mystic | 3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe
Size

1.6MB
MD5

6f3b19a3b5ae4e680f1f1b4e67c17198
SHA1

23b8c8a9fee9b60aa7d3e43988914658404713cc
SHA256

3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7
SHA512

acc73976ad38385f67d0d6e23c32045fcfbff2be15f754642ba104882de41106ae60fefb6641b60fc88f5e87d4ce054821498033c74b686571a8a54a76c7ac31
SSDEEP

24576:8y6ft9WxcIjlyQxhmL96QlaAiwvei3s1yL5durrglgBnB0FRztyLgoZrdA:r8OBpy7wQ5h3ssLwrU1tKJd

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3080-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3080-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3080-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3080-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231cb-41.dat	family_redline
behavioral2/files/0x00060000000231cb-42.dat	family_redline
behavioral2/memory/3912-43-0x0000000000410000-0x000000000044E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4392	dg3Ld0Gc.exe
224	Vx9Tf2mG.exe
4128	Jc6VZ7Uh.exe
1068	ZQ9HC7dY.exe
3788	1Li28mK4.exe
3912	2QR401bJ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dg3Ld0Gc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Vx9Tf2mG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Jc6VZ7Uh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ZQ9HC7dY.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 3080	3788	1Li28mK4.exe	93

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4848	3788	WerFault.exe	90
4664	3080	WerFault.exe	93

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4392	1212	NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe	85
PID 1212 wrote to memory of 4392	1212	NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe	85
PID 1212 wrote to memory of 4392	1212	NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe	85
PID 4392 wrote to memory of 224	4392	dg3Ld0Gc.exe	86
PID 4392 wrote to memory of 224	4392	dg3Ld0Gc.exe	86
PID 4392 wrote to memory of 224	4392	dg3Ld0Gc.exe	86
PID 224 wrote to memory of 4128	224	Vx9Tf2mG.exe	87
PID 224 wrote to memory of 4128	224	Vx9Tf2mG.exe	87
PID 224 wrote to memory of 4128	224	Vx9Tf2mG.exe	87
PID 4128 wrote to memory of 1068	4128	Jc6VZ7Uh.exe	88
PID 4128 wrote to memory of 1068	4128	Jc6VZ7Uh.exe	88
PID 4128 wrote to memory of 1068	4128	Jc6VZ7Uh.exe	88
PID 1068 wrote to memory of 3788	1068	ZQ9HC7dY.exe	90
PID 1068 wrote to memory of 3788	1068	ZQ9HC7dY.exe	90
PID 1068 wrote to memory of 3788	1068	ZQ9HC7dY.exe	90
PID 3788 wrote to memory of 1976	3788	1Li28mK4.exe	91
PID 3788 wrote to memory of 1976	3788	1Li28mK4.exe	91
PID 3788 wrote to memory of 1976	3788	1Li28mK4.exe	91
PID 3788 wrote to memory of 4112	3788	1Li28mK4.exe	92
PID 3788 wrote to memory of 4112	3788	1Li28mK4.exe	92
PID 3788 wrote to memory of 4112	3788	1Li28mK4.exe	92
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 3788 wrote to memory of 3080	3788	1Li28mK4.exe	93
PID 1068 wrote to memory of 3912	1068	ZQ9HC7dY.exe	100
PID 1068 wrote to memory of 3912	1068	ZQ9HC7dY.exe	100
PID 1068 wrote to memory of 3912	1068	ZQ9HC7dY.exe	100

C:\Users\Admin\AppData\Local\Temp\NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3cea2a4ea0be925701d0238777ac4957b1ba4b05c794a10b159e3a4c863fc4d7_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dg3Ld0Gc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dg3Ld0Gc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vx9Tf2mG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vx9Tf2mG.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jc6VZ7Uh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jc6VZ7Uh.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZQ9HC7dY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZQ9HC7dY.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Li28mK4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Li28mK4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 540
        8⤵
        Program crash
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 568
        7⤵
        Program crash
        
        PID:4848
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR401bJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR401bJ.exe
        6⤵
        Executes dropped EXE
        
        PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3788 -ip 3788
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3080 -ip 3080
1⤵
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dg3Ld0Gc.exe

Filesize
1.5MB

MD5
13d7d2c2b12be3086ec25bca54f3017a

SHA1
5e9e95db9ea4aa7f41f21c59ece526ac132963da

SHA256
1db9bbbd7bc3f7d5252a30914d1dad0b148122a88b0e6f72e6b13f7e8b087988

SHA512
eec6452cc19db406dd603b390f88ccd55c7956362889119c5123457fa4751c833716051d8567fcbc7cfb83acb48f18887be66c918f58e064e97d353bdb18a992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dg3Ld0Gc.exe

Filesize
1.5MB

MD5
13d7d2c2b12be3086ec25bca54f3017a

SHA1
5e9e95db9ea4aa7f41f21c59ece526ac132963da

SHA256
1db9bbbd7bc3f7d5252a30914d1dad0b148122a88b0e6f72e6b13f7e8b087988

SHA512
eec6452cc19db406dd603b390f88ccd55c7956362889119c5123457fa4751c833716051d8567fcbc7cfb83acb48f18887be66c918f58e064e97d353bdb18a992

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vx9Tf2mG.exe

Filesize
1.3MB

MD5
9b5cbe1904bc39d7252f5e273ea9c934

SHA1
eb6b99c1221b4df81351a848cf6011e42a0f2f9e

SHA256
d7f37b70a1c710b5112c8d7038dc7350fd41a853697ec19d9d4841511d4911c9

SHA512
1022b550396d61541d5fbe13b6ffe7403390db453efd7ec6cb311e387d858f867bf86dd1dc403cc35de5cd96e993ce8d90b5f9a1e4ee9c666bc64186467906d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vx9Tf2mG.exe

Filesize
1.3MB

MD5
9b5cbe1904bc39d7252f5e273ea9c934

SHA1
eb6b99c1221b4df81351a848cf6011e42a0f2f9e

SHA256
d7f37b70a1c710b5112c8d7038dc7350fd41a853697ec19d9d4841511d4911c9

SHA512
1022b550396d61541d5fbe13b6ffe7403390db453efd7ec6cb311e387d858f867bf86dd1dc403cc35de5cd96e993ce8d90b5f9a1e4ee9c666bc64186467906d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jc6VZ7Uh.exe

Filesize
821KB

MD5
8a1e9cd958924c6c6764bac4b80e14af

SHA1
d1217806104ac8bc4cbdd6f9b94feb1c2eabf1c3

SHA256
207d4b6ea06d4148608889ef69d4d051c6cdce826965f14eb529607ddaab4a55

SHA512
545383a135c06a86efcd3effa86f55753ceaa3137fecc3fb32b2dd81fe7de0ce02c862d15ada13ece66b9c4991c5403ed67f9cfc620cbc49d882dec16cd9f62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Jc6VZ7Uh.exe

Filesize
821KB

MD5
8a1e9cd958924c6c6764bac4b80e14af

SHA1
d1217806104ac8bc4cbdd6f9b94feb1c2eabf1c3

SHA256
207d4b6ea06d4148608889ef69d4d051c6cdce826965f14eb529607ddaab4a55

SHA512
545383a135c06a86efcd3effa86f55753ceaa3137fecc3fb32b2dd81fe7de0ce02c862d15ada13ece66b9c4991c5403ed67f9cfc620cbc49d882dec16cd9f62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZQ9HC7dY.exe

Filesize
649KB

MD5
fc122bf631de57f959728ea35e1b578f

SHA1
20ec5416ae3d8514433ef2b91bab543f3b8848c8

SHA256
7610f02b135acafe48822394c7cae381ced434d392c8cf351531ea6d4f32cd84

SHA512
83d0cb095617b41a8cbe123ad4394ff14184b3a411372e7a6da76afd0bd09e6b5422adb95d478f8ee5d1d2ab0bf8ccae714904fdb3db144bbf009530fce502f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ZQ9HC7dY.exe

Filesize
649KB

MD5
fc122bf631de57f959728ea35e1b578f

SHA1
20ec5416ae3d8514433ef2b91bab543f3b8848c8

SHA256
7610f02b135acafe48822394c7cae381ced434d392c8cf351531ea6d4f32cd84

SHA512
83d0cb095617b41a8cbe123ad4394ff14184b3a411372e7a6da76afd0bd09e6b5422adb95d478f8ee5d1d2ab0bf8ccae714904fdb3db144bbf009530fce502f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Li28mK4.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Li28mK4.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR401bJ.exe

Filesize
231KB

MD5
be88c29b04026a8eb59d4d31c6afb9cc

SHA1
33d9823dcb98a339c04f18d63417c62665081223

SHA256
7017b8e337e48b5140bfb6c5e409df5e4461e10a382067fa6d7647eb0df7edae

SHA512
9e5ba340ae0c8695a97827198a932e765a31af2a69703a80bc8e03e9a5c1d98971a9c9676b6eedb204b4f636fcf1e44d552f8a85c03376d247d8c4c35228d791

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR401bJ.exe

Filesize
231KB

MD5
be88c29b04026a8eb59d4d31c6afb9cc

SHA1
33d9823dcb98a339c04f18d63417c62665081223

SHA256
7017b8e337e48b5140bfb6c5e409df5e4461e10a382067fa6d7647eb0df7edae

SHA512
9e5ba340ae0c8695a97827198a932e765a31af2a69703a80bc8e03e9a5c1d98971a9c9676b6eedb204b4f636fcf1e44d552f8a85c03376d247d8c4c35228d791

Download Submit
memory/3080-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3080-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3080-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3080-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3912-46-0x00000000071D0000-0x0000000007262000-memory.dmp

Filesize
584KB

Download
memory/3912-44-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-45-0x00000000076A0000-0x0000000007C44000-memory.dmp

Filesize
5.6MB

Download
memory/3912-43-0x0000000000410000-0x000000000044E000-memory.dmp

Filesize
248KB

Download
memory/3912-47-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download
memory/3912-48-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/3912-49-0x0000000008270000-0x0000000008888000-memory.dmp

Filesize
6.1MB

Download
memory/3912-50-0x0000000007540000-0x000000000764A000-memory.dmp

Filesize
1.0MB

Download
memory/3912-51-0x0000000007470000-0x0000000007482000-memory.dmp

Filesize
72KB

Download
memory/3912-52-0x00000000074D0000-0x000000000750C000-memory.dmp

Filesize
240KB

Download
memory/3912-53-0x0000000007650000-0x000000000769C000-memory.dmp

Filesize
304KB

Download
memory/3912-54-0x0000000073D20000-0x00000000744D0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-55-0x00000000073D0000-0x00000000073E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads