mystic | e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3

Analysis

max time kernel
140s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe
Size

943KB
MD5

f8c9f189c9adeac0c51a6e9c0cc9cdea
SHA1

0638572d3888b679d1ac88988e41dbd3803a3c54
SHA256

e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3
SHA512

d3e8d86a8bf671584434acf877a643708e365eb2a2bcc46e66848129949437d1173acc7256b6bf36c9a49ae39dade893e09bc774ca4eb28eb6cecedc3e0b8673
SSDEEP

24576:8yCGjwTfuTosyfw8tEFvX8irbj1TAHAYE:rC4wTyosy1EtLL18HN

Score

10^/10

mystic redline ramos infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramos

77.91.124.82:19071

Attributes

auth_value
42c0ec91d63648bb7119ab787aa3fb94

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3096-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3096-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3096-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3096-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3712	x8955268.exe
4708	x9164504.exe
4792	x9718197.exe
2264	g0482851.exe
2304	h4310678.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9718197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8955268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9164504.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 3096	2264	g0482851.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1484	2264	WerFault.exe	85
4540	3096	WerFault.exe	88

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 3712	4348	e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe	51
PID 4348 wrote to memory of 3712	4348	e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe	51
PID 4348 wrote to memory of 3712	4348	e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe	51
PID 3712 wrote to memory of 4708	3712	x8955268.exe	70
PID 3712 wrote to memory of 4708	3712	x8955268.exe	70
PID 3712 wrote to memory of 4708	3712	x8955268.exe	70
PID 4708 wrote to memory of 4792	4708	x9164504.exe	78
PID 4708 wrote to memory of 4792	4708	x9164504.exe	78
PID 4708 wrote to memory of 4792	4708	x9164504.exe	78
PID 4792 wrote to memory of 2264	4792	x9718197.exe	85
PID 4792 wrote to memory of 2264	4792	x9718197.exe	85
PID 4792 wrote to memory of 2264	4792	x9718197.exe	85
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 2264 wrote to memory of 3096	2264	g0482851.exe	88
PID 4792 wrote to memory of 2304	4792	x9718197.exe	94
PID 4792 wrote to memory of 2304	4792	x9718197.exe	94
PID 4792 wrote to memory of 2304	4792	x9718197.exe	94

C:\Users\Admin\AppData\Local\Temp\e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe
"C:\Users\Admin\AppData\Local\Temp\e3acbca31ecca50cc50aabd49400d0db9ad75d8e8ed4559371859c9ecc1fa4e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8955268.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8955268.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9164504.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9164504.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9718197.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9718197.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0482851.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0482851.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 540
        7⤵
        Program crash
        
        PID:4540
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 580
        6⤵
        Program crash
        
        PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4310678.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4310678.exe
        5⤵
        Executes dropped EXE
        
        PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3096 -ip 3096
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2264 -ip 2264
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8955268.exe

Filesize
841KB

MD5
8d9f300a424d1fcf8e1279199dedbfd2

SHA1
b5cb9f0d5dbe0299955c15f1021b295872b19d24

SHA256
0e239991035dc9607729711575d10f6a25bfcefa8e3af2ffc0553a226909f4b1

SHA512
c8003dbf1bee40dce762fdf1b25aec6eedf7deec21dc8f579de543c0f38e9b7b995d28616515340afff3a49b0f8243234723e6ac0191a2a9995b6d7268280901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8955268.exe

Filesize
841KB

MD5
8d9f300a424d1fcf8e1279199dedbfd2

SHA1
b5cb9f0d5dbe0299955c15f1021b295872b19d24

SHA256
0e239991035dc9607729711575d10f6a25bfcefa8e3af2ffc0553a226909f4b1

SHA512
c8003dbf1bee40dce762fdf1b25aec6eedf7deec21dc8f579de543c0f38e9b7b995d28616515340afff3a49b0f8243234723e6ac0191a2a9995b6d7268280901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9164504.exe

Filesize
563KB

MD5
a1aac906d1efc21d5461b08b0fa3f339

SHA1
8f8835c6c98c05feeb70d759e95130d19669d0e3

SHA256
aadaddf72dc5ffff0668d37075bf4ab2774c485d23dd44dd0750cf7b0f27aff8

SHA512
8cd4e2f24f42104ffacf8c85cc01922650a620d02f5e0dc13924c286ca202ab8b6be6093385da944185bf3d8b9cf1cb58b3203048ad405d20a56b0e525bd2e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9164504.exe

Filesize
563KB

MD5
a1aac906d1efc21d5461b08b0fa3f339

SHA1
8f8835c6c98c05feeb70d759e95130d19669d0e3

SHA256
aadaddf72dc5ffff0668d37075bf4ab2774c485d23dd44dd0750cf7b0f27aff8

SHA512
8cd4e2f24f42104ffacf8c85cc01922650a620d02f5e0dc13924c286ca202ab8b6be6093385da944185bf3d8b9cf1cb58b3203048ad405d20a56b0e525bd2e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9718197.exe

Filesize
397KB

MD5
b88ec0e3fb50cfd6ca8a9dffcb8c9906

SHA1
24b70ec0dc8f044f60881f8841bf0c027148c832

SHA256
33e5f59c57d14ee10dd3364dc9188dc566524dcc7101f89eb818b927ec6c329c

SHA512
aba314d93de9a7802dc18ae6329ecd73f8368ccac0de43483787776c984ea18cc1853871c5dd15dde26bdd4f293eeec79c14cb1af634fe6613c530b9db4a6ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9718197.exe

Filesize
397KB

MD5
b88ec0e3fb50cfd6ca8a9dffcb8c9906

SHA1
24b70ec0dc8f044f60881f8841bf0c027148c832

SHA256
33e5f59c57d14ee10dd3364dc9188dc566524dcc7101f89eb818b927ec6c329c

SHA512
aba314d93de9a7802dc18ae6329ecd73f8368ccac0de43483787776c984ea18cc1853871c5dd15dde26bdd4f293eeec79c14cb1af634fe6613c530b9db4a6ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0482851.exe

Filesize
379KB

MD5
e2c84222d2dae3ba62b5a4cb699a0976

SHA1
6fbc05125da0e193f04b5b6cba70251a0e1c3164

SHA256
1037d8f032c6cf946a0aed9b87f7061475d4f3bdfb9c7830e6ff7227d46fddc3

SHA512
645550375a66d6ea6b85d073a3f25ca6149242e3bef8c01b9b89287570944609a49810bc794b1d2bd917df15614b73a1b7285e2b9d3e7533c0d6b827ce68935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0482851.exe

Filesize
379KB

MD5
e2c84222d2dae3ba62b5a4cb699a0976

SHA1
6fbc05125da0e193f04b5b6cba70251a0e1c3164

SHA256
1037d8f032c6cf946a0aed9b87f7061475d4f3bdfb9c7830e6ff7227d46fddc3

SHA512
645550375a66d6ea6b85d073a3f25ca6149242e3bef8c01b9b89287570944609a49810bc794b1d2bd917df15614b73a1b7285e2b9d3e7533c0d6b827ce68935c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4310678.exe

Filesize
174KB

MD5
4d8a6d651f4b50d4670aff0060b72fd4

SHA1
48377d4aa994127c6281c0e45e3d7e97c394ac20

SHA256
1e0ce7ac86e70c2ac7f31e4f7ccb6c40026011f99fc88535eebd30e5aa035425

SHA512
2b8efc3a6b7ea75348e3b6300eb856c79666dfac1b8867abb3952e39705263495e4d6f74342cd4ecf302063214553b52352391e0940c56d9b98d41dcd60b8faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4310678.exe

Filesize
174KB

MD5
4d8a6d651f4b50d4670aff0060b72fd4

SHA1
48377d4aa994127c6281c0e45e3d7e97c394ac20

SHA256
1e0ce7ac86e70c2ac7f31e4f7ccb6c40026011f99fc88535eebd30e5aa035425

SHA512
2b8efc3a6b7ea75348e3b6300eb856c79666dfac1b8867abb3952e39705263495e4d6f74342cd4ecf302063214553b52352391e0940c56d9b98d41dcd60b8faa

Download Submit
memory/2304-39-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/2304-41-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/2304-46-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2304-45-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-36-0x00000000000E0000-0x0000000000110000-memory.dmp

Filesize
192KB

Download
memory/2304-37-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/2304-44-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download
memory/2304-40-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/2304-38-0x0000000002530000-0x0000000002536000-memory.dmp

Filesize
24KB

Download
memory/2304-42-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/2304-43-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/3096-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3096-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3096-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3096-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads