mystic | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
Size

1.2MB
MD5

6166d64607711c5c13d3e34594f2c922
SHA1

5d2d910948e64bfe6e643a7d28f3d584ecd0f892
SHA256

fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb
SHA512

841e8cb00184591e680a67abd5e68999ea4f14659d61775ad4195586e2f051b039837241562f28985bbcd0ef59e5faf7f17cf1c46421ca43af78616b1e3779c1
SSDEEP

24576:tyn6vnWcU7F6V27AD+iul7uBdfm+lQNn2oL4b9/xFh5PQHhCe:IwnsFE27Wk6BdufrL89JZIHs

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral20/memory/2800-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/2800-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral20/memory/2800-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral20/files/0x0007000000023276-40.dat	family_redline
behavioral20/memory/3944-42-0x0000000000390000-0x00000000003CE000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4944	bV7tb1zA.exe
2824	qp0HK7Ul.exe
4644	rr4pb6lx.exe
4356	mm6SB2Dy.exe
3432	1Qq98rd6.exe
3944	2oP534VP.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bV7tb1zA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	qp0HK7Ul.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rr4pb6lx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	mm6SB2Dy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 2800	3432	1Qq98rd6.exe	100

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2096	3432	WerFault.exe	96

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4944	3304	fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe	92
PID 3304 wrote to memory of 4944	3304	fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe	92
PID 3304 wrote to memory of 4944	3304	fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe	92
PID 4944 wrote to memory of 2824	4944	bV7tb1zA.exe	93
PID 4944 wrote to memory of 2824	4944	bV7tb1zA.exe	93
PID 4944 wrote to memory of 2824	4944	bV7tb1zA.exe	93
PID 2824 wrote to memory of 4644	2824	qp0HK7Ul.exe	94
PID 2824 wrote to memory of 4644	2824	qp0HK7Ul.exe	94
PID 2824 wrote to memory of 4644	2824	qp0HK7Ul.exe	94
PID 4644 wrote to memory of 4356	4644	rr4pb6lx.exe	95
PID 4644 wrote to memory of 4356	4644	rr4pb6lx.exe	95
PID 4644 wrote to memory of 4356	4644	rr4pb6lx.exe	95
PID 4356 wrote to memory of 3432	4356	mm6SB2Dy.exe	96
PID 4356 wrote to memory of 3432	4356	mm6SB2Dy.exe	96
PID 4356 wrote to memory of 3432	4356	mm6SB2Dy.exe	96
PID 3432 wrote to memory of 4420	3432	1Qq98rd6.exe	98
PID 3432 wrote to memory of 4420	3432	1Qq98rd6.exe	98
PID 3432 wrote to memory of 4420	3432	1Qq98rd6.exe	98
PID 3432 wrote to memory of 1176	3432	1Qq98rd6.exe	99
PID 3432 wrote to memory of 1176	3432	1Qq98rd6.exe	99
PID 3432 wrote to memory of 1176	3432	1Qq98rd6.exe	99
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 3432 wrote to memory of 2800	3432	1Qq98rd6.exe	100
PID 4356 wrote to memory of 3944	4356	mm6SB2Dy.exe	104
PID 4356 wrote to memory of 3944	4356	mm6SB2Dy.exe	104
PID 4356 wrote to memory of 3944	4356	mm6SB2Dy.exe	104

C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe
"C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 624
        7⤵
        Program crash
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oP534VP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oP534VP.exe
        6⤵
        Executes dropped EXE
        
        PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3432 -ip 3432
1⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe

Filesize
1.0MB

MD5
d3da42e88bd2c11504a978f1be9e2fc2

SHA1
69adf4c22ec9ddf35c8189715d03ffc96d10505b

SHA256
3f1fdb06f2d2df9f56632e7bdbaa7e9dc92d1985f527d7dc1618ba2de3256319

SHA512
bab5d6a51a1146b936e7219b6fb8c9ed4a367c6b35cc204b8301bed664420030c885d82952ac16ccaf1cc2119d3e3b26cbd677a48bac4a66b6954faf31b34da9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe

Filesize
884KB

MD5
ca9c01310163d1c147ca4505207e1c9c

SHA1
e8abb26a431267b80f9d621c54bc50c00e4aeb9c

SHA256
8529de491a2a0590d4f22d0e79a61a52401bef71a9a9fa63ef21339090de7a5b

SHA512
fa0fa5afb4debcfcac92afffb45d35f2c08b5b4c389bd9ff2726263b06b512d7f958c4f255caa7420cb0765097448f9dd9ee9127d1f7149e435e957ef8abee41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe

Filesize
590KB

MD5
9c238ca3a69f0c5b481a0a037a0cf6ef

SHA1
9438335c07c5cf19de7c2302e8a6f98c23aa95c6

SHA256
99feb47969ccc229401f2c996d99e7b9455030104873bfba2b4ddf1ef6fb3504

SHA512
e1c2d51222de3659e92225c79e5ac42e2da41683d87f053f651d7c3a5d1a7526d66bb1815e7e4c59d9f59c59206721d3315b77f0a234aa9d880fea3a9edf2be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe

Filesize
417KB

MD5
a5b1a870dd1633cec15a3b2d218e9ec0

SHA1
5a31e3cb7c5ffd38d740ef7958a87cd75a84e97d

SHA256
65eb5088cac764e5a35252fde315c16772fc54dcad1ff3ecae699f961c55b7f2

SHA512
5dc87525a429a2940d43ed8dbc2e30f94b80be577879af5cb2d7a4ec426bf1f7be16dbdb1920d6f8d9acda14eaa07748a1f4433cb12eb042421204a2906ef8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe

Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oP534VP.exe

Filesize
231KB

MD5
6eca1aab751425412c29fe1ecf16d232

SHA1
12ba9fac83ccfd076703c4d7708df5070e7daea6

SHA256
25ff023fb901f385e7c2422516ea7f1b0000260601b0109076a1f1957ccc9b4d

SHA512
ebb52b1828ac304ecb79d846fd7ecfe3b39b9b5f604cfd8e6f57f53e910353245af9df401c0e85dbd35124c642974d11281277403021adf3e4dcb3a16af8e06a

Download Submit
memory/2800-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2800-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2800-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3944-42-0x0000000000390000-0x00000000003CE000-memory.dmp

Filesize
248KB

Download
memory/3944-43-0x0000000007620000-0x0000000007BC4000-memory.dmp

Filesize
5.6MB

Download
memory/3944-44-0x0000000007110000-0x00000000071A2000-memory.dmp

Filesize
584KB

Download
memory/3944-45-0x0000000007320000-0x000000000732A000-memory.dmp

Filesize
40KB

Download
memory/3944-46-0x00000000081F0000-0x0000000008808000-memory.dmp

Filesize
6.1MB

Download
memory/3944-47-0x00000000074C0000-0x00000000075CA000-memory.dmp

Filesize
1.0MB

Download
memory/3944-48-0x00000000073F0000-0x0000000007402000-memory.dmp

Filesize
72KB

Download
memory/3944-49-0x0000000007450000-0x000000000748C000-memory.dmp

Filesize
240KB

Download
memory/3944-50-0x00000000075D0000-0x000000000761C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads