mystic | 492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe
Size

1.4MB
MD5

c57d1db87525d08aa37878c1aa228e32
SHA1

17995f6a09c15098b7a6d6d8ba431288a5ac0b41
SHA256

492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270
SHA512

ffd6a7c35034f74b0299a0e016f216e8a788cfe9c71f38b31a95085f70241b2dff479d2400b7220a3cf06b59d406b520ece7b3ffd7c5bff540514d4293d95ca4
SSDEEP

24576:Dyd9G9QbNKx2J8a6E9s20F+zQvAFng9LpNqcyHne4AIZuqJRvDY:WdIQbYQBR9r0wcoFng9Fg1erIl

Score

10^/10

mystic privateloader redline risepro taiga infostealer loader persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Extracted

Family

risepro

5.42.92.51

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral1/memory/1748-42-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1748-46-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1748-43-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/1748-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4332-28-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 6 IoCs

pid	Process
2548	Uf3zm84.exe
2380	bq7VC72.exe
2284	NQ7rW63.exe
5052	2EK0210.exe
4640	3KB95xc.exe
3332	4mH711GC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	NQ7rW63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Uf3zm84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	bq7VC72.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 4332	5052	2EK0210.exe	100
PID 4640 set thread context of 1748	4640	3KB95xc.exe	109

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2756	1748	WerFault.exe	109

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 2548	3116	492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe	89
PID 3116 wrote to memory of 2548	3116	492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe	89
PID 3116 wrote to memory of 2548	3116	492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe	89
PID 2548 wrote to memory of 2380	2548	Uf3zm84.exe	91
PID 2548 wrote to memory of 2380	2548	Uf3zm84.exe	91
PID 2548 wrote to memory of 2380	2548	Uf3zm84.exe	91
PID 2380 wrote to memory of 2284	2380	bq7VC72.exe	92
PID 2380 wrote to memory of 2284	2380	bq7VC72.exe	92
PID 2380 wrote to memory of 2284	2380	bq7VC72.exe	92
PID 2284 wrote to memory of 5052	2284	NQ7rW63.exe	93
PID 2284 wrote to memory of 5052	2284	NQ7rW63.exe	93
PID 2284 wrote to memory of 5052	2284	NQ7rW63.exe	93
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 5052 wrote to memory of 4332	5052	2EK0210.exe	100
PID 2284 wrote to memory of 4640	2284	NQ7rW63.exe	101
PID 2284 wrote to memory of 4640	2284	NQ7rW63.exe	101
PID 2284 wrote to memory of 4640	2284	NQ7rW63.exe	101
PID 4640 wrote to memory of 3280	4640	3KB95xc.exe	108
PID 4640 wrote to memory of 3280	4640	3KB95xc.exe	108
PID 4640 wrote to memory of 3280	4640	3KB95xc.exe	108
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 4640 wrote to memory of 1748	4640	3KB95xc.exe	109
PID 2380 wrote to memory of 3332	2380	bq7VC72.exe	110
PID 2380 wrote to memory of 3332	2380	bq7VC72.exe	110
PID 2380 wrote to memory of 3332	2380	bq7VC72.exe	110

C:\Users\Admin\AppData\Local\Temp\492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe
"C:\Users\Admin\AppData\Local\Temp\492b0af84e2a0bad92ea96b903488694b78d3bd9a95aed38023b3a8c16674270.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uf3zm84.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uf3zm84.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bq7VC72.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bq7VC72.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NQ7rW63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NQ7rW63.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2EK0210.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2EK0210.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5052
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KB95xc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KB95xc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4640
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3280
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 200
        7⤵
        Program crash
        
        PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4mH711GC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4mH711GC.exe
      4⤵
      Executes dropped EXE
      PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1748 -ip 1748
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uf3zm84.exe

Filesize
1.2MB

MD5
c56b9a8254dca7f8a941323aed3f45d7

SHA1
eadd0f8e978c558e633b28978b0ac56b75464b24

SHA256
dacbed0c66fc5d3f874696f9e04598792013391c0ecae88d90e4ac34a78bb522

SHA512
4ae89aafca153961231b5052d9af6f562f695300194e3947febcf971b0dcbe5629a6ec9ecc02cae2a199afdbdcf40d1a98ac165a2b8a75781470afd1634ce359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uf3zm84.exe

Filesize
1.2MB

MD5
c56b9a8254dca7f8a941323aed3f45d7

SHA1
eadd0f8e978c558e633b28978b0ac56b75464b24

SHA256
dacbed0c66fc5d3f874696f9e04598792013391c0ecae88d90e4ac34a78bb522

SHA512
4ae89aafca153961231b5052d9af6f562f695300194e3947febcf971b0dcbe5629a6ec9ecc02cae2a199afdbdcf40d1a98ac165a2b8a75781470afd1634ce359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bq7VC72.exe

Filesize
1.0MB

MD5
37920d953234ddc3966ca67c4b42769d

SHA1
7728738829ff15c43a3500a08978f0d6f29c88ca

SHA256
f058484fa5562556e174b80aa560ad7ab649201abb3df7e4038b32651770d685

SHA512
daaa401e73c84ed01f8bd6533b15a69d003ddecc91baf2c7f03d69d489082c92035fcf101353bd9bc9a4e1ecab2a0a20d52f5f907cd132eebc080ded119e95e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bq7VC72.exe

Filesize
1.0MB

MD5
37920d953234ddc3966ca67c4b42769d

SHA1
7728738829ff15c43a3500a08978f0d6f29c88ca

SHA256
f058484fa5562556e174b80aa560ad7ab649201abb3df7e4038b32651770d685

SHA512
daaa401e73c84ed01f8bd6533b15a69d003ddecc91baf2c7f03d69d489082c92035fcf101353bd9bc9a4e1ecab2a0a20d52f5f907cd132eebc080ded119e95e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4mH711GC.exe

Filesize
1.3MB

MD5
f3bf53e33d5fa006525f8bdefd4b9740

SHA1
3ef7f6cd01a3aead640b6ff534ca0c29133cd7ea

SHA256
9ac63cffd9d0700dd6abffbce324251655748513b6b8c2161d763161e3922494

SHA512
f2591ab139ab325d6df32ea49691254b1614ec2423c9ce42f542124da05c56c8ae7dde820e75d62edf74e7434239e4170568e57ecbe47626fe1c72c1bffc3a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4mH711GC.exe

Filesize
1.3MB

MD5
f3bf53e33d5fa006525f8bdefd4b9740

SHA1
3ef7f6cd01a3aead640b6ff534ca0c29133cd7ea

SHA256
9ac63cffd9d0700dd6abffbce324251655748513b6b8c2161d763161e3922494

SHA512
f2591ab139ab325d6df32ea49691254b1614ec2423c9ce42f542124da05c56c8ae7dde820e75d62edf74e7434239e4170568e57ecbe47626fe1c72c1bffc3a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NQ7rW63.exe

Filesize
431KB

MD5
546c9d0660476af62b581c0280f226b4

SHA1
85329aaf710ef2c14da803790869438fdae67ede

SHA256
8077f2cd525fda888a2fcb51b97947cb29f436d813b86ad38a74af071c3300d7

SHA512
a388084a517c107f86fa60f1a086b3f1858909bfce15aa6cfcf9b4e488d75049453aacecf8afd0e42b069c26ff90ebf71c26575549763953221eb39e477abb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\NQ7rW63.exe

Filesize
431KB

MD5
546c9d0660476af62b581c0280f226b4

SHA1
85329aaf710ef2c14da803790869438fdae67ede

SHA256
8077f2cd525fda888a2fcb51b97947cb29f436d813b86ad38a74af071c3300d7

SHA512
a388084a517c107f86fa60f1a086b3f1858909bfce15aa6cfcf9b4e488d75049453aacecf8afd0e42b069c26ff90ebf71c26575549763953221eb39e477abb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2EK0210.exe

Filesize
415KB

MD5
2187e2e694a1762cb23f100d69d66977

SHA1
783400fab204e59ac1a20cc403b1ea624e67bb85

SHA256
5a600b37f66d6b6bf7e82ced7b9ecdddc747319f21583164a443a894cc3711a3

SHA512
19a0dd3c0fa1bd5a1a8c1223848219e8b21594fb6eac9d820fcc2edf0ea07862b66b229a01433305b621f1385470f72f92a2e8100c4a2b7db092103af0304378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2EK0210.exe

Filesize
415KB

MD5
2187e2e694a1762cb23f100d69d66977

SHA1
783400fab204e59ac1a20cc403b1ea624e67bb85

SHA256
5a600b37f66d6b6bf7e82ced7b9ecdddc747319f21583164a443a894cc3711a3

SHA512
19a0dd3c0fa1bd5a1a8c1223848219e8b21594fb6eac9d820fcc2edf0ea07862b66b229a01433305b621f1385470f72f92a2e8100c4a2b7db092103af0304378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KB95xc.exe

Filesize
378KB

MD5
516fbd2dfa501b3ffbff57e9e48a1751

SHA1
0fe317862b1e0593bb29631be291ad20c759c439

SHA256
a04b47c36cd01085df4b7c2d5cd749dbf5b726b9a179993f45d13fc64e3f3c5c

SHA512
be8c768e72bf374a1bb6459ba67290729fea9b8dfa540d5116049c940a2c152d51a6c4e083f1531fde2d1c41144b9e33382a937d11e10e2b69a7e0c52a7589a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3KB95xc.exe

Filesize
378KB

MD5
516fbd2dfa501b3ffbff57e9e48a1751

SHA1
0fe317862b1e0593bb29631be291ad20c759c439

SHA256
a04b47c36cd01085df4b7c2d5cd749dbf5b726b9a179993f45d13fc64e3f3c5c

SHA512
be8c768e72bf374a1bb6459ba67290729fea9b8dfa540d5116049c940a2c152d51a6c4e083f1531fde2d1c41144b9e33382a937d11e10e2b69a7e0c52a7589a2

Download Submit
memory/1748-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-38-0x0000000008110000-0x000000000821A000-memory.dmp

Filesize
1.0MB

Download
memory/4332-34-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/4332-39-0x0000000007970000-0x0000000007982000-memory.dmp

Filesize
72KB

Download
memory/4332-40-0x00000000079D0000-0x0000000007A0C000-memory.dmp

Filesize
240KB

Download
memory/4332-41-0x0000000007A10000-0x0000000007A5C000-memory.dmp

Filesize
304KB

Download
memory/4332-33-0x0000000007B60000-0x0000000008104000-memory.dmp

Filesize
5.6MB

Download
memory/4332-32-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4332-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4332-37-0x0000000008730000-0x0000000008D48000-memory.dmp

Filesize
6.1MB

Download
memory/4332-36-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/4332-35-0x0000000007810000-0x0000000007820000-memory.dmp

Filesize
64KB

Download
memory/4332-50-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4332-51-0x0000000007810000-0x0000000007820000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads