mystic | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe
Size

1.2MB
MD5

b81cd3142a789eca2228e02e2a31229c
SHA1

6673628188e3aaa5cc5e3a0fd20cd472a85f237f
SHA256

1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b
SHA512

1b8855f6be99ade9f5d34a9bc69ba574a77957f397cd5015958eea3508e485934c1092aefebdf012b5671570c7fff8b0056b3325b56d0392abc55581599bb19c
SSDEEP

24576:tyg79ARUhCAlCegO5Q+wvF36AFIVjtftkIKVHXKT+w:Ik9ARmwOqjF36N/Nri

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral3/memory/3684-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/3684-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral3/memory/3684-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x00070000000235fd-40.dat	family_redline
behavioral3/memory/5108-42-0x0000000000E80000-0x0000000000EBE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4752	TQ8Ny3fX.exe
1372	yI0rw7Oy.exe
1276	ou1po6co.exe
2748	SV7Lf3oJ.exe
2184	1KW20JF5.exe
5108	2mE712ld.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TQ8Ny3fX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	yI0rw7Oy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ou1po6co.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	SV7Lf3oJ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 3684	2184	1KW20JF5.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	2184	WerFault.exe	95

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4752	1228	1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe	91
PID 1228 wrote to memory of 4752	1228	1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe	91
PID 1228 wrote to memory of 4752	1228	1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe	91
PID 4752 wrote to memory of 1372	4752	TQ8Ny3fX.exe	92
PID 4752 wrote to memory of 1372	4752	TQ8Ny3fX.exe	92
PID 4752 wrote to memory of 1372	4752	TQ8Ny3fX.exe	92
PID 1372 wrote to memory of 1276	1372	yI0rw7Oy.exe	93
PID 1372 wrote to memory of 1276	1372	yI0rw7Oy.exe	93
PID 1372 wrote to memory of 1276	1372	yI0rw7Oy.exe	93
PID 1276 wrote to memory of 2748	1276	ou1po6co.exe	94
PID 1276 wrote to memory of 2748	1276	ou1po6co.exe	94
PID 1276 wrote to memory of 2748	1276	ou1po6co.exe	94
PID 2748 wrote to memory of 2184	2748	SV7Lf3oJ.exe	95
PID 2748 wrote to memory of 2184	2748	SV7Lf3oJ.exe	95
PID 2748 wrote to memory of 2184	2748	SV7Lf3oJ.exe	95
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2184 wrote to memory of 3684	2184	1KW20JF5.exe	98
PID 2748 wrote to memory of 5108	2748	SV7Lf3oJ.exe	103
PID 2748 wrote to memory of 5108	2748	SV7Lf3oJ.exe	103
PID 2748 wrote to memory of 5108	2748	SV7Lf3oJ.exe	103

C:\Users\Admin\AppData\Local\Temp\1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe
"C:\Users\Admin\AppData\Local\Temp\1f3e03ca7bfcee157393fb94a3450e5a79979b8f5c0b85427ab51908bb78810b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 592
        7⤵
        Program crash
        
        PID:1448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe
        6⤵
        Executes dropped EXE
        
        PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2184 -ip 2184
1⤵
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3240,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4588 /prefetch:8
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TQ8Ny3fX.exe

Filesize
1.0MB

MD5
8ca2811ee4fae71a570298ebc6efcbac

SHA1
475da0caa3e4b5931344c9a739c46513edbe0830

SHA256
803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b

SHA512
6e7925228aaf4175a3c7f1e33131fdbcec9cdd9f40408933e7e607e0d6557ce92905ffe6dd90f6b73aaa38b1e769ad2966aacb375f2c660a4f7842dc5e013621

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yI0rw7Oy.exe

Filesize
884KB

MD5
35cd0fa9a92632de1fb8f95616fbaf64

SHA1
54d2761ca84428640771282adb9157faaed6e027

SHA256
32bc699ccaf4a011697be83dacd09a35d622910ec756259f5f88b12b8ebb2feb

SHA512
2756154fed40d0c321f863ec2a8e433fb12351d436418daf7730cc1841641aa26a517ba9dbcbd8f640c5c64cee01b1f089518b5d4777e7cd47ebc9ffbb8b56e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ou1po6co.exe

Filesize
590KB

MD5
3a081b5e807cd77cc2ab1dd8be90b43f

SHA1
950840587b5abce844724558485224ca5ed40c5a

SHA256
6523b66313e8e95df0775befac10035f535ff46b85b23b68d611bff164f8c2db

SHA512
a3abd35d1932ef8070725965f464612be246c38fea6cad04587fa74c1c3affc30cf78ddb9d19c31a68b0ee00cff6dcced40f786bab19acf921681eb212dfe553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\SV7Lf3oJ.exe

Filesize
417KB

MD5
3d7f340b03b8668120c515eebb21d8e5

SHA1
b6cdff303bc0e96b55684ef7b7b96466e14ee982

SHA256
6b384a445d0a676ec844ef800f820fc0cfb7f0ef8b25d8e2554c823970a34dc1

SHA512
027875ae8292b0e223ee920c57d578623a3b2140475a5f69b4a495d16a1bb142f57943c22f70fb061cf0acc7f2f730a50ae8221743df81449995eb7061fa2869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1KW20JF5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mE712ld.exe

Filesize
231KB

MD5
8073d2d3ebad6d4e30393d475a92bb86

SHA1
c51ad178741c1f75c5315236c66dd3acb1350c86

SHA256
956c4bdf9fe0e4700e8158dd17661ffebfda29f11dfe720ecea5a9605ac3bd66

SHA512
159e3ca8e7d7de6004b4fca384d31839a1d79ff31722f617c7f044afb4d772646dbcabcd80d2af92603c3d707091e58012928b6350d9e9f4bf4513cb16036203

Download Submit
memory/3684-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3684-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3684-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5108-42-0x0000000000E80000-0x0000000000EBE000-memory.dmp

Filesize
248KB

Download
memory/5108-43-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/5108-44-0x0000000007C20000-0x0000000007CB2000-memory.dmp

Filesize
584KB

Download
memory/5108-45-0x00000000030A0000-0x00000000030AA000-memory.dmp

Filesize
40KB

Download
memory/5108-46-0x0000000008D00000-0x0000000009318000-memory.dmp

Filesize
6.1MB

Download
memory/5108-47-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/5108-48-0x0000000007E40000-0x0000000007E52000-memory.dmp

Filesize
72KB

Download
memory/5108-49-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

Filesize
240KB

Download
memory/5108-50-0x0000000007EE0000-0x0000000007F2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads