mystic | 713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe
Size

1.2MB
MD5

e84afaf23abab5126c6516ee0485afeb
SHA1

3ec8f6019c1369b6bd61616c7d3d703b7b273640
SHA256

713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c
SHA512

335b2ec77751e31bd2badecc3163e0f384a05e8c9e07224028f24d6b43363431ef61c6f7b1bb65dfbf3d585ffeb121d0a78da9d153ee42f2db5023782cfd8b3f
SSDEEP

24576:pyWNrbMAKDKXynWbLNtz0UHXaiCDy7A6qAP6nsiJD7Np0:ckMQY6qi+y/qAynPJD7Np

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1624-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1624-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1624-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1624-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe	family_redline
behavioral2/memory/1244-43-0x0000000000F70000-0x0000000000FAE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

gQ0ST3Cf.exemC7Ly9IV.exekv3jv2aW.exett9zq9aE.exe1zW72rX5.exe2Hn146cY.exe

pid process

4192 gQ0ST3Cf.exe
624 mC7Ly9IV.exe
1268 kv3jv2aW.exe
2024 tt9zq9aE.exe
1304 1zW72rX5.exe
1244 2Hn146cY.exe

pid	process
4192	gQ0ST3Cf.exe
624	mC7Ly9IV.exe
1268	kv3jv2aW.exe
2024	tt9zq9aE.exe
1304	1zW72rX5.exe
1244	2Hn146cY.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kv3jv2aW.exett9zq9aE.exeNEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exegQ0ST3Cf.exemC7Ly9IV.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kv3jv2aW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	tt9zq9aE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gQ0ST3Cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	mC7Ly9IV.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1zW72rX5.exe

description pid process target process

PID 1304 set thread context of 1624 1304 1zW72rX5.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3304 1304 WerFault.exe 1zW72rX5.exe
5080 1624 WerFault.exe AppLaunch.exe

description	pid	process	target process
PID 1304 set thread context of 1624	1304	1zW72rX5.exe	AppLaunch.exe

pid	pid_target	process	target process
3304	1304	WerFault.exe	1zW72rX5.exe
5080	1624	WerFault.exe	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exegQ0ST3Cf.exemC7Ly9IV.exekv3jv2aW.exett9zq9aE.exe1zW72rX5.exe

description	pid	process	target process
PID 540 wrote to memory of 4192	540	NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe	gQ0ST3Cf.exe
PID 540 wrote to memory of 4192	540	NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe	gQ0ST3Cf.exe
PID 540 wrote to memory of 4192	540	NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe	gQ0ST3Cf.exe
PID 4192 wrote to memory of 624	4192	gQ0ST3Cf.exe	mC7Ly9IV.exe
PID 4192 wrote to memory of 624	4192	gQ0ST3Cf.exe	mC7Ly9IV.exe
PID 4192 wrote to memory of 624	4192	gQ0ST3Cf.exe	mC7Ly9IV.exe
PID 624 wrote to memory of 1268	624	mC7Ly9IV.exe	kv3jv2aW.exe
PID 624 wrote to memory of 1268	624	mC7Ly9IV.exe	kv3jv2aW.exe
PID 624 wrote to memory of 1268	624	mC7Ly9IV.exe	kv3jv2aW.exe
PID 1268 wrote to memory of 2024	1268	kv3jv2aW.exe	tt9zq9aE.exe
PID 1268 wrote to memory of 2024	1268	kv3jv2aW.exe	tt9zq9aE.exe
PID 1268 wrote to memory of 2024	1268	kv3jv2aW.exe	tt9zq9aE.exe
PID 2024 wrote to memory of 1304	2024	tt9zq9aE.exe	1zW72rX5.exe
PID 2024 wrote to memory of 1304	2024	tt9zq9aE.exe	1zW72rX5.exe
PID 2024 wrote to memory of 1304	2024	tt9zq9aE.exe	1zW72rX5.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 1304 wrote to memory of 1624	1304	1zW72rX5.exe	AppLaunch.exe
PID 2024 wrote to memory of 1244	2024	tt9zq9aE.exe	2Hn146cY.exe
PID 2024 wrote to memory of 1244	2024	tt9zq9aE.exe	2Hn146cY.exe
PID 2024 wrote to memory of 1244	2024	tt9zq9aE.exe	2Hn146cY.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.713146a5e9dd5ad2825448abd84d859a54a53ea06895d080f39a4ba51cb6888c_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ0ST3Cf.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ0ST3Cf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC7Ly9IV.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC7Ly9IV.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kv3jv2aW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kv3jv2aW.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tt9zq9aE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tt9zq9aE.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zW72rX5.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zW72rX5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 552
8⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 264
7⤵
- Program crash
PID:3304

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe
6⤵
- Executes dropped EXE
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1304 -ip 1304
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1624 -ip 1624
1⤵
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ0ST3Cf.exe
Filesize
1.0MB

MD5
761891430592c4895c99d966574d02e6

SHA1
846e3b451b74360d04a3f655b0aebac918a72596

SHA256
b93953fdcdc76448c045781faad16d62b8a36a6afd62f80be0282873da4027f5

SHA512
8305273afe90fc0aefb5dcfd4002803e5d9dcc1d7571e41d21448d4659d4231edd5516ff1d50a473c1005fc74c4160c44dbc78a3e31cff0de5dcaa978370e0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gQ0ST3Cf.exe
Filesize
1.0MB

MD5
761891430592c4895c99d966574d02e6

SHA1
846e3b451b74360d04a3f655b0aebac918a72596

SHA256
b93953fdcdc76448c045781faad16d62b8a36a6afd62f80be0282873da4027f5

SHA512
8305273afe90fc0aefb5dcfd4002803e5d9dcc1d7571e41d21448d4659d4231edd5516ff1d50a473c1005fc74c4160c44dbc78a3e31cff0de5dcaa978370e0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC7Ly9IV.exe
Filesize
884KB

MD5
44bddcaa992845f7a616cf6973811650

SHA1
0f84def06f4ec1ce715b28fd5cb717e7537eea19

SHA256
a3d95baca1835f33acb3813657b598ffac40cc330badb3145018f58f938ccfa7

SHA512
e41931410ca6571157ec7606eabd420701af46004d9ef3c3da1b20853625d5f5dbfa84b31ab04f7cf9cf834b2626062edf3ec9e05d55143385cf14e282bde4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mC7Ly9IV.exe
Filesize
884KB

MD5
44bddcaa992845f7a616cf6973811650

SHA1
0f84def06f4ec1ce715b28fd5cb717e7537eea19

SHA256
a3d95baca1835f33acb3813657b598ffac40cc330badb3145018f58f938ccfa7

SHA512
e41931410ca6571157ec7606eabd420701af46004d9ef3c3da1b20853625d5f5dbfa84b31ab04f7cf9cf834b2626062edf3ec9e05d55143385cf14e282bde4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kv3jv2aW.exe
Filesize
590KB

MD5
485d0b1e29e0de81c5e79f29a428ccd4

SHA1
42586dddb110bc1b0c284949efbed46a1e175a23

SHA256
024702ba67b622c2df2f6b3610157313745be0dc3a56cfb09b1dfda2462a04a7

SHA512
270d6f5731064b3b3d9d08e64d7f9c0d4047628f25aa36ecfd2b3f99d781d425259f4ceacc625f23c883e2e88b4087d25b08fdab1884764640233211802a8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kv3jv2aW.exe
Filesize
590KB

MD5
485d0b1e29e0de81c5e79f29a428ccd4

SHA1
42586dddb110bc1b0c284949efbed46a1e175a23

SHA256
024702ba67b622c2df2f6b3610157313745be0dc3a56cfb09b1dfda2462a04a7

SHA512
270d6f5731064b3b3d9d08e64d7f9c0d4047628f25aa36ecfd2b3f99d781d425259f4ceacc625f23c883e2e88b4087d25b08fdab1884764640233211802a8b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tt9zq9aE.exe
Filesize
417KB

MD5
7aa08cf6fbe974e88e2532f69b8ef3a2

SHA1
6b35673bda0f84bec19ba4e42e1de4d02e52ae35

SHA256
86ba139606398dc9be71eba2e43178399491665caab0354a93091b1ae5864def

SHA512
0cfc717cd8d1036be281d6a6c4bd87599df27e7cbf4b2af633cbbfd96dad723c3fa718d9b6db2ea91be96d6cf2d08de12f69cca202f60bf898cb5472ca566fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tt9zq9aE.exe
Filesize
417KB

MD5
7aa08cf6fbe974e88e2532f69b8ef3a2

SHA1
6b35673bda0f84bec19ba4e42e1de4d02e52ae35

SHA256
86ba139606398dc9be71eba2e43178399491665caab0354a93091b1ae5864def

SHA512
0cfc717cd8d1036be281d6a6c4bd87599df27e7cbf4b2af633cbbfd96dad723c3fa718d9b6db2ea91be96d6cf2d08de12f69cca202f60bf898cb5472ca566fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zW72rX5.exe
Filesize
378KB

MD5
20172dcb1253c831020ac279d3ff2e77

SHA1
0721bce4972c4c20e2f775a6c42117e7a1d4cb08

SHA256
8fcc594c3ea2994d6ed8d5207550b6f36d8e33d25fdc414b1e48fafba11bc2b7

SHA512
a0e8fedce0fe176a26c7961e1bf7440aa2d6db5a97b757085d36720acd377ad03fc006d7ba533080b4962a47a3f19cb44166d11c586146bd1feb32d48f441352

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zW72rX5.exe
Filesize
378KB

MD5
20172dcb1253c831020ac279d3ff2e77

SHA1
0721bce4972c4c20e2f775a6c42117e7a1d4cb08

SHA256
8fcc594c3ea2994d6ed8d5207550b6f36d8e33d25fdc414b1e48fafba11bc2b7

SHA512
a0e8fedce0fe176a26c7961e1bf7440aa2d6db5a97b757085d36720acd377ad03fc006d7ba533080b4962a47a3f19cb44166d11c586146bd1feb32d48f441352

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe
Filesize
231KB

MD5
cd09284b00fd068c493d93c64fc9e777

SHA1
f31c28d71983a171e751d4779b027a37729cc05a

SHA256
862d1e21f6c7ed83a11f5cb6c76884269b1b4d12050c85c262bdcc1148ad0365

SHA512
31d9340927626f20f11a70f8e8402fa49b1a6850113649be6f581dc0d93ac448f0bed4d6507d78af27ecefa1916e4d8944cd1b5a84a584f9ca02a1cf67b11ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hn146cY.exe
Filesize
231KB

MD5
cd09284b00fd068c493d93c64fc9e777

SHA1
f31c28d71983a171e751d4779b027a37729cc05a

SHA256
862d1e21f6c7ed83a11f5cb6c76884269b1b4d12050c85c262bdcc1148ad0365

SHA512
31d9340927626f20f11a70f8e8402fa49b1a6850113649be6f581dc0d93ac448f0bed4d6507d78af27ecefa1916e4d8944cd1b5a84a584f9ca02a1cf67b11ec2

Download Submit
memory/1244-46-0x0000000007CF0000-0x0000000007D82000-memory.dmp

Filesize
584KB

Download
memory/1244-43-0x0000000000F70000-0x0000000000FAE000-memory.dmp

Filesize
248KB

Download
memory/1244-47-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1244-55-0x0000000007F50000-0x0000000007F60000-memory.dmp

Filesize
64KB

Download
memory/1244-48-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

Filesize
40KB

Download
memory/1244-44-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1244-45-0x00000000081A0000-0x0000000008744000-memory.dmp

Filesize
5.6MB

Download
memory/1244-49-0x0000000008D70000-0x0000000009388000-memory.dmp

Filesize
6.1MB

Download
memory/1244-54-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1244-53-0x0000000008140000-0x000000000818C000-memory.dmp

Filesize
304KB

Download
memory/1244-52-0x0000000008750000-0x000000000878C000-memory.dmp

Filesize
240KB

Download
memory/1244-50-0x0000000008860000-0x000000000896A000-memory.dmp

Filesize
1.0MB

Download
memory/1244-51-0x0000000008110000-0x0000000008122000-memory.dmp

Filesize
72KB

Download
memory/1624-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1624-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1624-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1624-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download