Malware Analysis Report

2025-08-05 21:01

Sample ID: 231007-gsfncahd9v
Target: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1
SHA256: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1
Tags: mystic, persistence, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1
Threat Level: Known bad

The file c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1 was found to be: Known bad.

Malicious Activity Summary

Tags: mystic, persistence, stealer

Signatures triggered:
  Detect Mystic stealer payload
  Mystic
  Executes dropped EXE
  Adds Run key to start application
  Suspicious use of SetThreadContext
  Unsigned PE
  Program crash
  Suspicious use of WriteProcessMemory

What the sections below show: the sample is a chain of five nested self-extracting droppers (IXP000.TMP through IXP004.TMP under the user's Temp directory), each stage registering a wextract_cleanupN RunOnce entry for its own extraction directory. The innermost executable, 1oA20VV8.exe (PID 4568), writes into the 32-bit .NET host AppLaunch.exe (PID 1588) and sets its thread context; the memory dumps in the Files section are all of PID 1588, and the "Detect Mystic stealer payload" signature fires in this run. Both 4568 and 1588 were then handled by WerFault.exe ("Program crash"), and the only network traffic recorded is four reverse-DNS queries, so no C2 contact is present in the capture. The "Adds Run key" hits are the self-extractor's cleanup entries, not an autostart entry for the stealer itself.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-07 06:03

Signatures

Unsigned PE

  Description, Indicator, Process and Target are not recorded (N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-07 06:03
Reported: 2023-10-07 06:06
Platform: win10-20230915-en
Max time kernel: 122s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"

Signatures

Detect Mystic stealer payload

  4 hits; Description, Indicator, Process and Target are not recorded (N/A).

Mystic

  Tags: stealer, mystic

Adds Run key to start application

persistence

Value data is shown unescaped; the report renders it as a JSON-style string with doubled backslashes.

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\" | C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe | N/A

Note: these values are the cleanup entries written by the Windows self-extractor (wextract, the IExpress stub). advpack.dll's DelNodeRunDLL32 deletes the named IXP00n.TMP directory at the next logon, after which the RunOnce value is gone; nothing in these entries launches the dropped executables, so the "persistence" tag here reflects the packer's housekeeping, not an autostart for the stealer. Each entry is written by the executable that was extracted into the previous directory, which is what exposes the five-level nesting (sample -> IXP000 -> IXP001 -> IXP002 -> IXP003 -> IXP004). The WOW6432Node path shows that every stage ran as a 32-bit process.
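The rows above can be parsed and linked mechanically, which is how a detection rule tells a self-extractor cleanup entry from a genuine autostart and recovers the nesting depth. The Python below is an added example written for this page, not output or tooling from the sandbox; the five registry rows are re-typed from the table as constructed input, and the function names (parse_cleanup_value, classify_runonce, reconstruct_chain, assess) are the example's own.

```python
import re

# The five "Set value" rows from the table above, re-typed as constructed input:
# (value name, value data, process that wrote it). Paths are as recorded in the report.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"


def _cleanup(n):
    # Value data in the form wextract writes it: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>\"
    return f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{TEMP}IXP00{n}.TMP\\"'


CLEANUP_EVENTS = [
    ("wextract_cleanup0", _cleanup(0), TEMP + "c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"),
    ("wextract_cleanup1", _cleanup(1), TEMP + "IXP000.TMP\\WQ4sg2Gq.exe"),
    ("wextract_cleanup2", _cleanup(2), TEMP + "IXP001.TMP\\ZC5pC5Xb.exe"),
    ("wextract_cleanup3", _cleanup(3), TEMP + "IXP002.TMP\\Gx6DA6Dl.exe"),
    ("wextract_cleanup4", _cleanup(4), TEMP + "IXP003.TMP\\nW6fu3Dj.exe"),
]

# Matches the advpack.dll DelNodeRunDLL32 form and captures the directory to be deleted.
CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"\s*$', re.IGNORECASE
)


def parse_cleanup_value(data):
    """Directory a wextract_cleanupN RunOnce value will delete, or None if it is not one."""
    m = CLEANUP_RE.match(data)
    return m.group(1) if m else None


def classify_runonce(data):
    """'wextract_cleanup' for the self-extractor's housekeeping entry, 'autostart' otherwise."""
    return "wextract_cleanup" if parse_cleanup_value(data) is not None else "autostart"


def parent_dir(path):
    """Directory containing a file, with trailing backslash (the form wextract records)."""
    return path.rsplit("\\", 1)[0] + "\\"


def reconstruct_chain(events):
    """Order cleanup entries root-first.

    Stage k+1 is written by an executable that lives inside the directory stage k
    schedules for deletion, so that containment relation is the unpack order.
    """
    stages = [
        {"key": name, "process": proc, "extracts_to": d}
        for name, data, proc in events
        if (d := parse_cleanup_value(data)) is not None
    ]
    extracted = {s["extracts_to"].lower() for s in stages}
    roots = [s for s in stages if parent_dir(s["process"]).lower() not in extracted]
    if len(roots) != 1:  # ambiguous or empty: report nothing rather than guess
        return []
    chain, cur = [], roots[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = next(
            (s for s in stages if parent_dir(s["process"]).lower() == cur["extracts_to"].lower()),
            None,
        )
    return chain


def assess(events):
    """Summary a triage rule could emit for this registry activity."""
    chain = reconstruct_chain(events)
    return {
        "depth": len(chain),
        "nested_self_extractor": len(chain) >= 2,
        "stages": [(s["process"], s["extracts_to"]) for s in chain],
        # None of the cleanup values launch anything: DelNodeRunDLL32 only deletes the directory.
        "autostart_entries": [n for n, d, _ in events if classify_runonce(d) == "autostart"],
    }


if __name__ == "__main__":
    for proc, d in assess(CLEANUP_EVENTS)["stages"]:
        print(f"{proc}\n    extracts to {d}")
```

Run directly it prints the chain root-first. Classification keys on the DelNodeRunDLL32 form of the value rather than on the wextract_cleanup name, so a renamed entry is still recognised as cleanup, and anything else under RunOnce is still reported as an autostart.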

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4568 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Identical rows are collapsed; Count is the number of WriteProcessMemory events the report lists for that source/target pair.

Description | Count | Indicator | Process | Target
PID 2088 wrote to memory of 2188 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe
PID 2188 wrote to memory of 4784 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe
PID 4784 wrote to memory of 2216 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe
PID 2216 wrote to memory of 1836 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe
PID 1836 wrote to memory of 4568 | 3 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe
PID 4568 wrote to memory of 1588 | 10 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

The first five pairs are each stage writing into the stage it drops, three events apiece. The 4568 -> 1588 pair stands out: ten writes into AppLaunch.exe, a Microsoft-shipped .NET host, and it is the only pair that also appears under SetThreadContext. Writing a payload into another process and then redirecting a thread into it is the process hollowing pattern; the dumps of PID 1588 at 0x00400000 in the Files section are the region an analyst would pull for the unpacked payload.
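The WriteProcessMemory and SetThreadContext rows are the raw material for a hollowing detection: the pair that shows both calls is the injection, and the write-only pairs are the drop chain. The Python below is an added example for this page, not sandbox code; it re-types those rows as constructed input (PIDs and image paths as in the tables), and HOLLOW_HOSTS and the function names (count_writes, pid_chain, find_hollowing) are the example's own assumptions.

```python
from collections import Counter

# Rows from the SetThreadContext and WriteProcessMemory tables above, re-typed as
# constructed input: (api, source pid, target pid, source image, target image).
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"
STAGE = [TEMP + "IXP000.TMP\\WQ4sg2Gq.exe", TEMP + "IXP001.TMP\\ZC5pC5Xb.exe",
         TEMP + "IXP002.TMP\\Gx6DA6Dl.exe", TEMP + "IXP003.TMP\\nW6fu3Dj.exe",
         TEMP + "IXP004.TMP\\1oA20VV8.exe"]
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

EVENTS = (
    [("WriteProcessMemory", 2088, 2188, SAMPLE, STAGE[0])] * 3
    + [("WriteProcessMemory", 2188, 4784, STAGE[0], STAGE[1])] * 3
    + [("WriteProcessMemory", 4784, 2216, STAGE[1], STAGE[2])] * 3
    + [("WriteProcessMemory", 2216, 1836, STAGE[2], STAGE[3])] * 3
    + [("WriteProcessMemory", 1836, 4568, STAGE[3], STAGE[4])] * 3
    + [("WriteProcessMemory", 4568, 1588, STAGE[4], APPLAUNCH)] * 10
    + [("SetThreadContext", 4568, 1588, STAGE[4], APPLAUNCH)]
)

# Microsoft-shipped binaries commonly started suspended and hollowed. This list is an
# assumption for the example (an analyst would maintain it); only AppLaunch.exe occurs here.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def count_writes(events):
    """Number of WriteProcessMemory events per (source pid, target pid)."""
    return Counter((s, t) for api, s, t, *_ in events if api == "WriteProcessMemory")


def pid_chain(events):
    """Root-first order of PIDs linked by memory writes (each stage writes into the next).

    Returns [] if there is not exactly one root; stops where a stage fans out.
    """
    edges = {}
    for api, s, t, *_ in events:
        if api == "WriteProcessMemory":
            edges.setdefault(s, set()).add(t)
    written_to = {t for ts in edges.values() for t in ts}
    roots = [s for s in edges if s not in written_to]
    if len(roots) != 1:
        return []
    chain, cur = [], roots[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        nxt = edges.get(cur, set())
        cur = next(iter(nxt)) if len(nxt) == 1 else None
    return chain


def find_hollowing(events):
    """Pairs that show both memory writes and SetThreadContext from one source into one
    target: payload written into the host, then a thread redirected into it."""
    writes = count_writes(events)
    findings = []
    for api, src, dst, src_img, dst_img in events:
        if api != "SetThreadContext" or writes[(src, dst)] == 0:
            continue
        findings.append({
            "injector_pid": src,
            "target_pid": dst,
            "injector": src_img,
            "target": dst_img,
            "writes": writes[(src, dst)],
            "trusted_host": dst_img.rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS,
            # \Framework\ (not \Framework64\) is the 32-bit .NET Framework directory.
            "target_32bit": "\\Framework\\" in dst_img,
        })
    return findings


if __name__ == "__main__":
    print("drop chain:", " -> ".join(map(str, pid_chain(EVENTS))))
    for f in find_hollowing(EVENTS):
        print(f"hollowing: {f['injector_pid']} -> {f['target_pid']} ({f['target']}), "
              f"{f['writes']} writes, trusted host={f['trusted_host']}")
```

count_writes and pid_chain recover the 2088 -> 2188 -> 4784 -> 2216 -> 1836 -> 4568 -> 1588 order from nothing but the write events; find_hollowing reports only the 4568 -> 1588 pair, with ten writes into a trusted 32-bit .NET host, and PID 1588 is the process the Files section dumps.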

Processes

Listed in the order the report gives them, which is also the drop chain established by the WriteProcessMemory table (2088 -> 2188 -> 4784 -> 2216 -> 1836 -> 4568 -> 1588). PIDs come from that table and from the WerFault -p arguments; the report does not record PIDs for the two WerFault.exe instances. Each entry gives the image path and, where it differs, the command line on the following line.

PID 2088  C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
          "C:\Users\Admin\AppData\Local\Temp\c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe"

PID 2188  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe

PID 4784  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe

PID 2216  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe

PID 1836  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe

PID 4568  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe

PID 1588  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

PID n/a   C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 140

PID n/a   C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 568

AppLaunch.exe under \Framework\ (not \Framework64\) is the 32-bit .NET 4 host, and the crash reporter runs from SysWOW64, so the whole chain executed as 32-bit processes. WerFault's -p argument is the PID of the faulting process: both the injector (4568) and the injected AppLaunch.exe (1588) crashed, which matches the "Program crash" signature.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp

All four are reverse (PTR) lookups sent to Google's public resolver, for 2.18.121.80, 52.111.227.11, 104.208.16.90 and 209.197.3.8 respectively (in-addr.arpa names carry the octets in reverse order). No connection to a stealer command-and-control host was recorded during the 132 s network window. Since the injected process crashed (WerFault -p 1588 in the Processes list), the absence of C2 traffic here says nothing about whether the sample has a C2; it only says the payload did not get that far in this run.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ4sg2Gq.exe

MD5 b9cfcc60817c8121977e71ee8c6aebd9
SHA1 ced1e9401ddee75a63c1adeeb1ae3bd072702f1d
SHA256 12166e655475465188552c5503a8d8e5db50d4812b0582d3bd020eb20d5da373
SHA512 c95027be495067c1c39e4ffd950aa113d4a4de23939fcac8264d9c02f07eca691a43a6937b61b0cdf4c0d835487c0b18cafeeca2786f62b2de4d4ebbe2a60b2e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZC5pC5Xb.exe

MD5 3a6538c6c794a8776591c48d4d347f44
SHA1 2831c8594e8455f289b4de7e8e7110f0227defdc
SHA256 ee5c3274f5b30bb85e429a54681d54a0841d8244c2644e0a7b30427fb347d03e
SHA512 aa1af6f2b6cdc8e5d42577f24b6e0e9ebc50847f635eb0004a17852b274f4bd1156809f930e37610780063f7f5eb20c8fd752ba5e9fa6f4cb7449fb89af4d9f5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Gx6DA6Dl.exe

MD5 aec2a6ad8432b23e6caea51b4f676d3f
SHA1 47b7b07b86b6b3b165f00bde02bc38d7a94e2d90
SHA256 0c9a20791a0dc9a4a77b2a598c0797583528e60e8caa40172a3b829fcd6d9cc4
SHA512 5f2aed8e5cee75baaccbd98366cbc1abc9a54b590a47de26f7d9ef61721cfb3a7bd804a0ba1619703eba99af49ae858d5825842925b5ae74c78ac5db1a2aa226

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nW6fu3Dj.exe

MD5 08e301a84cf495a48b0bcf65bef50534
SHA1 70f4fecdd000a98aab48f5640b9fe6eafee98226
SHA256 3bf26fe604efcb027de085c469a520483fd73f09ef2d53650d56768847b857aa
SHA512 41ea61ebfdbfdb17b08bfa24b7691def1177f82560fbf69c2cc533bd7a63398acde07766d9f980f667f4149951bf53319f4ab330cd948ef750a7f9465e689e82

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1oA20VV8.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/1588-35-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1588-38-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1588-39-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1588-41-0x0000000000400000-0x0000000000428000-memory.dmp

Four dumps of the same 0x28000-byte (160 KiB) region of PID 1588 (AppLaunch.exe), starting at 0x00400000, the default image base of a 32-bit executable.