mystic | 29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2023, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe
Size

1.7MB
MD5

7eb06f87d25653d364c68a0064e617cb
SHA1

bd561180237a1869ccf7e616a918029d5fff949e
SHA256

29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892
SHA512

004eed6bd24a0aad51dcdb5123a1c5f0b11deb137a641f3bd6256dcb037ee688450550092412621ccc595d2128ed537882eef95146c0d40c1ac10099814909b7
SSDEEP

49152:ITuUi7rkXlRvEr7iap3tWkGN0vNdxS4Fl:iuhrkXfimaBtWkGKvN/S4F

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3652-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3652-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3652-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3652-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231d2-41.dat	family_redline
behavioral1/files/0x00070000000231d2-42.dat	family_redline
behavioral1/memory/3448-43-0x0000000000A20000-0x0000000000A5E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3212	As9pQ8gh.exe
2900	rP5WE6Pl.exe
4636	Wu0Vk4He.exe
1436	iM0zH9yu.exe
3144	1xz46Cy8.exe
3448	2fR514dg.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	iM0zH9yu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	As9pQ8gh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rP5WE6Pl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Wu0Vk4He.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3144 set thread context of 3652	3144	1xz46Cy8.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1908	3144	WerFault.exe	90
1016	3652	WerFault.exe	91

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 3212	2044	29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe	86
PID 2044 wrote to memory of 3212	2044	29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe	86
PID 2044 wrote to memory of 3212	2044	29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe	86
PID 3212 wrote to memory of 2900	3212	As9pQ8gh.exe	87
PID 3212 wrote to memory of 2900	3212	As9pQ8gh.exe	87
PID 3212 wrote to memory of 2900	3212	As9pQ8gh.exe	87
PID 2900 wrote to memory of 4636	2900	rP5WE6Pl.exe	88
PID 2900 wrote to memory of 4636	2900	rP5WE6Pl.exe	88
PID 2900 wrote to memory of 4636	2900	rP5WE6Pl.exe	88
PID 4636 wrote to memory of 1436	4636	Wu0Vk4He.exe	89
PID 4636 wrote to memory of 1436	4636	Wu0Vk4He.exe	89
PID 4636 wrote to memory of 1436	4636	Wu0Vk4He.exe	89
PID 1436 wrote to memory of 3144	1436	iM0zH9yu.exe	90
PID 1436 wrote to memory of 3144	1436	iM0zH9yu.exe	90
PID 1436 wrote to memory of 3144	1436	iM0zH9yu.exe	90
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 3144 wrote to memory of 3652	3144	1xz46Cy8.exe	91
PID 1436 wrote to memory of 3448	1436	iM0zH9yu.exe	98
PID 1436 wrote to memory of 3448	1436	iM0zH9yu.exe	98
PID 1436 wrote to memory of 3448	1436	iM0zH9yu.exe	98

C:\Users\Admin\AppData\Local\Temp\29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe
"C:\Users\Admin\AppData\Local\Temp\29cabdede6fa9410d740bf84185f3125175f74cf5be33b57c7f3bf127e31c892.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\As9pQ8gh.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\As9pQ8gh.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rP5WE6Pl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rP5WE6Pl.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wu0Vk4He.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wu0Vk4He.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iM0zH9yu.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iM0zH9yu.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xz46Cy8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xz46Cy8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 568
        8⤵
        Program crash
        
        PID:1016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 592
        7⤵
        Program crash
        
        PID:1908
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fR514dg.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fR514dg.exe
        6⤵
        Executes dropped EXE
        
        PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3144 -ip 3144
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3652 -ip 3652
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\As9pQ8gh.exe

Filesize
1.5MB

MD5
3079c84be1233cd3e15cb13f312b5ef6

SHA1
7fffee7a5149ad269ae0990335dd5ec4cb870df8

SHA256
4683f396a5176a724d7fa67f4cb9f136e23b83f1a326cc32c584e97872b3f52b

SHA512
83471b3155c402c3c923e49abf34684f20e6c66f8e38bfafbeecd87559f314a09b2e39b50d2563150d3b2c8ba3f93a9e1f60cba38fca43a67d81b0ae95f97eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\As9pQ8gh.exe

Filesize
1.5MB

MD5
3079c84be1233cd3e15cb13f312b5ef6

SHA1
7fffee7a5149ad269ae0990335dd5ec4cb870df8

SHA256
4683f396a5176a724d7fa67f4cb9f136e23b83f1a326cc32c584e97872b3f52b

SHA512
83471b3155c402c3c923e49abf34684f20e6c66f8e38bfafbeecd87559f314a09b2e39b50d2563150d3b2c8ba3f93a9e1f60cba38fca43a67d81b0ae95f97eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rP5WE6Pl.exe

Filesize
1.3MB

MD5
bdd3c3324a3730592d0bc0a129a7174b

SHA1
2672d5c262840d582e74a149abbdcee466fa24bb

SHA256
bacc4c2814082e1dbe5cb680ba40dde13fdc3f5f3cdc5bf612d05e375760540b

SHA512
3f1748bc858dd2f3a0f90d7c6827ffca595090b34b5c9add572add34f063553bc85591f05812ecb599c673b9c58c03563401f79e08365cdc30edaf84c8539dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rP5WE6Pl.exe

Filesize
1.3MB

MD5
bdd3c3324a3730592d0bc0a129a7174b

SHA1
2672d5c262840d582e74a149abbdcee466fa24bb

SHA256
bacc4c2814082e1dbe5cb680ba40dde13fdc3f5f3cdc5bf612d05e375760540b

SHA512
3f1748bc858dd2f3a0f90d7c6827ffca595090b34b5c9add572add34f063553bc85591f05812ecb599c673b9c58c03563401f79e08365cdc30edaf84c8539dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wu0Vk4He.exe

