Malware Analysis Report

2025-08-05 21:01

Sample ID: 231007-f6v5hsbf25
Target: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d
SHA256: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d
Tags: mystic persistence stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d

Threat Level: Known bad

Malicious Activity Summary

Tags: mystic persistence stealer

Detect Mystic stealer payload
Mystic
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-10-07 05:29

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-07 05:29
Reported: 2023-10-07 05:32
Platform: win10-20230915-en
Max time kernel: 69s
Max time network: 74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe | N/A

Note: the wextract_cleanupN RunOnce values are the standard cleanup entries written by a WExtract/IExpress self-extracting package; DelNodeRunDLL32 in advpack.dll deletes the package's IXPnnn.TMP extraction directory at the next logon. Five nested entries (IXP000 to IXP004) show that each dropped stage is itself such a package, so the persistence signature here is triggered by the unpacker's cleanup entries rather than by a Run key pointing at the final payload.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4156 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4800 wrote to memory of 1372 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
PID 1372 wrote to memory of 1748 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
PID 1748 wrote to memory of 4248 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
PID 4248 wrote to memory of 4216 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
PID 4216 wrote to memory of 4156 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
PID 4156 wrote to memory of 5112 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4156 wrote to memory of 5084 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Note: each stage writes into the process it has just spawned, giving the chain submitted sample -> am4Bj5wZ.exe -> yo9Qh0IA.exe -> Sw1ap1AQ.exe -> bl3AC3oh.exe -> 1sa00VW0.exe. The last stage (PID 4156) writes into two instances of the .NET host AppLaunch.exe (PIDs 5112 and 5084) and sets the thread context of 5084, the pattern of a payload injected into a legitimate host process; the memory dumps from PID 5084 listed under Files cover the 0x400000-0x428000 region of that process, and the WerFault.exe entries for PIDs 4156 and 5084 under Processes correspond to the "Program crash" signature.

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe | "C:\Users\Admin\AppData\Local\Temp\618fb792b6e084b763990ce2b947f940e4c4739f486d149d747935368feeac0d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 580
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 568

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\am4Bj5wZ.exe

MD5 a1f102d079667028ef76c6707bc29292
SHA1 42a76cfaf591201bfc000e55fa736c5f0e7b534c
SHA256 8f229f70b74527f775caa2811ce76fbd9942d5da2cf6a70d5c3f7115e4a854dc
SHA512 7b5a09932fe5f59b5deee567367defffff51ea224c9dc3839fd5d7af523e1d17fecdfe4579fdddd3c6481cab5fadad8fda6da8bf06d155e282411087fe83fd07

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yo9Qh0IA.exe

MD5 0ca21e75ae765e9336894b6f1559e257
SHA1 09f5a2d4ae1883b639c3d4a2d3512b68e2916c13
SHA256 0231a8b245aaa3281d7973118998fed869cc99a44ad56b8715b04d722010196b
SHA512 e0d2714c3f9d715460246342669a3e4f234e4f9a06553648a737eed0ba7ae75bdf00f0cee35bef7209ef3720f5c519a02c3a43c60c33043c933085924fc5d18b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Sw1ap1AQ.exe

MD5 953f6f20547811723eef9d2b31995394
SHA1 2108a95bd73dea8b4fd7abc67a3e4333905faacc
SHA256 ec4469f238b205f8fa510a4bd070b0afe98a694c5c9a05b36cffa9d43f80a6bf
SHA512 49701f2ecd294aacb23323a59dab61faab3604e7eefa66b81dc3ef48f7426a996f8da0ff700cacd039f88b1a7dc3d38819c89ea12e8738fb433727199b91f8bd

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bl3AC3oh.exe

MD5 68a449da9a3f6b2866d77d751063d403
SHA1 06014bfe82a3ff82dbe81f2705973b15407bbfa0
SHA256 95730b6d23207d6d16569caf3b61d294fc3dedbc65955f8f9cdcc8e98a259c2d
SHA512 7f087ce3bf5004ea2612cacc1fe8038d2a5ac179ecec7cdab86f5174068dd00eb1647f1fb247ab757637edbad0bc50f8922cfec4e1efb5c7eee486ffdf0cbd5f

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1sa00VW0.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/5084-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5084-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5084-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/5084-41-0x0000000000400000-0x0000000000428000-memory.dmp