mystic | c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2023, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
Size

1.2MB
MD5

7fd4e883571ac0cd2258ffc3cbe35efa
SHA1

1cfe7b432615a93768d3d330da11c2a285cd3c8d
SHA256

c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c
SHA512

41f7915f73be38cc2f51a55f232ca2d5be374f5fe7a336c5bee7f8d9ff87c918cae804f432d0f64194e5dbdc6aa05151ec060a950a67f17bf0834be757d29c01
SSDEEP

24576:SyA79RURQ/FMFNWYePQgq+NGpRMaOL9Sb7h/MPUCjyvJKp:5okS/FMFNIQ1L38wb7hEcAI

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/4300-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4300-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4300-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4300-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023249-41.dat	family_redline
behavioral2/files/0x0008000000023249-42.dat	family_redline
behavioral2/memory/5052-44-0x0000000000F30000-0x0000000000F6E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
872	md8Ar3Dp.exe
3016	EX9Pe1xL.exe
2060	Dc8Jm1XJ.exe
2584	AD7rJ5YJ.exe
3616	1tO73Ur4.exe
5052	2Hq179qA.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	md8Ar3Dp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	EX9Pe1xL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Dc8Jm1XJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	AD7rJ5YJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 4300	3616	1tO73Ur4.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3872	4300	WerFault.exe	92
4828	3616	WerFault.exe	90

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 872	1840	NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe	86
PID 1840 wrote to memory of 872	1840	NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe	86
PID 1840 wrote to memory of 872	1840	NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe	86
PID 872 wrote to memory of 3016	872	md8Ar3Dp.exe	87
PID 872 wrote to memory of 3016	872	md8Ar3Dp.exe	87
PID 872 wrote to memory of 3016	872	md8Ar3Dp.exe	87
PID 3016 wrote to memory of 2060	3016	EX9Pe1xL.exe	88
PID 3016 wrote to memory of 2060	3016	EX9Pe1xL.exe	88
PID 3016 wrote to memory of 2060	3016	EX9Pe1xL.exe	88
PID 2060 wrote to memory of 2584	2060	Dc8Jm1XJ.exe	89
PID 2060 wrote to memory of 2584	2060	Dc8Jm1XJ.exe	89
PID 2060 wrote to memory of 2584	2060	Dc8Jm1XJ.exe	89
PID 2584 wrote to memory of 3616	2584	AD7rJ5YJ.exe	90
PID 2584 wrote to memory of 3616	2584	AD7rJ5YJ.exe	90
PID 2584 wrote to memory of 3616	2584	AD7rJ5YJ.exe	90
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 3616 wrote to memory of 4300	3616	1tO73Ur4.exe	92
PID 2584 wrote to memory of 5052	2584	AD7rJ5YJ.exe	99
PID 2584 wrote to memory of 5052	2584	AD7rJ5YJ.exe	99
PID 2584 wrote to memory of 5052	2584	AD7rJ5YJ.exe	99

C:\Users\Admin\AppData\Local\Temp\NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 540
        8⤵
        Program crash
        
        PID:3872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 156
        7⤵
        Program crash
        
        PID:4828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe
        6⤵
        Executes dropped EXE
        
        PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4300 -ip 4300
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3616 -ip 3616
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe

Filesize
1.0MB

MD5
36f7d392aedf5de41ca3e5617ebd9640

SHA1
e771900574966afe1e9184d36bedbe0161ae7dd1

SHA256
3c60c5ec380fb26d4a2aa1e3e0263e2d0a6696b13af147ec8a0e4f6b29707177

SHA512
bbae33dd951cea847b6cc6d59c9b20434174cc77e9c90d9d9cb05d7af20053684da0629f060c0720b5dc4b6e2f47300f68ea03ac642dd0a05372d6cea16a9863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe

Filesize
1.0MB

MD5
36f7d392aedf5de41ca3e5617ebd9640

SHA1
e771900574966afe1e9184d36bedbe0161ae7dd1

SHA256
3c60c5ec380fb26d4a2aa1e3e0263e2d0a6696b13af147ec8a0e4f6b29707177

SHA512
bbae33dd951cea847b6cc6d59c9b20434174cc77e9c90d9d9cb05d7af20053684da0629f060c0720b5dc4b6e2f47300f68ea03ac642dd0a05372d6cea16a9863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe

Filesize
884KB

MD5
4fdc910ea6dcfeedf85853f11bf8cc43

SHA1
e5bb2f555d260d500113bb43e0a1af127c6eafe3

SHA256
43236a36e7593b90cf40b107df17edb62a64b17fe266b560627c7b11a895a9b9

SHA512
812a9bb60ddbecc8241627b997deb778add57d899d53e0ac8ff48bf86bc2960406f0f071a3342591ca15333c565b1b97c117ad3a555d7116ccdd02519890f813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe

Filesize
884KB

MD5
4fdc910ea6dcfeedf85853f11bf8cc43

SHA1
e5bb2f555d260d500113bb43e0a1af127c6eafe3

SHA256
43236a36e7593b90cf40b107df17edb62a64b17fe266b560627c7b11a895a9b9

SHA512
812a9bb60ddbecc8241627b997deb778add57d899d53e0ac8ff48bf86bc2960406f0f071a3342591ca15333c565b1b97c117ad3a555d7116ccdd02519890f813

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe

Filesize
590KB

MD5
d0db7f0e77413316a6a701ff3e62ec5b

SHA1
e72180f14f6bf85c1c168db0bd9b8e84e08f72b4

SHA256
a6b628b28bc4e476340bd54002f699f8f7549b6dc89b378f5664a4e54a2eba36

SHA512
f9d96fdd63528cbdc8f69371ac790aeace0d8f4e34f9ec53318d0824c7721f4903254a9399f20e80f831dc30c76140b68a22963ed54adc2e83738c85cb3e09ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe

Filesize
590KB

MD5
d0db7f0e77413316a6a701ff3e62ec5b

SHA1
e72180f14f6bf85c1c168db0bd9b8e84e08f72b4

SHA256
a6b628b28bc4e476340bd54002f699f8f7549b6dc89b378f5664a4e54a2eba36

SHA512
f9d96fdd63528cbdc8f69371ac790aeace0d8f4e34f9ec53318d0824c7721f4903254a9399f20e80f831dc30c76140b68a22963ed54adc2e83738c85cb3e09ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe

Filesize
417KB

MD5
ca5b08ef4e199df70c31763d453e5e83

SHA1
dddc3086379e005cf931871c972c61eef86be31e

SHA256
d34d2570161fd9a23550b5e361176aa0529e32e0c3a62752eb29b807a8b8a48d

SHA512
54741871f09367017602ef135d53655a410cb11951e5f64a8a2aa9411c38613cc24c95c4f2091c1a8b688c1b15bf4fec11ed68521c3f17b92eb5ac72cdef1ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe

Filesize
417KB

MD5
ca5b08ef4e199df70c31763d453e5e83

SHA1
dddc3086379e005cf931871c972c61eef86be31e

SHA256
d34d2570161fd9a23550b5e361176aa0529e32e0c3a62752eb29b807a8b8a48d

SHA512
54741871f09367017602ef135d53655a410cb11951e5f64a8a2aa9411c38613cc24c95c4f2091c1a8b688c1b15bf4fec11ed68521c3f17b92eb5ac72cdef1ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe

Filesize
231KB

MD5
d0b0825685abf92d20d5c68f1b42596f

SHA1
2580b4753efc44d9fa6384af5964b676ea666bab

SHA256
e41be3a1c96af35777a0fc697d7d17a011a7ca1b2d8cca39d7e86cbcf1f86553

SHA512
0956b4771073d030f89bf09b74c691b090512c4ad0e2c65071b35986a0db2a06648d0b8fe6d25018ac30b13a0ab7876b5eccb093b76aabbe5728baab0f861608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe

Filesize
231KB

MD5
d0b0825685abf92d20d5c68f1b42596f

SHA1
2580b4753efc44d9fa6384af5964b676ea666bab

SHA256
e41be3a1c96af35777a0fc697d7d17a011a7ca1b2d8cca39d7e86cbcf1f86553

SHA512
0956b4771073d030f89bf09b74c691b090512c4ad0e2c65071b35986a0db2a06648d0b8fe6d25018ac30b13a0ab7876b5eccb093b76aabbe5728baab0f861608

Download Submit
memory/4300-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4300-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4300-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4300-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5052-46-0x0000000007CF0000-0x0000000007D82000-memory.dmp

Filesize
584KB

Download
memory/5052-44-0x0000000000F30000-0x0000000000F6E000-memory.dmp

Filesize
248KB

Download
memory/5052-45-0x00000000081A0000-0x0000000008744000-memory.dmp

Filesize
5.6MB

Download
memory/5052-43-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5052-47-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download
memory/5052-48-0x0000000007EA0000-0x0000000007EAA000-memory.dmp

Filesize
40KB

Download
memory/5052-49-0x0000000008D70000-0x0000000009388000-memory.dmp

Filesize
6.1MB

Download
memory/5052-50-0x0000000008750000-0x000000000885A000-memory.dmp

Filesize
1.0MB

Download
memory/5052-51-0x00000000080D0000-0x00000000080E2000-memory.dmp

Filesize
72KB

Download
memory/5052-52-0x0000000008130000-0x000000000816C000-memory.dmp

Filesize
240KB

Download
memory/5052-53-0x0000000008860000-0x00000000088AC000-memory.dmp

Filesize
304KB

Download
memory/5052-54-0x0000000074310000-0x0000000074AC0000-memory.dmp

Filesize
7.7MB

Download
memory/5052-55-0x0000000007EE0000-0x0000000007EF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads