Analysis
Max time kernel: 141s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07/10/2023, 13:30
Tasks
Static task static1
Behavioral task behavioral1
  Sample: NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
  Resource: win7-20230831-en
Behavioral task behavioral2
  Sample: NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
Size: 1.2MB
MD5: 7fd4e883571ac0cd2258ffc3cbe35efa
SHA1: 1cfe7b432615a93768d3d330da11c2a285cd3c8d
SHA256: c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c
SHA512: 41f7915f73be38cc2f51a55f232ca2d5be374f5fe7a336c5bee7f8d9ff87c918cae804f432d0f64194e5dbdc6aa05151ec060a950a67f17bf0834be757d29c01
SSDEEP: 24576:SyA79RURQ/FMFNWYePQgq+NGpRMaOL9Sb7h/MPUCjyvJKp:5okS/FMFNIQ1L38wb7hEcAI
Malware Config
Extracted
  Family: redline
  Botnet: gigant
  C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4300-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4300-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4300-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/4300-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023249-41.dat | family_redline
  behavioral2/files/0x0008000000023249-42.dat | family_redline
  behavioral2/memory/5052-44-0x0000000000F30000-0x0000000000F6E000-memory.dmp | family_redline

Executes dropped EXE (6 IoCs)
  pid | Process
  872 | md8Ar3Dp.exe
  3016 | EX9Pe1xL.exe
  2060 | Dc8Jm1XJ.exe
  2584 | AD7rJ5YJ.exe
  3616 | 1tO73Ur4.exe
  5052 | 2Hq179qA.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | md8Ar3Dp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | EX9Pe1xL.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Dc8Jm1XJ.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | AD7rJ5YJ.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3616 set thread context of 4300 | 3616 | 1tO73Ur4.exe | 92

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3872 | 4300 | WerFault.exe | 92
  4828 | 3616 | WerFault.exe | 90

Suspicious use of WriteProcessMemory (28 IoCs; identical rows grouped, count in parentheses)
  description | pid | Process | procid_target
  PID 1840 wrote to memory of 872 | 1840 | NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe | 86 (x3)
  PID 872 wrote to memory of 3016 | 872 | md8Ar3Dp.exe | 87 (x3)
  PID 3016 wrote to memory of 2060 | 3016 | EX9Pe1xL.exe | 88 (x3)
  PID 2060 wrote to memory of 2584 | 2060 | Dc8Jm1XJ.exe | 89 (x3)
  PID 2584 wrote to memory of 3616 | 2584 | AD7rJ5YJ.exe | 90 (x3)
  PID 3616 wrote to memory of 4300 | 3616 | 1tO73Ur4.exe | 92 (x10)
  PID 2584 wrote to memory of 5052 | 2584 | AD7rJ5YJ.exe | 99 (x3)
Processes (tree; the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe (PID 1840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.c0dc5b19144d1bd3fd0856e4345ddc919a4177660dffc4244c52f84edfa9282c_JC.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe (PID 872)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\md8Ar3Dp.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe (PID 3016)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\EX9Pe1xL.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe (PID 2060)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Dc8Jm1XJ.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe (PID 2584)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AD7rJ5YJ.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe (PID 3616)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1tO73Ur4.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4300)
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              [8] C:\Windows\SysWOW64\WerFault.exe (PID 3872)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 540
                  - Program crash
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 4828)
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 156
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe (PID 5052)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Hq179qA.exe
              - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe (PID 1260)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4300 -ip 4300
[1] C:\Windows\SysWOW64\WerFault.exe (PID 4356)
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3616 -ip 3616
Network
MITRE ATT&CK Enterprise v15
Downloads