mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe
Size

1.2MB
MD5

df37a77942e209ffd551ccbd8a891298
SHA1

fdfdc4f2d1a99d36ec9094966b13b9d7f363e64b
SHA256

8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4
SHA512

2d38aacd910db9858c6c5209cdfd373257a9ad9bec99bb442cb9e6107b5c05f1407d19d7f6ec0938c495e69e199dd918aff1eb72f59abc5d2c2a58737c749ce6
SSDEEP

24576:VyNl1Y8BGfhfMJ4tpDzfS7+JmYXd4EgielWg:wNlW8GZfxjfKBwJD

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral8/memory/4864-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/4864-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral8/memory/4864-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2br075zB.exe	family_redline
behavioral8/memory/3872-42-0x0000000000210000-0x000000000024E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

UW6FZ3Vl.exedo6RP2hz.exeZP0Kq8zP.exeYq4IH0Xk.exe1GK84On8.exe2br075zB.exe

pid process

2276 UW6FZ3Vl.exe
2660 do6RP2hz.exe
2172 ZP0Kq8zP.exe
2736 Yq4IH0Xk.exe
4896 1GK84On8.exe
3872 2br075zB.exe

pid	process
2276	UW6FZ3Vl.exe
2660	do6RP2hz.exe
2172	ZP0Kq8zP.exe
2736	Yq4IH0Xk.exe
4896	1GK84On8.exe
3872	2br075zB.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exeUW6FZ3Vl.exedo6RP2hz.exeZP0Kq8zP.exeYq4IH0Xk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	UW6FZ3Vl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	do6RP2hz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ZP0Kq8zP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Yq4IH0Xk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1GK84On8.exe

description pid process target process

PID 4896 set thread context of 4864 4896 1GK84On8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4420 4896 WerFault.exe 1GK84On8.exe

description	pid	process	target process
PID 4896 set thread context of 4864	4896	1GK84On8.exe	AppLaunch.exe

pid	pid_target	process	target process
4420	4896	WerFault.exe	1GK84On8.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exeUW6FZ3Vl.exedo6RP2hz.exeZP0Kq8zP.exeYq4IH0Xk.exe1GK84On8.exe

description	pid	process	target process
PID 368 wrote to memory of 2276	368	8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe	UW6FZ3Vl.exe
PID 368 wrote to memory of 2276	368	8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe	UW6FZ3Vl.exe
PID 368 wrote to memory of 2276	368	8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe	UW6FZ3Vl.exe
PID 2276 wrote to memory of 2660	2276	UW6FZ3Vl.exe	do6RP2hz.exe
PID 2276 wrote to memory of 2660	2276	UW6FZ3Vl.exe	do6RP2hz.exe
PID 2276 wrote to memory of 2660	2276	UW6FZ3Vl.exe	do6RP2hz.exe
PID 2660 wrote to memory of 2172	2660	do6RP2hz.exe	ZP0Kq8zP.exe
PID 2660 wrote to memory of 2172	2660	do6RP2hz.exe	ZP0Kq8zP.exe
PID 2660 wrote to memory of 2172	2660	do6RP2hz.exe	ZP0Kq8zP.exe
PID 2172 wrote to memory of 2736	2172	ZP0Kq8zP.exe	Yq4IH0Xk.exe
PID 2172 wrote to memory of 2736	2172	ZP0Kq8zP.exe	Yq4IH0Xk.exe
PID 2172 wrote to memory of 2736	2172	ZP0Kq8zP.exe	Yq4IH0Xk.exe
PID 2736 wrote to memory of 4896	2736	Yq4IH0Xk.exe	1GK84On8.exe
PID 2736 wrote to memory of 4896	2736	Yq4IH0Xk.exe	1GK84On8.exe
PID 2736 wrote to memory of 4896	2736	Yq4IH0Xk.exe	1GK84On8.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 4896 wrote to memory of 4864	4896	1GK84On8.exe	AppLaunch.exe
PID 2736 wrote to memory of 3872	2736	Yq4IH0Xk.exe	2br075zB.exe
PID 2736 wrote to memory of 3872	2736	Yq4IH0Xk.exe	2br075zB.exe
PID 2736 wrote to memory of 3872	2736	Yq4IH0Xk.exe	2br075zB.exe

C:\Users\Admin\AppData\Local\Temp\8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe
"C:\Users\Admin\AppData\Local\Temp\8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UW6FZ3Vl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UW6FZ3Vl.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do6RP2hz.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do6RP2hz.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0Kq8zP.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0Kq8zP.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yq4IH0Xk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yq4IH0Xk.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK84On8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK84On8.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 156
        7⤵
        Program crash
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2br075zB.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2br075zB.exe
        6⤵
        Executes dropped EXE
        
        PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4896 -ip 4896
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UW6FZ3Vl.exe

Filesize
1.0MB

MD5
27dbb0272a39b749b745624bb236de0e

SHA1
c4dd54d96a963c6a013f365152ee77261e1b2f4a

SHA256
96bd4482f3b25b52e8fcafa080c44ae713f839fe919e0703a3b62c757da0818f

SHA512
7cc1360b2e551421bdcdf647c5a90045147972692f24ea4279fc4a0cb4289c7a002a905538bbc75753722c2e4cfc391f7685c56adef81b563ddecb45d118b4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\do6RP2hz.exe

Filesize
884KB

MD5
564952dc9f3c4f6702e576b07255b0be

SHA1
c9bf90a4c67c758c347108c63e53b08f163a483d

SHA256
3f3e4d5a68aea2065f6b663b62efcc2da4f04a92f61be54c3f2e0e1a592c4cf6

SHA512
aebd37e3fdbfe708a3378a76f1ae4f5b4a9e513d1f5abda6e5de7db544771d65ea9631ddd85fbff3953be61a01d8870885df404410e701ff7a9b810ab779eda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ZP0Kq8zP.exe

Filesize
590KB

MD5
a93ee1614442319766231e3f5bcbc0ba

SHA1
7db998c834672f5cd42c63bf3b50afcdb8f9fb66

SHA256
4698bdfd0a4c4aa8e841025b1a141e47bc9f5049c4aa00a99c7be92ebf84b38d

SHA512
887a1c18491f7e4cb69d8adc8d822e697363394b97d4f4ac806bf7872bc73ab6ff92c049299054097688e41e26d9623f6c8c967e6b7b50f256250ceb92865eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yq4IH0Xk.exe

Filesize
417KB

MD5
87744e4253915431e4801a00475cd769

SHA1
e047e13f7fac443feaf654b98fdc1a0d8c6af6bb

SHA256
8d5b9755c4f2d24b6bfdceada25f3c1808bf3c8490fbc4cf9935f76f766cbdcc

SHA512
7d1cbd26f3907e6035c326caf69e6ce134106d676ac6b8472e8cfd680567f212decd31c485084a1798a2ed678ed28f6cfef218e07237f9237e4e6735c59652ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1GK84On8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2br075zB.exe

Filesize
231KB

MD5
954c2366ccd1ffa681067fcb3a3424e8

SHA1
c45ed144003d74c7af993061b2397077b4a30265

SHA256
efb1c10f218b2deff9f9cf30b11e3cdde35e463dbded71816b7a67d8d545efa6

SHA512
e188b8f4b38e686eff0ddac69d138c4ca696c583bafd37e7e1da250c66ff8cc8e59165757223534bb407bf81b7ccb6d399e3200bb3df5ba2610aca2db03966db

Download Submit
memory/3872-42-0x0000000000210000-0x000000000024E000-memory.dmp

Filesize
248KB

Download
memory/3872-43-0x00000000074A0000-0x0000000007A44000-memory.dmp

Filesize
5.6MB

Download
memory/3872-44-0x0000000006F90000-0x0000000007022000-memory.dmp

Filesize
584KB

Download
memory/3872-45-0x00000000024E0000-0x00000000024EA000-memory.dmp

Filesize
40KB

Download
memory/3872-46-0x0000000008070000-0x0000000008688000-memory.dmp

Filesize
6.1MB

Download
memory/3872-47-0x0000000007310000-0x000000000741A000-memory.dmp

Filesize
1.0MB

Download
memory/3872-48-0x00000000071C0000-0x00000000071D2000-memory.dmp

Filesize
72KB

Download
memory/3872-49-0x0000000007240000-0x000000000727C000-memory.dmp

Filesize
240KB

Download
memory/3872-50-0x0000000007280000-0x00000000072CC000-memory.dmp

Filesize
304KB

Download
memory/4864-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4864-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4864-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download