mystic | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe
Size

1.2MB
MD5

f82666906b563093e7d9151ae07c8201
SHA1

f063119adddd1ebf6b9bc1034032e446195d936d
SHA256

aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07
SHA512

5ba83af323bf600485465ff2b23ea47b2c288f6a8d78353d7531d3c79589e24677a45b79c5278379c078c0add0dd81e44d7bb1250d9b1678ff1340dea3f06ded
SSDEEP

24576:Byu8LIM5kNQegrBPVd4y0P6i5cW0tgsaeA9QVL6E3KpZx:0u1M5km9rHd4vPtZla32H

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral17/memory/4272-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/4272-37-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral17/memory/4272-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral17/files/0x000700000002343b-40.dat	family_redline
behavioral17/memory/1412-42-0x0000000000B30000-0x0000000000B6E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
4080	Xm7Sx9Af.exe
4932	hV1Il4hS.exe
2044	jr1ou6oa.exe
3028	WZ5GN2Qv.exe
344	1gT08Rm5.exe
1412	2Og559Kj.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Xm7Sx9Af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	hV1Il4hS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	jr1ou6oa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	WZ5GN2Qv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 4272	344	1gT08Rm5.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	344	WerFault.exe	86

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4080	3800	aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe	82
PID 3800 wrote to memory of 4080	3800	aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe	82
PID 3800 wrote to memory of 4080	3800	aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe	82
PID 4080 wrote to memory of 4932	4080	Xm7Sx9Af.exe	83
PID 4080 wrote to memory of 4932	4080	Xm7Sx9Af.exe	83
PID 4080 wrote to memory of 4932	4080	Xm7Sx9Af.exe	83
PID 4932 wrote to memory of 2044	4932	hV1Il4hS.exe	84
PID 4932 wrote to memory of 2044	4932	hV1Il4hS.exe	84
PID 4932 wrote to memory of 2044	4932	hV1Il4hS.exe	84
PID 2044 wrote to memory of 3028	2044	jr1ou6oa.exe	85
PID 2044 wrote to memory of 3028	2044	jr1ou6oa.exe	85
PID 2044 wrote to memory of 3028	2044	jr1ou6oa.exe	85
PID 3028 wrote to memory of 344	3028	WZ5GN2Qv.exe	86
PID 3028 wrote to memory of 344	3028	WZ5GN2Qv.exe	86
PID 3028 wrote to memory of 344	3028	WZ5GN2Qv.exe	86
PID 344 wrote to memory of 1332	344	1gT08Rm5.exe	90
PID 344 wrote to memory of 1332	344	1gT08Rm5.exe	90
PID 344 wrote to memory of 1332	344	1gT08Rm5.exe	90
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 344 wrote to memory of 4272	344	1gT08Rm5.exe	91
PID 3028 wrote to memory of 1412	3028	WZ5GN2Qv.exe	96
PID 3028 wrote to memory of 1412	3028	WZ5GN2Qv.exe	96
PID 3028 wrote to memory of 1412	3028	WZ5GN2Qv.exe	96

C:\Users\Admin\AppData\Local\Temp\aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe
"C:\Users\Admin\AppData\Local\Temp\aa524ac0a848432537ae785725900e93cb6140ebd8edeace3fe041dd64b93f07.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xm7Sx9Af.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xm7Sx9Af.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hV1Il4hS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hV1Il4hS.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr1ou6oa.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr1ou6oa.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WZ5GN2Qv.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WZ5GN2Qv.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gT08Rm5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gT08Rm5.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 616
        7⤵
        Program crash
        
        PID:812
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Og559Kj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Og559Kj.exe
        6⤵
        Executes dropped EXE
        
        PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 344 -ip 344
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xm7Sx9Af.exe

Filesize
1.0MB

MD5
cefeefe958b235d37ba19f6b8ce0c173

SHA1
86fb73886631a17aa013064fa51fdaa702128ef8

SHA256
23f52a948bd1538451e97eaa93e3f4bd737e57bd0d59a66291bbbd469ea0ef39

SHA512
22c31d95bacba1842789c09eb8f1672fb63bb06e45e50ad38160f62d67d1caac8f742ad5529b51ab8b39f70183a85ee545dd7c85fcaf33023be5278274a861c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hV1Il4hS.exe

Filesize
883KB

MD5
fcb186ee4650d49e97258fe485fd0f94

SHA1
402dcac85eaced639ab4caa9dcd71dbc4a4107ed

SHA256
d41c353fe3cd0e3db18706b667d55a80112d348f640f6ddf52be7208b6382fe2

SHA512
409bc8aa18af0ca780943fbf81379cc49374d7e0a4cfa2bfd102d8edb14855fddcb56b7afa375e5500a69959055c0aaeabaca960ff6bb27de56fe85cda4433c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr1ou6oa.exe

Filesize
590KB

MD5
5b82105a37717dc9f031b5ef3ffedfa1

SHA1
e54ef5346db3a530c1acf517f9730bad2fe48c55

SHA256
4ee78e99199efa6235bb094651706eaea5f72f6ddab1fab1b4e7fa7c068738d0

SHA512
c0b0facef771da19994f8c15a751581bd1ad9fb40d346dc7ecf2588f2b5b85eaa31653931f8cd15b17aa833f49462496b2cedf67d58ed1219f045d95d79d0829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\WZ5GN2Qv.exe

Filesize
417KB

MD5
f66d330f6c4021e92acd6320a67298b8

SHA1
0c0b45e550ff7dc244546f86a9b062012424a596

SHA256
1ccb4ce95194de1d91357d0d1742105bb681d953f6f6d76e80d444e376e90c72

SHA512
5d28d1f553de8c47b3626295b803131b6a3e6e778ce7aa9cdd6991d91448f3c7cdc2a54cd4080f8af2788c74cbf1caaf99ba968f7a82aeab9b6882765f8ffd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gT08Rm5.exe

Filesize
378KB

MD5
5298a2e202fb71f65065c95782eebd9b

SHA1
a98a5b1bd08605852d24d5152c37997a7a43ac34

SHA256
62c73785b22c56a2b0a1b42101a329eeba4a4b3c59b0746a4b4416e4971b2bf2

SHA512
350294ae1214bc08262ab017c9fd8bf48d56672dfe77f6928232328c9e1d49f9c5c16de006a8b539d25fceebfe308f598a47519f08b8bc0aeeb6bc852addf7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Og559Kj.exe

Filesize
231KB

MD5
f60fb3c66f7a0ea3d638f88963d654ef

SHA1
5cd46229743a713b711e5c528b68f9ee2044b521

SHA256
4c430e77858f4b7c738b3ebef1075c39f6f6102bbd2421d0a4ddedce7d9cbb69

SHA512
1f6ecb64756b6c4cbfd1550569ecd15230fe6f0ce3679f1d71171ba8d042c9eb581590f22aacc938b9d631bddbccb2c6dccebf3080350343765d1124c9b7894f

Download Submit
memory/1412-42-0x0000000000B30000-0x0000000000B6E000-memory.dmp

Filesize
248KB

Download
memory/1412-43-0x0000000007E60000-0x0000000008404000-memory.dmp

Filesize
5.6MB

Download
memory/1412-44-0x0000000007950000-0x00000000079E2000-memory.dmp

Filesize
584KB

Download
memory/1412-45-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/1412-46-0x0000000008A30000-0x0000000009048000-memory.dmp

Filesize
6.1MB

Download
memory/1412-47-0x0000000007C50000-0x0000000007D5A000-memory.dmp

Filesize
1.0MB

Download
memory/1412-48-0x0000000007AE0000-0x0000000007AF2000-memory.dmp

Filesize
72KB

Download
memory/1412-49-0x0000000007B80000-0x0000000007BBC000-memory.dmp

Filesize
240KB

Download
memory/1412-50-0x0000000007BC0000-0x0000000007C0C000-memory.dmp

Filesize
304KB

Download
memory/4272-37-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4272-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4272-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads