Malware Analysis Report

2025-08-05 21:01

Sample ID 231007-g2c9ksbg72
Target 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52
SHA256 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52
Tags
mystic persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52

Threat Level: Known bad

The file 1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52 was found to be: Known bad.

Malicious Activity Summary

mystic persistence stealer

Detect Mystic stealer payload

Mystic

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 06:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 06:17

Reported

2023-10-07 06:20

Platform

win10-20230915-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe"

Signatures

Detect Mystic stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Mystic

stealer mystic

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3236 set thread context of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3432 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
PID 3432 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
PID 3432 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe
PID 4704 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
PID 4704 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
PID 4704 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe
PID 2628 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
PID 2628 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
PID 2628 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe
PID 4112 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
PID 4112 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
PID 4112 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe
PID 3044 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
PID 3044 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
PID 3044 wrote to memory of 3236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe

"C:\Users\Admin\AppData\Local\Temp\1f60f8a805671b18c30ad26852979b68dc897e7aa18adcb07c36ec30dd045e52.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 176

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oc9qu9gl.exe

MD5 d4f1bfc54555d4cd27c7a0918372e6e5
SHA1 3db83fd1310ddb8a3c311eeaf9b732670daa15c3
SHA256 dac67c730f805dc3c8faaea68d6ba73a08f6e79566eb8d2ebdd1f561d0405cee
SHA512 72ad606b959508db3507e85a0ec3d69bec74a709e48815ee43f190f3cdba0c09500fcfda34afeaf435ef0c669912194d6842a406cddeb60d6e5ed8ea3012c08a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XP1vy3DE.exe

MD5 bf126308e06d245b6bd0bb5e4c72dd81
SHA1 ac5d015dcb97014346aa3475ddb2b40a70412840
SHA256 7e0b6068e313db54e82451a5414e0ed2a010f2ec958e1e7ddd5c1fd2f5138443
SHA512 34bff4b5ea53a68a2af89c3a3658a56ca4a5418d51bf61e7bce8edb7b4a204687c8732826c6a24a27268b188a32a9dedcb53f30b3da1fe7cd1315ad6e5f252be

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FE7zP7SV.exe

MD5 aee972d0841d3d678e9af0da29ac8f15
SHA1 d281198305b064f3aa11ae8aceee551e857ebf7f
SHA256 0b02cd41f451366f66416890a0f7ccf7965f73d77531577720240a27992fbb77
SHA512 520dab402627e34afa3cdb82eaa45690e65a6fab969d48b58df1265ea57d8c0c5defa15bc24079bbc4f2a17ad028b85f4fff6966d702b1dd71c80bb8c42727ae

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vX2PD5Dh.exe

MD5 4c6fee8e2637ea49d6983d49aba60998
SHA1 82c597e54eeceadb562819230f571c70fad22c6d
SHA256 b939f197fa860468fac181c6a8b15a9891c6c1b7697e3531bb73edd3692e3bfd
SHA512 a8c6c3fe34902c3d47411d583d0cd755d46abe2ad175f0b5a80fd213bea81576915f0478926e81e0bca6bd698af1a0fd6e47d00367168aa281827b505b170c9c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Vu14NQ5.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/2236-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2236-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2236-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2236-41-0x0000000000400000-0x0000000000428000-memory.dmp