mystic | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe
Size

1.5MB
MD5

c8ac1db7f2f53e0694220cb03abc8272
SHA1

b4cdc41ef7aea4375f230bd070b1a10e2dcac88a
SHA256

2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b
SHA512

62ce61598936aebbc62fa07e1b361658156e30a27960b1f61f0a595a4548ea1d4c03c1135433c37a24bc7fa1c2d64434be8dc0c5600c796bdfd4f3093490f75b
SSDEEP

24576:8yDJ1g7XSiYHKHSZWbh7cwf+iGDJtYt4WjLfGxeVFlmjURMjxbkr1sibIkx:rDJe7XS/KHcWFAwf6DJtY5L+xeVFzMjN

Score

10^/10

mystic redline kukish infostealer persistence stealer

Malware Config

Extracted

Family

mystic

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral5/memory/5092-35-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral5/memory/5092-36-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral5/memory/5092-38-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral5/files/0x0007000000023459-40.dat	family_redline
behavioral5/memory/4308-42-0x0000000000660000-0x000000000069E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3628	DX6uG5uV.exe
4732	zi6uY9Zh.exe
1992	OL3wW8bV.exe
3408	ol3qx3US.exe
752	1fa55eQ1.exe
4308	2Oa467gP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OL3wW8bV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ol3qx3US.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	DX6uG5uV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zi6uY9Zh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 752 set thread context of 5092	752	1fa55eQ1.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1692	752	WerFault.exe	89

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 3628	2252	2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe	83
PID 2252 wrote to memory of 3628	2252	2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe	83
PID 2252 wrote to memory of 3628	2252	2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe	83
PID 3628 wrote to memory of 4732	3628	DX6uG5uV.exe	84
PID 3628 wrote to memory of 4732	3628	DX6uG5uV.exe	84
PID 3628 wrote to memory of 4732	3628	DX6uG5uV.exe	84
PID 4732 wrote to memory of 1992	4732	zi6uY9Zh.exe	86
PID 4732 wrote to memory of 1992	4732	zi6uY9Zh.exe	86
PID 4732 wrote to memory of 1992	4732	zi6uY9Zh.exe	86
PID 1992 wrote to memory of 3408	1992	OL3wW8bV.exe	87
PID 1992 wrote to memory of 3408	1992	OL3wW8bV.exe	87
PID 1992 wrote to memory of 3408	1992	OL3wW8bV.exe	87
PID 3408 wrote to memory of 752	3408	ol3qx3US.exe	89
PID 3408 wrote to memory of 752	3408	ol3qx3US.exe	89
PID 3408 wrote to memory of 752	3408	ol3qx3US.exe	89
PID 752 wrote to memory of 4420	752	1fa55eQ1.exe	97
PID 752 wrote to memory of 4420	752	1fa55eQ1.exe	97
PID 752 wrote to memory of 4420	752	1fa55eQ1.exe	97
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 752 wrote to memory of 5092	752	1fa55eQ1.exe	98
PID 3408 wrote to memory of 4308	3408	ol3qx3US.exe	103
PID 3408 wrote to memory of 4308	3408	ol3qx3US.exe	103
PID 3408 wrote to memory of 4308	3408	ol3qx3US.exe	103

C:\Users\Admin\AppData\Local\Temp\2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe
"C:\Users\Admin\AppData\Local\Temp\2d75908c0774dcb3f45e676b4c83554e0c2c94a1e96fd64e163484e0dbbf359b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DX6uG5uV.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DX6uG5uV.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi6uY9Zh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi6uY9Zh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OL3wW8bV.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OL3wW8bV.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ol3qx3US.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ol3qx3US.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fa55eQ1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fa55eQ1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 572
        7⤵
        Program crash
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oa467gP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oa467gP.exe
        6⤵
        Executes dropped EXE
        
        PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 752 -ip 752
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DX6uG5uV.exe

Filesize
1.3MB

MD5
1fcb660fbe1640affb3c27925b0e4278

SHA1
2e079774a3e6d2a110b1805b386c6f03efe0caf1

SHA256
24c589017de785ab87fb4bfc435d57e3ecc48b59a806c9800c95b24edde036f1

SHA512
f0cbe71110ddd0861563d7f9d6a6cb735e6f825bd9b02ad058b6fa217f8cbc410299b0e664c7a3f263abd1c5458b9410a4dba5a0ca61d5c65334beb3a01ec2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zi6uY9Zh.exe

Filesize
1.1MB

MD5
ce5fd94742af978cf4be6d45610a8ee4

SHA1
aca94d09d3047a2750da990ba7295af5fa9b880b

SHA256
d4fd8348cbea621462b455dfd928e596d854f70f9e715e8e60c3745094e10733

SHA512
6c170784483bdbfba87874445537ecadacd6b7a85ba8d3d90073c9c0b7f8193f926a1b29c9e07ac49b8828f489bd51847ea32178273a4b1634562152d791dfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OL3wW8bV.exe

Filesize
755KB

MD5
9f0776204e5dcfd93fe1aef3bea703fb

SHA1
9e07fcb95508b0c3cbef3d905e99cb8bc14e12e1

SHA256
6cd6c40c1b3106877ee814e4640e91f6a4bfb26d887c23f640dc06b840570720

SHA512
e80059dcdc420cb2c357883d912c3a56fce55396272fdfb47ce27447e048ae53d1c368031ddc77fcdfa8e69b6af1799e0bd410d3b0cbe3e27c299cb67ed6966d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ol3qx3US.exe

Filesize
559KB

MD5
fd792135bfd132462656b5ca55c00645

SHA1
394ea35bb200e85d13be559da2a7ab1bb346cfad

SHA256
ac9270e0bb2b71edc884845fa4d013ff7b88beea3d43d2bc53ec94ce2021b55f

SHA512
172219c3b278334449ae75be5329bbf0b46e525abe6858002f05de803658768745e6fc34119ae26c4a4ebf817468eb8618c6fe31cf26a7e6d94b476acb0c3448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fa55eQ1.exe

Filesize
1.1MB

MD5
d91dadf74934a7d96b681ce5e08bf308

SHA1
df5bd0e0701b21e0441799ea4982f33426babaa2

SHA256
634b29d6c7f905692aea9662e8cd5421b5a5fa52d74dcc81b6f754a3c955591f

SHA512
cd37fa9382578b73dd7d92e561f6b33925f6af34d65ae74895970302f84c6fc57c4cc708f8982870026cfd736ac3ab427a60518254cf1a82ee3f34f63435560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Oa467gP.exe

Filesize
221KB

MD5
1f09631d5926017ffd2d432e2be3fbc2

SHA1
f5aab3c4b929dc2a1b92e4a6aa4094aad66068ba

SHA256
463be140cde2c2416f8d73adce7c994b24a559d0774583079836f358c5e7ec2d

SHA512
db95c339bd677cb0cce2d7c212ef41cba733ea9269c123b78252817a9e5760445d71489ed1adde30977b069a16ac4e9224d1719df9de68c2ec28e4d120e38572

Download Submit
memory/4308-42-0x0000000000660000-0x000000000069E000-memory.dmp

Filesize
248KB

Download
memory/4308-43-0x0000000007A10000-0x0000000007FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4308-44-0x0000000007540000-0x00000000075D2000-memory.dmp

Filesize
584KB

Download
memory/4308-45-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/4308-46-0x00000000085E0000-0x0000000008BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4308-47-0x0000000007860000-0x000000000796A000-memory.dmp

Filesize
1.0MB

Download
memory/4308-48-0x0000000007770000-0x0000000007782000-memory.dmp

Filesize
72KB

Download
memory/4308-49-0x00000000077D0000-0x000000000780C000-memory.dmp

Filesize
240KB

Download
memory/4308-50-0x0000000007810000-0x000000000785C000-memory.dmp

Filesize
304KB

Download
memory/5092-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads