Malware Analysis Report

2025-08-05 21:00

Sample ID 231007-f279aahc8x
Target 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90
SHA256 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90
Tags
mystic persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90

Threat Level: Known bad

The file 00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90 was found to be: Known bad.

Malicious Activity Summary

mystic persistence stealer

Detect Mystic stealer payload

Mystic

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 05:23

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 05:23

Reported

2023-10-07 05:25

Platform

win10-20230915-en

Max time kernel

127s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe"

Signatures

Detect Mystic stealer payload


Mystic

stealer mystic

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 164 set thread context of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2256 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe 3
PID 208 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe 3
PID 4984 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe 3
PID 2008 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe 3
PID 4912 wrote to memory of 164 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe 3
PID 164 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10

Processes

C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe

"C:\Users\Admin\AppData\Local\Temp\00386f027f485e3c325747de08d96436d0da06eabe563f34accef9a6ae02dd90.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 164 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 80.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MR9gI7qX.exe

MD5 11be9b1ed0d88290867f543ddccc7383
SHA1 83fe9a6e3bc22cfb60a9fd3fe6d3105eb82c838d
SHA256 ce476393b85bb8ed11fdf98681725429c2c94d1dffe4345f60df18e890504eed
SHA512 796b8f2accf182e4671dd586c4860632dcc6772cf29f53ee853aa818c237d7f703f7e8e42ad10cc9349b41a6950b6ff7c06cd50b2d8edba0fc64b1fd3d95207d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\fJ5JG9LE.exe

MD5 a6c68e18e8976f1eb1bdb9d3e01061cd
SHA1 2f068a7350b09dbdcab9a98c776aba908173315b
SHA256 59dcec749271a8ac6cdfb815b7c14de0a3a6bcc1fb2a79c9f79b73c768ca29fe
SHA512 b66ac93d29e3a8c15b8ca2f20123fefca6a47fc44cf541d636f77d1dc7c7f3452ec5c56c5564352f7267e47be2e8220b7ee0c2d201f74b6e4d99fb9158e25555

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Kr1QT9He.exe

MD5 bd6fecdf36e4658a10bd6f47a8f78e96
SHA1 c82d7b1e5208196c2ee88a67a9220700944aa6f3
SHA256 b13c5041986b9d31a8053fbd7633d2b97453ec36a992c6763a769813d6cc95dc
SHA512 e24581e3766772f38accd06cbd3b95114646945a3e4041f27cfcda122821d0fa382a49102dee6a1fe1065ea110a28b8e67f49e84847aa2c08f09eca0802b5d90

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\EQ4Nt1rU.exe

MD5 62158bf20b7ec53fb62c9b7db0e1a9e6
SHA1 4df8f09acbe1f3bfb9f6df22c46229ed9ad1c525
SHA256 5891716eae66b5d21c6defa6d5b307f29f7d557201240400c359366e2a322dca
SHA512 ddabb843c6a9fc83fed7c7ed4719f90f0b36d994fad90a8e7cd64f0aeda29aac770e480b21df7493f8979b9814c5a694dd296cfb36f62961619fa31aa088aea2

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1HD36rL9.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/4812-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4812-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4812-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4812-41-0x0000000000400000-0x0000000000428000-memory.dmp