mystic | ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe
Size

1.2MB
MD5

2216ecad807d5a5060e52cee08e93633
SHA1

6b4514ade3dded88bb805c37275d461781ee8459
SHA256

ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a
SHA512

c70fb9d6e92788215214aa1088c5908d532f369f17b9c8e03c6a5a5b9291b25522bcf34698937ec26595cf4dbc27ce1096cc20a4b62fc7fb09bc36b37cc1359c
SSDEEP

24576:Hygx1DqX7JQ8k2IhsncGleWShMc3Z1VMRYoSzUFHE:Ss1DqbHXDeWm1VMRYoS

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1200-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1200-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1200-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1200-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe	family_redline
behavioral2/memory/2620-43-0x00000000000F0000-0x000000000012E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

pS1fG3Fa.exejM2SO0wf.exesO2Hp1QO.exeIm2Lh5TU.exe1Jg65Km8.exe2Yb253ww.exe

pid process

1556 pS1fG3Fa.exe
2360 jM2SO0wf.exe
3988 sO2Hp1QO.exe
3808 Im2Lh5TU.exe
4188 1Jg65Km8.exe
2620 2Yb253ww.exe

pid	process
1556	pS1fG3Fa.exe
2360	jM2SO0wf.exe
3988	sO2Hp1QO.exe
3808	Im2Lh5TU.exe
4188	1Jg65Km8.exe
2620	2Yb253ww.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exepS1fG3Fa.exejM2SO0wf.exesO2Hp1QO.exeIm2Lh5TU.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pS1fG3Fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jM2SO0wf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sO2Hp1QO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Im2Lh5TU.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1Jg65Km8.exe

description pid process target process

PID 4188 set thread context of 1200 4188 1Jg65Km8.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3168 1200 WerFault.exe AppLaunch.exe
4696 4188 WerFault.exe 1Jg65Km8.exe

description	pid	process	target process
PID 4188 set thread context of 1200	4188	1Jg65Km8.exe	AppLaunch.exe

pid	pid_target	process	target process
3168	1200	WerFault.exe	AppLaunch.exe
4696	4188	WerFault.exe	1Jg65Km8.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exepS1fG3Fa.exejM2SO0wf.exesO2Hp1QO.exeIm2Lh5TU.exe1Jg65Km8.exe

description	pid	process	target process
PID 1504 wrote to memory of 1556	1504	NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe	pS1fG3Fa.exe
PID 1504 wrote to memory of 1556	1504	NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe	pS1fG3Fa.exe
PID 1504 wrote to memory of 1556	1504	NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe	pS1fG3Fa.exe
PID 1556 wrote to memory of 2360	1556	pS1fG3Fa.exe	jM2SO0wf.exe
PID 1556 wrote to memory of 2360	1556	pS1fG3Fa.exe	jM2SO0wf.exe
PID 1556 wrote to memory of 2360	1556	pS1fG3Fa.exe	jM2SO0wf.exe
PID 2360 wrote to memory of 3988	2360	jM2SO0wf.exe	sO2Hp1QO.exe
PID 2360 wrote to memory of 3988	2360	jM2SO0wf.exe	sO2Hp1QO.exe
PID 2360 wrote to memory of 3988	2360	jM2SO0wf.exe	sO2Hp1QO.exe
PID 3988 wrote to memory of 3808	3988	sO2Hp1QO.exe	Im2Lh5TU.exe
PID 3988 wrote to memory of 3808	3988	sO2Hp1QO.exe	Im2Lh5TU.exe
PID 3988 wrote to memory of 3808	3988	sO2Hp1QO.exe	Im2Lh5TU.exe
PID 3808 wrote to memory of 4188	3808	Im2Lh5TU.exe	1Jg65Km8.exe
PID 3808 wrote to memory of 4188	3808	Im2Lh5TU.exe	1Jg65Km8.exe
PID 3808 wrote to memory of 4188	3808	Im2Lh5TU.exe	1Jg65Km8.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 4188 wrote to memory of 1200	4188	1Jg65Km8.exe	AppLaunch.exe
PID 3808 wrote to memory of 2620	3808	Im2Lh5TU.exe	2Yb253ww.exe
PID 3808 wrote to memory of 2620	3808	Im2Lh5TU.exe	2Yb253ww.exe
PID 3808 wrote to memory of 2620	3808	Im2Lh5TU.exe	2Yb253ww.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ddacad369bdc13de3e96f4ecfee84a08e9bfbc576fcd1fb49f18852d17492c0a_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pS1fG3Fa.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pS1fG3Fa.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2SO0wf.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2SO0wf.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sO2Hp1QO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sO2Hp1QO.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3988

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im2Lh5TU.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im2Lh5TU.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jg65Km8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jg65Km8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 196
8⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 592
7⤵
- Program crash
PID:4696

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe
6⤵
- Executes dropped EXE
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4188 -ip 4188
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1200 -ip 1200
1⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pS1fG3Fa.exe
Filesize
1.0MB

MD5
a7543a6d367ce3b64480f2e08e9d5199

SHA1
8b8a89d6f1992df15b02e75d7acd40cc06e1d5ae

SHA256
5823925d139ce7818401631c48b26b293fabc432e81bfff43e500d668c2c7839

SHA512
0daf0117a5f41874b69d0b70bddc7c127170dcfec4f80b48001a00db4b752f44a7799d64890e862ed2ae004edbbbbc3eee07eb190384b7d1361be054974e1680

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pS1fG3Fa.exe
Filesize
1.0MB

MD5
a7543a6d367ce3b64480f2e08e9d5199

SHA1
8b8a89d6f1992df15b02e75d7acd40cc06e1d5ae

SHA256
5823925d139ce7818401631c48b26b293fabc432e81bfff43e500d668c2c7839

SHA512
0daf0117a5f41874b69d0b70bddc7c127170dcfec4f80b48001a00db4b752f44a7799d64890e862ed2ae004edbbbbc3eee07eb190384b7d1361be054974e1680

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2SO0wf.exe
Filesize
884KB

MD5
647ee86523eaecfe1a5c7ccbefbb285b

SHA1
eebdfa46090344086969e33d80bccbc5c13db95a

SHA256
33fd4eac40ad1872bfe8043978598ec1dbdd9c5dac1e9e78dfa94c0f040bf933

SHA512
8a842841ecc7ee9a469c4e59ed6e31ff79d72d5d91dca21a08b0068d64f1d5c9cdabf4e95f893b1807a6711b8af81854fd94756c370399fbe4dee701253400c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jM2SO0wf.exe
Filesize
884KB

MD5
647ee86523eaecfe1a5c7ccbefbb285b

SHA1
eebdfa46090344086969e33d80bccbc5c13db95a

SHA256
33fd4eac40ad1872bfe8043978598ec1dbdd9c5dac1e9e78dfa94c0f040bf933

SHA512
8a842841ecc7ee9a469c4e59ed6e31ff79d72d5d91dca21a08b0068d64f1d5c9cdabf4e95f893b1807a6711b8af81854fd94756c370399fbe4dee701253400c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sO2Hp1QO.exe
Filesize
590KB

MD5
e7afa3f04af45c3dee2e3ceba4a7b592

SHA1
da365c140dedb4cfe5fd99f1757850fa96ea9678

SHA256
19fecbe7c4fe6b587e9187b3f59959dda087600171b81a7b00d2615556d69471

SHA512
307ea14058f2e86f0038f8b8ffa34230dbf5bb78c9572c8dfb861f283ea75534619ece5b6a329cc1d0c0f658899c08ee84ee2c8be3f8cdfd2df586058e604d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sO2Hp1QO.exe
Filesize
590KB

MD5
e7afa3f04af45c3dee2e3ceba4a7b592

SHA1
da365c140dedb4cfe5fd99f1757850fa96ea9678

SHA256
19fecbe7c4fe6b587e9187b3f59959dda087600171b81a7b00d2615556d69471

SHA512
307ea14058f2e86f0038f8b8ffa34230dbf5bb78c9572c8dfb861f283ea75534619ece5b6a329cc1d0c0f658899c08ee84ee2c8be3f8cdfd2df586058e604d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im2Lh5TU.exe
Filesize
417KB

MD5
413d949438db4adf4746f42b3e558d82

SHA1
a4c8069ef945792a9820520d2a710cceb9e52e8a

SHA256
826a3434edfe24b0e761d08da3d037fb2e5bf124d4c0b05aaa4b12ee17426788

SHA512
f06ddb9186c293fa1f88a4813a7b7eea2b909174d449edad86259548304a229e69d65957efb20bb14dc2712d1942a638a66fd4fd84cbc9366333545fe6b6f735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Im2Lh5TU.exe
Filesize
417KB

MD5
413d949438db4adf4746f42b3e558d82

SHA1
a4c8069ef945792a9820520d2a710cceb9e52e8a

SHA256
826a3434edfe24b0e761d08da3d037fb2e5bf124d4c0b05aaa4b12ee17426788

SHA512
f06ddb9186c293fa1f88a4813a7b7eea2b909174d449edad86259548304a229e69d65957efb20bb14dc2712d1942a638a66fd4fd84cbc9366333545fe6b6f735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jg65Km8.exe
Filesize
378KB

MD5
9c94eb162f0a9ae92b95895fb3265eac

SHA1
efa8e659462f885e6d2008d7811a7676e60bf8f4

SHA256
444634ca1af14b9e0dd0bff40452b501b2d54fe09740d933c38ab111a971f881

SHA512
fc90bca08f2aede3979db22a8a47d37c7b1a2cb3bc6f1b25a90f567054e7b8995fdcdaf13403cb8bfec4c80e8554eb8db3b531666dc3fde24ec2aea39028049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jg65Km8.exe
Filesize
378KB

MD5
9c94eb162f0a9ae92b95895fb3265eac

SHA1
efa8e659462f885e6d2008d7811a7676e60bf8f4

SHA256
444634ca1af14b9e0dd0bff40452b501b2d54fe09740d933c38ab111a971f881

SHA512
fc90bca08f2aede3979db22a8a47d37c7b1a2cb3bc6f1b25a90f567054e7b8995fdcdaf13403cb8bfec4c80e8554eb8db3b531666dc3fde24ec2aea39028049c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe
Filesize
231KB

MD5
1b267ab7ccf0013ecb3521fccb51e45c

SHA1
480fea81746ad365980b4043229ac5810d26476b

SHA256
2ec12ac88fa1a5ca2fa8c8fb4640451a2b8d8ba63315a4587468805aa23bacb9

SHA512
076153fbcfb99c7cf64f6ea1fdb0a2ddda049acd87898fc43ae40646be5c100bbb52ea15ab6fc46f4783beda0b5db9e748af3d2cf0338908da15cb071b437a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Yb253ww.exe
Filesize
231KB

MD5
1b267ab7ccf0013ecb3521fccb51e45c

SHA1
480fea81746ad365980b4043229ac5810d26476b

SHA256
2ec12ac88fa1a5ca2fa8c8fb4640451a2b8d8ba63315a4587468805aa23bacb9

SHA512
076153fbcfb99c7cf64f6ea1fdb0a2ddda049acd87898fc43ae40646be5c100bbb52ea15ab6fc46f4783beda0b5db9e748af3d2cf0338908da15cb071b437a86

Download Submit
memory/1200-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1200-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1200-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1200-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2620-46-0x0000000006EE0000-0x0000000006F72000-memory.dmp

Filesize
584KB

Download
memory/2620-43-0x00000000000F0000-0x000000000012E000-memory.dmp

Filesize
248KB

Download
memory/2620-45-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/2620-44-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-47-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download
memory/2620-48-0x0000000006ED0000-0x0000000006EDA000-memory.dmp

Filesize
40KB

Download
memory/2620-49-0x0000000007FC0000-0x00000000085D8000-memory.dmp

Filesize
6.1MB

Download
memory/2620-50-0x00000000079A0000-0x0000000007AAA000-memory.dmp

Filesize
1.0MB

Download
memory/2620-51-0x0000000007290000-0x00000000072A2000-memory.dmp

Filesize
72KB

Download
memory/2620-52-0x00000000072F0000-0x000000000732C000-memory.dmp

Filesize
240KB

Download
memory/2620-53-0x0000000007330000-0x000000000737C000-memory.dmp

Filesize
304KB

Download
memory/2620-54-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-55-0x00000000070E0000-0x00000000070F0000-memory.dmp

Filesize
64KB

Download