mystic | d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe
Size

1.2MB
MD5

d53f021249eeb32422aa4d1ea70ae49d
SHA1

80b4029e7c184acfa441bfaca358f81442a6bc39
SHA256

d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3
SHA512

2038faaeacfd1535da4174a2c8e4eeb2dd96f1b05aef2db435d5a177974e48ff0d49d6294961c109ffbff9343ee3984acf153967fe9b702bdd5645c31f3f3768
SSDEEP

24576:8yL9WNQ2wtQzKIXoDu9cQ2/QCbGhVSbx4WZ2RK2E6S/39pd:rLgNQ2wtQzK8oynu0hVHWGJS/3X

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/960-35-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/960-36-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/960-37-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/960-39-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe	family_redline
behavioral2/memory/1764-43-0x0000000000930000-0x000000000096E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

SB1AI9dA.exesn4Rh3PC.exeZx1sh7BT.exelI8oj0zc.exe1yA36lj6.exe2As242xh.exe

pid process

432 SB1AI9dA.exe
1268 sn4Rh3PC.exe
1704 Zx1sh7BT.exe
3500 lI8oj0zc.exe
1644 1yA36lj6.exe
1764 2As242xh.exe

pid	process
432	SB1AI9dA.exe
1268	sn4Rh3PC.exe
1704	Zx1sh7BT.exe
3500	lI8oj0zc.exe
1644	1yA36lj6.exe
1764	2As242xh.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Zx1sh7BT.exelI8oj0zc.exeNEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exeSB1AI9dA.exesn4Rh3PC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Zx1sh7BT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	lI8oj0zc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SB1AI9dA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sn4Rh3PC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1yA36lj6.exe

description pid process target process

PID 1644 set thread context of 960 1644 1yA36lj6.exe AppLaunch.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5048 960 WerFault.exe AppLaunch.exe
3968 1644 WerFault.exe 1yA36lj6.exe

description	pid	process	target process
PID 1644 set thread context of 960	1644	1yA36lj6.exe	AppLaunch.exe

pid	pid_target	process	target process
5048	960	WerFault.exe	AppLaunch.exe
3968	1644	WerFault.exe	1yA36lj6.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exeSB1AI9dA.exesn4Rh3PC.exeZx1sh7BT.exelI8oj0zc.exe1yA36lj6.exe

description	pid	process	target process
PID 4780 wrote to memory of 432	4780	NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe	SB1AI9dA.exe
PID 4780 wrote to memory of 432	4780	NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe	SB1AI9dA.exe
PID 4780 wrote to memory of 432	4780	NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe	SB1AI9dA.exe
PID 432 wrote to memory of 1268	432	SB1AI9dA.exe	sn4Rh3PC.exe
PID 432 wrote to memory of 1268	432	SB1AI9dA.exe	sn4Rh3PC.exe
PID 432 wrote to memory of 1268	432	SB1AI9dA.exe	sn4Rh3PC.exe
PID 1268 wrote to memory of 1704	1268	sn4Rh3PC.exe	Zx1sh7BT.exe
PID 1268 wrote to memory of 1704	1268	sn4Rh3PC.exe	Zx1sh7BT.exe
PID 1268 wrote to memory of 1704	1268	sn4Rh3PC.exe	Zx1sh7BT.exe
PID 1704 wrote to memory of 3500	1704	Zx1sh7BT.exe	lI8oj0zc.exe
PID 1704 wrote to memory of 3500	1704	Zx1sh7BT.exe	lI8oj0zc.exe
PID 1704 wrote to memory of 3500	1704	Zx1sh7BT.exe	lI8oj0zc.exe
PID 3500 wrote to memory of 1644	3500	lI8oj0zc.exe	1yA36lj6.exe
PID 3500 wrote to memory of 1644	3500	lI8oj0zc.exe	1yA36lj6.exe
PID 3500 wrote to memory of 1644	3500	lI8oj0zc.exe	1yA36lj6.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 1644 wrote to memory of 960	1644	1yA36lj6.exe	AppLaunch.exe
PID 3500 wrote to memory of 1764	3500	lI8oj0zc.exe	2As242xh.exe
PID 3500 wrote to memory of 1764	3500	lI8oj0zc.exe	2As242xh.exe
PID 3500 wrote to memory of 1764	3500	lI8oj0zc.exe	2As242xh.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d2aa206c87aca2775b60fd9c0af4d84c2be227abceb3f943942b05f9a8c5b9d3_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SB1AI9dA.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SB1AI9dA.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn4Rh3PC.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn4Rh3PC.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zx1sh7BT.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zx1sh7BT.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lI8oj0zc.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lI8oj0zc.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yA36lj6.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yA36lj6.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 540
8⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 592
7⤵
- Program crash
PID:3968

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe
6⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 960 -ip 960
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1644 -ip 1644
1⤵
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SB1AI9dA.exe
Filesize
1.0MB

MD5
e1d9b2d353b8d0431aca68ebf2d41860

SHA1
b4c90647a4303dc38991304d59b21904b48e322b

SHA256
51dfdbbf5bfe800944e73fa8c02220c79f24a8358f5efd3d8cc741409afbdb85

SHA512
a9d9e60a971e2e88ea3728c697c19a7cbbf8c995480f50ce042f8c9f7ac3ca8d288e3af64aa6bd42ecb46447f020aa41a237bdc82a8ea3d4ecbceebb0953f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SB1AI9dA.exe
Filesize
1.0MB

MD5
e1d9b2d353b8d0431aca68ebf2d41860

SHA1
b4c90647a4303dc38991304d59b21904b48e322b

SHA256
51dfdbbf5bfe800944e73fa8c02220c79f24a8358f5efd3d8cc741409afbdb85

SHA512
a9d9e60a971e2e88ea3728c697c19a7cbbf8c995480f50ce042f8c9f7ac3ca8d288e3af64aa6bd42ecb46447f020aa41a237bdc82a8ea3d4ecbceebb0953f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn4Rh3PC.exe
Filesize
884KB

MD5
5deda734497bf4349370d5bae26393a2

SHA1
ef51b0dfe46663e64d12e302da4e12a379516f0a

SHA256
e5be2945bc8ccddf20279790ccdb867465fef3e08334be8f992075597ddbf8e0

SHA512
fed0367699c431e8e5f52f6129f84140be3c61ec3de6a0e34e6a758b2f58403699abe347968497dd19898293a81afe804ccc9f3b0cb8edf17c9a88bd92c8066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sn4Rh3PC.exe
Filesize
884KB

MD5
5deda734497bf4349370d5bae26393a2

SHA1
ef51b0dfe46663e64d12e302da4e12a379516f0a

SHA256
e5be2945bc8ccddf20279790ccdb867465fef3e08334be8f992075597ddbf8e0

SHA512
fed0367699c431e8e5f52f6129f84140be3c61ec3de6a0e34e6a758b2f58403699abe347968497dd19898293a81afe804ccc9f3b0cb8edf17c9a88bd92c8066c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zx1sh7BT.exe
Filesize
590KB

MD5
8b74a463496e5cf1bb9226a8879890e6

SHA1
97bb5d2c5e3c162724e2e4af29e7f751e0a02d5e

SHA256
c5be9811468d560d68dfced57cb14c7f974b61ef8b06e999d8402ae96288ceb3

SHA512
1ffee0d0fd394681b9a6f4eb0711675d3167c38a707de5c383d7de7ec135ead0ad44b79f64cc1a26ede736bd782828cc4b7dd1f8a431f14d16e2691905a30da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Zx1sh7BT.exe
Filesize
590KB

MD5
8b74a463496e5cf1bb9226a8879890e6

SHA1
97bb5d2c5e3c162724e2e4af29e7f751e0a02d5e

SHA256
c5be9811468d560d68dfced57cb14c7f974b61ef8b06e999d8402ae96288ceb3

SHA512
1ffee0d0fd394681b9a6f4eb0711675d3167c38a707de5c383d7de7ec135ead0ad44b79f64cc1a26ede736bd782828cc4b7dd1f8a431f14d16e2691905a30da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lI8oj0zc.exe
Filesize
417KB

MD5
b2c0e82d00411b3540c582a97d8b5ab6

SHA1
19dffdffa6063f6329c81f1f93d18e4da0dfe44f

SHA256
00f258aec4710660285ce0bd7a46e9074c46b9a84da888186271704979a6c9e8

SHA512
fa7839bddd69ba03de38be062255629541f47aeb42f7372281c0b57c906a841d0db49e25e50164bb049ba10f7dbec9f7e808037ec8255148ad4562e03ad07dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\lI8oj0zc.exe
Filesize
417KB

MD5
b2c0e82d00411b3540c582a97d8b5ab6

SHA1
19dffdffa6063f6329c81f1f93d18e4da0dfe44f

SHA256
00f258aec4710660285ce0bd7a46e9074c46b9a84da888186271704979a6c9e8

SHA512
fa7839bddd69ba03de38be062255629541f47aeb42f7372281c0b57c906a841d0db49e25e50164bb049ba10f7dbec9f7e808037ec8255148ad4562e03ad07dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yA36lj6.exe
Filesize
378KB

MD5
32b9897e8aeda75a8b718044ef406a5b

SHA1
9c7c2edfd89c52099858419482128e4528f3be1a

SHA256
c6a4e06cc2890a2fd4697bf9a95ebb187bf2f041afff1a5e57a3af84785c5e8a

SHA512
b3dc2e6fa817cd7def9911e825d45f55e9e69f7b5f1c26e43c96750331ccf2735e731f5bd57898ba083d45ea67a43f0c88e3d215b1ca5d279eb2db62b2662d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1yA36lj6.exe
Filesize
378KB

MD5
32b9897e8aeda75a8b718044ef406a5b

SHA1
9c7c2edfd89c52099858419482128e4528f3be1a

SHA256
c6a4e06cc2890a2fd4697bf9a95ebb187bf2f041afff1a5e57a3af84785c5e8a

SHA512
b3dc2e6fa817cd7def9911e825d45f55e9e69f7b5f1c26e43c96750331ccf2735e731f5bd57898ba083d45ea67a43f0c88e3d215b1ca5d279eb2db62b2662d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe
Filesize
231KB

MD5
abc6feb0001c81ffdf56d92ddf0becf2

SHA1
1e2463e8b45e576c94163225339ae6cb79bae136

SHA256
ea89ec1ff2548c23d9052d2e9585d4b90e207b5692d0a539df6ae4ff2503a1b5

SHA512
ebb8678d6d345eda210c265ee26b63a1b1be6d5bd943a6f9d51870309e06bc46dce49f75cb22df1750b6891d8944ef4803d5c07b21ccda16411c9dc0711eed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2As242xh.exe
Filesize
231KB

MD5
abc6feb0001c81ffdf56d92ddf0becf2

SHA1
1e2463e8b45e576c94163225339ae6cb79bae136

SHA256
ea89ec1ff2548c23d9052d2e9585d4b90e207b5692d0a539df6ae4ff2503a1b5

SHA512
ebb8678d6d345eda210c265ee26b63a1b1be6d5bd943a6f9d51870309e06bc46dce49f75cb22df1750b6891d8944ef4803d5c07b21ccda16411c9dc0711eed5d

Download Submit
memory/960-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/960-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/960-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/960-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1764-46-0x0000000007810000-0x00000000078A2000-memory.dmp

Filesize
584KB

Download
memory/1764-43-0x0000000000930000-0x000000000096E000-memory.dmp

Filesize
248KB

Download
memory/1764-45-0x0000000007CE0000-0x0000000008284000-memory.dmp

Filesize
5.6MB

Download
memory/1764-44-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1764-47-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download
memory/1764-48-0x0000000007A00000-0x0000000007A0A000-memory.dmp

Filesize
40KB

Download
memory/1764-49-0x00000000088B0000-0x0000000008EC8000-memory.dmp

Filesize
6.1MB

Download
memory/1764-50-0x0000000007BA0000-0x0000000007CAA000-memory.dmp

Filesize
1.0MB

Download
memory/1764-51-0x0000000007AD0000-0x0000000007AE2000-memory.dmp

Filesize
72KB

Download
memory/1764-52-0x0000000007B30000-0x0000000007B6C000-memory.dmp

Filesize
240KB

Download
memory/1764-53-0x0000000008290000-0x00000000082DC000-memory.dmp

Filesize
304KB

Download
memory/1764-54-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1764-55-0x00000000079A0000-0x00000000079B0000-memory.dmp

Filesize
64KB

Download