Malware Analysis Report

2025-08-05 21:01

Sample ID 231007-ga4mfsbf37
Target fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb
SHA256 fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb
Tags
mystic persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb

Threat Level: Known bad

The file fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb was found to be: Known bad.

Malicious Activity Summary

mystic persistence stealer

Detect Mystic stealer payload

Mystic

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 05:36

Reported

2023-10-07 05:39

Platform

win10-20230915-en

Max time kernel

127s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Mystic

stealer mystic

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 768 set thread context of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
PID 3896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
PID 3896 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe
PID 4192 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
PID 4192 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
PID 4192 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe
PID 3680 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
PID 3680 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
PID 3680 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe
PID 3804 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
PID 3804 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
PID 3804 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe
PID 5004 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
PID 5004 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
PID 5004 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 768 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe

"C:\Users\Admin\AppData\Local\Temp\fe5b99ae2f24a02b6eb25016c9736c313a779f9de26ca9e883482b8075830bbb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bV7tb1zA.exe

MD5 d3da42e88bd2c11504a978f1be9e2fc2
SHA1 69adf4c22ec9ddf35c8189715d03ffc96d10505b
SHA256 3f1fdb06f2d2df9f56632e7bdbaa7e9dc92d1985f527d7dc1618ba2de3256319
SHA512 bab5d6a51a1146b936e7219b6fb8c9ed4a367c6b35cc204b8301bed664420030c885d82952ac16ccaf1cc2119d3e3b26cbd677a48bac4a66b6954faf31b34da9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qp0HK7Ul.exe

MD5 ca9c01310163d1c147ca4505207e1c9c
SHA1 e8abb26a431267b80f9d621c54bc50c00e4aeb9c
SHA256 8529de491a2a0590d4f22d0e79a61a52401bef71a9a9fa63ef21339090de7a5b
SHA512 fa0fa5afb4debcfcac92afffb45d35f2c08b5b4c389bd9ff2726263b06b512d7f958c4f255caa7420cb0765097448f9dd9ee9127d1f7149e435e957ef8abee41

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rr4pb6lx.exe

MD5 9c238ca3a69f0c5b481a0a037a0cf6ef
SHA1 9438335c07c5cf19de7c2302e8a6f98c23aa95c6
SHA256 99feb47969ccc229401f2c996d99e7b9455030104873bfba2b4ddf1ef6fb3504
SHA512 e1c2d51222de3659e92225c79e5ac42e2da41683d87f053f651d7c3a5d1a7526d66bb1815e7e4c59d9f59c59206721d3315b77f0a234aa9d880fea3a9edf2be2

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mm6SB2Dy.exe

MD5 a5b1a870dd1633cec15a3b2d218e9ec0
SHA1 5a31e3cb7c5ffd38d740ef7958a87cd75a84e97d
SHA256 65eb5088cac764e5a35252fde315c16772fc54dcad1ff3ecae699f961c55b7f2
SHA512 5dc87525a429a2940d43ed8dbc2e30f94b80be577879af5cb2d7a4ec426bf1f7be16dbdb1920d6f8d9acda14eaa07748a1f4433cb12eb042421204a2906ef8ed

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qq98rd6.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/3924-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3924-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3924-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/3924-41-0x0000000000400000-0x0000000000428000-memory.dmp