Malware Analysis Report

2025-08-11 01:11

Sample ID 231006-1fm2faac76
Target 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239
SHA256 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239
Tags
mystic persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239

Threat Level: Known bad

The file 7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239 was found to be: Known bad.

Malicious Activity Summary

mystic persistence stealer

Mystic

Detect Mystic stealer payload

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 21:35

Reported

2023-10-06 21:38

Platform

win10-20230915-en

Max time kernel

112s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2284 set thread context of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
PID 3108 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
PID 3108 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe
PID 4800 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
PID 4800 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
PID 4800 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe
PID 2988 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
PID 2988 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
PID 2988 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe
PID 4688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
PID 4688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
PID 4688 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe
PID 1036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
PID 1036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
PID 1036 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2284 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe

"C:\Users\Admin\AppData\Local\Temp\7994c1a62ea89bb9237c4dc0bfb6b4ccc026c4c8971bebe11d13de37352d7239.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.2.9.6.2.2.6.f.7.0.1.0.5.8.4.8.5.e.2.e.b.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sK2Zo5RQ.exe

MD5 3d1af630afdf5da35986317a1398ac38
SHA1 cdecbe60afe943b1614708e72d7e67ff5513398b
SHA256 7b8ae81ef1423cead978a62b57b72349a89013cab614dcd409198ae6ce767da6
SHA512 6b9bb1c5da9bdabbded4bd140d2e80f7d2190ed06b75f122087ba60a83ce30d41fc4ed75afbf5c5b2760670d755155fff555d569c036586bce72bfa3d1f80d8c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PZ0cL1Zv.exe

MD5 7d5cfd3832171729e4cc65619b2a3441
SHA1 2cc7eff939fff7190cfa4742bcff6947556e667f
SHA256 e81f500f7d3bfa296c5cbefb21e98d9761c1d0cc3b32dc9e01f9488b9ff29675
SHA512 8bee0e42147bccc5a520bc62562436b1ac39d6814c3cd70c8c987db75ec8e59211605946e85e1d0c6971a3a0dc47572a457d9892455f1113adc3d300b39f9dbf

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\OS5Mh4tR.exe

MD5 5b6852a5a87f1eaddbe0403ff18f44ee
SHA1 5d0041d5fe7c833354f64d8abc6c22cc20bd7576
SHA256 6bb0d3f307a2124ee2291749e593571921675dee18892415af1301ed2bae15f0
SHA512 68168a23d62fc3aec26d65d69f8f3a3f6af0c223251bc12b9070e22851c2acb10ee70f2db5b17cf973f02eaefe0102bbad816eccce22740286e0e800bc45a9cc

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oU0sX8vu.exe

MD5 072ef02ab1ad22f5d092ca19a7e15a9f
SHA1 90708916718cb37a75787f981bd01431d3cba163
SHA256 b7f75c2a125a90122cc6f851829443b5c3cd7ae18cbeecd4b7c183e43a78d34b
SHA512 616ce8fc830d7ea339b5662eb03df92671dee2574d6655842238133d475e6631fcdb886e137203518615c1975d6941d9f5b2c636ef09d054945c306e20bba716

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tt38WD9.exe

MD5 e5493f444443c786ee7a8ef329caf38f
SHA1 116568938dfd71ec67fb19d3c6b774aab8ca69c6
SHA256 8fdb070143618ff3251d4fdd5e8e509d64120ee54c1ae54d5ee2d393350f12ab
SHA512 5a8c1b1d1c0efd5d6a6b393be05919e6162ab08c33379784d59c404204d6cba6646b87628a6c8857cd3b29e9dcfee9bf6bfc161818924029560cc60e28ec065d

memory/4544-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4544-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4544-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4544-41-0x0000000000400000-0x0000000000428000-memory.dmp