mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe
Size

1.6MB
MD5

a2298690a5e88cedce3ecba10e3bc84f
SHA1

801ceb0094c01b732486d8948ecdff9c745f0013
SHA256

fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820
SHA512

debb36a3933475d4d51ffcb2e7f8ca3adbdb7c441119c641119e095332ccfb758393478f733e1decb6c95835f0b3698bd1e274c8ee869205bd06fe7fd1bbdc7f
SSDEEP

24576:8y7oLYEudNUYC+j0M/mTmfSrIAhUaSaiKpAOcBsIxnKLaOboUZ0PP+f:rMLYdd5j34mf8UNaicAOGt3O8UaX

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral20/memory/4708-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/4708-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/4708-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x0007000000023292-40.dat	family_redline
behavioral20/memory/3996-42-0x00000000004A0000-0x00000000004DE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2148	Az1vA8fn.exe
3012	ip9uO5Zh.exe
2360	OO5dz4Rg.exe
1380	Mv5Dn1Br.exe
1152	1iB61ja9.exe
3996	2vK713fN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ip9uO5Zh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	OO5dz4Rg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Mv5Dn1Br.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Az1vA8fn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 4708	1152	1iB61ja9.exe	96

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	1152	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2148	4616	fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe	91
PID 4616 wrote to memory of 2148	4616	fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe	91
PID 4616 wrote to memory of 2148	4616	fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe	91
PID 2148 wrote to memory of 3012	2148	Az1vA8fn.exe	92
PID 2148 wrote to memory of 3012	2148	Az1vA8fn.exe	92
PID 2148 wrote to memory of 3012	2148	Az1vA8fn.exe	92
PID 3012 wrote to memory of 2360	3012	ip9uO5Zh.exe	93
PID 3012 wrote to memory of 2360	3012	ip9uO5Zh.exe	93
PID 3012 wrote to memory of 2360	3012	ip9uO5Zh.exe	93
PID 2360 wrote to memory of 1380	2360	OO5dz4Rg.exe	94
PID 2360 wrote to memory of 1380	2360	OO5dz4Rg.exe	94
PID 2360 wrote to memory of 1380	2360	OO5dz4Rg.exe	94
PID 1380 wrote to memory of 1152	1380	Mv5Dn1Br.exe	95
PID 1380 wrote to memory of 1152	1380	Mv5Dn1Br.exe	95
PID 1380 wrote to memory of 1152	1380	Mv5Dn1Br.exe	95
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1152 wrote to memory of 4708	1152	1iB61ja9.exe	96
PID 1380 wrote to memory of 3996	1380	Mv5Dn1Br.exe	100
PID 1380 wrote to memory of 3996	1380	Mv5Dn1Br.exe	100
PID 1380 wrote to memory of 3996	1380	Mv5Dn1Br.exe	100

C:\Users\Admin\AppData\Local\Temp\fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe
"C:\Users\Admin\AppData\Local\Temp\fe8bcd4eb9f9d50df43b88607e258c6ee1911bf0d1e6c2d4c67dd6a260684820.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Az1vA8fn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Az1vA8fn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ip9uO5Zh.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ip9uO5Zh.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OO5dz4Rg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OO5dz4Rg.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mv5Dn1Br.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mv5Dn1Br.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iB61ja9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iB61ja9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 576
        7⤵
        Program crash
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vK713fN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vK713fN.exe
        6⤵
        Executes dropped EXE
        
        PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1152 -ip 1152
1⤵
PID:5064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Az1vA8fn.exe

Filesize
1.5MB

MD5
768f7b3eab128dd53e176d547d7617fc

SHA1
638aaafc5a9d50b42cdb7566f662433a79e5f220

SHA256
9f5b870cad28e2da779fc0e7b5a945475b612084390505b9f0143b7eb9ea1694

SHA512
6d36b884ca1de84fe3915d1e291d9ec7fecf2a1e873330678440726f613a061bd98a12fc67ec9f2e8d96a68d1b85fbfe547e90f0055047fa62720e84071de490

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ip9uO5Zh.exe

Filesize
1.3MB

MD5
c87f4287e4ce9fff363ac973fd35d006

SHA1
9ead242c1b39bf1f00b0eca2dc12f343c46f8431

SHA256
d0b8388e2932b571792eea3aaafd61c4ae877145a13e654c8b13ff98f20f2dfc

SHA512
fb64fb900efd37cd2f9a369d3d8aa0ccb14a0c3fb9ffbf38954362012c3c4f6545fdf5d6098ab10d872df0f409261db8a493b02a9856fb87a5560749c57cdbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OO5dz4Rg.exe

Filesize
821KB

MD5
e43cac44e16e3bf19f475b9de1b3ce7a

SHA1
5f342d91ac6385f233818ebf9e4236620f2e6b86

SHA256
6f3201d873b629ebbc51b9b57d39d1a16951d668c346fb601a4d84b00ebc5669

SHA512
bbe9aecf01b606d04a9cc77de65156b5506474d2f42a39ace1fbd050ea6c6114ea94c64ecb9af44569922e74da4a7ab03b937778ccb8fb526ad05d31a67f0195

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Mv5Dn1Br.exe

Filesize
649KB

MD5
025c5985184cc22701e1de50e1603515

SHA1
3864ab2735094a5faf99254501e377515b8b692f

SHA256
1f986a4b66bd72e723668a23d1944e6f1a38210c3b08332090f20651455a0cb5

SHA512
94c1cc43cabbc069aaa33c02b77beec7b8c3698d09b9da73729dc1a7914bc39ba914b88fe31a8abcb7bf9bb05d37b7101d50e360c7930c243fdaf105e243c729

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iB61ja9.exe

Filesize
1.7MB

MD5
144dc3c0a5275a93ff86f00b5c61b9ec

SHA1
784168ab3c4711737656ca13dc4cb59ca267fa45

SHA256
179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787

SHA512
9af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vK713fN.exe

Filesize
231KB

MD5
5d6000d3cd7ff3f70e64f94b7328a970

SHA1
dd0067d65a07c2a04e6c2409cb5f1024032fb285

SHA256
3c5574ba0b345148cb2b6fc51cfa892b9a394419afcce13a0fe53359fea8e94b

SHA512
6793a32d9ecdd39d7071e0e0e23ede43335982ee590134e992d0148d322bbc3dcf8eb3aafeb29c0011957bda01e5cdad10b9c1e487014949841bb7244c49de37

Download Submit
memory/3996-42-0x00000000004A0000-0x00000000004DE000-memory.dmp

Filesize
248KB

Download
memory/3996-43-0x0000000007870000-0x0000000007E14000-memory.dmp

Filesize
5.6MB

Download
memory/3996-44-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/3996-45-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/3996-46-0x0000000008440000-0x0000000008A58000-memory.dmp

Filesize
6.1MB

Download
memory/3996-47-0x0000000007710000-0x000000000781A000-memory.dmp

Filesize
1.0MB

Download
memory/3996-48-0x0000000007640000-0x0000000007652000-memory.dmp

Filesize
72KB

Download
memory/3996-49-0x00000000076A0000-0x00000000076DC000-memory.dmp

Filesize
240KB

Download
memory/3996-50-0x0000000007820000-0x000000000786C000-memory.dmp

Filesize
304KB

Download
memory/4708-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4708-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4708-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads