mystic | 3c91163ea40ad7e35bac48ded16235cfe9003c914f570e27b4e2d7b3c9c46c05

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe
Size

884KB
MD5

8747aac71d50b90e3d130826a4ac1325
SHA1

37843108fccb569bc9e09e02f74e8f2c239f7a97
SHA256

5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60
SHA512

a2ac56f6c745bdd65f1a4331828d3b6299f5d1c579d196a485825efdbf9a59601b8f2f73afb881db17f1897d5d95ae677839e67ea52fbe061897ffb286102db0
SSDEEP

24576:Nykf9GM0FvYyBo/d++og75riw6DrtBxr:okVGRFvVBoV8gNGV3tB

Score

10^/10

mystic redline gigant infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1532-21-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/1532-22-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral9/memory/1532-24-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe	family_redline
behavioral9/memory/64-28-0x00000000009F0000-0x0000000000A2E000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

Processes:

Cy2nX9Bh.exeGs8EO4gz.exe1at72DO6.exe2ct739An.exe

pid process

3696 Cy2nX9Bh.exe
396 Gs8EO4gz.exe
3228 1at72DO6.exe
64 2ct739An.exe

pid	process
3696	Cy2nX9Bh.exe
396	Gs8EO4gz.exe
3228	1at72DO6.exe
64	2ct739An.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exeCy2nX9Bh.exeGs8EO4gz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Cy2nX9Bh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Gs8EO4gz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1at72DO6.exe

description pid process target process

PID 3228 set thread context of 1532 3228 1at72DO6.exe AppLaunch.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3452 3228 WerFault.exe 1at72DO6.exe

description	pid	process	target process
PID 3228 set thread context of 1532	3228	1at72DO6.exe	AppLaunch.exe

pid	pid_target	process	target process
3452	3228	WerFault.exe	1at72DO6.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exeCy2nX9Bh.exeGs8EO4gz.exe1at72DO6.exe

description	pid	process	target process
PID 4612 wrote to memory of 3696	4612	5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe	Cy2nX9Bh.exe
PID 4612 wrote to memory of 3696	4612	5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe	Cy2nX9Bh.exe
PID 4612 wrote to memory of 3696	4612	5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe	Cy2nX9Bh.exe
PID 3696 wrote to memory of 396	3696	Cy2nX9Bh.exe	Gs8EO4gz.exe
PID 3696 wrote to memory of 396	3696	Cy2nX9Bh.exe	Gs8EO4gz.exe
PID 3696 wrote to memory of 396	3696	Cy2nX9Bh.exe	Gs8EO4gz.exe
PID 396 wrote to memory of 3228	396	Gs8EO4gz.exe	1at72DO6.exe
PID 396 wrote to memory of 3228	396	Gs8EO4gz.exe	1at72DO6.exe
PID 396 wrote to memory of 3228	396	Gs8EO4gz.exe	1at72DO6.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 3228 wrote to memory of 1532	3228	1at72DO6.exe	AppLaunch.exe
PID 396 wrote to memory of 64	396	Gs8EO4gz.exe	2ct739An.exe
PID 396 wrote to memory of 64	396	Gs8EO4gz.exe	2ct739An.exe
PID 396 wrote to memory of 64	396	Gs8EO4gz.exe	2ct739An.exe

C:\Users\Admin\AppData\Local\Temp\5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe
"C:\Users\Admin\AppData\Local\Temp\5d8e30863d6679d9b977e23a385bd4ab7c86293390507196e2c2a60350006a60.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 164
5⤵
- Program crash
PID:3452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
4⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3228 -ip 3228
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cy2nX9Bh.exe
Filesize
590KB

MD5
2a63b01135d3f4a8f857df234c71da29

SHA1
e3cd234b6f9453e0aaf7e520590dc919f99b57ca

SHA256
cbdc47df4acb7bec90dbadb330f10cc090b96518f8034306810d83a9fce4057f

SHA512
b7baa657beb2a24c6591e7f9409d1ee475bf13ee89c2eab29881be03af83266e1148bf4f7ae744bf4b7bcd96162a43850610517a8421cb0fd052db28c501222e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gs8EO4gz.exe
Filesize
417KB

MD5
a653cd0026823bb444bc27def3cf27b4

SHA1
8600c671ffdc6e02703fff5456d8a76af424a77f

SHA256
c2d2fca40f7e8c84e3f238bdc82cba1e2220a5dcbba1b94f9c925a8aa3aa3e62

SHA512
7f11d66c69cbda9483970c247f4b24f100aab730a5b93fda8e16c15a118d2429ccc5053b555d311232197b36e1ec6b577291fcd8b36a1715ee5ba2abba49e3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1at72DO6.exe
Filesize
378KB

MD5
f0831f173733de08511f3a0739f278a6

SHA1
06dc809d653c5d2c97386084ae13b50a73eb5b60

SHA256
8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

SHA512
19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ct739An.exe
Filesize
231KB

MD5
0bd71299dd4975b52678e94953e877db

SHA1
48e91fa816bf2d444ad80bec51c3aec4585cc5bd

SHA256
d2199270533f567bfe7e44512b6ddc8f02fe74d26a990974f59fb6c6ab29aa31

SHA512
6cf98b6ceb32a6b844a2e77cdf5f67210b56c708ca73ea16dc4ff4be51fe094edc8aefad03e43e83de869c1a36cf64c057e41ca53483b2f452100aabe60cadd7

Download Submit
memory/64-33-0x0000000007BC0000-0x0000000007CCA000-memory.dmp

Filesize
1.0MB

Download
memory/64-28-0x00000000009F0000-0x0000000000A2E000-memory.dmp

Filesize
248KB

Download
memory/64-29-0x0000000007E10000-0x00000000083B4000-memory.dmp

Filesize
5.6MB

Download
memory/64-30-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/64-31-0x0000000002E70000-0x0000000002E7A000-memory.dmp

Filesize
40KB

Download
memory/64-32-0x00000000089E0000-0x0000000008FF8000-memory.dmp

Filesize
6.1MB

Download
memory/64-34-0x0000000007AF0000-0x0000000007B02000-memory.dmp

Filesize
72KB

Download
memory/64-35-0x0000000007B50000-0x0000000007B8C000-memory.dmp

Filesize
240KB

Download
memory/64-36-0x0000000007CD0000-0x0000000007D1C000-memory.dmp

Filesize
304KB

Download
memory/1532-24-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1532-22-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1532-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download