Analysis
- max time kernel: 143s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
- submitted: 11/10/2023, 09:21
Static task: static1
Behavioral task: behavioral1
- Sample: b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
- Resource: win10v2004-20230915-en
General
- Target: b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
- Size: 907KB
- MD5: 02ddc57e766bf186b0a848221839e5e9
- SHA1: 59d13a4f71ff1321e7bed568cb670843539dc6e7
- SHA256: b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea
- SHA512: 63dcc3ef1b6af81e6605f6bdc125e7b6202e20196c858a0abd1a92a3e80656628514aff9bc6f7d2ee157bb80f2acd49bc12c540b404fa7ea9b6c3e1f89d8b110
- SSDEEP: 24576:Vy8D1RsaswjByhRFr9udCv7q0LP2gh2E2o:wwsgoF52Cv7l2
Malware Config
Extracted
redline
luate
77.91.124.55:19071
- auth_value: e45cd419aba6c9d372088ffe5629308b
Signatures
- Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral2/memory/4552-28-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4552-29-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4552-30-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
behavioral2/memory/4552-32-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (5 IoCs)
pid | Process
2952 | x1468711.exe
3644 | x8504553.exe
1476 | x3417916.exe
2044 | g2006911.exe
3868 | h5982249.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x1468711.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x8504553.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x3417916.exe
- Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2044 set thread context of 4552 | 2044 | g2006911.exe | 90
- Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4396 | 4552 | WerFault.exe | 90
2180 | 2044 | WerFault.exe | 86
- Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target
PID 2708 wrote to memory of 2952 | 2708 | b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe | 83
PID 2708 wrote to memory of 2952 | 2708 | b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe | 83
PID 2708 wrote to memory of 2952 | 2708 | b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe | 83
PID 2952 wrote to memory of 3644 | 2952 | x1468711.exe | 84
PID 2952 wrote to memory of 3644 | 2952 | x1468711.exe | 84
PID 2952 wrote to memory of 3644 | 2952 | x1468711.exe | 84
PID 3644 wrote to memory of 1476 | 3644 | x8504553.exe | 85
PID 3644 wrote to memory of 1476 | 3644 | x8504553.exe | 85
PID 3644 wrote to memory of 1476 | 3644 | x8504553.exe | 85
PID 1476 wrote to memory of 2044 | 1476 | x3417916.exe | 86
PID 1476 wrote to memory of 2044 | 1476 | x3417916.exe | 86
PID 1476 wrote to memory of 2044 | 1476 | x3417916.exe | 86
PID 2044 wrote to memory of 3504 | 2044 | g2006911.exe | 88
PID 2044 wrote to memory of 3504 | 2044 | g2006911.exe | 88
PID 2044 wrote to memory of 3504 | 2044 | g2006911.exe | 88
PID 2044 wrote to memory of 3664 | 2044 | g2006911.exe | 89
PID 2044 wrote to memory of 3664 | 2044 | g2006911.exe | 89
PID 2044 wrote to memory of 3664 | 2044 | g2006911.exe | 89
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 2044 wrote to memory of 4552 | 2044 | g2006911.exe | 90
PID 1476 wrote to memory of 3868 | 1476 | x3417916.exe | 97
PID 1476 wrote to memory of 3868 | 1476 | x3417916.exe | 97
PID 1476 wrote to memory of 3868 | 1476 | x3417916.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1d5633d84850bec1bbe92b72f80ebb8f95ce9c0642f0930b8f9bfa95da130ea.exe"
  PID: 2708
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1468711.exe
    PID: 2952
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8504553.exe
      PID: 3644
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3417916.exe
        PID: 1476
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2006911.exe
          PID: 2044
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3504
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 3664
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 4552
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 540
              PID: 4396
              Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 580
            PID: 2180
            Signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5982249.exe
          PID: 3868
          Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4552 -ip 4552
  PID: 564
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2044 -ip 2044
  PID: 760
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 805KB
  MD5: 9e2376d62bfccf554beef1a4a7147e39
  SHA1: 9ece230fd8dd9aab9f6daa81f8613b45bf697603
  SHA256: e20795ca09c0e0bbae859b0e914854520bbaaf732706f46075356f6f24e80c5b
  SHA512: b58ea4b7f194d81d69db9c052b681b4113d2317c2dea646e331572da43ca834f45c2fe7bd913b37f6dbe20189e51a07de2ee9f6a4ce6c4f504f1cf165a09e463
- Filesize: 545KB
  MD5: 0e32f58d90566b81ac003ba00774335f
  SHA1: 1963f1c6a3a2c987d77ed3b406f70a40690b9ad8
  SHA256: be6de7c9f17fdd66d1e6e0123c36291634067294ba39b6f739c0d0fc584c11b1
  SHA512: 33ac378a4e3925ca852df5889461e38f1d92c6df55bb00d1b1fe06eca140749936bc710b9a4e46c00c9de25206825fdd64d9d895076e533fa81cbd0990691ecc
- Filesize: 379KB
  MD5: 2c21e5272217a3b911b60af74e4982fe
  SHA1: d2dfb17b589cfa6d1901cbec5b94c53b2292d211
  SHA256: 9f501c5317e05f2d9a339af4b919b5b2ad2060727204a970de7a9ebb3d4ce9b7
  SHA512: cea2050ff4ecc68a3cf188baa6f0010b395ad7f1b290745af9910a91ec9894a65c101d452c890bb3ec2066d8807ca2907b2fd40a346eb16bd6d81bc3538f4e49
- Filesize: 350KB
  MD5: 250c84e2bdae167f99d625dbc5527bc8
  SHA1: 411f67107c17395b3db5d93317c77bf20fb3cbe1
  SHA256: 49201f7755a0dfa7e8e3ac53e0185f5b6452cce7cc9d7355f9188fa6434a8a08
  SHA512: ff35c8d88a602187f7aa28f67bb65495072918ddc8fc9911b2940339797aed9c70036c67fec8ba08bcde7da3d08bfd38b614e24c159ebac3a51fab5ba53fbb4f
- Filesize: 174KB
  MD5: 56e445f9e5a1ccd9673bd5cf50d8301e
  SHA1: f512675779269b91dc8dee283500da1d38a16790
  SHA256: 32c59896cc299ce07c7e12b6db489512c8a434df8d04f7a796eb6f2019445f95
  SHA512: 3ab6761a747e2d47cb587720dc425d370d0427ecc16826d6b489cd1a32fb26792a785f231828248c1485537fff77c8c7a5d767197edec7c9d649d6c2404145f6