mystic | 601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 13:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe
Size

943KB
MD5

c54d795009aabc12674029d959ad3b86
SHA1

a17eb49d8937735d026bb4e36d1c6911f262bdc4
SHA256

601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a
SHA512

74a62fd3558da9a5c76b13093e098e37a458e2688667994f574b95ae65e2567d6fa7cc3774b6581a0cf369bc7408854e30e50951e11442a9da6d9a76e14992c6
SSDEEP

12288:RMrDy90vg0fw2xVhJKqERlLQwZ2OH4+Te0Eyf3Yz/unEIPPY+JoGmYRe1J+Pwxj4:2yslgqqvHbxgTunhYSo0ef+oj4

Score

10^/10

mystic redline ramos infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

ramos

77.91.124.82:19071

Attributes

auth_value
42c0ec91d63648bb7119ab787aa3fb94

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3720-28-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3720-29-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3720-30-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3720-32-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2448	x9628675.exe
4212	x4691493.exe
2088	x8140633.exe
4072	g7645872.exe
4388	h2361730.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4691493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8140633.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9628675.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 3720	4072	g7645872.exe	90

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4612	3720	WerFault.exe	90
5016	4072	WerFault.exe	89

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 2448	4356	601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe	86
PID 4356 wrote to memory of 2448	4356	601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe	86
PID 4356 wrote to memory of 2448	4356	601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe	86
PID 2448 wrote to memory of 4212	2448	x9628675.exe	87
PID 2448 wrote to memory of 4212	2448	x9628675.exe	87
PID 2448 wrote to memory of 4212	2448	x9628675.exe	87
PID 4212 wrote to memory of 2088	4212	x4691493.exe	88
PID 4212 wrote to memory of 2088	4212	x4691493.exe	88
PID 4212 wrote to memory of 2088	4212	x4691493.exe	88
PID 2088 wrote to memory of 4072	2088	x8140633.exe	89
PID 2088 wrote to memory of 4072	2088	x8140633.exe	89
PID 2088 wrote to memory of 4072	2088	x8140633.exe	89
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 4072 wrote to memory of 3720	4072	g7645872.exe	90
PID 2088 wrote to memory of 4388	2088	x8140633.exe	101
PID 2088 wrote to memory of 4388	2088	x8140633.exe	101
PID 2088 wrote to memory of 4388	2088	x8140633.exe	101

C:\Users\Admin\AppData\Local\Temp\601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe
"C:\Users\Admin\AppData\Local\Temp\601effd3e0eb5677bfe635c645042851a782c244b120e01eb5934fbad0ee774a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9628675.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9628675.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4691493.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4691493.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8140633.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8140633.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7645872.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7645872.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 540
        7⤵
        Program crash
        
        PID:4612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 592
        6⤵
        Program crash
        
        PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2361730.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2361730.exe
        5⤵
        Executes dropped EXE
        
        PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720
1⤵
PID:1360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4072 -ip 4072
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9628675.exe

Filesize
841KB

MD5
412d0512e29565f33470d1b5dc614e24

SHA1
b84a7a0c6287ca74723d85f8e302365d5fa77e58

SHA256
761df1529134f551315a750b6c7123667fd379c79beca9ed713a2afd0ff14989

SHA512
95c66b994a2fcd8fac4705931ad9bfa472a8062a3d8e21782d072f563ec0444c3f3a7bcda23974ab50c6ca510e58c86cbd62c42ae1c7548235a3e921c096e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9628675.exe

Filesize
841KB

MD5
412d0512e29565f33470d1b5dc614e24

SHA1
b84a7a0c6287ca74723d85f8e302365d5fa77e58

SHA256
761df1529134f551315a750b6c7123667fd379c79beca9ed713a2afd0ff14989

SHA512
95c66b994a2fcd8fac4705931ad9bfa472a8062a3d8e21782d072f563ec0444c3f3a7bcda23974ab50c6ca510e58c86cbd62c42ae1c7548235a3e921c096e1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4691493.exe

Filesize
563KB

MD5
54b82d736167fe7f0d0a77ea12c1fd95

SHA1
c32d12da962fb85184c15f9cc22885f9ab032b1f

SHA256
e550de37908f4500dff33acb21d15f40ffd5fac1a53761008965dfb8529fdb96

SHA512
7a7e1bcbc77a28d89643731c6e42023af6158b535976239ded83be955f84f78dd4d238bae850790ab4c36f8fcd1a7387717e3afcd95f54215c2037486ba04e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4691493.exe

Filesize
563KB

MD5
54b82d736167fe7f0d0a77ea12c1fd95

SHA1
c32d12da962fb85184c15f9cc22885f9ab032b1f

SHA256
e550de37908f4500dff33acb21d15f40ffd5fac1a53761008965dfb8529fdb96

SHA512
7a7e1bcbc77a28d89643731c6e42023af6158b535976239ded83be955f84f78dd4d238bae850790ab4c36f8fcd1a7387717e3afcd95f54215c2037486ba04e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8140633.exe

Filesize
397KB

MD5
249a048f18d8a42f6df906a910fac3ac

SHA1
f218114dd60fca0067b251f1c654bea7b578bdab

SHA256
e2ad2e7f0649830143f11832da826d5363df3783b25a16ca5520dffcd2074bf5

SHA512
cdd71839c8713b5a2c2ead7360fc1bde1461cbdd20dfe801b6da87c217c3c3a49e875a8550cc03b23509632070d156f12bd46c4011ab8f002617d36158e38863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8140633.exe

Filesize
397KB

MD5
249a048f18d8a42f6df906a910fac3ac

SHA1
f218114dd60fca0067b251f1c654bea7b578bdab

SHA256
e2ad2e7f0649830143f11832da826d5363df3783b25a16ca5520dffcd2074bf5

SHA512
cdd71839c8713b5a2c2ead7360fc1bde1461cbdd20dfe801b6da87c217c3c3a49e875a8550cc03b23509632070d156f12bd46c4011ab8f002617d36158e38863

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7645872.exe

Filesize
379KB

MD5
49724c80dc7048acd92e135b9739ae90

SHA1
34587d7fe9699a1d75c6e8451e3af1bda66524f3

SHA256
092e5d102677ff1bff407ba7539b14cb5fc514415560c2d6d8bc95c271b37a8f

SHA512
75108264dad81b4ed7cd64824d4215e5f9859b05cd9480667e15b525cdaf973e82528d99eb57d021ac226406d714fd99795bfd4fc8bea874495a67df08aa05c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7645872.exe

Filesize
379KB

MD5
49724c80dc7048acd92e135b9739ae90

SHA1
34587d7fe9699a1d75c6e8451e3af1bda66524f3

SHA256
092e5d102677ff1bff407ba7539b14cb5fc514415560c2d6d8bc95c271b37a8f

SHA512
75108264dad81b4ed7cd64824d4215e5f9859b05cd9480667e15b525cdaf973e82528d99eb57d021ac226406d714fd99795bfd4fc8bea874495a67df08aa05c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2361730.exe

Filesize
174KB

MD5
771e4d010c3348197dfb994720431ab7

SHA1
e20a4dceeeab029f75e97da822e09b597e66e3a6

SHA256
e8b61de6cac49b3da6d84c37134b9d343c8e8fec4ea1d2c5f36049b0b917a96a

SHA512
9d831b449f477156cf73a48ac1088deab82db4cc411510c6d9bb83b6a789507da47ef601ae089ae4cea5950449cef681b8197aa09bc3706945b4b710bc30e339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2361730.exe

Filesize
174KB

MD5
771e4d010c3348197dfb994720431ab7

SHA1
e20a4dceeeab029f75e97da822e09b597e66e3a6

SHA256
e8b61de6cac49b3da6d84c37134b9d343c8e8fec4ea1d2c5f36049b0b917a96a

SHA512
9d831b449f477156cf73a48ac1088deab82db4cc411510c6d9bb83b6a789507da47ef601ae089ae4cea5950449cef681b8197aa09bc3706945b4b710bc30e339

Download Submit
memory/3720-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3720-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3720-32-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3720-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4388-39-0x0000000005E70000-0x0000000006488000-memory.dmp

Filesize
6.1MB

Download
memory/4388-36-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4388-38-0x00000000056F0000-0x00000000056F6000-memory.dmp

Filesize
24KB

Download
memory/4388-37-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/4388-40-0x0000000005960000-0x0000000005A6A000-memory.dmp

Filesize
1.0MB

Download
memory/4388-42-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4388-41-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/4388-43-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/4388-44-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/4388-45-0x00000000749E0000-0x0000000075190000-memory.dmp

Filesize
7.7MB

Download
memory/4388-46-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads