mystic | 92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8

Analysis

max time kernel
142s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe
Size

522KB
MD5

928d302bab98caf3936ef7b66068127e
SHA1

fb979ffe462ae67b99172e5999722008f8bf519c
SHA256

92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8
SHA512

a6448941e57b8d65a3d76bf8176b011aa57e2518eee061d2178fbf81b35928e556b6296f6bbc8a3ad07793b273478c06c7f5118a23420b5c5e3d17d5c0704551
SSDEEP

6144:Koy+bnr+Zp0yN90QEN2Ye6FlquVUZVoQWTMHqudJRNbiFDyVMI49OG4/t9Jk9kSF:MMrly90yYtpkVG4D1iFD99OGEJbWI9e

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/5064-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5064-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5064-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/5064-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/1456-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	5NH30Va.exe

Executes dropped EXE 4 IoCs

pid	Process
4300	NF5zF76.exe
2392	3GR339YR.exe
4768	4Cd2Eb5.exe
1920	5NH30Va.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	NF5zF76.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 5064	2392	3GR339YR.exe	92
PID 4768 set thread context of 1456	4768	4Cd2Eb5.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4120	5064	WerFault.exe	92

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4300	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	87
PID 4740 wrote to memory of 4300	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	87
PID 4740 wrote to memory of 4300	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	87
PID 4300 wrote to memory of 2392	4300	NF5zF76.exe	88
PID 4300 wrote to memory of 2392	4300	NF5zF76.exe	88
PID 4300 wrote to memory of 2392	4300	NF5zF76.exe	88
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 2392 wrote to memory of 5064	2392	3GR339YR.exe	92
PID 4300 wrote to memory of 4768	4300	NF5zF76.exe	95
PID 4300 wrote to memory of 4768	4300	NF5zF76.exe	95
PID 4300 wrote to memory of 4768	4300	NF5zF76.exe	95
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4768 wrote to memory of 1456	4768	4Cd2Eb5.exe	99
PID 4740 wrote to memory of 1920	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	100
PID 4740 wrote to memory of 1920	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	100
PID 4740 wrote to memory of 1920	4740	NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe	100
PID 1920 wrote to memory of 1344	1920	5NH30Va.exe	104
PID 1920 wrote to memory of 1344	1920	5NH30Va.exe	104
PID 1920 wrote to memory of 1344	1920	5NH30Va.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.92fcba02829079940f3b9eb68d51f5ec8a7d24415061c1e055a266cf50c39af8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 540
        5⤵
        Program crash
        
        PID:4120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5064 -ip 5064
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe

Filesize
73KB

MD5
dc9634d7bd290eef66f99e1484614449

SHA1
842a9b8a739fbd2e55e111b18249cf18add0e5da

SHA256
80e91d414f0db8e29c451c39f27790e3995eeadd491e781187257192365b90ef

SHA512
e907f8e3578434b93afb48f7f5ac9b6be98cd0e5e75e0df1f0a14c218b83931889f10dda189faf8545af1192626bdef39c91f2ff79c7d95618ee54986b0b300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5NH30Va.exe

Filesize
73KB

MD5
dc9634d7bd290eef66f99e1484614449

SHA1
842a9b8a739fbd2e55e111b18249cf18add0e5da

SHA256
80e91d414f0db8e29c451c39f27790e3995eeadd491e781187257192365b90ef

SHA512
e907f8e3578434b93afb48f7f5ac9b6be98cd0e5e75e0df1f0a14c218b83931889f10dda189faf8545af1192626bdef39c91f2ff79c7d95618ee54986b0b300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe

Filesize
400KB

MD5
e77056154234792f28d3592e6fdc1721

SHA1
8e03ba7e4fdcad961d48eabac42adb892b3134f8

SHA256
348eb80e4b319f71d356670f17caf521c99fdd5231bc9a7d19645d2823da0567

SHA512
b2279d0cf6133f60309f340980307e7d9d5767c15df2b4ce4cba7cc197dca0c77e0b4b7750717529f5165cc0e235d7383ab87559c7d30dcf9e90977d1d948daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NF5zF76.exe

Filesize
400KB

MD5
e77056154234792f28d3592e6fdc1721

SHA1
8e03ba7e4fdcad961d48eabac42adb892b3134f8

SHA256
348eb80e4b319f71d356670f17caf521c99fdd5231bc9a7d19645d2823da0567

SHA512
b2279d0cf6133f60309f340980307e7d9d5767c15df2b4ce4cba7cc197dca0c77e0b4b7750717529f5165cc0e235d7383ab87559c7d30dcf9e90977d1d948daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe

Filesize
319KB

MD5
91cc05f030208de23b079cbe82aaef0c

SHA1
d15ae75d12ed4c0f79437c495f1f83e63d1ffc7b

SHA256
12cc053e5a9e10f0b92f8686af41b12b07473600e75c8245256fef575b9262ac

SHA512
73860c4289d338bfbc98d5e5478521c67e9ba76d2c88c3c89a7d1b11e72d2f362de040f22e312b5621e13bd9662f53f27f456b06854c2051031237f361f0b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GR339YR.exe

Filesize
319KB

MD5
91cc05f030208de23b079cbe82aaef0c

SHA1
d15ae75d12ed4c0f79437c495f1f83e63d1ffc7b

SHA256
12cc053e5a9e10f0b92f8686af41b12b07473600e75c8245256fef575b9262ac

SHA512
73860c4289d338bfbc98d5e5478521c67e9ba76d2c88c3c89a7d1b11e72d2f362de040f22e312b5621e13bd9662f53f27f456b06854c2051031237f361f0b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe

Filesize
358KB

MD5
857a2c0ee66b49fcc334f9b95449597d

SHA1
44bbdb08cca695a151db4ffafdc9bf57f9893054

SHA256
60fcc159b86d37334d5a3b37e4d41203d2348894d023f6cbdda511dfd4b6fe82

SHA512
807a58b3345ac54688f8d0d75951feb2f348775ac3c5132bd0fdebe67eaef080c748ef9be02d1224ee977aa8b52d1a460c45620a76be72778acd7d2a0b7cd94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Cd2Eb5.exe

Filesize
358KB

MD5
857a2c0ee66b49fcc334f9b95449597d

SHA1
44bbdb08cca695a151db4ffafdc9bf57f9893054

SHA256
60fcc159b86d37334d5a3b37e4d41203d2348894d023f6cbdda511dfd4b6fe82

SHA512
807a58b3345ac54688f8d0d75951feb2f348775ac3c5132bd0fdebe67eaef080c748ef9be02d1224ee977aa8b52d1a460c45620a76be72778acd7d2a0b7cd94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/1456-41-0x0000000007380000-0x0000000007392000-memory.dmp

Filesize
72KB

Download
memory/1456-29-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/1456-45-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1456-28-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/1456-38-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/1456-31-0x0000000007200000-0x0000000007292000-memory.dmp

Filesize
584KB

Download
memory/1456-33-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1456-39-0x00000000082A0000-0x00000000088B8000-memory.dmp

Filesize
6.1MB

Download
memory/1456-44-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/1456-43-0x0000000007530000-0x000000000757C000-memory.dmp

Filesize
304KB

Download
memory/1456-42-0x00000000074F0000-0x000000000752C000-memory.dmp

Filesize
240KB

Download
memory/1456-40-0x00000000075C0000-0x00000000076CA000-memory.dmp

Filesize
1.0MB

Download
memory/1456-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5064-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads