mystic | f6a395732f5dfe45c1b53e1a544f31826d5f310499de2170e9064ac9605a913e

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe
Size

1.5MB
MD5

22911db4f8ba085ab5a96d55b39857a1
SHA1

d583bce9bfe82d3b8c69f182fc854c305f99657a
SHA256

20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384
SHA512

38d972095a46d503281eb0eb94c9b1d447021f2778086633f43a28a28600c0edc148065eb31f1b4ba841ea87e8db74863ec80444013cfb1a6c466a0c1cd4969b
SSDEEP

24576:QyTuRq2rq3dv5GDA3BhnPJbCI1ej1a6LJg6fTvKBNdY88bSHv9kQFIyt:XTu5gGDAR1PFz12aau6fTvKljzP99Iy

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral5/memory/3076-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/3076-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral5/memory/3076-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xg962QI.exe	family_redline
behavioral5/memory/3504-42-0x0000000000330000-0x000000000036E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

CY5UU5Dk.exeTT8hm9Bg.exekJ0iJ0we.exeVB1La5Qa.exe1mM59SY2.exe2Xg962QI.exe

pid process

3200 CY5UU5Dk.exe
3168 TT8hm9Bg.exe
5108 kJ0iJ0we.exe
1408 VB1La5Qa.exe
2108 1mM59SY2.exe
3504 2Xg962QI.exe

pid	process
3200	CY5UU5Dk.exe
3168	TT8hm9Bg.exe
5108	kJ0iJ0we.exe
1408	VB1La5Qa.exe
2108	1mM59SY2.exe
3504	2Xg962QI.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exeCY5UU5Dk.exeTT8hm9Bg.exekJ0iJ0we.exeVB1La5Qa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	CY5UU5Dk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	TT8hm9Bg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kJ0iJ0we.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	VB1La5Qa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1mM59SY2.exe

description pid process target process

PID 2108 set thread context of 3076 2108 1mM59SY2.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 2108 WerFault.exe 1mM59SY2.exe

description	pid	process	target process
PID 2108 set thread context of 3076	2108	1mM59SY2.exe	AppLaunch.exe

pid	pid_target	process	target process
1996	2108	WerFault.exe	1mM59SY2.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exeCY5UU5Dk.exeTT8hm9Bg.exekJ0iJ0we.exeVB1La5Qa.exe1mM59SY2.exe

description	pid	process	target process
PID 3628 wrote to memory of 3200	3628	20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe	CY5UU5Dk.exe
PID 3628 wrote to memory of 3200	3628	20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe	CY5UU5Dk.exe
PID 3628 wrote to memory of 3200	3628	20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe	CY5UU5Dk.exe
PID 3200 wrote to memory of 3168	3200	CY5UU5Dk.exe	TT8hm9Bg.exe
PID 3200 wrote to memory of 3168	3200	CY5UU5Dk.exe	TT8hm9Bg.exe
PID 3200 wrote to memory of 3168	3200	CY5UU5Dk.exe	TT8hm9Bg.exe
PID 3168 wrote to memory of 5108	3168	TT8hm9Bg.exe	kJ0iJ0we.exe
PID 3168 wrote to memory of 5108	3168	TT8hm9Bg.exe	kJ0iJ0we.exe
PID 3168 wrote to memory of 5108	3168	TT8hm9Bg.exe	kJ0iJ0we.exe
PID 5108 wrote to memory of 1408	5108	kJ0iJ0we.exe	VB1La5Qa.exe
PID 5108 wrote to memory of 1408	5108	kJ0iJ0we.exe	VB1La5Qa.exe
PID 5108 wrote to memory of 1408	5108	kJ0iJ0we.exe	VB1La5Qa.exe
PID 1408 wrote to memory of 2108	1408	VB1La5Qa.exe	1mM59SY2.exe
PID 1408 wrote to memory of 2108	1408	VB1La5Qa.exe	1mM59SY2.exe
PID 1408 wrote to memory of 2108	1408	VB1La5Qa.exe	1mM59SY2.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 2108 wrote to memory of 3076	2108	1mM59SY2.exe	AppLaunch.exe
PID 1408 wrote to memory of 3504	1408	VB1La5Qa.exe	2Xg962QI.exe
PID 1408 wrote to memory of 3504	1408	VB1La5Qa.exe	2Xg962QI.exe
PID 1408 wrote to memory of 3504	1408	VB1La5Qa.exe	2Xg962QI.exe

C:\Users\Admin\AppData\Local\Temp\20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe
"C:\Users\Admin\AppData\Local\Temp\20811d5e089d4e2f65301bba6dbb3776615b8a82ea39cd03d088665a7bf27384.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CY5UU5Dk.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CY5UU5Dk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TT8hm9Bg.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TT8hm9Bg.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kJ0iJ0we.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kJ0iJ0we.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VB1La5Qa.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VB1La5Qa.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mM59SY2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mM59SY2.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 600
        7⤵
        Program crash
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xg962QI.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xg962QI.exe
        6⤵
        Executes dropped EXE
        
        PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2108 -ip 2108
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CY5UU5Dk.exe

Filesize
1.3MB

MD5
7ac3feeefc1ae629015ca97064825bbd

SHA1
d1866623fa383c293fc623a7682f486b83c552a0

SHA256
c802eaadbead0381d81d2d5444b484fea153bda01ec46518fa2691096dc9b354

SHA512
09de92f6cf87cbbba053a3290647b94b9a3429484362b1a86b6e8929898f6c06eba99c9d0b5c1cc00e68de34289f9cda723dfd72cb3d9dc84f613d39a1facc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TT8hm9Bg.exe

Filesize
1.1MB

MD5
2618e8f19123347d461abc734faa2a59

SHA1
61db55176671cdd49299952c35628f17897a7254

SHA256
58b2c937e991416bdc8305133dbe7f551705be1baa52ddbd0f88cc83608de9b0

SHA512
9eddb309f7e5e4f33ef6dd83354a7f2ba2bc5e9efe7d83628da54a85c3a15f9e6caca3a2c64a9de7ccfed086fe7d1e0abbb141676a81d46acab10c5de55b5bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kJ0iJ0we.exe

Filesize
735KB

MD5
d4016838708742d1ac9565119552d853

SHA1
f78fafc6ad20d58883f3f2670cf1b7545568266a

SHA256
6ae4f1c2a66e7e1857f3654e173860d4a2d458efa43ca2505274c06411923d9e

SHA512
a3698568a37f1143fe04cdaeb59d8688bb62f469820da83f673fed7f5eebab3c32ab7bdc093f42a92a9a52b81c37310be136426f3a8d45878a6936f857d6946f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\VB1La5Qa.exe

Filesize
563KB

MD5
9371aad7698b3e129d894dd433c65384

SHA1
f18fba151e490c9fe73ce07fc42743165e0109c2

SHA256
af749ce5caaea742113b941820fd674cf2724d07bb5418312533027c009c0f03

SHA512
249807c7ee1895ad261c15fe7f514ba3660e8b9a476450055052a3b6294377a6d5c5e2763212c3a695659be52c83590c7bdb321f3dac373f52c691273d4a6c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mM59SY2.exe

Filesize
1.4MB

MD5
668ffd9213287dbd6836a4525a9df81f

SHA1
9b80bad95e9c220c0020ac08695085db699b6569

SHA256
077cfef9cdbb3b6ff5f7b455943aa68cbca34d899a46b66c21d67960eeb19108

SHA512
000deb374b6ac7be612a2f94be1cefa76c6e760eaf0a3c4a1d08cf2cb0a0d1f8ad4effe72f6f004ed38b60268ee12ae9772c889f0d7ec8d6480b7f9863d49d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Xg962QI.exe

Filesize
230KB

MD5
a7fa5c150791c5208838875e8e110ec8

SHA1
43bb1cd7f5ad6495c65d37638826ced59ba21692

SHA256
1e409a291550783021f15db52b53cb281a908be391368507452ace57f6b46771

SHA512
8b70c50eff357680d4786d013f8ff26d8213ae2fcbd30bd4996e6a7899740f0bbd4163ff77229b28e182cd385f46a083a21276c1c6a341a1fd0eab0184048113

Download Submit
memory/3076-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3076-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3504-42-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/3504-43-0x0000000007660000-0x0000000007C04000-memory.dmp

Filesize
5.6MB

Download
memory/3504-44-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/3504-45-0x0000000002530000-0x000000000253A000-memory.dmp

Filesize
40KB

Download
memory/3504-46-0x0000000008230000-0x0000000008848000-memory.dmp

Filesize
6.1MB

Download
memory/3504-48-0x00000000071F0000-0x0000000007202000-memory.dmp

Filesize
72KB

Download
memory/3504-49-0x0000000007250000-0x000000000728C000-memory.dmp

Filesize
240KB

Download
memory/3504-50-0x00000000073C0000-0x000000000740C000-memory.dmp

Filesize
304KB

Download
memory/3504-47-0x00000000074D0000-0x00000000075DA000-memory.dmp

Filesize
1.0MB

Download