mystic | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe
Size

884KB
MD5

b76e5bb2b2bcb1c45f4732bae27648ce
SHA1

582205cbe1ef05c525c49d762bf9d0138d2fabd9
SHA256

aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96
SHA512

b5df9d18ba2fd30ba47211d12d0dce5b79663415b4f67aca0faa27314ecadf9d573bb32d16f767408efe4c906890b8d240abdd415826ff5ec95d519708d01284
SSDEEP

12288:1Mrpy90gle5LilXuWCqZmTn3/Q+O0MiAbc9ntk45+9Egioas4zo/:UypldtpUTn3/Q+HZtN5+992k/

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/3100-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/3100-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/3100-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kd288nt.exe	family_redline
behavioral9/memory/1404-28-0x0000000000AF0000-0x0000000000B2E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

sL7mS2Tz.exeDp5zA7vB.exe1hD41Mq6.exe2kd288nt.exe

pid process

1428 sL7mS2Tz.exe
2340 Dp5zA7vB.exe
1648 1hD41Mq6.exe
1404 2kd288nt.exe

pid	process
1428	sL7mS2Tz.exe
2340	Dp5zA7vB.exe
1648	1hD41Mq6.exe
1404	2kd288nt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sL7mS2Tz.exeDp5zA7vB.exeaabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sL7mS2Tz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Dp5zA7vB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1hD41Mq6.exe

description pid process target process

PID 1648 set thread context of 3100 1648 1hD41Mq6.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3564 1648 WerFault.exe 1hD41Mq6.exe

description	pid	process	target process
PID 1648 set thread context of 3100	1648	1hD41Mq6.exe	AppLaunch.exe

pid	pid_target	process	target process
3564	1648	WerFault.exe	1hD41Mq6.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exesL7mS2Tz.exeDp5zA7vB.exe1hD41Mq6.exe

description	pid	process	target process
PID 4452 wrote to memory of 1428	4452	aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe	sL7mS2Tz.exe
PID 4452 wrote to memory of 1428	4452	aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe	sL7mS2Tz.exe
PID 4452 wrote to memory of 1428	4452	aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe	sL7mS2Tz.exe
PID 1428 wrote to memory of 2340	1428	sL7mS2Tz.exe	Dp5zA7vB.exe
PID 1428 wrote to memory of 2340	1428	sL7mS2Tz.exe	Dp5zA7vB.exe
PID 1428 wrote to memory of 2340	1428	sL7mS2Tz.exe	Dp5zA7vB.exe
PID 2340 wrote to memory of 1648	2340	Dp5zA7vB.exe	1hD41Mq6.exe
PID 2340 wrote to memory of 1648	2340	Dp5zA7vB.exe	1hD41Mq6.exe
PID 2340 wrote to memory of 1648	2340	Dp5zA7vB.exe	1hD41Mq6.exe
PID 1648 wrote to memory of 5116	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 5116	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 5116	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 1648 wrote to memory of 3100	1648	1hD41Mq6.exe	AppLaunch.exe
PID 2340 wrote to memory of 1404	2340	Dp5zA7vB.exe	2kd288nt.exe
PID 2340 wrote to memory of 1404	2340	Dp5zA7vB.exe	2kd288nt.exe
PID 2340 wrote to memory of 1404	2340	Dp5zA7vB.exe	2kd288nt.exe

C:\Users\Admin\AppData\Local\Temp\aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe
"C:\Users\Admin\AppData\Local\Temp\aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7mS2Tz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7mS2Tz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dp5zA7vB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dp5zA7vB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hD41Mq6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hD41Mq6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:5116
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 148
        5⤵
        Program crash
        
        PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kd288nt.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kd288nt.exe
      4⤵
      Executes dropped EXE
      PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1648 -ip 1648
1⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:8
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sL7mS2Tz.exe

Filesize
590KB

MD5
946af263c73122ad4ee5099272530eb8

SHA1
3f8bf4fec7400c77ff33606e8f976225f9b9652b

SHA256
f1620cc3419a4d787de01a5b658e1d4664280f8a5a75718c213915022285257b

SHA512
3d9794d39b10aa0186ab922307f3f4c2e97bfc95a4fff20587dea0e1be28f54492c4d36d7bc0ab0ca30d4717a9e3032daeec7d2694ada37586dff54c1ba43b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Dp5zA7vB.exe

Filesize
417KB

MD5
e1c9d4f85608f0e6448ed8db61a5896a

SHA1
188fc05f4c991148ea07aca59981c080004a2018

SHA256
fea82e7b3763a4a247e5d137baf84d23cfbc160bafa740755796be846b58f83d

SHA512
59c83eae8949a8346016bd510d6f3ab1fbfdd50591e516c54bec47ff2d55343a05dcc85f279cf31aabdfb4c3dbd4e157bac1d6a9b8b4454911b5f9f0b29d7b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1hD41Mq6.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2kd288nt.exe

Filesize
231KB

MD5
1a97d609f6777eeeca9ea879c1207e2a

SHA1
e908e09d2afe9fb9666ed0b3ad974aa08ba6fe0e

SHA256
e92e21984249eca3d00dbf3a40e5dd72680964c8b24a666eae58134a31b3f9c5

SHA512
dcac25a23ed3ba5ea9732688c5a1217671d60f7736ca3c943e8817a1081252157cbd589db7676212dc462d027a4907c0f8a9fb2cd668498b089680cc06a77b0f

Download Submit
memory/1404-33-0x0000000007C60000-0x0000000007D6A000-memory.dmp

Filesize
1.0MB

Download
memory/1404-28-0x0000000000AF0000-0x0000000000B2E000-memory.dmp

Filesize
248KB

Download
memory/1404-29-0x0000000007DA0000-0x0000000008344000-memory.dmp

Filesize
5.6MB

Download
memory/1404-30-0x0000000007890000-0x0000000007922000-memory.dmp

Filesize
584KB

Download
memory/1404-31-0x0000000002D20000-0x0000000002D2A000-memory.dmp

Filesize
40KB

Download
memory/1404-32-0x0000000008970000-0x0000000008F88000-memory.dmp

Filesize
6.1MB

Download
memory/1404-34-0x00000000079B0000-0x00000000079C2000-memory.dmp

Filesize
72KB

Download
memory/1404-35-0x0000000007A10000-0x0000000007A4C000-memory.dmp

Filesize
240KB

Download
memory/1404-36-0x0000000007B50000-0x0000000007B9C000-memory.dmp

Filesize
304KB

Download
memory/3100-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3100-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3100-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download