mystic | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe
Size

511KB
MD5

ae9b91adcf67c2bd0ac2a681f05c0adc
SHA1

0da2417ee4c5358398e349e185ab4da6424abef3
SHA256

e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6
SHA512

25b43617236d4e9b65bb0ab17b3aeb80ec68420dcf44a43f43844ee41eb38e7b1ab7fa5baff83d68b125bb79168b12a09efda0719f0d6809c83bf5abb8c74712
SSDEEP

12288:IMrNy90+79pyDHwaEmfFr+dJY8TUs2Vum+4+wSR1Fdsjh2h:1y3pBlUFGYSz2VuRUSnYjh2h

Score

10^/10

mystic redline taiga infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral19/memory/1476-14-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/1476-15-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/1476-16-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral19/memory/1476-18-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral19/memory/1096-22-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	7cy9tj29.exe

Executes dropped EXE 4 IoCs

pid	Process
2172	TA1Ka24.exe
2364	1Qz85yU0.exe
1220	2tE4449.exe
5104	7cy9tj29.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	TA1Ka24.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 1476	2364	1Qz85yU0.exe	85
PID 1220 set thread context of 1096	1220	2tE4449.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1972	1476	WerFault.exe	85

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2172	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	82
PID 2992 wrote to memory of 2172	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	82
PID 2992 wrote to memory of 2172	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	82
PID 2172 wrote to memory of 2364	2172	TA1Ka24.exe	83
PID 2172 wrote to memory of 2364	2172	TA1Ka24.exe	83
PID 2172 wrote to memory of 2364	2172	TA1Ka24.exe	83
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2364 wrote to memory of 1476	2364	1Qz85yU0.exe	85
PID 2172 wrote to memory of 1220	2172	TA1Ka24.exe	87
PID 2172 wrote to memory of 1220	2172	TA1Ka24.exe	87
PID 2172 wrote to memory of 1220	2172	TA1Ka24.exe	87
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 1220 wrote to memory of 1096	1220	2tE4449.exe	92
PID 2992 wrote to memory of 5104	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	93
PID 2992 wrote to memory of 5104	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	93
PID 2992 wrote to memory of 5104	2992	e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe	93
PID 5104 wrote to memory of 2080	5104	7cy9tj29.exe	94
PID 5104 wrote to memory of 2080	5104	7cy9tj29.exe	94
PID 5104 wrote to memory of 2080	5104	7cy9tj29.exe	94

C:\Users\Admin\AppData\Local\Temp\e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe
"C:\Users\Admin\AppData\Local\Temp\e48626da66ef50a0f8bd4d374f7aaa4931cc35197cb2826a4f29047dce4edfe6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA1Ka24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA1Ka24.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Qz85yU0.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Qz85yU0.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1476
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 540
        5⤵
        Program crash
        
        PID:1972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tE4449.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tE4449.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7cy9tj29.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7cy9tj29.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1476 -ip 1476
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7cy9tj29.exe

Filesize
73KB

MD5
2149dd58e781f72f9425e375ef29842c

SHA1
71f092b5c8ab3d3204d152f2f84920b96221e17d

SHA256
dea74a6ffc7924eaa125e335e36cb0710e7458867fcf3d519c2771e852deecc4

SHA512
61cd3b29942cd9fb5ff897fa8401a7523a6c547759f45214b362c540f862e5344a3648255a93001a9dadabbd8db012e7a2cf5e738524f38e6f5fb9294008436b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TA1Ka24.exe

Filesize
389KB

MD5
989b3c1150d18f2c0dc7e96988e68045

SHA1
29259d7f02d47821807c87cc74348ebf384258d3

SHA256
20c4cf8ca2f6d61e14f72361d53534729ed20b38479636cf201293a4565d8b7c

SHA512
8c0ce2b40101a1b5099d1501a4e55c5f94cde74d3d766030c34f1dcbb804406ba25de93f26d2755bacc10e76a8c44589122bdb36b6096684f9f06b85e47f22bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Qz85yU0.exe

Filesize
300KB

MD5
784667bb96ccb30c4cf44f2c5f493769

SHA1
28185165ab4dbbb4a139ae1af0bb6934ebe05c04

SHA256
1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9

SHA512
62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2tE4449.exe

Filesize
339KB

MD5
14d9834611ad581afcfea061652ff6cb

SHA1
802f964d0be7858eb2f1e7c6fcda03501fd1b71c

SHA256
e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60

SHA512
cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
memory/1096-37-0x0000000008DA0000-0x00000000093B8000-memory.dmp

Filesize
6.1MB

Download
memory/1096-22-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1096-30-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/1096-31-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/1096-32-0x00000000030C0000-0x00000000030CA000-memory.dmp

Filesize
40KB

Download
memory/1096-39-0x0000000007EC0000-0x0000000007ED2000-memory.dmp

Filesize
72KB

Download
memory/1096-38-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/1096-40-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/1096-41-0x00000000080B0000-0x00000000080FC000-memory.dmp

Filesize
304KB

Download
memory/1476-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1476-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads