mystic | df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe
Size

1.2MB
MD5

7a37d9200f1b26ef38d83fc8bab95593
SHA1

805048f58107db04ecb7fb403a31132adb8d72bf
SHA256

df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a
SHA512

170043c934432aa19938f312f3ab83a13561794c9514e19f6610122aa6ac07a80baaf0496eaaa497e92d1006be3c31f4e2a7d8b3a6eacafc3b862d4dd0e6b8bb
SSDEEP

24576:xyu7A5IXxBE1i1pHeD+6ryVXA8u7+SAoZl+2tf9J4VD:kuA5IBWo1pH+YZuq1W+F

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4764-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4764-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4764-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4764-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe	family_redline
behavioral2/memory/4688-43-0x00000000001A0000-0x00000000001DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

Mt9qp2jg.exeSd8RQ8kX.exesk0aN7Be.exeEr3iM5Xh.exe1DW33ET8.exe2NM322Sp.exe

pid process

2288 Mt9qp2jg.exe
2832 Sd8RQ8kX.exe
772 sk0aN7Be.exe
4308 Er3iM5Xh.exe
548 1DW33ET8.exe
4688 2NM322Sp.exe

pid	process
2288	Mt9qp2jg.exe
2832	Sd8RQ8kX.exe
772	sk0aN7Be.exe
4308	Er3iM5Xh.exe
548	1DW33ET8.exe
4688	2NM322Sp.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Er3iM5Xh.exeNEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exeMt9qp2jg.exeSd8RQ8kX.exesk0aN7Be.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Er3iM5Xh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Mt9qp2jg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Sd8RQ8kX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	sk0aN7Be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1DW33ET8.exe

description pid process target process

PID 548 set thread context of 4764 548 1DW33ET8.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3792 4764 WerFault.exe AppLaunch.exe
688 548 WerFault.exe 1DW33ET8.exe

description	pid	process	target process
PID 548 set thread context of 4764	548	1DW33ET8.exe	AppLaunch.exe

pid	pid_target	process	target process
3792	4764	WerFault.exe	AppLaunch.exe
688	548	WerFault.exe	1DW33ET8.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exeMt9qp2jg.exeSd8RQ8kX.exesk0aN7Be.exeEr3iM5Xh.exe1DW33ET8.exe

description	pid	process	target process
PID 1308 wrote to memory of 2288	1308	NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe	Mt9qp2jg.exe
PID 1308 wrote to memory of 2288	1308	NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe	Mt9qp2jg.exe
PID 1308 wrote to memory of 2288	1308	NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe	Mt9qp2jg.exe
PID 2288 wrote to memory of 2832	2288	Mt9qp2jg.exe	Sd8RQ8kX.exe
PID 2288 wrote to memory of 2832	2288	Mt9qp2jg.exe	Sd8RQ8kX.exe
PID 2288 wrote to memory of 2832	2288	Mt9qp2jg.exe	Sd8RQ8kX.exe
PID 2832 wrote to memory of 772	2832	Sd8RQ8kX.exe	sk0aN7Be.exe
PID 2832 wrote to memory of 772	2832	Sd8RQ8kX.exe	sk0aN7Be.exe
PID 2832 wrote to memory of 772	2832	Sd8RQ8kX.exe	sk0aN7Be.exe
PID 772 wrote to memory of 4308	772	sk0aN7Be.exe	Er3iM5Xh.exe
PID 772 wrote to memory of 4308	772	sk0aN7Be.exe	Er3iM5Xh.exe
PID 772 wrote to memory of 4308	772	sk0aN7Be.exe	Er3iM5Xh.exe
PID 4308 wrote to memory of 548	4308	Er3iM5Xh.exe	1DW33ET8.exe
PID 4308 wrote to memory of 548	4308	Er3iM5Xh.exe	1DW33ET8.exe
PID 4308 wrote to memory of 548	4308	Er3iM5Xh.exe	1DW33ET8.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 548 wrote to memory of 4764	548	1DW33ET8.exe	AppLaunch.exe
PID 4308 wrote to memory of 4688	4308	Er3iM5Xh.exe	2NM322Sp.exe
PID 4308 wrote to memory of 4688	4308	Er3iM5Xh.exe	2NM322Sp.exe
PID 4308 wrote to memory of 4688	4308	Er3iM5Xh.exe	2NM322Sp.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.df082341e3dfa9b4203cbcc9ce56d2d44ffdddb16d6fa744eb00cb67d3f6255a_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mt9qp2jg.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mt9qp2jg.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sd8RQ8kX.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sd8RQ8kX.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sk0aN7Be.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sk0aN7Be.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er3iM5Xh.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er3iM5Xh.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DW33ET8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DW33ET8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 540
8⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 592
7⤵
- Program crash
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe
6⤵
- Executes dropped EXE
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4764 -ip 4764
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 548 -ip 548
1⤵
PID:4204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mt9qp2jg.exe
Filesize
1.0MB

MD5
a5f257f9d7db1fc79a6a65fe44146b62

SHA1
ebe780b12264e843cf5e3ef6d5803fe5ce8d98d8

SHA256
fc2ba2ae12d4ce92558fcabe0da44486931625a86a93e69ac9f63520b4412028

SHA512
9785f1d7cd4a32088f410647efd5beb9fba7e33715d7001e52cb1b97f9a67ba59cb40d577dd43ff9d993f197068ce210be820eb95689a6322c54c5f2155aa009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mt9qp2jg.exe
Filesize
1.0MB

