mystic | 72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f

Analysis

max time kernel
167s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe
Size

1.2MB
MD5

d39519f7684e4043c3e672c9ce96ea49
SHA1

3e4cf0d43c44d40bf131fa4b49987fc5fde96f5c
SHA256

72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f
SHA512

0e715324684d1500e8654b1073fe76e1fa38c48e35d9f896fd3291d6e2e09162180c00482855a5553d092823eebfc004586727ccceaf5377fbe1f7d2828d912e
SSDEEP

24576:SyXl3fcp08vX+Aqpp+L0ZLxWnN3GAe7pY/nF1SBs:5XtfMdvX9qjv0naO/zo

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/2200-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2200-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2200-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2200-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231f4-41.dat	family_redline
behavioral2/files/0x00060000000231f4-42.dat	family_redline
behavioral2/memory/1496-43-0x0000000000440000-0x000000000047E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2372	QV4hF4Wu.exe
688	Uv5AA4KK.exe
1716	Vb2Nb0zR.exe
1552	eq4yI0eE.exe
3068	1mr53WH1.exe
1496	2QR966ET.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Uv5AA4KK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Vb2Nb0zR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	eq4yI0eE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QV4hF4Wu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2200	3068	1mr53WH1.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1448	3068	WerFault.exe	90
2932	2200	WerFault.exe	92

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2372	4644	NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe	86
PID 4644 wrote to memory of 2372	4644	NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe	86
PID 4644 wrote to memory of 2372	4644	NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe	86
PID 2372 wrote to memory of 688	2372	QV4hF4Wu.exe	87
PID 2372 wrote to memory of 688	2372	QV4hF4Wu.exe	87
PID 2372 wrote to memory of 688	2372	QV4hF4Wu.exe	87
PID 688 wrote to memory of 1716	688	Uv5AA4KK.exe	88
PID 688 wrote to memory of 1716	688	Uv5AA4KK.exe	88
PID 688 wrote to memory of 1716	688	Uv5AA4KK.exe	88
PID 1716 wrote to memory of 1552	1716	Vb2Nb0zR.exe	89
PID 1716 wrote to memory of 1552	1716	Vb2Nb0zR.exe	89
PID 1716 wrote to memory of 1552	1716	Vb2Nb0zR.exe	89
PID 1552 wrote to memory of 3068	1552	eq4yI0eE.exe	90
PID 1552 wrote to memory of 3068	1552	eq4yI0eE.exe	90
PID 1552 wrote to memory of 3068	1552	eq4yI0eE.exe	90
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 3068 wrote to memory of 2200	3068	1mr53WH1.exe	92
PID 1552 wrote to memory of 1496	1552	eq4yI0eE.exe	99
PID 1552 wrote to memory of 1496	1552	eq4yI0eE.exe	99
PID 1552 wrote to memory of 1496	1552	eq4yI0eE.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.72e81f63c1ce3ff92f4a7f33c75a1c707392988def8901ab922efe607271c17f_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV4hF4Wu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV4hF4Wu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uv5AA4KK.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uv5AA4KK.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb2Nb0zR.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb2Nb0zR.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eq4yI0eE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eq4yI0eE.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1552
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mr53WH1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mr53WH1.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 540
        8⤵
        Program crash
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 592
        7⤵
        Program crash
        
        PID:1448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR966ET.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR966ET.exe
        6⤵
        Executes dropped EXE
        
        PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3068 -ip 3068
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2200 -ip 2200
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV4hF4Wu.exe

Filesize
1.0MB

MD5
4b2f60d92ce938c33f1c3df38b7373f2

SHA1
213e759ede3b91cac8bc4995c740e9bdd323f4c4

SHA256
77a80748c6ea1a9eace3e198c4a7c3e6ee521b4f092b5fd38e7818139f6204b5

SHA512
bc0da38b3312688b17eed9a7613e1f4f8e58ab80ccdbde977c60f6f7395d16dc10daba429d0a33ab163d9ca38a98ad58ffd510d9eb599a807a33dfc9fa93f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QV4hF4Wu.exe

Filesize
1.0MB

MD5
4b2f60d92ce938c33f1c3df38b7373f2

SHA1
213e759ede3b91cac8bc4995c740e9bdd323f4c4

SHA256
77a80748c6ea1a9eace3e198c4a7c3e6ee521b4f092b5fd38e7818139f6204b5

SHA512
bc0da38b3312688b17eed9a7613e1f4f8e58ab80ccdbde977c60f6f7395d16dc10daba429d0a33ab163d9ca38a98ad58ffd510d9eb599a807a33dfc9fa93f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uv5AA4KK.exe

Filesize
884KB

MD5
aee5889d7a6e3bb9b8e7d8989b2b4bdd

SHA1
12567494309369bb902bf4d13f66a6c57ff6149d

SHA256
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8

SHA512
2e85c20244c3a51c762076fedcacb87c32af1702da61c1db00889736781c64eaaf03dc44dd9f6219155886bf899a90f17db1ee49ef29c6b035f4b1d5dc6f316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uv5AA4KK.exe

Filesize
884KB

MD5
aee5889d7a6e3bb9b8e7d8989b2b4bdd

SHA1
12567494309369bb902bf4d13f66a6c57ff6149d

SHA256
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8

SHA512
2e85c20244c3a51c762076fedcacb87c32af1702da61c1db00889736781c64eaaf03dc44dd9f6219155886bf899a90f17db1ee49ef29c6b035f4b1d5dc6f316c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb2Nb0zR.exe

Filesize
590KB

MD5
b35f3858aa1170e2f95ec1c4b3261bd6

SHA1
a039c19ce6e7b23eb63f353612f0d50e8ad8bf3a

SHA256
271c94f6bca64d703ef5ac1bc9fabf62fa9450877570b9aa432be14bea668801

SHA512
169195a7b28112c54ba7e5056a9c56bacfc786abdcd0ba394c6f479e603ed447e239013aec15e82d78390c0a4e38760c582b43053570d5e3e35b74451722d586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb2Nb0zR.exe

Filesize
590KB

MD5
b35f3858aa1170e2f95ec1c4b3261bd6

SHA1
a039c19ce6e7b23eb63f353612f0d50e8ad8bf3a

SHA256
271c94f6bca64d703ef5ac1bc9fabf62fa9450877570b9aa432be14bea668801

SHA512
169195a7b28112c54ba7e5056a9c56bacfc786abdcd0ba394c6f479e603ed447e239013aec15e82d78390c0a4e38760c582b43053570d5e3e35b74451722d586

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eq4yI0eE.exe

Filesize
417KB

MD5
e5b8819ec3bfdb4f9d0d1660cfd09f33

SHA1
83e4326fd253165d1e82bfe1cf437a53d4f1f4e0

SHA256
6dc9cfd058ef5ddbcfeee6c32e8c6d968cfba7b8a78a020fa30abd612bd964f4

SHA512
25f55829bc69303fda0e0d3fdf4bad33c5c85b40ff6690fce48396a77c7e4256390d09bb48b375568b4556aca1bb498edf09596efade7c2fc1a5260c5583e298

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\eq4yI0eE.exe

Filesize
417KB

MD5
e5b8819ec3bfdb4f9d0d1660cfd09f33

SHA1
83e4326fd253165d1e82bfe1cf437a53d4f1f4e0

SHA256
6dc9cfd058ef5ddbcfeee6c32e8c6d968cfba7b8a78a020fa30abd612bd964f4

SHA512
25f55829bc69303fda0e0d3fdf4bad33c5c85b40ff6690fce48396a77c7e4256390d09bb48b375568b4556aca1bb498edf09596efade7c2fc1a5260c5583e298

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mr53WH1.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mr53WH1.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR966ET.exe

Filesize
231KB

MD5
0ba419dcb5dbcc474a6fa77ebee93be4

SHA1
060e768553a44694e4ac882ec96f5d309c47645c

SHA256
0aa9c3d925b98c3a3b242a22f44dc5e0a194b397b1aebd621265273b93b3d965

SHA512
e07cec9203fd002e2e51cb85c571bf164540cf46e0510d23aeb8a1dcbe31bb862f4fb8a8d842e0f3cbe228164dec2087f7213f5fc1af36607f2c1863a1e126fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2QR966ET.exe

Filesize
231KB

MD5
0ba419dcb5dbcc474a6fa77ebee93be4

SHA1
060e768553a44694e4ac882ec96f5d309c47645c

SHA256
0aa9c3d925b98c3a3b242a22f44dc5e0a194b397b1aebd621265273b93b3d965

SHA512
e07cec9203fd002e2e51cb85c571bf164540cf46e0510d23aeb8a1dcbe31bb862f4fb8a8d842e0f3cbe228164dec2087f7213f5fc1af36607f2c1863a1e126fe

Download Submit
memory/1496-46-0x00000000071C0000-0x0000000007252000-memory.dmp

Filesize
584KB

Download
memory/1496-48-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/1496-55-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/1496-54-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1496-44-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1496-43-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1496-45-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/1496-53-0x0000000007550000-0x000000000759C000-memory.dmp

Filesize
304KB

Download
memory/1496-52-0x0000000007510000-0x000000000754C000-memory.dmp

Filesize
240KB

Download
memory/1496-49-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/1496-47-0x0000000007390000-0x00000000073A0000-memory.dmp

Filesize
64KB

Download
memory/1496-50-0x00000000075A0000-0x00000000076AA000-memory.dmp

Filesize
1.0MB

Download
memory/1496-51-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/2200-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads