mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe
Size

1.0MB
MD5

8ca2811ee4fae71a570298ebc6efcbac
SHA1

475da0caa3e4b5931344c9a739c46513edbe0830
SHA256

803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b
SHA512

6e7925228aaf4175a3c7f1e33131fdbcec9cdd9f40408933e7e607e0d6557ce92905ffe6dd90f6b73aaa38b1e769ad2966aacb375f2c660a4f7842dc5e013621
SSDEEP

24576:zyOWwfDsWJGoB1u5p+PTFRk6FLVwtfbk63KdXt01:GoiauTgFRkEQX3Gm

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral10/memory/2648-28-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/2648-29-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral10/memory/2648-31-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mE712ld.exe	family_redline
behavioral10/memory/3436-35-0x00000000003C0000-0x00000000003FE000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

Processes:

yI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe1KW20JF5.exe2mE712ld.exe

pid process

4620 yI0rw7Oy.exe
4728 ou1po6co.exe
4552 SV7Lf3oJ.exe
656 1KW20JF5.exe
3436 2mE712ld.exe

pid	process
4620	yI0rw7Oy.exe
4728	ou1po6co.exe
4552	SV7Lf3oJ.exe
656	1KW20JF5.exe
3436	2mE712ld.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exeyI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	yI0rw7Oy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ou1po6co.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	SV7Lf3oJ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1KW20JF5.exe

description pid process target process

PID 656 set thread context of 2648 656 1KW20JF5.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3780 656 WerFault.exe 1KW20JF5.exe

description	pid	process	target process
PID 656 set thread context of 2648	656	1KW20JF5.exe	AppLaunch.exe

pid	pid_target	process	target process
3780	656	WerFault.exe	1KW20JF5.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exeyI0rw7Oy.exeou1po6co.exeSV7Lf3oJ.exe1KW20JF5.exe

description	pid	process	target process
PID 544 wrote to memory of 4620	544	803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe	yI0rw7Oy.exe
PID 544 wrote to memory of 4620	544	803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe	yI0rw7Oy.exe
PID 544 wrote to memory of 4620	544	803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe	yI0rw7Oy.exe
PID 4620 wrote to memory of 4728	4620	yI0rw7Oy.exe	ou1po6co.exe
PID 4620 wrote to memory of 4728	4620	yI0rw7Oy.exe	ou1po6co.exe
PID 4620 wrote to memory of 4728	4620	yI0rw7Oy.exe	ou1po6co.exe
PID 4728 wrote to memory of 4552	4728	ou1po6co.exe	SV7Lf3oJ.exe
PID 4728 wrote to memory of 4552	4728	ou1po6co.exe	SV7Lf3oJ.exe
PID 4728 wrote to memory of 4552	4728	ou1po6co.exe	SV7Lf3oJ.exe
PID 4552 wrote to memory of 656	4552	SV7Lf3oJ.exe	1KW20JF5.exe
PID 4552 wrote to memory of 656	4552	SV7Lf3oJ.exe	1KW20JF5.exe
PID 4552 wrote to memory of 656	4552	SV7Lf3oJ.exe	1KW20JF5.exe
PID 656 wrote to memory of 2016	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2016	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2016	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 656 wrote to memory of 2648	656	1KW20JF5.exe	AppLaunch.exe
PID 4552 wrote to memory of 3436	4552	SV7Lf3oJ.exe	2mE712ld.exe
PID 4552 wrote to memory of 3436	4552	SV7Lf3oJ.exe	2mE712ld.exe
PID 4552 wrote to memory of 3436	4552	SV7Lf3oJ.exe	2mE712ld.exe

C:\Users\Admin\AppData\Local\Temp\803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe
"C:\Users\Admin\AppData\Local\Temp\803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yI0rw7Oy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yI0rw7Oy.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou1po6co.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou1po6co.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SV7Lf3oJ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SV7Lf3oJ.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4552

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW20JF5.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW20JF5.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 276
6⤵
- Program crash
PID:3780

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mE712ld.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mE712ld.exe
5⤵
- Executes dropped EXE
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 656 -ip 656
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yI0rw7Oy.exe

Filesize
884KB

MD5
35cd0fa9a92632de1fb8f95616fbaf64

SHA1
54d2761ca84428640771282adb9157faaed6e027

SHA256
32bc699ccaf4a011697be83dacd09a35d622910ec756259f5f88b12b8ebb2feb

SHA512
2756154fed40d0c321f863ec2a8e433fb12351d436418daf7730cc1841641aa26a517ba9dbcbd8f640c5c64cee01b1f089518b5d4777e7cd47ebc9ffbb8b56e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ou1po6co.exe

Filesize
590KB

MD5
3a081b5e807cd77cc2ab1dd8be90b43f

SHA1
950840587b5abce844724558485224ca5ed40c5a

SHA256
6523b66313e8e95df0775befac10035f535ff46b85b23b68d611bff164f8c2db

SHA512
a3abd35d1932ef8070725965f464612be246c38fea6cad04587fa74c1c3affc30cf78ddb9d19c31a68b0ee00cff6dcced40f786bab19acf921681eb212dfe553

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SV7Lf3oJ.exe

Filesize
417KB

MD5
3d7f340b03b8668120c515eebb21d8e5

SHA1
b6cdff303bc0e96b55684ef7b7b96466e14ee982

SHA256
6b384a445d0a676ec844ef800f820fc0cfb7f0ef8b25d8e2554c823970a34dc1

SHA512
027875ae8292b0e223ee920c57d578623a3b2140475a5f69b4a495d16a1bb142f57943c22f70fb061cf0acc7f2f730a50ae8221743df81449995eb7061fa2869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KW20JF5.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2mE712ld.exe

Filesize
231KB

MD5
8073d2d3ebad6d4e30393d475a92bb86

SHA1
c51ad178741c1f75c5315236c66dd3acb1350c86

SHA256
956c4bdf9fe0e4700e8158dd17661ffebfda29f11dfe720ecea5a9605ac3bd66

SHA512
159e3ca8e7d7de6004b4fca384d31839a1d79ff31722f617c7f044afb4d772646dbcabcd80d2af92603c3d707091e58012928b6350d9e9f4bf4513cb16036203

Download Submit
memory/2648-28-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-29-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2648-31-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3436-35-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/3436-36-0x00000000077D0000-0x0000000007D74000-memory.dmp

Filesize
5.6MB

Download
memory/3436-37-0x00000000072C0000-0x0000000007352000-memory.dmp

Filesize
584KB

Download
memory/3436-38-0x0000000002860000-0x000000000286A000-memory.dmp

Filesize
40KB

Download
memory/3436-39-0x00000000083A0000-0x00000000089B8000-memory.dmp

Filesize
6.1MB

Download
memory/3436-40-0x00000000075F0000-0x00000000076FA000-memory.dmp

Filesize
1.0MB

Download
memory/3436-41-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/3436-42-0x0000000007520000-0x000000000755C000-memory.dmp

Filesize
240KB

Download
memory/3436-43-0x0000000007560000-0x00000000075AC000-memory.dmp

Filesize
304KB

Download