mystic | 300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe
Size

1.2MB
MD5

d0c1af93a3f6d35a464a5bfe57a324f5
SHA1

8b37fe4cda0ea152950412829c3aca2cd3262347
SHA256

300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e
SHA512

eea1d81b803e0a3558c99cdc02b6fbdad9d19d3749c1bfd030c9546ce5a1c9121e38a733b78bc34248a8fdf9727663601117260906bf3002e4d492fba5e56295
SSDEEP

24576:ayECoKrMdqf3Ef1dCfivYqpkBVp0jJxBjrgeXBn+Whcb5R8uV:hSs3Ef1a4pVjJL/geRnVub5uu

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4820-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4820-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4820-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4820-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe	family_redline
behavioral2/memory/2576-44-0x0000000000C70000-0x0000000000CAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

sD7uY8og.exeUq8RQ5gd.exekT5VV6EA.exemz7rK4RH.exe1SS20pT5.exe2NN873EZ.exe

pid process

4144 sD7uY8og.exe
5092 Uq8RQ5gd.exe
2940 kT5VV6EA.exe
1464 mz7rK4RH.exe
4628 1SS20pT5.exe
2576 2NN873EZ.exe

pid	process
4144	sD7uY8og.exe
5092	Uq8RQ5gd.exe
2940	kT5VV6EA.exe
1464	mz7rK4RH.exe
4628	1SS20pT5.exe
2576	2NN873EZ.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sD7uY8og.exeUq8RQ5gd.exekT5VV6EA.exemz7rK4RH.exeNEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sD7uY8og.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Uq8RQ5gd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kT5VV6EA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	mz7rK4RH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1SS20pT5.exe

description pid process target process

PID 4628 set thread context of 4820 4628 1SS20pT5.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4248 4820 WerFault.exe AppLaunch.exe
3328 4628 WerFault.exe 1SS20pT5.exe

description	pid	process	target process
PID 4628 set thread context of 4820	4628	1SS20pT5.exe	AppLaunch.exe

pid	pid_target	process	target process
4248	4820	WerFault.exe	AppLaunch.exe
3328	4628	WerFault.exe	1SS20pT5.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exesD7uY8og.exeUq8RQ5gd.exekT5VV6EA.exemz7rK4RH.exe1SS20pT5.exe

description	pid	process	target process
PID 1076 wrote to memory of 4144	1076	NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe	sD7uY8og.exe
PID 1076 wrote to memory of 4144	1076	NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe	sD7uY8og.exe
PID 1076 wrote to memory of 4144	1076	NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe	sD7uY8og.exe
PID 4144 wrote to memory of 5092	4144	sD7uY8og.exe	Uq8RQ5gd.exe
PID 4144 wrote to memory of 5092	4144	sD7uY8og.exe	Uq8RQ5gd.exe
PID 4144 wrote to memory of 5092	4144	sD7uY8og.exe	Uq8RQ5gd.exe
PID 5092 wrote to memory of 2940	5092	Uq8RQ5gd.exe	kT5VV6EA.exe
PID 5092 wrote to memory of 2940	5092	Uq8RQ5gd.exe	kT5VV6EA.exe
PID 5092 wrote to memory of 2940	5092	Uq8RQ5gd.exe	kT5VV6EA.exe
PID 2940 wrote to memory of 1464	2940	kT5VV6EA.exe	mz7rK4RH.exe
PID 2940 wrote to memory of 1464	2940	kT5VV6EA.exe	mz7rK4RH.exe
PID 2940 wrote to memory of 1464	2940	kT5VV6EA.exe	mz7rK4RH.exe
PID 1464 wrote to memory of 4628	1464	mz7rK4RH.exe	1SS20pT5.exe
PID 1464 wrote to memory of 4628	1464	mz7rK4RH.exe	1SS20pT5.exe
PID 1464 wrote to memory of 4628	1464	mz7rK4RH.exe	1SS20pT5.exe
PID 4628 wrote to memory of 3152	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 3152	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 3152	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 4628 wrote to memory of 4820	4628	1SS20pT5.exe	AppLaunch.exe
PID 1464 wrote to memory of 2576	1464	mz7rK4RH.exe	2NN873EZ.exe
PID 1464 wrote to memory of 2576	1464	mz7rK4RH.exe	2NN873EZ.exe
PID 1464 wrote to memory of 2576	1464	mz7rK4RH.exe	2NN873EZ.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.300eea77472a8e52b3f2ddc9616f05d14b8a344c410b3b0568b611fdeb2ab03e_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sD7uY8og.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sD7uY8og.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uq8RQ5gd.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uq8RQ5gd.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5VV6EA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5VV6EA.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2940

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mz7rK4RH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mz7rK4RH.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SS20pT5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SS20pT5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 540
8⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 616
7⤵
- Program crash
PID:3328

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe
6⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4628 -ip 4628
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4820 -ip 4820
1⤵
PID:4660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sD7uY8og.exe
Filesize
1.0MB

MD5
25067c88c1b0d9c14e252daafa8c6fa6

SHA1
6f982e04c68baadc475f246db0b4753be70d6d9b

SHA256
c0734f423bb8748302e58f63e189985f8d0e5777c1e0b2ecd60d1d1029e980e5

SHA512
6f1e01ec4fdf2844177f4fec16a2fe3fa1e6cd577bd6fd4ff23fca9bc145bc27561e69571c10680b7d1c0eb1ad3fc14e4def259a630df003154fc2a19a18f4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sD7uY8og.exe
Filesize
1.0MB

MD5
25067c88c1b0d9c14e252daafa8c6fa6

SHA1
6f982e04c68baadc475f246db0b4753be70d6d9b

SHA256
c0734f423bb8748302e58f63e189985f8d0e5777c1e0b2ecd60d1d1029e980e5

SHA512
6f1e01ec4fdf2844177f4fec16a2fe3fa1e6cd577bd6fd4ff23fca9bc145bc27561e69571c10680b7d1c0eb1ad3fc14e4def259a630df003154fc2a19a18f4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uq8RQ5gd.exe
Filesize
883KB

MD5
876bc3c4f6cc80de6cb6ae804635e809

SHA1
2b47e1aac8aed52d60f6fafe851949c2c58571b5

SHA256
7a0b3320e0257e14a5a417d502fb500d1b867acd29590c05d9c97b349388463c

SHA512
19997b83df7d4245edb1061e4f1c94a6fcd031735043570e14e307e54bebba85fe24e1139911dd3250fbf42682a8ed2e38e2b12ae0d60498025a36d6cb13f454

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uq8RQ5gd.exe
Filesize
883KB

MD5
876bc3c4f6cc80de6cb6ae804635e809

SHA1
2b47e1aac8aed52d60f6fafe851949c2c58571b5

SHA256
7a0b3320e0257e14a5a417d502fb500d1b867acd29590c05d9c97b349388463c

SHA512
19997b83df7d4245edb1061e4f1c94a6fcd031735043570e14e307e54bebba85fe24e1139911dd3250fbf42682a8ed2e38e2b12ae0d60498025a36d6cb13f454

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5VV6EA.exe
Filesize
590KB

MD5
2881657188808e4a306e00b89195c73a

SHA1
83020c8208643d9d27c7844758baccab8a15482c

SHA256
77492f34e914abfed88413e5ec6e559b847dc2a8fcd50d480e4b6c5285835fe3

SHA512
fdb69dacc2e8805737c361052f292a91ae706f4b548caec3e66d68376d5c9444edde3f15db86265d98e43238050a6a3fd6492e8259e8e7d9c92f348fba262148

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kT5VV6EA.exe
Filesize
590KB

MD5
2881657188808e4a306e00b89195c73a

SHA1
83020c8208643d9d27c7844758baccab8a15482c

SHA256
77492f34e914abfed88413e5ec6e559b847dc2a8fcd50d480e4b6c5285835fe3

SHA512
fdb69dacc2e8805737c361052f292a91ae706f4b548caec3e66d68376d5c9444edde3f15db86265d98e43238050a6a3fd6492e8259e8e7d9c92f348fba262148

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mz7rK4RH.exe
Filesize
417KB

MD5
f3d9b75cb50765335ab49c7de14506d9

SHA1
a589adfc605295ec011fc082838651db9f8c9aed

SHA256
850361490edd12aa6dafa7277fd6f72264ec9134a4fe6af4547121f77ab9971e

SHA512
e3144514e3b42e8da420627c7c3f40adbc43670b17eaeb9c418187a7d838aca6e9da7dd96ae4f711ac1cc5abaf25307709b02e43e5cd7452e9a652e33863c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mz7rK4RH.exe
Filesize
417KB

MD5
f3d9b75cb50765335ab49c7de14506d9

SHA1
a589adfc605295ec011fc082838651db9f8c9aed

SHA256
850361490edd12aa6dafa7277fd6f72264ec9134a4fe6af4547121f77ab9971e

SHA512
e3144514e3b42e8da420627c7c3f40adbc43670b17eaeb9c418187a7d838aca6e9da7dd96ae4f711ac1cc5abaf25307709b02e43e5cd7452e9a652e33863c6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SS20pT5.exe
Filesize
378KB

MD5
25946afd455a920541192ac878a714ac

SHA1
4e8edd37d9358bdd9858bb2b6abe4eb9df4b4d9a

SHA256
76e905725074287687ce5d1d3a55613206a04671e89fee998c9ad44ffd99af46

SHA512
9a81f9e5c959186b2d0a048ec1450a6107fb6679280e557c9aa0215b27c7197e00bc2ec54f6f33302b9be792a75f3685f61f26695b0f37a92f3b8040532082db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SS20pT5.exe
Filesize
378KB

MD5
25946afd455a920541192ac878a714ac

SHA1
4e8edd37d9358bdd9858bb2b6abe4eb9df4b4d9a

SHA256
76e905725074287687ce5d1d3a55613206a04671e89fee998c9ad44ffd99af46

SHA512
9a81f9e5c959186b2d0a048ec1450a6107fb6679280e557c9aa0215b27c7197e00bc2ec54f6f33302b9be792a75f3685f61f26695b0f37a92f3b8040532082db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe
Filesize
231KB

MD5
b70619eb3c55cc2131f8d0861eb7a86e

SHA1
a034114ffb0a0089dab88bc035d58cf1ecce932d

SHA256
61d5b01ae171e6f39c35753eaddddbc076912d1f3fedc885d0778e72b6abbd29

SHA512
44db720aca39ad6aa7ef2075986cbc04e23d2cd3ab1b5c00259a8699254b08dfa13c5252b19b9c3cdfcf7ea7958334f3c10078c60c10b7ba00f548d59ca04123

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NN873EZ.exe
Filesize
231KB

MD5
b70619eb3c55cc2131f8d0861eb7a86e

SHA1
a034114ffb0a0089dab88bc035d58cf1ecce932d

SHA256
61d5b01ae171e6f39c35753eaddddbc076912d1f3fedc885d0778e72b6abbd29

SHA512
44db720aca39ad6aa7ef2075986cbc04e23d2cd3ab1b5c00259a8699254b08dfa13c5252b19b9c3cdfcf7ea7958334f3c10078c60c10b7ba00f548d59ca04123

Download Submit
memory/2576-46-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/2576-43-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/2576-47-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/2576-55-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/2576-48-0x0000000007A60000-0x0000000007A6A000-memory.dmp

Filesize
40KB

Download
memory/2576-44-0x0000000000C70000-0x0000000000CAE000-memory.dmp

Filesize
248KB

Download
memory/2576-45-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/2576-49-0x0000000008B20000-0x0000000009138000-memory.dmp

Filesize
6.1MB

Download
memory/2576-54-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/2576-53-0x0000000007EB0000-0x0000000007EFC000-memory.dmp

Filesize
304KB

Download
memory/2576-52-0x0000000007E70000-0x0000000007EAC000-memory.dmp

Filesize
240KB

Download
memory/2576-50-0x0000000008500000-0x000000000860A000-memory.dmp

Filesize
1.0MB

Download
memory/2576-51-0x0000000007E10000-0x0000000007E22000-memory.dmp

Filesize
72KB

Download
memory/4820-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4820-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4820-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4820-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download