mystic | 5e831beab1114ac9acd665a6dc93e4478c72f9985bcae804c34864e3b6ee4705

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Size

1.2MB
MD5

ffe7a227d672738c32a358a57cec260a
SHA1

510db6cee62d02c4c7c9dad24943bd3f750d7f93
SHA256

c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1
SHA512

5080a0d9e79b757d9892e672291f0124d852fda2be1305f26cebd6c8e1df7c9aeb03a1e76709980aa0c07542f6ba0f2249a1a859bf31d8060bb20635375b598a
SSDEEP

24576:AyrJFM73gR6RI52yQFjnzwgLS/+wkc+Qv+hUbW5:HNFM70El0gLS+PQ5W

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/3340-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/3340-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral15/memory/3340-37-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tD143sI.exe	family_redline
behavioral15/memory/4564-42-0x0000000000180000-0x00000000001BE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

WQ4sg2Gq.exeZC5pC5Xb.exeGx6DA6Dl.exenW6fu3Dj.exe1oA20VV8.exe2tD143sI.exe

pid process

3748 WQ4sg2Gq.exe
4312 ZC5pC5Xb.exe
1284 Gx6DA6Dl.exe
3372 nW6fu3Dj.exe
4244 1oA20VV8.exe
4564 2tD143sI.exe

pid	process
3748	WQ4sg2Gq.exe
4312	ZC5pC5Xb.exe
1284	Gx6DA6Dl.exe
3372	nW6fu3Dj.exe
4244	1oA20VV8.exe
4564	2tD143sI.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exeWQ4sg2Gq.exeZC5pC5Xb.exeGx6DA6Dl.exenW6fu3Dj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WQ4sg2Gq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ZC5pC5Xb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Gx6DA6Dl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	nW6fu3Dj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1oA20VV8.exe

description pid process target process

PID 4244 set thread context of 3340 4244 1oA20VV8.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1432 4244 WerFault.exe 1oA20VV8.exe

description	pid	process	target process
PID 4244 set thread context of 3340	4244	1oA20VV8.exe	AppLaunch.exe

pid	pid_target	process	target process
1432	4244	WerFault.exe	1oA20VV8.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exeWQ4sg2Gq.exeZC5pC5Xb.exeGx6DA6Dl.exenW6fu3Dj.exe1oA20VV8.exe

description	pid	process	target process
PID 2072 wrote to memory of 3748	2072	c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe	WQ4sg2Gq.exe
PID 2072 wrote to memory of 3748	2072	c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe	WQ4sg2Gq.exe
PID 2072 wrote to memory of 3748	2072	c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe	WQ4sg2Gq.exe
PID 3748 wrote to memory of 4312	3748	WQ4sg2Gq.exe	ZC5pC5Xb.exe
PID 3748 wrote to memory of 4312	3748	WQ4sg2Gq.exe	ZC5pC5Xb.exe
PID 3748 wrote to memory of 4312	3748	WQ4sg2Gq.exe	ZC5pC5Xb.exe
PID 4312 wrote to memory of 1284	4312	ZC5pC5Xb.exe	Gx6DA6Dl.exe
PID 4312 wrote to memory of 1284	4312	ZC5pC5Xb.exe	Gx6DA6Dl.exe
PID 4312 wrote to memory of 1284	4312	ZC5pC5Xb.exe	Gx6DA6Dl.exe
PID 1284 wrote to memory of 3372	1284	Gx6DA6Dl.exe	nW6fu3Dj.exe
PID 1284 wrote to memory of 3372	1284	Gx6DA6Dl.exe	nW6fu3Dj.exe
PID 1284 wrote to memory of 3372	1284	Gx6DA6Dl.exe	nW6fu3Dj.exe
PID 3372 wrote to memory of 4244	3372	nW6fu3Dj.exe	1oA20VV8.exe
PID 3372 wrote to memory of 4244	3372	nW6fu3Dj.exe	1oA20VV8.exe
PID 3372 wrote to memory of 4244	3372	nW6fu3Dj.exe	1oA20VV8.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 4244 wrote to memory of 3340	4244	1oA20VV8.exe	AppLaunch.exe
PID 3372 wrote to memory of 4564	3372	nW6fu3Dj.exe	2tD143sI.exe
PID 3372 wrote to memory of 4564	3372	nW6fu3Dj.exe	2tD143sI.exe
PID 3372 wrote to memory of 4564	3372	nW6fu3Dj.exe	2tD143sI.exe

C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
"C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 592
7⤵
- Program crash
PID:1432

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tD143sI.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tD143sI.exe
6⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4244 -ip 4244
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe

Filesize
1.0MB

MD5
b9cfcc60817c8121977e71ee8c6aebd9

SHA1
ced1e9401ddee75a63c1adeeb1ae3bd072702f1d

SHA256
12166e655475465188552c5503a8d8e5db50d4812b0582d3bd020eb20d5da373

SHA512
c95027be495067c1c39e4ffd950aa113d4a4de23939fcac8264d9c02f07eca691a43a6937b61b0cdf4c0d835487c0b18cafeeca2786f62b2de4d4ebbe2a60b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe

Filesize
884KB

MD5
3a6538c6c794a8776591c48d4d347f44

SHA1
2831c8594e8455f289b4de7e8e7110f0227defdc

SHA256
ee5c3274f5b30bb85e429a54681d54a0841d8244c2644e0a7b30427fb347d03e

SHA512
aa1af6f2b6cdc8e5d42577f24b6e0e9ebc50847f635eb0004a17852b274f4bd1156809f930e37610780063f7f5eb20c8fd752ba5e9fa6f4cb7449fb89af4d9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe

Filesize
590KB

MD5
aec2a6ad8432b23e6caea51b4f676d3f

SHA1
47b7b07b86b6b3b165f00bde02bc38d7a94e2d90

SHA256
0c9a20791a0dc9a4a77b2a598c0797583528e60e8caa40172a3b829fcd6d9cc4

SHA512
5f2aed8e5cee75baaccbd98366cbc1abc9a54b590a47de26f7d9ef61721cfb3a7bd804a0ba1619703eba99af49ae858d5825842925b5ae74c78ac5db1a2aa226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe

Filesize
417KB

MD5
08e301a84cf495a48b0bcf65bef50534

SHA1
70f4fecdd000a98aab48f5640b9fe6eafee98226

SHA256
3bf26fe604efcb027de085c469a520483fd73f09ef2d53650d56768847b857aa

SHA512
41ea61ebfdbfdb17b08bfa24b7691def1177f82560fbf69c2cc533bd7a63398acde07766d9f980f667f4149951bf53319f4ab330cd948ef750a7f9465e689e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tD143sI.exe

Filesize
231KB

MD5
e4fbfa85365d7d406f20a94b2de975d4

SHA1
6e828d088d936f3497b12507a8aca862e3167be9

SHA256
5233eb436934c081c6061ee05a0ec1fb6f6214ebf140f35b54c4ac759f4b093b

SHA512
230ad7f8535a9a0f80a06fdd136acc5b2d389ea1ca23cddaea04c151812dcc515bd2972f32b3d8a7c47cc166bc48e200e8720ad9396cab666d1b3da33ef34bdc

Download Submit
memory/3340-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3340-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3340-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4564-42-0x0000000000180000-0x00000000001BE000-memory.dmp

Filesize
248KB

Download
memory/4564-43-0x00000000074D0000-0x0000000007A74000-memory.dmp

Filesize
5.6MB

Download
memory/4564-44-0x0000000006FC0000-0x0000000007052000-memory.dmp

Filesize
584KB

Download
memory/4564-45-0x0000000004540000-0x000000000454A000-memory.dmp

Filesize
40KB

Download
memory/4564-46-0x00000000080A0000-0x00000000086B8000-memory.dmp

Filesize
6.1MB

Download
memory/4564-47-0x0000000007300000-0x000000000740A000-memory.dmp

Filesize
1.0MB

Download
memory/4564-48-0x0000000006F90000-0x0000000006FA2000-memory.dmp

Filesize
72KB

Download
memory/4564-49-0x00000000071F0000-0x000000000722C000-memory.dmp

Filesize
240KB

Download
memory/4564-50-0x0000000007150000-0x000000000719C000-memory.dmp

Filesize
304KB

Download