mystic | 9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9

Analysis

max time kernel
165s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
Size

942KB
MD5

5d5ebc7e0ba580b44caaa751f7da5965
SHA1

91cbb2a41d5bcacd64a228dbadb8ad2eadd50acd
SHA256

9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9
SHA512

fd88845fc9aeb0ffda094188f0393b80c3c67ce1d40be433532f8263bd8ad5e6ea3fc487c022101a5a20801adbf14a135cf33980e8819f192fc1e6c371cb80c9
SSDEEP

12288:fMrQy90LsXhBgI5ol9HFRLm8mdpVNLwsSMXAMyuCuAlzsvaGQixSg+SrofLx74oR:PySsLi97Lmf5wACOiGvY2iLJ4oKtvHw

Score

10^/10

mystic redline ramos infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramos

77.91.124.82:19071

Attributes

auth_value
42c0ec91d63648bb7119ab787aa3fb94

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3516-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3516-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3516-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3516-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
936	x1016529.exe
3956	x1516362.exe
4124	x9564736.exe
2768	g2570099.exe
4348	h8632078.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1016529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1516362.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9564736.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 3516	2768	g2570099.exe	92

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3544	3516	WerFault.exe	92
4992	2768	WerFault.exe	91

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 936	4824	9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe	88
PID 4824 wrote to memory of 936	4824	9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe	88
PID 4824 wrote to memory of 936	4824	9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe	88
PID 936 wrote to memory of 3956	936	x1016529.exe	89
PID 936 wrote to memory of 3956	936	x1016529.exe	89
PID 936 wrote to memory of 3956	936	x1016529.exe	89
PID 3956 wrote to memory of 4124	3956	x1516362.exe	90
PID 3956 wrote to memory of 4124	3956	x1516362.exe	90
PID 3956 wrote to memory of 4124	3956	x1516362.exe	90
PID 4124 wrote to memory of 2768	4124	x9564736.exe	91
PID 4124 wrote to memory of 2768	4124	x9564736.exe	91
PID 4124 wrote to memory of 2768	4124	x9564736.exe	91
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 2768 wrote to memory of 3516	2768	g2570099.exe	92
PID 4124 wrote to memory of 4348	4124	x9564736.exe	99
PID 4124 wrote to memory of 4348	4124	x9564736.exe	99
PID 4124 wrote to memory of 4348	4124	x9564736.exe	99

C:\Users\Admin\AppData\Local\Temp\9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe
"C:\Users\Admin\AppData\Local\Temp\9da7f30d54632e48b35fe2cb1ac12208eeff3f39f737e3840c0c0853f70c0ef9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 540
        7⤵
        Program crash
        
        PID:3544
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 564
        6⤵
        Program crash
        
        PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe
        5⤵
        Executes dropped EXE
        
        PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2768 -ip 2768
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516
1⤵
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe

Filesize
840KB

MD5
d58e531fe14e081a3487aa0217bea776

SHA1
aff688a495cd11adcc8bc72408daf68449b8c7af

SHA256
edad8e439c3f2f5f6048a2981c70f18ee5c75e3b1138f5ef074db5e1d4c4e29d

SHA512
4c67c6c06cc1f8fc4b5638fb384dcdda50244af150a0aa6136cfea38a1fc2a372f06dd8ee5fb5348bcde85ef274ec48299c8a1bd0d5ea6470c4fc3625506fd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1016529.exe

Filesize
840KB

MD5
d58e531fe14e081a3487aa0217bea776

SHA1
aff688a495cd11adcc8bc72408daf68449b8c7af

SHA256
edad8e439c3f2f5f6048a2981c70f18ee5c75e3b1138f5ef074db5e1d4c4e29d

SHA512
4c67c6c06cc1f8fc4b5638fb384dcdda50244af150a0aa6136cfea38a1fc2a372f06dd8ee5fb5348bcde85ef274ec48299c8a1bd0d5ea6470c4fc3625506fd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe

Filesize
562KB

MD5
ee54b1196dc84dbce0dde1520a3f7684

SHA1
599091311e1df6476d37cca87f912fa1b101107c

SHA256
511f2cae1f9b7e71e244d17db11e01070e0801fcfd14f8908e784ef5909f1743

SHA512
67df098dad6e15c3c0e2dcab99015f564fdcedb2a35d3d455a3c6763913735d95d228f5193ef3d46cc97a4d5885c4a5d3974eb02fb69316b9764ff69d1038124

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1516362.exe

Filesize
562KB

MD5
ee54b1196dc84dbce0dde1520a3f7684

SHA1
599091311e1df6476d37cca87f912fa1b101107c

SHA256
511f2cae1f9b7e71e244d17db11e01070e0801fcfd14f8908e784ef5909f1743

SHA512
67df098dad6e15c3c0e2dcab99015f564fdcedb2a35d3d455a3c6763913735d95d228f5193ef3d46cc97a4d5885c4a5d3974eb02fb69316b9764ff69d1038124

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe

Filesize
396KB

MD5
0e0dd7d2d24831b3d7d92418cbb9f612

SHA1
63857e22eb4fcdd614982da1b9257569929da5b6

SHA256
c08f31e22aa7a06918a7ec37f58138cab06b9ae9dab84016216615a56c352ea7

SHA512
4ab7be88c5736a6a96cdcf0166e43f95c6781d07564581488c3635a79513d453cab988052da050ef28ab40d302449a55a6091ee660b1da52172fc89a79257871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9564736.exe

Filesize
396KB

MD5
0e0dd7d2d24831b3d7d92418cbb9f612

SHA1
63857e22eb4fcdd614982da1b9257569929da5b6

SHA256
c08f31e22aa7a06918a7ec37f58138cab06b9ae9dab84016216615a56c352ea7

SHA512
4ab7be88c5736a6a96cdcf0166e43f95c6781d07564581488c3635a79513d453cab988052da050ef28ab40d302449a55a6091ee660b1da52172fc89a79257871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe

Filesize
379KB

MD5
3842b43cab0215976e1bb12f498a320d

SHA1
b3b2b679f5b573d6d7c61a726f3a16f49ebdcc89

SHA256
767ff488adb690d860af9cd23645350a69f1b0efaee985ec16abdb8d33732ec2

SHA512
ff49e6adb2ebe1849e5fd530abafd71d5c690b4f8cdba32f6a62c62603edddf701c0a4286fca4254c182178606f54161df5f8e5f5d6ef289e9ef9068d695798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2570099.exe

Filesize
379KB

MD5
3842b43cab0215976e1bb12f498a320d

SHA1
b3b2b679f5b573d6d7c61a726f3a16f49ebdcc89

SHA256
767ff488adb690d860af9cd23645350a69f1b0efaee985ec16abdb8d33732ec2

SHA512
ff49e6adb2ebe1849e5fd530abafd71d5c690b4f8cdba32f6a62c62603edddf701c0a4286fca4254c182178606f54161df5f8e5f5d6ef289e9ef9068d695798c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe

Filesize
174KB

MD5
2f53fba949ae81f4641d3ec43b0e6fd0

SHA1
c211be0128fcfa598b9600842d5809f1567b0c4b

SHA256
9e1f55484f4d038b9f674de5c64250534bffd5de6640104d14c2c319b5b4be32

SHA512
a9654a5211e67fa73691fcd1dcaa1047270c4d83dc09351d047632a789823ae8dc53c4ee7e57cf4e7d48802cf11cb5aad7f7355ad952a9984884227c48495bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8632078.exe

Filesize
174KB

MD5
2f53fba949ae81f4641d3ec43b0e6fd0

SHA1
c211be0128fcfa598b9600842d5809f1567b0c4b

SHA256
9e1f55484f4d038b9f674de5c64250534bffd5de6640104d14c2c319b5b4be32

SHA512
a9654a5211e67fa73691fcd1dcaa1047270c4d83dc09351d047632a789823ae8dc53c4ee7e57cf4e7d48802cf11cb5aad7f7355ad952a9984884227c48495bb4

Download Submit
memory/3516-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3516-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3516-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3516-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4348-39-0x0000000005850000-0x0000000005E68000-memory.dmp

Filesize
6.1MB

Download
memory/4348-37-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-38-0x0000000002AC0000-0x0000000002AC6000-memory.dmp

Filesize
24KB

Download
memory/4348-36-0x00000000007D0000-0x0000000000800000-memory.dmp

Filesize
192KB

Download
memory/4348-40-0x0000000005360000-0x000000000546A000-memory.dmp

Filesize
1.0MB

Download
memory/4348-41-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/4348-42-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4348-43-0x0000000005300000-0x000000000533C000-memory.dmp

Filesize
240KB

Download
memory/4348-44-0x0000000005470000-0x00000000054BC000-memory.dmp

Filesize
304KB

Download
memory/4348-45-0x00000000742F0000-0x0000000074AA0000-memory.dmp

Filesize
7.7MB

Download
memory/4348-46-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads