Analysis
max time kernel: 151s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 10/10/2023, 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
  Resource: win10v2004-20230915-en
General
Target: fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe
Size: 928KB
MD5: ccdb878d630fde0f0dd9f2b394605f3d
SHA1: c73f01d4a171fb9b46b0d8a059551c71d13c355d
SHA256: fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827
SHA512: 471f05d8b31a4f1dd892e00657b2fc90ffdfc8798bf55449e5919503a119be51f7b7b3b1017cfdd3d0aac411a52c436266d135d176922d080b3d2c91f8d4093b
SSDEEP: 24576:ry/e658JE7Z178dF7TNDPJm9hKoKoOF9QXE4lhbKV8:e/e6FH8xk9hKZuXEs
Malware Config
Extracted
Family: redline
Botnet: luska
C2: 77.91.124.55:19071
auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource / yara_rule:
  behavioral2/memory/4960-28-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
  behavioral2/memory/4960-29-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
  behavioral2/memory/4960-30-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
  behavioral2/memory/4960-32-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
  pid / Process:
  3348 x2178722.exe
  2876 x2956423.exe
  4468 x5762320.exe
  1816 g8619343.exe
  3568 h9280668.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description / ioc / Process:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (x2178722.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (x2956423.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (x5762320.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  PID 1816 set thread context of 4960 (g8619343.exe, procid_target 93)
- Program crash (2 IoCs)
  pid / pid_target / Process / procid_target:
  2976 crashed 4960 (WerFault.exe, procid_target 93)
  2872 crashed 1816 (WerFault.exe, procid_target 91)
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / Process / procid_target (identical rows collapsed, count in brackets):
  PID 536 wrote to memory of 3348 [3] (fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe, procid_target 88)
  PID 3348 wrote to memory of 2876 [3] (x2178722.exe, procid_target 89)
  PID 2876 wrote to memory of 4468 [3] (x2956423.exe, procid_target 90)
  PID 4468 wrote to memory of 1816 [3] (x5762320.exe, procid_target 91)
  PID 1816 wrote to memory of 4960 [10] (g8619343.exe, procid_target 93)
  PID 4468 wrote to memory of 3568 [3] (x5762320.exe, procid_target 98)
Processes
- C:\Users\Admin\AppData\Local\Temp\fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe (PID 536)
  command line: "C:\Users\Admin\AppData\Local\Temp\fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe (PID 3348)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2178722.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe (PID 2876)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2956423.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe (PID 4468)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5762320.exe
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe (PID 1816)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8619343.exe
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4960)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\SysWOW64\WerFault.exe (PID 2976)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 192
              signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 2872)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 156
            signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe (PID 3568)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9280668.exe
          signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3300)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1816 -ip 1816
- C:\Windows\SysWOW64\WerFault.exe (PID 4652)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4960 -ip 4960
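The signature rows and the process tree above describe one chain: four nested IExpress self-extractors (each leaves a wextract_cleanupN RunOnce value pointing at its IXP00N.TMP directory), the innermost dropping g8619343.exe and h9280668.exe; g8619343.exe writes into a freshly started AppLaunch.exe ten times and then calls SetThreadContext, which is the process-hollowing sequence, and the Mystic YARA hits are in memory of that hollowed AppLaunch.exe (PID 4960) at 0x400000. The script below, an added example and not tria.ge code, reconstructs that chain and flags those patterns from records transcribed by hand from this report; the record layout, the function names and the HOLLOW_HOSTS allowlist are assumptions made for the example, and it does not attribute the extracted RedLine config to a process because the report does not say which one carries it.

```python
"""Rebuild the dropper chain and flag hollowing from sandbox signature rows
(added example, not tria.ge code).  Records are transcribed from this
report with identical rows collapsed; layout and names are assumptions."""
import re
from collections import defaultdict

# pid -> image name, from the process tree
PROCS = {
    536: "fea83d0257e158a68f352194a75f8ff5bf350e77f045b2b734698f490b12c827.exe",
    3348: "x2178722.exe", 2876: "x2956423.exe", 4468: "x5762320.exe",
    1816: "g8619343.exe", 4960: "AppLaunch.exe", 3568: "h9280668.exe",
}
# (writer pid, target pid, count) from "PID a wrote to memory of b"
WRITES = [(536, 3348, 3), (3348, 2876, 3), (2876, 4468, 3), (4468, 1816, 3),
          (1816, 4960, 10), (4468, 3568, 3)]
# (pid, target pid) from "PID a set thread context of b"
THREAD_CONTEXT = [(1816, 4960)]
# (pid, RunOnce value name, data) from "Adds Run key to start application"
_CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'
RUNONCE = [(536, "wextract_cleanup0", _CLEANUP % "IXP000.TMP"),
           (3348, "wextract_cleanup1", _CLEANUP % "IXP001.TMP"),
           (2876, "wextract_cleanup2", _CLEANUP % "IXP002.TMP"),
           (4468, "wextract_cleanup3", _CLEANUP % "IXP003.TMP")]
# Signed Windows/.NET binaries commonly used as hollowing hosts
# (assumed allowlist for this example, not taken from the report)
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}

_KEY_RE = re.compile(r"wextract_cleanup(\d+)$")
_VAL_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+?)\\?"')
_DUMP_RE = re.compile(r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)"
                      r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")


def chains(writes, root):
    """Follow writer->target edges from root and return every root-to-leaf
    path.  Each dropper here writes into the child it spawns (the sandbox
    records process-creation setup as writes), so the paths are the chain."""
    children = defaultdict(list)
    for src, dst, _ in writes:
        if dst not in children[src]:
            children[src].append(dst)
    paths, stack = [], [[root]]
    while stack:
        path = stack.pop()
        nxt = [c for c in children[path[-1]] if c not in path]  # no cycles
        if not nxt:
            paths.append(path)
        stack.extend(path + [c] for c in reversed(nxt))
    return paths


def hollowing_candidates(writes, thread_context, procs):
    """A writer that also resets the target's thread context, with the write
    count: many writes followed by SetThreadContext is the hollowing sequence.
    Returns (pid, name, target pid, target name, writes, known host?)."""
    counts = {(s, d): n for s, d, n in writes}
    hits = []
    for src, dst in thread_context:
        if (src, dst) in counts:
            target = procs.get(dst, "?")
            hits.append((src, procs.get(src, "?"), dst, target,
                         counts[(src, dst)], target.lower() in HOLLOW_HOSTS))
    return hits


def iexpress_layers(runonce):
    """Parse wextract's RunOnce cleanup entries: one per IExpress
    self-extractor, so the number of layers is the packer nesting depth."""
    layers = []
    for pid, name, data in runonce:
        km, vm = _KEY_RE.search(name), _VAL_RE.search(data)
        if km and vm:
            layers.append((int(km.group(1)), pid,
                           vm.group("dir").rsplit("\\", 1)[-1]))
    return sorted(layers)


def parse_dump(resource):
    """Split a '<pid>-<n>-<start>-<end>-memory.dmp' YARA-hit resource name
    into pid and the hit region, so it can be tied back to a process."""
    m = _DUMP_RE.search(resource)
    if not m:
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "start": start, "end": end,
            "size": end - start}


if __name__ == "__main__":
    for path in chains(WRITES, 536):
        print(" -> ".join(f"{PROCS[p]}({p})" for p in path))
    print("hollowing:", hollowing_candidates(WRITES, THREAD_CONTEXT, PROCS))
    print("iexpress layers:", iexpress_layers(RUNONCE))
    hit = parse_dump("behavioral2/memory/4960-28-0x0000000000400000-0x0000000000428000-memory.dmp")
    print("mystic hit:", hit, "(in the hollowed host)" if hit["pid"] == 4960 else "")
```

Run stand-alone it prints the two root-to-leaf paths (the g8619343.exe branch ending in AppLaunch.exe and the h9280668.exe branch), the single hollowing candidate with its ten writes, the four IXP00N.TMP layers in order, and the 0x28000-byte Mystic hit region in PID 4960. The same functions apply to any report in this layout; the HOLLOW_HOSTS check is only a hint, since a hollowed target can be any executable.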
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 826KB
  MD5: 53205f4f9873e04adee8052e7b2e023c
  SHA1: f243264aa408081f877ac4d6e41e62c9c7a903d1
  SHA256: 373eb9ddc82c29fe1e0b4b892943d81a7d12a75b17e58700375f5c2d87b2c7d1
  SHA512: 4010ec898899138a61872db4b7f25ff7165a922d2b955d20f7edb7e1458a37378ae0dd0cc90fd4163c2a85b0664762156248ad8d774ba0c3b86343774266140b
- Filesize: 556KB
  MD5: a70aaebe9564cb5398443886fa7dfc18
  SHA1: 43a3abd09994152c6bdcf2af35d6da993343d177
  SHA256: 7377e9cd0a05410baa8f0b76b7a7798bf368630042f46d3863068fa966362c00
  SHA512: 965bb70459028af028b5a3b21b1afb7702ca0443199ed126ef8d0d49c6ab3a733d356b70fa33c2062b083509453c933128177ebddc273311d8d9e53561fcdbb0
- Filesize: 390KB
  MD5: 52e6bfda11be9c7f5f4fbaa119e54ac8
  SHA1: 9c1de1bcbe31b2e2fc1a1b8862571837632b8264
  SHA256: 20f91a9f41f238feb0c67fdf87057b0b4f130a014dc33977989d500381032262
  SHA512: e8a3a9e24710780d8d0d97c932db6fd4d45490f3ab416dd622bf81ea279c063f6d7db52e7b82b8dba9969a7b05555a67468f907a709f92b53e7212d0fc1f3587
- Filesize: 356KB
  MD5: e2a7fb4215581c10aa65ad047a3a818c
  SHA1: 13e0b97e71b42cf7db6dfef300e83feae0416f64
  SHA256: c826fa04ee7b3744ef3863b2665d1f1d57f25375e237413af032fd52e0b13523
  SHA512: 3cbf489ab7d7815af4c10568f8ddda08f9772ffafed2330b46e72b83f112171620b2792fbfc7e1432c783c09ec7e4584b4f8e859a58f7ea40cdd9b6bbe2b689a
- Filesize: 174KB
  MD5: 0ea9646e8c37a4a955ae6dec7d186211
  SHA1: efd24aa6fc9db9a2f8ae5e8206cff5ccf41752ff
  SHA256: 65c981a99a5ff2338ab072a12a4335eb0a15e152e7b456cf385c484a34306281
  SHA512: 25c8a506a5aa561a12054df052935e9c9e268031b8408b37ff3bf310927a523a43570ce4319900e8dfe57e5d11e71874e0ae10345c29638832c22fd3a12d0abb