mystic | 58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648

Analysis

max time kernel
155s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe
Size

522KB
MD5

27dffe6a01bee3e0ee0949a3df239bf0
SHA1

20d9d845df3959952ed5246547ffe75656579963
SHA256

58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648
SHA512

9e10d2ae5b2786fbd2a4755f9b45f1e05cf01a24a7e3beeb3e7ae86574e3338bd08e5711dfdbee8cba25870ce1faf9945a90302413d022c4150575e7c96829a0
SSDEEP

12288:lMrty90GxYxVLfDOjFr/LxL2RrHlUEwAUkSFL:IyLxIVLfMx/lLKpOkSt

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/2600-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2600-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2600-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/2600-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4964-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	5oT32Vp.exe

Executes dropped EXE 4 IoCs

pid	Process
1488	UB1Rg79.exe
3340	3RO803zz.exe
2808	4WI3Fs2.exe
4460	5oT32Vp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UB1Rg79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3340 set thread context of 2600	3340	3RO803zz.exe	99
PID 2808 set thread context of 4964	2808	4WI3Fs2.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1800	2600	WerFault.exe	99

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 1488	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	92
PID 5104 wrote to memory of 1488	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	92
PID 5104 wrote to memory of 1488	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	92
PID 1488 wrote to memory of 3340	1488	UB1Rg79.exe	93
PID 1488 wrote to memory of 3340	1488	UB1Rg79.exe	93
PID 1488 wrote to memory of 3340	1488	UB1Rg79.exe	93
PID 3340 wrote to memory of 2908	3340	3RO803zz.exe	95
PID 3340 wrote to memory of 2908	3340	3RO803zz.exe	95
PID 3340 wrote to memory of 2908	3340	3RO803zz.exe	95
PID 3340 wrote to memory of 4488	3340	3RO803zz.exe	96
PID 3340 wrote to memory of 4488	3340	3RO803zz.exe	96
PID 3340 wrote to memory of 4488	3340	3RO803zz.exe	96
PID 3340 wrote to memory of 1668	3340	3RO803zz.exe	97
PID 3340 wrote to memory of 1668	3340	3RO803zz.exe	97
PID 3340 wrote to memory of 1668	3340	3RO803zz.exe	97
PID 3340 wrote to memory of 4596	3340	3RO803zz.exe	98
PID 3340 wrote to memory of 4596	3340	3RO803zz.exe	98
PID 3340 wrote to memory of 4596	3340	3RO803zz.exe	98
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 3340 wrote to memory of 2600	3340	3RO803zz.exe	99
PID 1488 wrote to memory of 2808	1488	UB1Rg79.exe	103
PID 1488 wrote to memory of 2808	1488	UB1Rg79.exe	103
PID 1488 wrote to memory of 2808	1488	UB1Rg79.exe	103
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 2808 wrote to memory of 4964	2808	4WI3Fs2.exe	106
PID 5104 wrote to memory of 4460	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	107
PID 5104 wrote to memory of 4460	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	107
PID 5104 wrote to memory of 4460	5104	NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe	107
PID 4460 wrote to memory of 3956	4460	5oT32Vp.exe	108
PID 4460 wrote to memory of 3956	4460	5oT32Vp.exe	108
PID 4460 wrote to memory of 3956	4460	5oT32Vp.exe	108

C:\Users\Admin\AppData\Local\Temp\NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.58a14f9b353f2c87857a57262951b83d479a20e4ed8c90a2d4152f78a9144648.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UB1Rg79.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UB1Rg79.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3RO803zz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3RO803zz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 556
        5⤵
        Program crash
        
        PID:1800
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WI3Fs2.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WI3Fs2.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5oT32Vp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5oT32Vp.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2600 -ip 2600
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5oT32Vp.exe

Filesize
73KB

MD5
3ba0af1866b9c7a5ecb1a3f141b058c5

SHA1
4333ea9d6f896a6ff5a624a78eb6c45e5602d988

SHA256
327116a89acda2a68da0a2261de81c7765417160e6e0083976d9a3dba218c711

SHA512
82046d3692159849f41895991d684a089ff467962b03bbad622c288b6d65f00808fb267cb9e6785b41173b6eefff512b6bff180dda61c85d794d4d90e245343e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5oT32Vp.exe

Filesize
73KB

MD5
3ba0af1866b9c7a5ecb1a3f141b058c5

SHA1
4333ea9d6f896a6ff5a624a78eb6c45e5602d988

SHA256
327116a89acda2a68da0a2261de81c7765417160e6e0083976d9a3dba218c711

SHA512
82046d3692159849f41895991d684a089ff467962b03bbad622c288b6d65f00808fb267cb9e6785b41173b6eefff512b6bff180dda61c85d794d4d90e245343e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UB1Rg79.exe

Filesize
400KB

MD5
1a542b12187b633587f6d1e29fbf878d

SHA1
d55eabc44b33f1ed7792c6a30e7a20e6eb60dda4

SHA256
4934ce5f052c625e5780534503b803126a2979779f96709d90620a1fbc845347

SHA512
00603be6f38a67bfdc69d28d5fe3237da5c8ca5c1e8df8b61a3c47f2698198251139480f139a3339b2d5b1ff6533824e8748a6057d9ab3d2b74c66552ea66d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UB1Rg79.exe

Filesize
400KB

MD5
1a542b12187b633587f6d1e29fbf878d

SHA1
d55eabc44b33f1ed7792c6a30e7a20e6eb60dda4

SHA256
4934ce5f052c625e5780534503b803126a2979779f96709d90620a1fbc845347

SHA512
00603be6f38a67bfdc69d28d5fe3237da5c8ca5c1e8df8b61a3c47f2698198251139480f139a3339b2d5b1ff6533824e8748a6057d9ab3d2b74c66552ea66d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3RO803zz.exe

Filesize
319KB

MD5
774d1338e4142f35f90872c8fd35e451

SHA1
c496a1d4cd57cea51eb467f2fb646bce0f24ebf3

SHA256
402c2edc046008a66af3322f91d00cd027fdef010d1c7ac53bcfe99dee6c497f

SHA512
f8b1b0b7ec5eedd75f3482a734050ad911ff320723d481073d26f9b9329650638dafd3d59786fd00ba9d740e3fe6af306a1fd91a8d7be117af0d788fdaf546b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3RO803zz.exe

Filesize
319KB

MD5
774d1338e4142f35f90872c8fd35e451

SHA1
c496a1d4cd57cea51eb467f2fb646bce0f24ebf3

SHA256
402c2edc046008a66af3322f91d00cd027fdef010d1c7ac53bcfe99dee6c497f

SHA512
f8b1b0b7ec5eedd75f3482a734050ad911ff320723d481073d26f9b9329650638dafd3d59786fd00ba9d740e3fe6af306a1fd91a8d7be117af0d788fdaf546b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WI3Fs2.exe

Filesize
358KB

MD5
68f4b56dc2d9906c59fec2dc31c06efd

SHA1
3722413097c9b902ea042ebeeafb895ed18dc7a6

SHA256
0bfc599fc131497db6fb77b7347b4bf065b1a1cba616c57aa4f4df97f63e1628

SHA512
d16f834d8fa0e86bf297a8d70ceda9a58f24255236a51a8e654824b04bf2e7fc6960867d0323fd863dae9383886863d0dee5d06781d4db6967346d918f7541e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4WI3Fs2.exe

Filesize
358KB

MD5
68f4b56dc2d9906c59fec2dc31c06efd

SHA1
3722413097c9b902ea042ebeeafb895ed18dc7a6

SHA256
0bfc599fc131497db6fb77b7347b4bf065b1a1cba616c57aa4f4df97f63e1628

SHA512
d16f834d8fa0e86bf297a8d70ceda9a58f24255236a51a8e654824b04bf2e7fc6960867d0323fd863dae9383886863d0dee5d06781d4db6967346d918f7541e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
memory/2600-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-38-0x0000000007C70000-0x0000000007C7A000-memory.dmp

Filesize
40KB

Download
memory/4964-34-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-35-0x00000000080E0000-0x0000000008684000-memory.dmp

Filesize
5.6MB

Download
memory/4964-36-0x0000000007BD0000-0x0000000007C62000-memory.dmp

Filesize
584KB

Download
memory/4964-37-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download
memory/4964-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4964-39-0x0000000008CB0000-0x00000000092C8000-memory.dmp

Filesize
6.1MB

Download
memory/4964-40-0x0000000008690000-0x000000000879A000-memory.dmp

Filesize
1.0MB

Download
memory/4964-41-0x0000000007F90000-0x0000000007FA2000-memory.dmp

Filesize
72KB

Download
memory/4964-42-0x0000000007FF0000-0x000000000802C000-memory.dmp

Filesize
240KB

Download
memory/4964-43-0x0000000008030000-0x000000000807C000-memory.dmp

Filesize
304KB

Download
memory/4964-44-0x0000000073740000-0x0000000073EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-45-0x0000000007D10000-0x0000000007D20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads