Analysis
max time kernel: 160s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 05:55
Static task: static1
Behavioral task: behavioral1
  Sample: 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
  Resource: win10v2004-20230915-en
General
Target: 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
Size: 929KB
MD5: 120a44c174787e2468251b13ab4bdfb9
SHA1: a19b8b24353513645712f6d8a863d4a87fdc70be
SHA256: 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7
SHA512: 036ff4f9003bc145fe8ed7336445bc61bbe6b2916851d0264adadba9f733649a774b8465b8b09fea59a6210f7388aa026a6b59b4d38ace9507cb221a15a463f7
SSDEEP: 24576:ZyiBy1sjD7ZfxQZ99PazLhvZD1J9U3q2i:MkyGXJxQZrPazFd1JO3V
Malware Config
Extracted: redline
  luska
  77.91.124.55:19071
  auth_value: a6797888f51a88afbfd8854a79ac9357
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral2/memory/2952-28-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/2952-29-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/2952-30-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/2952-32-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid | Process
3876 | x1725499.exe
1584 | x6482262.exe
4708 | x9247759.exe
2852 | g0075173.exe
4900 | h0097819.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1725499.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x6482262.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x9247759.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2852 set thread context of 2952 | 2852 | g0075173.exe | 92

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4392 | 2852 | WerFault.exe | 89
3748 | 2952 | WerFault.exe | 92

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 4532 wrote to memory of 3876 | 4532 | 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe | 86
PID 4532 wrote to memory of 3876 | 4532 | 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe | 86
PID 4532 wrote to memory of 3876 | 4532 | 6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe | 86
PID 3876 wrote to memory of 1584 | 3876 | x1725499.exe | 87
PID 3876 wrote to memory of 1584 | 3876 | x1725499.exe | 87
PID 3876 wrote to memory of 1584 | 3876 | x1725499.exe | 87
PID 1584 wrote to memory of 4708 | 1584 | x6482262.exe | 88
PID 1584 wrote to memory of 4708 | 1584 | x6482262.exe | 88
PID 1584 wrote to memory of 4708 | 1584 | x6482262.exe | 88
PID 4708 wrote to memory of 2852 | 4708 | x9247759.exe | 89
PID 4708 wrote to memory of 2852 | 4708 | x9247759.exe | 89
PID 4708 wrote to memory of 2852 | 4708 | x9247759.exe | 89
PID 2852 wrote to memory of 2844 | 2852 | g0075173.exe | 91
PID 2852 wrote to memory of 2844 | 2852 | g0075173.exe | 91
PID 2852 wrote to memory of 2844 | 2852 | g0075173.exe | 91
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 2852 wrote to memory of 2952 | 2852 | g0075173.exe | 92
PID 4708 wrote to memory of 4900 | 4708 | x9247759.exe | 100
PID 4708 wrote to memory of 4900 | 4708 | x9247759.exe | 100
PID 4708 wrote to memory of 4900 | 4708 | x9247759.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe
  command: "C:\Users\Admin\AppData\Local\Temp\6236cf44c07338a74ded96c336ea4ace6ae82d27b8796bc6a046bbd4c2a5f7e7.exe"
  PID: 4532
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe
    command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1725499.exe
    PID: 3876
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe
      command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6482262.exe
      PID: 1584
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe
        command: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9247759.exe
        PID: 4708
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0075173.exe
          PID: 2852
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2844
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 2952
            C:\Windows\SysWOW64\WerFault.exe
              command: C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 540
              PID: 3748
              signatures: Program crash
          C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 604
            PID: 4392
            signatures: Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe
          command: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0097819.exe
          PID: 4900
          signatures: Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2852 -ip 2852
  PID: 3436

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 2952
  PID: 1532
Downloads
Filesize: 827KB
MD5: 2ebdc435d93120f32d30fa312119eab0
SHA1: c2ff4bab3e1ec446c9fb7b4286786a2700ddebef
SHA256: 8e0aeb8776d01888fc1c556293ed8cc1f59c20cc3370d500632bc624ac7a73b0
SHA512: da0f2abe94be5175da0274eb5c8956433285939f15ceca64281a6acae86e997b6c8fdf97e050eef73b15eca4f98f429fc3097f2ef648249a93a4ba974df5c249
Filesize: 555KB
MD5: 2f412ad7797bea87704c7551dbad23b5
SHA1: 7c6239dfd02b43566c308fe538b5fef51b1a6106
SHA256: 26ad225a92c9c8152a554e2545a2371df814a6298a35ad7d37e4f4806e089e8f
SHA512: f9a0d2c8de8c7041d210e9df20af1f2a3155ca5246da1f4d9e0984b0d95a5763c2542c2a6b2890d96717219f8fb540a537a9dd3b196b2ee8f9712add7bca87ee
Filesize: 389KB
MD5: adb516b98c71eb4bbd76ca4110696c67
SHA1: 8d1d2906c8c36b87ebf93108d0c1ae7e8a990d07
SHA256: 068b579116e1f24cb609e1eb39a97f4baab70b88fc1046b7b4ea095cc7e13c7f
SHA512: 2367c8bab28c01b916befbd33cb5b83f56fd0813d5e709b4004268992ed1d790f896ad3a1d69953e7efcd42e228b922b462a8f4fcf25ac2242dccfd0ba6600e2
Filesize: 356KB
MD5: 21948e014a020f924f931d2f233a9c89
SHA1: 97a5eeebd9e98967c139d6d23261b52b1b06b05c
SHA256: 351ce31a07a6b9ab0d3900c7922338feb4ae6fb93c1fa9b77739176ce004dcc1
SHA512: 6c3d4f4799be35d5eeb2545c487a0fb1135400b9691466abaa4d95262f7091a6e2b277376549db4366fa6ffaf433a735c8811fef85008b4881dc28910ff64a22
Filesize: 174KB
MD5: d0380b704348e2db6c1d8f2870626bb3
SHA1: 553821e3bfb2bcef38f14738f3f2447172f6b3e4
SHA256: a8d5970a68d20a219302e97a0472e74d2f3cb5b1853a07773297c38a7486710f
SHA512: 56c9d079567e6a496d147d4f03c078a81d71d71c9cac589d75fbd4b59d93c6042acae9ea1e07c5e6ebaf57a3b6a0c90c887a49615dd227978e54b10bd1cf83d6