MD5
a5f257f9d7db1fc79a6a65fe44146b62

SHA1
ebe780b12264e843cf5e3ef6d5803fe5ce8d98d8

SHA256
fc2ba2ae12d4ce92558fcabe0da44486931625a86a93e69ac9f63520b4412028

SHA512
9785f1d7cd4a32088f410647efd5beb9fba7e33715d7001e52cb1b97f9a67ba59cb40d577dd43ff9d993f197068ce210be820eb95689a6322c54c5f2155aa009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sd8RQ8kX.exe
Filesize
884KB

MD5
a2acde444a301a3c84598b3fb8c6c4da

SHA1
cadafcf1e96bac636ff9d5da45cc79b62864aa0f

SHA256
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b

SHA512
9242447c31e6be528f2fa050f18aa607428e49d2b572cd797adbf43f38dced96c5ca16fd6b0581b17fc0a9406199e481faa99150cb9e646578672561bf00285f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sd8RQ8kX.exe
Filesize
884KB

MD5
a2acde444a301a3c84598b3fb8c6c4da

SHA1
cadafcf1e96bac636ff9d5da45cc79b62864aa0f

SHA256
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b

SHA512
9242447c31e6be528f2fa050f18aa607428e49d2b572cd797adbf43f38dced96c5ca16fd6b0581b17fc0a9406199e481faa99150cb9e646578672561bf00285f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sk0aN7Be.exe
Filesize
590KB

MD5
96ff283c100efaf89094a618113c3709

SHA1
122c103d15556a781d48287472e4d4c3f6b3b598

SHA256
43b3cda3f8e1cb5920a61bcaa710e0b426336360d614795ba231cb3c4c424868

SHA512
e6179959cae3675f496bd887bc829a662f3834f5004e83f7fb65f768f155c8cb51fa5cea757ec666ed038c94f5fb87d630d43bc084f395c17962da59426712c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sk0aN7Be.exe
Filesize
590KB

MD5
96ff283c100efaf89094a618113c3709

SHA1
122c103d15556a781d48287472e4d4c3f6b3b598

SHA256
43b3cda3f8e1cb5920a61bcaa710e0b426336360d614795ba231cb3c4c424868

SHA512
e6179959cae3675f496bd887bc829a662f3834f5004e83f7fb65f768f155c8cb51fa5cea757ec666ed038c94f5fb87d630d43bc084f395c17962da59426712c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er3iM5Xh.exe
Filesize
417KB

MD5
f5fe73580e6061b453e5e52c1b4d1fe2

SHA1
e29ff7c20633ba5b052d7bc24e3c056783af2f77

SHA256
299663995567ce7e8d92c1a76f6910056efcce778fe83d664f85a3ca9b2e2059

SHA512
40e96b896ae52e76ce5ed33cb5f68548b2bef2232721eecb2a2becb6f1523dd786778fd5bf454ef51727a755cb5959f69548139232f4cecb84941a3edb319977

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Er3iM5Xh.exe
Filesize
417KB

MD5
f5fe73580e6061b453e5e52c1b4d1fe2

SHA1
e29ff7c20633ba5b052d7bc24e3c056783af2f77

SHA256
299663995567ce7e8d92c1a76f6910056efcce778fe83d664f85a3ca9b2e2059

SHA512
40e96b896ae52e76ce5ed33cb5f68548b2bef2232721eecb2a2becb6f1523dd786778fd5bf454ef51727a755cb5959f69548139232f4cecb84941a3edb319977

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DW33ET8.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DW33ET8.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe
Filesize
231KB

MD5
9b9cbc983e6c062582f117df47db53c5

SHA1
b8ff60c1b709e1f170db8ad7d7197ebadff4dbe6

SHA256
6653c670b9c5df02e2ce27619d5881b7ccfa6e4b1927f0b8f062243857204e61

SHA512
10532de95cbe17e2c8511f94479b725dab2a4806c380d3d3d856ae5033b109c61b64de7947205859a38dd09fcb47fbd378ff1e29a8237070a471735bf47a27d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NM322Sp.exe
Filesize
231KB

MD5
9b9cbc983e6c062582f117df47db53c5

SHA1
b8ff60c1b709e1f170db8ad7d7197ebadff4dbe6

SHA256
6653c670b9c5df02e2ce27619d5881b7ccfa6e4b1927f0b8f062243857204e61

SHA512
10532de95cbe17e2c8511f94479b725dab2a4806c380d3d3d856ae5033b109c61b64de7947205859a38dd09fcb47fbd378ff1e29a8237070a471735bf47a27d9

Download Submit
memory/4688-46-0x0000000006F60000-0x0000000006FF2000-memory.dmp

Filesize
584KB

Download
memory/4688-43-0x00000000001A0000-0x00000000001DE000-memory.dmp

Filesize
248KB

Download
memory/4688-47-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4688-55-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4688-48-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/4688-44-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-45-0x0000000007420000-0x00000000079C4000-memory.dmp

Filesize
5.6MB

Download
memory/4688-49-0x0000000007FF0000-0x0000000008608000-memory.dmp

Filesize
6.1MB

Download
memory/4688-54-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-53-0x0000000007AE0000-0x0000000007B2C000-memory.dmp

Filesize
304KB

Download
memory/4688-52-0x00000000073A0000-0x00000000073DC000-memory.dmp

Filesize
240KB

Download
memory/4688-50-0x00000000079D0000-0x0000000007ADA000-memory.dmp

Filesize
1.0MB

Download
memory/4688-51-0x0000000007340000-0x0000000007352000-memory.dmp

Filesize
72KB

Download
memory/4764-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4764-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4764-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4764-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download