Analysis

Max time kernel: 151s
Max time network: 168s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10/10/2023, 20:45

Static task: static1

Behavioral task: behavioral1
  Sample: 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
  Resource: win10v2004-20230915-en
General

Target: 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
Size: 1.0MB
MD5: f866e8c43a85c50cc717ae40adb5cb6d
SHA1: 015f7d1090741a56bcf4179ce82b2d0f9e292ee6
SHA256: 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9
SHA512: 973d56b7c06009415d96ccc7fd4012c2c8b97262bf05c22f69c2ef0161972b56abee12fd37a2c808b72e32c6d922da64c5ace3d319d9107c847f9c0b4c28628b
SSDEEP: 24576:CylZiL54xBHHS0Ay615EFKrzfOdpCidbjTRelK1:pmd7MA5EErzYpCi1ReM
Malware Config

Extracted
  Family: redline
  Botnet: luska
  C2: 77.91.124.55:19071
  auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/1000-35-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/1000-36-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/1000-37-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/1000-39-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (6 IoCs)
  pid | Process
  1976 | x0330471.exe
  3664 | x3821732.exe
  3936 | x6844263.exe
  4700 | x5348639.exe
  2676 | g6634113.exe
  4168 | h6807148.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x0330471.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x3821732.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x6844263.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | x5348639.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2676 set thread context of 1000 | 2676 | g6634113.exe | 94

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2884 | 1000 | WerFault.exe | 94
  4544 | 2676 | WerFault.exe | 92

Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 3120 wrote to memory of 1976 | 3120 | 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe | 88
  PID 3120 wrote to memory of 1976 | 3120 | 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe | 88
  PID 3120 wrote to memory of 1976 | 3120 | 78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe | 88
  PID 1976 wrote to memory of 3664 | 1976 | x0330471.exe | 89
  PID 1976 wrote to memory of 3664 | 1976 | x0330471.exe | 89
  PID 1976 wrote to memory of 3664 | 1976 | x0330471.exe | 89
  PID 3664 wrote to memory of 3936 | 3664 | x3821732.exe | 90
  PID 3664 wrote to memory of 3936 | 3664 | x3821732.exe | 90
  PID 3664 wrote to memory of 3936 | 3664 | x3821732.exe | 90
  PID 3936 wrote to memory of 4700 | 3936 | x6844263.exe | 91
  PID 3936 wrote to memory of 4700 | 3936 | x6844263.exe | 91
  PID 3936 wrote to memory of 4700 | 3936 | x6844263.exe | 91
  PID 4700 wrote to memory of 2676 | 4700 | x5348639.exe | 92
  PID 4700 wrote to memory of 2676 | 4700 | x5348639.exe | 92
  PID 4700 wrote to memory of 2676 | 4700 | x5348639.exe | 92
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 2676 wrote to memory of 1000 | 2676 | g6634113.exe | 94
  PID 4700 wrote to memory of 4168 | 4700 | x5348639.exe | 101
  PID 4700 wrote to memory of 4168 | 4700 | x5348639.exe | 101
  PID 4700 wrote to memory of 4168 | 4700 | x5348639.exe | 101
Processes

C:\Users\Admin\AppData\Local\Temp\78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78b21cae87306b40b597c02efc776c5331e3de89c9fb2b74adf60c02752ae2c9.exe"
  PID: 3120
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0330471.exe
    PID: 1976
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3821732.exe
      PID: 3664
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6844263.exe
        PID: 3936
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x5348639.exe
          PID: 4700
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\g6634113.exe
            PID: 2676
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              PID: 1000

              C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 196
                PID: 2884
                - Program crash

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 588
              PID: 4544
              - Program crash

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6807148.exe
            PID: 4168
            - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2676 -ip 2676
  PID: 1352

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1000 -ip 1000
  PID: 5052
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 928KB
MD5: 1dd0105374ed2849af4fbea60dc1263a
SHA1: 0f999680dc964fec21909d0e21046961218de86e
SHA256: 1e6630a4833e362af70b912da480bb86c9fcd9501ddbc5e2b1ebc78a31c404d4
SHA512: 8c6cd78ade80d95af64cf2f1e192e9214f0f9bc0cef0532371af8ec7171ad12b5a91ac81ff372446fea0929f81153182e8a9c155fcc323de8b9fa3768185ba9f

Filesize: 746KB
MD5: 78ca9edc41564d56fb90571b9a760164
SHA1: aaa18dcc7e28adeb383d9bc65a8421d7df8ea88b
SHA256: 67781bf140b0bb77a91f0d1f9f70a02bf4b4751ca725df38bb783ede01dda5d2
SHA512: 719d14eefcacb4063317d8699f6ff2ac829c7df2d4cab99bc4967d5dd8074bf970b63f46b4668d7e0efa64246d86b22f91ff56417e07293affe3032772f4ccf5

Filesize: 515KB
MD5: 8e7430a8c392dbebc0ddda6a1c170287
SHA1: 6494942f39b9e1d8dc2d2afd20c535aeb6f0f276
SHA256: 4aab8d2920bac28a115141e6dd41242aeda80941d6f9b46ee22e3eb8326f64c6
SHA512: 67a5c9fea06e695801b11cde9ec7a04cda12b283e83a9a79b203157c177858547ba88f8d696373403466a2067fba2470b234981aad1bf0a96897a3cfeae99296

Filesize: 350KB
MD5: fe0baded9f0b055f0824d99b647b032d
SHA1: b7dffbb66bd35adc884850adaaa130564b8fcb22
SHA256: 57903b2af8c1ba2b88b3caee1457622209b6eae85cb14cb4b9cba8fff4b9def2
SHA512: 0b8e1cc86883c3844466f7c668036ade6bac507c780f290f584a3d5d5fdb68b2bc4aee915519732336a16a301f4e6ddf9d56db96941fd5c7c441c0288505fb70

Filesize: 276KB
MD5: 4186d77c96511ae22ef295132a469f08
SHA1: da0498d6bc8ae72ba77910879523e47875e6a9bf
SHA256: 28c41fcf920a949921c7c6c43195b9bc38c60eec39c4a156fd704c6c33a43caa
SHA512: e0f4104b538089e7fc8ecc818681a2adbf615c2ac0be2be9fb1ba3c1718037da69ded59a894a1a5252400f938fb742deef30bad07d29f95d737f0e8d67b833a8

Filesize: 174KB
MD5: 7727cb9dfbd2bd64f3a2968fbdab2f63
SHA1: 04cbeb69bae8507360a26e4941e8ff74f5258a48
SHA256: 72e38390bd5b6ff77efb4ca5e619385938cc57984b6c87048750cd952113b357
SHA512: 84a6c6a3c58d7cdd71b36e5513d4a662f4c9ff8069c4dc44d03bb92921d7eb42a8ec04963d80f22e5b7441bbf446be94666752ca78547e0d9c9a43833de7949a