Filesize
824KB

MD5
00aac8960b1723810030e0bb7fd6f33c

SHA1
306c97dac4ac58b67674e3ae3f4a231845e3fe6c

SHA256
cea4b69932985b2ce2d38b296a07e2c5b4a41f07d84f26c9df7fe31fe898d6fa

SHA512
5cd0a15707c768b67dedde19a1f9f77cb0095c8e4c2bc0d84f713bfe394ef8cab6bd4f767c8739d2178cd8b38415f8676a91d322b9eb248656db1d13b102c543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wu0Vk4He.exe

Filesize
824KB

MD5
00aac8960b1723810030e0bb7fd6f33c

SHA1
306c97dac4ac58b67674e3ae3f4a231845e3fe6c

SHA256
cea4b69932985b2ce2d38b296a07e2c5b4a41f07d84f26c9df7fe31fe898d6fa

SHA512
5cd0a15707c768b67dedde19a1f9f77cb0095c8e4c2bc0d84f713bfe394ef8cab6bd4f767c8739d2178cd8b38415f8676a91d322b9eb248656db1d13b102c543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iM0zH9yu.exe

Filesize
652KB

MD5
77ee532ccf49d61225f96c7871e654d1

SHA1
7b7a4dec51219df5e8f3dc5fb4cfa6295c070e9e

SHA256
94e055904af13ac2d2c5f9a43e5c1f1bb1898f5ab6e6a9cf83a4d7c48c0ccc68

SHA512
bae19d1c135950a2da6d396ba96b4adac574e6cc3c89525d49eb6639d8da3cce9b913c365e334ffeae3b6dabec7aba605ea7ff0e136f747289e684872c0d1ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iM0zH9yu.exe

Filesize
652KB

MD5
77ee532ccf49d61225f96c7871e654d1

SHA1
7b7a4dec51219df5e8f3dc5fb4cfa6295c070e9e

SHA256
94e055904af13ac2d2c5f9a43e5c1f1bb1898f5ab6e6a9cf83a4d7c48c0ccc68

SHA512
bae19d1c135950a2da6d396ba96b4adac574e6cc3c89525d49eb6639d8da3cce9b913c365e334ffeae3b6dabec7aba605ea7ff0e136f747289e684872c0d1ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xz46Cy8.exe

Filesize
1.8MB

MD5
f3f2f8b5752ef75807bb50f7cdca9813

SHA1
0b4c8a7da527a45432922e8f6eaddc5959165ae1

SHA256
0fef3487fff91a01030ad443e6e548c323825a6c9d354d406c5d224b25dc880d

SHA512
6bd7f737e4490756f520f21d3f3c5c08b36f70c001f861c6cea9b75ae59254a1fa42d265f121c2ba54d0f12bdfd6b03580cf5a4a8e037fd0331732bddd95d09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1xz46Cy8.exe

Filesize
1.8MB

MD5
f3f2f8b5752ef75807bb50f7cdca9813

SHA1
0b4c8a7da527a45432922e8f6eaddc5959165ae1

SHA256
0fef3487fff91a01030ad443e6e548c323825a6c9d354d406c5d224b25dc880d

SHA512
6bd7f737e4490756f520f21d3f3c5c08b36f70c001f861c6cea9b75ae59254a1fa42d265f121c2ba54d0f12bdfd6b03580cf5a4a8e037fd0331732bddd95d09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fR514dg.exe

Filesize
230KB

MD5
cee114ce3e19ab389e783e9f0c6f01ae

SHA1
5097065050f7ac4d83a91c9c8a5e22ba4e519362

SHA256
0b2a361739640719193bca3a614a786c1db1d33b0224248abd5655cb55c930cc

SHA512
654c74f0f612dca35061184862624f35f8a5255fb1d8eb39da62d966843bd6ea7e3ff0f2cd3ed9b1b7fc76dc1fdf4cac771d7c146f58cbdada6593729b656f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2fR514dg.exe

Filesize
230KB

MD5
cee114ce3e19ab389e783e9f0c6f01ae

SHA1
5097065050f7ac4d83a91c9c8a5e22ba4e519362

SHA256
0b2a361739640719193bca3a614a786c1db1d33b0224248abd5655cb55c930cc

SHA512
654c74f0f612dca35061184862624f35f8a5255fb1d8eb39da62d966843bd6ea7e3ff0f2cd3ed9b1b7fc76dc1fdf4cac771d7c146f58cbdada6593729b656f5f

Download Submit
memory/3448-46-0x00000000078E0000-0x0000000007972000-memory.dmp

Filesize
584KB

Download
memory/3448-48-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/3448-55-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/3448-54-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/3448-43-0x0000000000A20000-0x0000000000A5E000-memory.dmp

Filesize
248KB

Download
memory/3448-44-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/3448-45-0x0000000007D90000-0x0000000008334000-memory.dmp

Filesize
5.6MB

Download
memory/3448-53-0x0000000007C60000-0x0000000007CAC000-memory.dmp

Filesize
304KB

Download
memory/3448-52-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/3448-49-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/3448-47-0x00000000078A0000-0x00000000078B0000-memory.dmp

Filesize
64KB

Download
memory/3448-50-0x0000000008340000-0x000000000844A000-memory.dmp

Filesize
1.0MB

Download
memory/3448-51-0x0000000007BC0000-0x0000000007BD2000-memory.dmp

Filesize
72KB

Download
memory/3652-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3652-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3652-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3652-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads