Malware Analysis Report

2025-08-05 21:00

Sample ID 231007-gwz66abg44
Target 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8
SHA256 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8
Tags
mystic persistence stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8

Threat Level: Known bad

The file 1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8 was found to be: Known bad.

Malicious Activity Summary

mystic persistence stealer

Detect Mystic stealer payload

Mystic

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-07 06:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-07 06:10

Reported

2023-10-07 06:12

Platform

win10-20230915-en

Max time kernel

72s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe"

Signatures

Detect Mystic stealer payload

Mystic

stealer mystic

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4108 set thread context of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2744 wrote to memory of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe | 3
PID 4924 wrote to memory of 828 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe | 3
PID 828 wrote to memory of 1184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe | 3
PID 1184 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe | 3
PID 4860 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe | 3
PID 4108 wrote to memory of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 10

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe | "C:\Users\Admin\AppData\Local\Temp\1028758d81311bf28fd1a39e9894a3b130c1266ef4daa07d94061457720675c8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 588
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 568

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 80.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mc0TS7eZ.exe

MD5 82fa0b61cb3aa852ddd135fab8ea05ab
SHA1 c6ae6e27dd90806dd99b83899db68d38ab37a372
SHA256 8f594667b32dbf0b930f70ff8113dc510e8c872f80d7953a203179a3ebeb0d2e
SHA512 aa6627455843eccfceb9919777b9f5e9832293b76d9c0e1620437028d57ce3fea4775116495a4cfc719a8113875b56cb6e985e31cb31dcb88a8804dfc3b913e3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tN5gx5ZB.exe

MD5 d3f9c1faa7a01f825aaabd2b5b98970c
SHA1 fb4119e7f3d3e96d43d9f694e10cf12ee0c0e3ae
SHA256 0709711ff39f499d80d03d5f14b19e7137efa414e1a4571d0d892953c6fefa4e
SHA512 40187030302bc19af8d42cb2fcaeefc71480d555d46f3e694cd3a5773e3caeb563c533293d746e6697a0f04587d4200523b099a25c876efd09dbf07cfdc7ab54

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fG8Qp4EE.exe

MD5 93363bedaf9cd28aae401a6f5bada33b
SHA1 6c477f9ec39bc41e3e577d470b55587704b9208d
SHA256 664e4ec485dba8e32c03a20b68bc6b19883254721d083762abc57acc40686ccf
SHA512 d9947ace95a7c38171c8d3d309b38a7af97bfa23e9f77372078b06326501a54633d5798eb199e98d4e1c46991171eb504438234c873b42b2aa55a4f719946156

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\We8on1Qk.exe

MD5 0dc8f7d79cfade9c5dfe760eb92de13a
SHA1 6d258db018fc96ce7baea4be96e8b8db590a832d
SHA256 435aa84120a6944cc73c849059ea1cde5491583ccef37e2c3b78658ebca198cd
SHA512 c4c3eb9b5d4a4f3a6a1397af8a6d37a9808d6cb752d6d7cf9111af979dc07e5eef481e1d4079605185863362ea0b192e6b62dae6a591cbfdbdf863c06f7dc39a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pz65pt1.exe

MD5 f0831f173733de08511f3a0739f278a6
SHA1 06dc809d653c5d2c97386084ae13b50a73eb5b60
SHA256 8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA512 19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

memory/600-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-38-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/600-41-0x0000000000400000-0x0000000000428000-memory.dmp