mystic | 54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3

Analysis

max time kernel
133s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe
Size

1.6MB
MD5

3e4ec17d3ecded819ae05bffb4acb5da
SHA1

de36df2f44f14ae0f63321ff1963a2743b79181c
SHA256

54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3
SHA512

62d3b31a18ba0cd777dcfb28b29c3e9367f0330bb2232cffb0fcfd1a0da89efb76cfaac08dd9aef157aca5d119a9af8c0b46ec682aac6587fb40818ee4dd05c7
SSDEEP

24576:gycCQhI/+6rjfGYJCbImv0AgsjExiBITAMvprkimrr67yJ85dHeo60n5Hx2n3qHF:nwnzv0AfuiBYBJbzdH96W3EudNXMwSK

Score

10^/10

mystic redline gigant discovery infostealer persistence stealer

Malware Config

Extracted

Family

redline

Botnet

gigant

77.91.124.55:19071

Signatures

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2268-35-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2268-36-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral1/memory/2268-38-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023476-40.dat	family_redline
behavioral1/memory/3476-42-0x0000000000660000-0x000000000069E000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
3644	fO9FI2JM.exe
3264	gz6Oe6sA.exe
3016	SU6vs4kH.exe
3492	FO0SK6GX.exe
1988	1aF73Ks9.exe
3476	2vG618Lk.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	fO9FI2JM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	gz6Oe6sA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	SU6vs4kH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	FO0SK6GX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 2268	1988	1aF73Ks9.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3292	1988	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gz6Oe6sA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SU6vs4kH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FO0SK6GX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1aF73Ks9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2vG618Lk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fO9FI2JM.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3644	1856	54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe	82
PID 1856 wrote to memory of 3644	1856	54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe	82
PID 1856 wrote to memory of 3644	1856	54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe	82
PID 3644 wrote to memory of 3264	3644	fO9FI2JM.exe	83
PID 3644 wrote to memory of 3264	3644	fO9FI2JM.exe	83
PID 3644 wrote to memory of 3264	3644	fO9FI2JM.exe	83
PID 3264 wrote to memory of 3016	3264	gz6Oe6sA.exe	84
PID 3264 wrote to memory of 3016	3264	gz6Oe6sA.exe	84
PID 3264 wrote to memory of 3016	3264	gz6Oe6sA.exe	84
PID 3016 wrote to memory of 3492	3016	SU6vs4kH.exe	85
PID 3016 wrote to memory of 3492	3016	SU6vs4kH.exe	85
PID 3016 wrote to memory of 3492	3016	SU6vs4kH.exe	85
PID 3492 wrote to memory of 1988	3492	FO0SK6GX.exe	86
PID 3492 wrote to memory of 1988	3492	FO0SK6GX.exe	86
PID 3492 wrote to memory of 1988	3492	FO0SK6GX.exe	86
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 1988 wrote to memory of 2268	1988	1aF73Ks9.exe	87
PID 3492 wrote to memory of 3476	3492	FO0SK6GX.exe	91
PID 3492 wrote to memory of 3476	3492	FO0SK6GX.exe	91
PID 3492 wrote to memory of 3476	3492	FO0SK6GX.exe	91

C:\Users\Admin\AppData\Local\Temp\54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe
"C:\Users\Admin\AppData\Local\Temp\54f1280cbcc0fd2100e6d12d2347146ce3553bd2e15524aaeafcc000d14f7ad3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fO9FI2JM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fO9FI2JM.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gz6Oe6sA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gz6Oe6sA.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SU6vs4kH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SU6vs4kH.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FO0SK6GX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FO0SK6GX.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3492
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aF73Ks9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aF73Ks9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 600
        7⤵
        Program crash
        
        PID:3292
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vG618Lk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vG618Lk.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1988 -ip 1988
1⤵
PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fO9FI2JM.exe

Filesize
1.5MB

MD5
b79fd622571d7c4c2e3fb68f309121b1

SHA1
efdb0426e12c5f3a178eaf2e0b5988f6594a659c

SHA256
225c8f086b1d1beae96d5093890ed1f16625e8909180e657821267e78f178670

SHA512
bb8a314db185a5c31b79b245726c9bd994bbdf272050449e843c34a3b82471440a40507da416501e40cfd655f554240410f850811eab0d926a2dde15f6537a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gz6Oe6sA.exe

Filesize
1.3MB

MD5
791dfc7d68a5ef38c9e4a83085a71b48

SHA1
e3320756bd55f7c2878f6e2d07175445c0547571

SHA256
d1e352bf68b077f487a99984e083727a1f489f973bc6188751408108f6221912

SHA512
875b1fd2550829801c232c95f5e840e9a3aabe120859ac5721c87f7169e0838b87be60528843d63920ef8589a10588fe81105c90dd9731fd4b25336fdf9443ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SU6vs4kH.exe

Filesize
823KB

MD5
8c439b8c4ac6bb3148620799f663c720

SHA1
2aa27c0a9c7a12a43cee468b2e8e3c6b2dc39ac8

SHA256
f52ef8e0352a992e80e8cb6bda0dcb4dc8a3dc8b34c52c3ca08fc6dca1501c54

SHA512
ed463fadd1463370793410ede579a567dd74b1a24a2834bcb9d0bd3c8f503bd30ee609589d9382a2fb76249f2f7e4b8b02d520ca3b5d82a5dd5ed33f2bdfc0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FO0SK6GX.exe

Filesize
651KB

MD5
610abd59310220ada2082b8655e54a81

SHA1
611b68534b2d41f5639936f95ee9a58760dbab8b

SHA256
48d0473efce24adc3e5fde095a3164decb53994dc8c6dbcd27b7cb5a462ce957

SHA512
189b39916b34945bf1a06f070d13b4836f0802722cfcc173906a9c47056bc62f14ef3b60f950a83b2cf8786a375e9c621517259b9023f6e3a8b5c49402cf7d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1aF73Ks9.exe

Filesize
1.7MB

MD5
30cb67b1c318ba32f1c30437e5bb90d5

SHA1
4dd04bd3e390014d6fd268bc704b1018c9f016ba

SHA256
985cc3c155469ebaf0cf407263786240117a59dd95e82576ca329dfe131da2e2

SHA512
0e95e5f2f9cef8e45ce2c67635a11eab2024e66df2f8faa4bb4fc8c51b1b22eb57c30dad9b25654ae3fb7f00b1ba61abe00c2245769c4ebea67dd9180d8d8de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vG618Lk.exe

Filesize
230KB

MD5
6b0346f146a8746fca5a09ef9ad1098e

SHA1
640b5cd9c8a37883c96ff75fe3365dbc69695f95

SHA256
574f98a97bf7d6f71235196e571110daee30688ca6df1f0977d55b75665639ee

SHA512
5d8ca1690220bdcf45ec48bfa077ef6048281bb0f26d00529c4a5af2a1efe834a22b24d1fabb28fce30d50c812be85dc01570c96e3ac461d87566a1a6da04cee

Download Submit
memory/2268-36-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2268-38-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2268-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3476-42-0x0000000000660000-0x000000000069E000-memory.dmp

Filesize
248KB

Download
memory/3476-43-0x0000000007990000-0x0000000007F34000-memory.dmp

Filesize
5.6MB

Download
memory/3476-44-0x0000000007480000-0x0000000007512000-memory.dmp

Filesize
584KB

Download
memory/3476-45-0x0000000004A40000-0x0000000004A4A000-memory.dmp

Filesize
40KB

Download
memory/3476-46-0x0000000008560000-0x0000000008B78000-memory.dmp

Filesize
6.1MB

Download
memory/3476-47-0x0000000007F40000-0x000000000804A000-memory.dmp

Filesize
1.0MB

Download
memory/3476-48-0x0000000007650000-0x0000000007662000-memory.dmp

Filesize
72KB

Download
memory/3476-49-0x00000000077E0000-0x000000000781C000-memory.dmp

Filesize
240KB

Download
memory/3476-50-0x0000000007820000-0x000000000786C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads