Malware Analysis Report

2025-08-05 21:01

Sample ID 231007-gsfncabf94
Target 164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053
SHA256 164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053
Tags
mystic evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053

Threat Level: Known bad

The file 164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053 was found to be: Known bad.

Malicious Activity Summary

mystic evasion persistence stealer trojan

Detect Mystic stealer payload

Modifies Windows Defender Real-time Protection settings

Mystic

Executes dropped EXE

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 06:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 06:03

Reported

2023-10-07 06:06

Platform

win10-20230915-en

Max time kernel

112s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe"

Signatures

Detect Mystic stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A

Mystic

stealer mystic

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4292 set thread context of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
PID 4252 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
PID 4252 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe
PID 3528 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
PID 3528 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
PID 3528 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe
PID 1336 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
PID 1336 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
PID 1336 wrote to memory of 360 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe
PID 360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
PID 360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
PID 360 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe
PID 360 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
PID 360 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
PID 360 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4292 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe

"C:\Users\Admin\AppData\Local\Temp\164255283eeb9b38d4be91e9216b2f09a103f9cc91fa108aec1d0d350ca6b053.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 568

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uQ6fx10.exe

MD5 2fb7beb720c0473999af5c13f0e0c565
SHA1 a0dd87c1dac6e94544f632a7058feb87fc44e510
SHA256 9fe3268ddf21544a41f5da9860a62dc8ea927f37a5ce817a7f8918b1fec2436a
SHA512 27dfaaa7eb74ac0841c6a46061f05744be6bca16eaa569e5bd83ae1f957bca3ddce6d0e6d8ab3ed251e8a9393f0159e09cd8a1784a6db09913d660a5f250ac5c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\It8Bs50.exe

MD5 fd26daf07ff629f52e5bce288bd760cb
SHA1 abbcfe1a49d1aee2b575a2076d02631c6aea7210
SHA256 f8c9b40cce4f22b3bb440369e5f59a709fc64ac1606ee904df15453472e7099e
SHA512 d047c24dceb751d83e53eebe64573f2289eec677d1ae4312600b0084db009b1e8356746971a935d9e225d2493ca506cb8740313611498063f34c44ab13915730

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\In9DE33.exe

MD5 1eb6aa8674c547a3f0a5786e985a6d2e
SHA1 86c7f53dd032ffc5cef5bda714b1cf3c2fc3eca3
SHA256 e4bc9d516cb00d7926811e95cfc6bb15e85a257d2254d0fb061358c8fddc171a
SHA512 7e26f39d87892c6a562990087183ebc5c9ef19cc939ea7a47a98e98299addb30cbe167521898bc711cc117ed5395c21334f047ec4fd3502e46041457db7cc272

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1RJ79nC7.exe

MD5 8904f85abd522c7d0cb5789d9583ccff
SHA1 5b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA256 7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA512 04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

memory/920-29-0x0000000073520000-0x0000000073C0E000-memory.dmp

memory/920-28-0x0000000001FF0000-0x000000000200E000-memory.dmp

memory/920-30-0x0000000004B60000-0x000000000505E000-memory.dmp

memory/920-31-0x0000000002440000-0x000000000245C000-memory.dmp

memory/920-32-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-33-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-35-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-37-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-39-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-41-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-43-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-45-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-47-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-49-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-51-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-53-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-55-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-57-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-59-0x0000000002440000-0x0000000002456000-memory.dmp

memory/920-60-0x0000000073520000-0x0000000073C0E000-memory.dmp

memory/920-62-0x0000000073520000-0x0000000073C0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2hJ3214.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/4576-66-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4576-69-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4576-70-0x0000000000400000-0x0000000000428000-memory.dmp

memory/4576-72-0x0000000000400000-0x0000000000428000-memory.dmp