Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe
- Resource: win10v2004-20230915-en
General
- Target: c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe
- Size: 928KB
- MD5: 982778b4358e2bfcdcb3d1f9f849cea8
- SHA1: fe22b58030a0a222f414c5083deb681ac6cda9fc
- SHA256: c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359
- SHA512: efebc7e5db6ea636b85453d914555c33422c6307bbe50dd9bce3aeb940e983a3427a55e580e48826e7b6abf731fa57f257d0ae20f7a24a9a4b5cf45f2bbad71a
- SSDEEP: 24576:lybVUlyjCTtX+fJpwWChynpokECz6rtPFcW1EjYm:AbVK5X+fJpwWCwokECmR6Qh
Malware Config
Extracted
- Family: redline
- Botnet: luska
- C2: 77.91.124.55:19071
- auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures

Detect Mystic stealer payload (4 IoCs)
  yara_rule family_mystic matched in:
  - behavioral2/memory/2528-28-0x0000000000400000-0x0000000000428000-memory.dmp
  - behavioral2/memory/2528-29-0x0000000000400000-0x0000000000428000-memory.dmp
  - behavioral2/memory/2528-30-0x0000000000400000-0x0000000000428000-memory.dmp
  - behavioral2/memory/2528-32-0x0000000000400000-0x0000000000428000-memory.dmp

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
  pid   Process
  2476  x5929040.exe
  3352  x7414518.exe
  3768  x4237956.exe
  3928  g5349699.exe
  4428  h4835354.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) by c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str) by x5929040.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Set value (str) by x7414518.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  Set value (str) by x4237956.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

Suspicious use of SetThreadContext (1 IoC)
  pid   Process       description                                  procid_target
  3928  g5349699.exe  PID 3928 set thread context of 2528          92

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  3660  3928        WerFault.exe  89
  2456  2528        WerFault.exe  92

Suspicious use of WriteProcessMemory (28 IoCs)
  pid   target  Process                                                                  procid_target  rows
  3304  2476    c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe  86             3
  2476  3352    x5929040.exe                                                             87             3
  3352  3768    x7414518.exe                                                             88             3
  3768  3928    x4237956.exe                                                             89             3
  3928  1112    g5349699.exe                                                             91             3
  3928  2528    g5349699.exe                                                             92             10
  3768  4428    x4237956.exe                                                             101            3
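The four "Detect Mystic stealer payload" rows above are memory-dump file names, and the name encodes the pid, the dump index and the dumped region. The following is an added example, not code from the report or from Triage, that parses those names, collapses repeated hits on the same region, and notes whether the region starts at 0x00400000, the default ImageBase the MSVC linker gives 32-bit executables. Here all four hits are in pid 2528, the AppLaunch.exe child whose thread context g5349699.exe set, and the region is the same 160 KiB span in every dump. The four input lines are transcribed from the signature table; the field names in the parsed records are this example's own.

```python
import re
from collections import OrderedDict

# Constructed input: the four memory-dump rows from the "Detect Mystic stealer payload"
# signature, one per line, exactly as the report lists them.
MEMORY_HITS = """\
behavioral2/memory/2528-28-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
behavioral2/memory/2528-29-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
behavioral2/memory/2528-30-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
behavioral2/memory/2528-32-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic
"""

# Dump naming as it appears in the report: <task>/memory/<pid>-<dump index>-<start>-<end>-memory.dmp,
# followed by the name of the YARA rule that matched.
DUMP_RE = re.compile(
    r"^(?P<task>[^/\s]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)-memory\.dmp\s+(?P<rule>\S+)$"
)

DEFAULT_IMAGE_BASE_32 = 0x00400000  # default ImageBase of 32-bit PE executables built with MSVC


def parse_hits(text):
    """One dict per row; raises on a row that does not follow the naming scheme."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump row: {line}")
        hits.append({
            "task": m["task"], "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"],
        })
    return hits


def summarize(hits):
    """Collapse rows that hit the same region of the same process into one entry,
    keeping the list of dump indices so the reader can see the match is stable over time."""
    regions = OrderedDict()
    for h in hits:
        key = (h["task"], h["pid"], h["start"], h["end"], h["rule"])
        regions.setdefault(key, []).append(h["idx"])
    summary = []
    for (task, pid, start, end, rule), idxs in regions.items():
        summary.append({
            "task": task, "pid": pid, "rule": rule, "start": start, "end": end,
            "size": end - start, "dumps": sorted(idxs),
            "at_default_image_base": start == DEFAULT_IMAGE_BASE_32,
        })
    return summary


def describe(summary):
    lines = []
    for s in summary:
        where = ("main image region (default 32-bit ImageBase)" if s["at_default_image_base"]
                 else "non-image region")
        lines.append(
            f"pid {s['pid']}: {s['rule']} at {s['start']:#x}-{s['end']:#x} "
            f"({s['size'] // 1024} KiB, {where}), seen in dumps {s['dumps']}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(summarize(parse_hits(MEMORY_HITS))):
        print(line)
```

A region at the default image base that matches the same family rule in every successive dump is the signature of a hollowed host whose original image was replaced by the unpacked payload, rather than a transient buffer; a hit in a heap or private region would print as "non-image region" and deserve a closer look before drawing that conclusion.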
Processes (indentation shows parent/child; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe"
    PID 3304
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5929040.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5929040.exe
        PID 2476
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7414518.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7414518.exe
            PID 3352
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4237956.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4237956.exe
                PID 3768
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5349699.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5349699.exe
                    PID 3928
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID 1112
                    [6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                        PID 2528
                        [7] C:\Windows\SysWOW64\WerFault.exe
                            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 540
                            PID 2456
                            - Program crash
                    [6] C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 148
                        PID 3660
                        - Program crash
                [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4835354.exe
                    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4835354.exe
                    PID 4428
                    - Executes dropped EXE
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3928 -ip 3928
    PID 3248
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528
    PID 5008
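Two things in the tree and signature tables above are worth checking mechanically rather than by eye. First, g5349699.exe (PID 3928) both wrote into AppLaunch.exe (PID 2528) ten times and set its thread context; a dropped binary in a user-writable directory doing that to a freshly started Microsoft binary under C:\Windows is the SetThreadContext form of process hollowing, and it is consistent with the Mystic YARA hits landing in that same PID. Second, the four "Adds Run key" IoCs are all RunOnce values named wextract_cleanupN whose data is advpack.dll,DelNodeRunDLL32 on an IXP00N.TMP directory: that is what wextract.exe (the IExpress self-extractor stub) registers to delete its extraction directory at next logon, so these entries are evidence of a four-level self-extracting dropper chain, not of payload persistence. The example below is added here and is not code from the report or from Triage; it reconstructs both conclusions from rows transcribed from the tables above. The PID-to-image map is taken from the Processes tree, and the hollowing heuristic (writes plus SetThreadContext from a non-Windows image into a Windows image) is this example's own.

```python
import re
from collections import Counter

# Constructed input: PID -> image path, taken from the Processes tree in the report.
IMAGES = {
    3304: r"C:\Users\Admin\AppData\Local\Temp\c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe",
    2476: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5929040.exe",
    3352: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7414518.exe",
    3768: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4237956.exe",
    3928: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5349699.exe",
    4428: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4835354.exe",
    1112: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    2528: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
}

# "Suspicious use of WriteProcessMemory" rows, one per call, as the report phrases them:
# "PID <pid> wrote to memory of <target> <pid> <image> <procid_target>".
WPM_ROWS = (
    ["PID 3304 wrote to memory of 2476 3304 c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe 86"] * 3
    + ["PID 2476 wrote to memory of 3352 2476 x5929040.exe 87"] * 3
    + ["PID 3352 wrote to memory of 3768 3352 x7414518.exe 88"] * 3
    + ["PID 3768 wrote to memory of 3928 3768 x4237956.exe 89"] * 3
    + ["PID 3928 wrote to memory of 1112 3928 g5349699.exe 91"] * 3
    + ["PID 3928 wrote to memory of 2528 3928 g5349699.exe 92"] * 10
    + ["PID 3768 wrote to memory of 4428 3768 x4237956.exe 101"] * 3
)
STC_ROWS = ["PID 3928 set thread context of 2528 3928 g5349699.exe 92"]

# "Adds Run key to start application" rows, value data in the backslash-escaped form used in the table.
REG_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c628953c10d54e957d17721468ecd5d954a3096d96b7e4f23823d55cfa6b7359.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5929040.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x7414518.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x4237956.exe
'''

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)")
REG_RE = re.compile(r'RunOnce\\(wextract_cleanup\d+) = "(.*)" (\S+)$')


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def count_writes(rows):
    """(writer pid, target pid) -> number of WriteProcessMemory rows."""
    writes = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row}")
        writes[(int(m[1]), int(m[2]))] += 1
    return writes


def find_hollowing(wpm_rows, stc_rows, images):
    """Heuristic (this example's own): a non-Windows image that wrote into a child and then set
    the child's thread context, where the child is a Windows binary, is hollowing that child."""
    writes = count_writes(wpm_rows)
    findings = []
    for row in stc_rows:
        m = STC_RE.match(row)
        src, dst = int(m[1]), int(m[2])
        src_img, dst_img = images.get(src, ""), images.get(dst, "")
        if writes[(src, dst)] and under_windows(dst_img) and not under_windows(src_img):
            findings.append({
                "injector": src, "injector_image": src_img.rsplit("\\", 1)[-1],
                "host": dst, "host_image": dst_img.rsplit("\\", 1)[-1],
                "writes": writes[(src, dst)],
            })
    return findings


def classify_runonce(reg_text):
    """Label each RunOnce value: advpack DelNodeRunDLL32 on a directory is wextract's self-cleanup
    (it deletes the extraction directory at next logon); anything else is a persistence candidate."""
    out = []
    for line in reg_text.strip().splitlines():
        m = REG_RE.search(line)
        if not m:
            raise ValueError(f"unparsed row: {line}")
        name, data, writer = m.groups()
        staging = re.search(r"IXP\d{3}\.TMP", data)
        out.append({
            "value": name, "writer": writer,
            "decoded": data.encode("ascii").decode("unicode_escape"),  # undo the table's \\ and \" escaping
            "staging_dir": staging.group(0) if staging else None,
            "kind": "cleanup" if "advpack.dll,DelNodeRunDLL32" in data else "persistence candidate",
        })
    return out


if __name__ == "__main__":
    for f in find_hollowing(WPM_ROWS, STC_ROWS, IMAGES):
        print(f"{f['injector_image']} (pid {f['injector']}) hollowed {f['host_image']} (pid {f['host']}) after {f['writes']} writes")
    for r in classify_runonce(REG_ROWS):
        print(f"{r['value']} by {r['writer']}: {r['kind']} of {r['staging_dir']}")
```

Note what the heuristic does not flag: the first AppLaunch.exe (PID 1112) received three writes but no SetThreadContext, so it is reported only through the write counter; three writes per child is also what every ordinary CreateProcess in this chain produced, which is why the count alone is not used as the signal. The RunOnce classifier should be read the same way: a wextract_cleanupN value that points at something other than DelNodeRunDLL32 would be the interesting case.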
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 826KB
  MD5: f186a3ee41e930f5da41ce3f68b4b681
  SHA1: a584570d2513675a40c6feca50b882f517d5f6f8
  SHA256: 8303a68b5e2204a698d2ed31c768dd0026d84f7d242cfed55d72948b8d999279
  SHA512: 3305d1564a4390ef5a2882e946ee499c484e5a45fa10f883e9d04f064ec7e08744461f618c028d72cf23d6f8723d45ecc46df3630f1b6ed9a0f850945dfed2bd

- Filesize: 555KB
  MD5: 0e17859cfc66165f8e47674fa21e4c44
  SHA1: ca626696b487f9f21ce780589f249bc692717ebe
  SHA256: 2e39c69d85a87f57498bc86031b244a253168feb37776324a3a1bc81da173cd4
  SHA512: faa8390465f351d2eac84217bb91534c6b8190fa40b5e05e479def7e7430cc68ded4d164e806351aa1d5e12334463cc8719468913dd6e91d3d811e43f534ddc6

- Filesize: 389KB
  MD5: d0ec86fa6d83c46557cbfbb505aaca8e
  SHA1: af2fb64884276cd9c327a36248af654c1810ac60
  SHA256: 2536003fadb5857043bd66745889c686803adf1ce3810b4d2967cf3bd9df0b68
  SHA512: 155ec0344a166682b4033801705609b7f309356543c02a1f190ebd2a4555404690bf1f7ceec3dc0458771245001738e8b43e6dc69b0f20f172dc46432c618b5a

- Filesize: 356KB
  MD5: 230f7f2579c06831ed55ec3a685a854b
  SHA1: 20cc3172eab9c3123aa23922e5640c1ce7a05eb7
  SHA256: bffabc8478c1f14bca83c66aefd8836b552f634915f1cdbd0d410eaf4b8a7415
  SHA512: 6e5ae5226e289f04c76bad547b5d7430aa8cd83a060f27281c23476adbc8da1744d5082b7e8d12e35f28b37f25305ea636b231be09a3f754e03310144a8dc124

- Filesize: 174KB
  MD5: 0ee37e0401582644dbbb276456d8f4df
  SHA1: 6d52fb4961bdee1674181e3b9321a72c86284633
  SHA256: 6aca1be0f026fb910b72777414c7fec5496692e21cbf91581dcb1857e1ac928c
  SHA512: 0cd641447333cd08a9a646326ee79079ff76d2d64e423317bea34a82176d5a9f25568256b8e32fb3a53d18068369a60d103adf054b3577d2dc8d54b590cdbb6f
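The report carries two kinds of indicators an analyst will want to export together: the dropped-file digests in the Downloads list and the C2 endpoint from the extracted RedLine config. The following is an added example, not code from the report or from Triage, that turns both into one flat indicator feed. It parses the Downloads records in the flattened form the page presents them (algorithm name fused to the digest, each file listed more than once), rejects any digest whose length is wrong for its algorithm, de-duplicates on SHA256, validates the C2 as an IP literal plus port, and writes CSV. The three embedded records are a subset transcribed from the list above, with one repeated on purpose; the config field names (family, botnet, c2, auth_value) and the feed's column names are this example's assumptions.

```python
import csv
import io
import re
from ipaddress import ip_address

# Constructed input: three "Downloads" records transcribed from the report in its flattened
# form. The 826KB record is repeated, as it is on the page, to exercise de-duplication.
DOWNLOADS = """\
Filesize
826KB
MD5f186a3ee41e930f5da41ce3f68b4b681
SHA1a584570d2513675a40c6feca50b882f517d5f6f8
SHA2568303a68b5e2204a698d2ed31c768dd0026d84f7d242cfed55d72948b8d999279
SHA5123305d1564a4390ef5a2882e946ee499c484e5a45fa10f883e9d04f064ec7e08744461f618c028d72cf23d6f8723d45ecc46df3630f1b6ed9a0f850945dfed2bd
Filesize
826KB
MD5f186a3ee41e930f5da41ce3f68b4b681
SHA1a584570d2513675a40c6feca50b882f517d5f6f8
SHA2568303a68b5e2204a698d2ed31c768dd0026d84f7d242cfed55d72948b8d999279
SHA5123305d1564a4390ef5a2882e946ee499c484e5a45fa10f883e9d04f064ec7e08744461f618c028d72cf23d6f8723d45ecc46df3630f1b6ed9a0f850945dfed2bd
Filesize
174KB
MD50ee37e0401582644dbbb276456d8f4df
SHA16d52fb4961bdee1674181e3b9321a72c86284633
SHA2566aca1be0f026fb910b72777414c7fec5496692e21cbf91581dcb1857e1ac928c
SHA5120cd641447333cd08a9a646326ee79079ff76d2d64e423317bea34a82176d5a9f25568256b8e32fb3a53d18068369a60d103adf054b3577d2dc8d54b590cdbb6f
"""

# Extracted RedLine config from the report; the key names are assumed, not quoted from it.
REDLINE_CONFIG = {
    "family": "redline",
    "botnet": "luska",
    "c2": "77.91.124.55:19071",
    "auth_value": "a6797888f51a88afbfd8854a79ac9357",
}

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^\d+(\.\d+)?\s*[KMG]?B$")


def parse_downloads(text):
    """Split the flattened list into one dict per record; a digest of the wrong length for
    its algorithm means the line was mangled, so it is rejected rather than silently kept."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Filesize":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        if "size" not in current and SIZE_RE.match(line):
            current["size"] = line
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            current[algo.lower()] = digest
    return records


def dedupe(records):
    """Keep the first record per SHA256."""
    seen, unique = set(), []
    for r in records:
        if r["sha256"] not in seen:
            seen.add(r["sha256"])
            unique.append(r)
    return unique


def parse_c2(c2):
    """Split host:port; the host must be an IP literal and the port in range."""
    host, _, port = c2.rpartition(":")
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in {c2}")
    ip_address(host)  # raises ValueError for anything that is not an IP literal
    return host, port


def build_feed(downloads_text, config):
    rows = [
        {"type": "sha256", "value": r["sha256"], "context": f"dropped file, {r['size']}"}
        for r in dedupe(parse_downloads(downloads_text))
    ]
    host, port = parse_c2(config["c2"])
    rows.append({"type": "ipv4-port", "value": f"{host}:{port}",
                 "context": f"{config['family']} C2, botnet {config['botnet']}"})
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value", "context"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_feed(DOWNLOADS, REDLINE_CONFIG)))
```

Only SHA256 goes into the feed as a file indicator; MD5 and SHA1 are still parsed and length-checked because a mismatch there is the easiest way to notice a copy-paste or extraction error before the indicators reach a blocklist. The auth_value is kept in the config but not exported, since it identifies a build rather than something a network or host control can match on.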