mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe
Size

1.2MB
MD5

9e0a65a6354df7e961d797ff850db432
SHA1

6760ff14c6890d975c5ffb5a2cb8b6f3300ed115
SHA256

fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb
SHA512

b90ae16f118333db8081b8921138425a6dfd29785c1b9ae884f590a12281d99a255b0ec3abb275ae9ec27468a07ab7393762b4edd6e32f5dcb9e608bf1f4eafb
SSDEEP

24576:fyMGHOJwixm0Y3ELv66HZJxHzSd6T05Efj4Rx891fFOn2bt6Anu:qjHuZY3EWEZfSd00u4qNOnYtNn

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral19/memory/2404-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/2404-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral19/memory/2404-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral19/files/0x0007000000023568-40.dat	family_redline
behavioral19/memory/3200-42-0x00000000007C0000-0x00000000007FE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3236	Gl2cZ1op.exe
2832	Jd3tw7ja.exe
4160	WM7te5go.exe
4508	LK3En3pn.exe
5064	1Jm90GG6.exe
3200	2Mr852Yb.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	WM7te5go.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	LK3En3pn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Gl2cZ1op.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Jd3tw7ja.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 2404	5064	1Jm90GG6.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4432	5064	WerFault.exe	94

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3236	224	fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe	90
PID 224 wrote to memory of 3236	224	fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe	90
PID 224 wrote to memory of 3236	224	fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe	90
PID 3236 wrote to memory of 2832	3236	Gl2cZ1op.exe	91
PID 3236 wrote to memory of 2832	3236	Gl2cZ1op.exe	91
PID 3236 wrote to memory of 2832	3236	Gl2cZ1op.exe	91
PID 2832 wrote to memory of 4160	2832	Jd3tw7ja.exe	92
PID 2832 wrote to memory of 4160	2832	Jd3tw7ja.exe	92
PID 2832 wrote to memory of 4160	2832	Jd3tw7ja.exe	92
PID 4160 wrote to memory of 4508	4160	WM7te5go.exe	93
PID 4160 wrote to memory of 4508	4160	WM7te5go.exe	93
PID 4160 wrote to memory of 4508	4160	WM7te5go.exe	93
PID 4508 wrote to memory of 5064	4508	LK3En3pn.exe	94
PID 4508 wrote to memory of 5064	4508	LK3En3pn.exe	94
PID 4508 wrote to memory of 5064	4508	LK3En3pn.exe	94
PID 5064 wrote to memory of 3756	5064	1Jm90GG6.exe	97
PID 5064 wrote to memory of 3756	5064	1Jm90GG6.exe	97
PID 5064 wrote to memory of 3756	5064	1Jm90GG6.exe	97
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 5064 wrote to memory of 2404	5064	1Jm90GG6.exe	98
PID 4508 wrote to memory of 3200	4508	LK3En3pn.exe	104
PID 4508 wrote to memory of 3200	4508	LK3En3pn.exe	104
PID 4508 wrote to memory of 3200	4508	LK3En3pn.exe	104

C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe
"C:\Users\Admin\AppData\Local\Temp\fb8a184cade7544ea1ec897b679edff542000cf31934900525f12e02f85eb9cb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 596
        7⤵
        Program crash
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe
        6⤵
        Executes dropped EXE
        
        PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5064 -ip 5064
1⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3628,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gl2cZ1op.exe

Filesize
1.0MB

MD5
207e39b69d7fcde973111a1f3584b5cc

SHA1
f65911bdbc34f2310aadc194def9528bb64f75d0

SHA256
54b1927c8b0cd0b9a35cb91a8b444127c67d5767343e0cadbc071d60b2a873c2

SHA512
21528a60fa39450a9207764d41cc75c34806a8ef66971a64af6b575e5f4589d574711deaa0960128a9a51183d4a6142057f721aadc5a82f002c021b21595bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jd3tw7ja.exe

Filesize
884KB

MD5
0a5863d64e23c4f3ef3200779c1ebff4

SHA1
e9bf567f5570e75e76b85b055cb1345a74f27ce8

SHA256
cd9360589c2015aee54ccf40f997c832bf2930ab69211f5d8a4698a5886e3d63

SHA512
ad4a65779b8a1991589f078b8b5016be7535b00762217612fcc5ae82864d8852f400d393b275841b336d09b29aaae501959651c4efabeba50ea1d454adb115d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WM7te5go.exe

Filesize
590KB

MD5
943b112749ec2b1d79d6d9dfbfbc61f6

SHA1
54345a752550c0fb4b7a9f7d604d6ca6e21ec8fb

SHA256
9e866e22f3b5578b8badbfdcbcb9ee9d3052a5bf1c87c22569e90ba464f3c3fa

SHA512
c8f30d5d0da0ff2b8abf6777fc541038e9fb9923e0b365aa0c21ab84c21593c7ba49edc640af0a3c1ae70160911be3d7a9dee4e9df0a57d97b2e41b0c4b08a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\LK3En3pn.exe

Filesize
417KB

MD5
f222096f65e28b52fc018ad530a51db3

SHA1
0c10946b0657300cf01c7103e0f9bc3313d727e4

SHA256
ba63b2fb09ce0756ebbb4f972c35c0cea4079ab86292ac3651960fe46c0173f1

SHA512
047b915ec2ad4fbb6e41a51bd0b9c8672d72d74c3e97851b87150a27891671225303bb0efb660db91653f4256bedf1fbd847fda6cde94391b8e42119750dfb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Jm90GG6.exe

Filesize
378KB

MD5
057684fdcfa64b387fd4c84e88123632

SHA1
2ec62abf9fe6673ef75748a0d89e201907608297

SHA256
91cd87b4da0609ef7b600b7d349deffdae7fcd863ddaf4bb5da0c5dfae1fc986

SHA512
bfccf7d1ee9f070c4b12ecb1062e4ba48b40a738d30b6bf0ee0bfb183021903ee775568ba3015d8be1af0686c16e2ebf610410c2061ec105a2bdf3221f0404b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mr852Yb.exe

Filesize
231KB

MD5
0e26b34a4953bad439184ed9df9144aa

SHA1
470b2e126601928eaf3a1f9aafe4f59884ea07ab

SHA256
9bb4c8ad8de9222070fbd129e7d7b24224d5fe58522f16a896e4614eddb940c8

SHA512
3d0d3799fff587cb703ea40b121d7d5f3713d521cacb7c42d818349d12d2e9f6f44ffe33e25d8a232acd9a18234d8ea8cbb8eb20174c11c53f4122798e9ad3b0

Download Submit
memory/2404-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2404-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2404-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3200-42-0x00000000007C0000-0x00000000007FE000-memory.dmp

Filesize
248KB

Download
memory/3200-43-0x0000000007C30000-0x00000000081D4000-memory.dmp

Filesize
5.6MB

Download
memory/3200-44-0x0000000007720000-0x00000000077B2000-memory.dmp

Filesize
584KB

Download
memory/3200-45-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/3200-46-0x0000000008800000-0x0000000008E18000-memory.dmp

Filesize
6.1MB

Download
memory/3200-47-0x0000000007AA0000-0x0000000007BAA000-memory.dmp

Filesize
1.0MB

Download
memory/3200-48-0x00000000078B0000-0x00000000078C2000-memory.dmp

Filesize
72KB

Download
memory/3200-49-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/3200-50-0x0000000007990000-0x00000000079DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads