mystic | 221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2023 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe
Size

1.6MB
MD5

7786789cfc86e1201383121f776645a8
SHA1

58b51f4aa5a513a02282f38f2aa5e918f70a0af1
SHA256

221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778
SHA512

15fe50f1a9dec0b5468c5f1caadf8597cdb945f6574eff86e1edf6e22c8c7b37ba307d6c7dd8d385f5f35a9aa9bd3763a7e2219102c07a65954d92a56e1782f1
SSDEEP

24576:Kys8ZHGYG8AYj88rEpwKyVWGqBkP+lzZ/KxTejexnrLmSf4UqsFspsUhyhdLNnJ:RVcY48w9gEk+d/KojexrLmSf45e3X5n

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/3704-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3704-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3704-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral1/memory/3704-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0002000000022618-41.dat	family_redline
behavioral1/files/0x0002000000022618-42.dat	family_redline
behavioral1/memory/556-43-0x0000000000B40000-0x0000000000B7E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4764	hF7QS9uU.exe
1252	re0zg3KK.exe
1344	Se7Ho6sG.exe
2932	DK8ZI5Rw.exe
760	1us75RK9.exe
556	2Gx668VL.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hF7QS9uU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	re0zg3KK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Se7Ho6sG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	DK8ZI5Rw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 3704	760	1us75RK9.exe	89

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4732	760	WerFault.exe	87
2944	3704	WerFault.exe	89

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 4764	568	221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe	83
PID 568 wrote to memory of 4764	568	221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe	83
PID 568 wrote to memory of 4764	568	221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe	83
PID 4764 wrote to memory of 1252	4764	hF7QS9uU.exe	84
PID 4764 wrote to memory of 1252	4764	hF7QS9uU.exe	84
PID 4764 wrote to memory of 1252	4764	hF7QS9uU.exe	84
PID 1252 wrote to memory of 1344	1252	re0zg3KK.exe	85
PID 1252 wrote to memory of 1344	1252	re0zg3KK.exe	85
PID 1252 wrote to memory of 1344	1252	re0zg3KK.exe	85
PID 1344 wrote to memory of 2932	1344	Se7Ho6sG.exe	86
PID 1344 wrote to memory of 2932	1344	Se7Ho6sG.exe	86
PID 1344 wrote to memory of 2932	1344	Se7Ho6sG.exe	86
PID 2932 wrote to memory of 760	2932	DK8ZI5Rw.exe	87
PID 2932 wrote to memory of 760	2932	DK8ZI5Rw.exe	87
PID 2932 wrote to memory of 760	2932	DK8ZI5Rw.exe	87
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 760 wrote to memory of 3704	760	1us75RK9.exe	89
PID 2932 wrote to memory of 556	2932	DK8ZI5Rw.exe	97
PID 2932 wrote to memory of 556	2932	DK8ZI5Rw.exe	97
PID 2932 wrote to memory of 556	2932	DK8ZI5Rw.exe	97

C:\Users\Admin\AppData\Local\Temp\221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe
"C:\Users\Admin\AppData\Local\Temp\221a018f5160e608effb19ba3143bee3d2e29489c2f31ea64185a8c206c42778.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF7QS9uU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF7QS9uU.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re0zg3KK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re0zg3KK.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Se7Ho6sG.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Se7Ho6sG.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DK8ZI5Rw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DK8ZI5Rw.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1us75RK9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1us75RK9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 540
        8⤵
        Program crash
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 572
        7⤵
        Program crash
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gx668VL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gx668VL.exe
        6⤵
        Executes dropped EXE
        
        PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 760 -ip 760
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3704 -ip 3704
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF7QS9uU.exe

Filesize
1.5MB

MD5
41fcba086e3fe7d649696151cf752fac

SHA1
91e941b294e85e2c05e31a858b5e6ac2fe819bee

SHA256
0e95d1941932e764c53f7ff6dd6c1663325aa6630a4e31976cc7b4e4677d8f01

SHA512
be1caf61d947aced3c51f2cf246898f467896beaba9bed43cc1fa7bb4415c0119ba04207bc3795f996c80f3f4edda782fbc6309849612619c3ddf9addc249895

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hF7QS9uU.exe

Filesize
1.5MB

MD5
41fcba086e3fe7d649696151cf752fac

SHA1
91e941b294e85e2c05e31a858b5e6ac2fe819bee

SHA256
0e95d1941932e764c53f7ff6dd6c1663325aa6630a4e31976cc7b4e4677d8f01

SHA512
be1caf61d947aced3c51f2cf246898f467896beaba9bed43cc1fa7bb4415c0119ba04207bc3795f996c80f3f4edda782fbc6309849612619c3ddf9addc249895

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re0zg3KK.exe

Filesize
1.3MB

MD5
6c1635a7940ef2d253059e23db84b447

SHA1
f392861b0bcb54c7059cc017beca1f7661e20742

SHA256
1fe75d904eddecf65183fc13951e14d0178987b96e309c0b9aa5097922783a82

SHA512
1b7e2615a5f51f3e989ca25d619a81189d20e648281a761b43f70d9a518eda539ee28b100f73098cdc574276fbdcc1c89651d6997b4eab18787a33708fed7dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\re0zg3KK.exe

Filesize
1.3MB

MD5
6c1635a7940ef2d253059e23db84b447

SHA1
f392861b0bcb54c7059cc017beca1f7661e20742

SHA256
1fe75d904eddecf65183fc13951e14d0178987b96e309c0b9aa5097922783a82

SHA512
1b7e2615a5f51f3e989ca25d619a81189d20e648281a761b43f70d9a518eda539ee28b100f73098cdc574276fbdcc1c89651d6997b4eab18787a33708fed7dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Se7Ho6sG.exe

Filesize
821KB

MD5
2c09e8c86fcd6432eb0a2051351388fd

SHA1
c11c5b0cff9db7c410ad26b2cc8affe13a9ddb9d

SHA256
b7f1bcf212fa5e94090edd897b06cb6c7c04ec754ff4bece6ad8d5797342b144

SHA512
7ee043c8072d6e8eedccc21adbb86c99b4bddb64ec9bb46d6865a76c93f3d07b25424686bd17845d5badc7b60ab8054d1553b4c4d600e6ffd18653d02396e631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Se7Ho6sG.exe

Filesize
821KB

MD5
2c09e8c86fcd6432eb0a2051351388fd

SHA1
c11c5b0cff9db7c410ad26b2cc8affe13a9ddb9d

SHA256
b7f1bcf212fa5e94090edd897b06cb6c7c04ec754ff4bece6ad8d5797342b144

SHA512
7ee043c8072d6e8eedccc21adbb86c99b4bddb64ec9bb46d6865a76c93f3d07b25424686bd17845d5badc7b60ab8054d1553b4c4d600e6ffd18653d02396e631

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DK8ZI5Rw.exe

Filesize
649KB

MD5
36a28df10747a8398017aef5786ab9cd

SHA1
98d3fb3539982fc60ff0813474b8bd61ae83fca1

SHA256
1f2bd72d11a92fb72c72f6f17e1674dee92f68aa50e98b5e836dadf8b54b327c

SHA512
fdba07f545ce970f904297061518b6c02a7c5fd65c75874dd1efb682d43c9404299f153a30267d7dfb8b35e073767a3ac78ce520ad0465253d097aca929e464c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DK8ZI5Rw.exe

Filesize
649KB

MD5
36a28df10747a8398017aef5786ab9cd

SHA1
98d3fb3539982fc60ff0813474b8bd61ae83fca1

SHA256
1f2bd72d11a92fb72c72f6f17e1674dee92f68aa50e98b5e836dadf8b54b327c

SHA512
fdba07f545ce970f904297061518b6c02a7c5fd65c75874dd1efb682d43c9404299f153a30267d7dfb8b35e073767a3ac78ce520ad0465253d097aca929e464c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1us75RK9.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1us75RK9.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gx668VL.exe

Filesize
231KB

MD5
5e9a9a0a6ebf7e31d4a6fd42c6c14115

SHA1
50a488846697b3904aa049527b7ba931da0821cb

SHA256
fb81b18c027e6d5a387930e8c2dcb5f0f286ca3bf9c2eb6295ec9e62e8670274

SHA512
aa8c7519ba0e28aa3ed782073a512d864d4de9452c677fad1a5e039f30fcb47a7511c037be52fda6257f838e72cbd2992b9464c9165c619df595b004d7bcec88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Gx668VL.exe

Filesize
231KB

MD5
5e9a9a0a6ebf7e31d4a6fd42c6c14115

SHA1
50a488846697b3904aa049527b7ba931da0821cb

SHA256
fb81b18c027e6d5a387930e8c2dcb5f0f286ca3bf9c2eb6295ec9e62e8670274

SHA512
aa8c7519ba0e28aa3ed782073a512d864d4de9452c677fad1a5e039f30fcb47a7511c037be52fda6257f838e72cbd2992b9464c9165c619df595b004d7bcec88

Download Submit
memory/556-46-0x00000000078C0000-0x0000000007952000-memory.dmp

Filesize
584KB

Download
memory/556-43-0x0000000000B40000-0x0000000000B7E000-memory.dmp

Filesize
248KB

Download
memory/556-47-0x0000000007890000-0x00000000078A0000-memory.dmp

Filesize
64KB

Download
memory/556-55-0x0000000007890000-0x00000000078A0000-memory.dmp

Filesize
64KB

Download
memory/556-48-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

Filesize
40KB

Download
memory/556-44-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/556-45-0x0000000007DD0000-0x0000000008374000-memory.dmp

Filesize
5.6MB

Download
memory/556-49-0x00000000089A0000-0x0000000008FB8000-memory.dmp

Filesize
6.1MB

Download
memory/556-54-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/556-53-0x0000000007D80000-0x0000000007DCC000-memory.dmp

Filesize
304KB

Download
memory/556-52-0x0000000007C00000-0x0000000007C3C000-memory.dmp

Filesize
240KB

Download
memory/556-50-0x0000000007C70000-0x0000000007D7A000-memory.dmp

Filesize
1.0MB

Download
memory/556-51-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/3704-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3704-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3704-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3704-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads