304KB

Download
memory/3224-18-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3224-16-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3224-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3224-14-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download