Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 11:28
Tasks
static1 (static task)
behavioral1: sample 6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe, resource win7-20230831-en
behavioral2: sample 6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe, resource win10v2004-20230915-en
General
Target: 6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe
Size: 912KB
MD5: 690e065e1cc3e5955b7a1f04d5f09c11
SHA1: f97b53a4f70a4acaea3b79faf6d6d4220a3a51ca
SHA256: 6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63
SHA512: 3b54cbb88667aa772042dbf5f49c6d4859e4cb0d16e85c4710ab42e6cb438b44e2f65cb95eadd75c7a8c765270786cd7a3cc9c3647859902f80ab329182ae6a7
SSDEEP: 24576:8y5KvCDxr+w0pqSIjOwFoax+zo+1Glvtvx2G:rCWR+DvI6wGjE+Ilv5x2
Malware Config
Extracted
Family: redline
Botnet: luate
C2: 77.91.124.55:19071
auth_value: e45cd419aba6c9d372088ffe5629308b
Signatures

Detect Mystic stealer payload (4 IoCs)
resource                                                                      yara_rule
behavioral2/memory/1224-28-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
behavioral2/memory/1224-29-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
behavioral2/memory/1224-30-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
behavioral2/memory/1224-32-0x0000000000400000-0x0000000000428000-memory.dmp   family_mystic
All four hits are successive dumps of the same 0x28000-byte image range (0x00400000-0x00428000) in PID 1224, the AppLaunch.exe instance that g9568525.exe wrote into and then called SetThreadContext on (see below). They come from the Windows 10 task (behavioral2). Note that the extracted config is tagged redline while the memory hits are tagged family_mystic; the report carries both verdicts and does not reconcile them.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (5 IoCs)
pid   Process
4532  x0284435.exe
1916  x8567017.exe
2716  x1404123.exe
2692  g9568525.exe
4548  h9029652.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"   (6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe)
wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"   (x0284435.exe)
wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"   (x8567017.exe)
wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"   (x1404123.exe)
These are the RunOnce values that IExpress self-extractors (wextract.exe) register so that their IXPnnn.TMP working directory is deleted at the next logon. They remove the unpacking directory rather than relaunch anything, so on this sample the signature is evidence of four nested IExpress layers, not of a persistence mechanism; treat it as a packaging indicator when triaging.

Suspicious use of SetThreadContext (1 IoC)
PID 2692 (g9568525.exe) set thread context of PID 1224 (AppLaunch.exe, procid_target 96)

Program crash (2 IoCs)
pid   pid_target  Process       procid_target
4460  1224        WerFault.exe  96
2580  2692        WerFault.exe  89

Suspicious use of WriteProcessMemory (31 IoCs)
writer pid  writer process                                                          target pid  procid_target  events
4004        6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe   4532        86             3
4532        x0284435.exe                                                            1916        87             3
1916        x8567017.exe                                                            2716        88             3
2716        x1404123.exe                                                            2692        89             3
2692        g9568525.exe                                                            1884        93             3
2692        g9568525.exe                                                            1852        94             3
2692        g9568525.exe                                                            1224        96             10
2716        x1404123.exe                                                            4548        105            3
Every parent-child pair in the tree shows the same three writes; only PID 1224 receives ten, and it is the one process that also gets a SetThreadContext from its parent and the one whose image range the Mystic YARA rule matches. Writes into a freshly created child followed by SetThreadContext is the process-hollowing sequence: g9568525.exe started the .NET AppLaunch.exe host and ran its payload inside it. The two earlier AppLaunch.exe instances (PIDs 1884 and 1852) received only the usual three writes and no SetThreadContext.
Processes
1  "C:\Users\Admin\AppData\Local\Temp\6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe"  (PID 4004)
     Adds Run key to start application; Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0284435.exe  (PID 4532)
        Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8567017.exe  (PID 1916)
           Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1404123.exe  (PID 2716)
              Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9568525.exe  (PID 2692)
                 Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
               6  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  (PID 1884)
               6  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  (PID 1852)
               6  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"  (PID 1224)
                  7  C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 540  (PID 4460)
                       Program crash
               6  C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 152  (PID 2580)
                    Program crash
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9029652.exe  (PID 4548)
                 Executes dropped EXE
1  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1224 -ip 1224  (PID 4392)
1  C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2692 -ip 2692  (PID 3912)

Each IXPnnn.TMP directory is the working directory of one IExpress self-extractor, so the sample unpacks through four layers before g9568525.exe and h9029652.exe run from IXP003.TMP. Both the hollowed AppLaunch.exe (PID 1224) and its injector g9568525.exe (PID 2692) crashed during the run; the two top-level WerFault.exe -pss entries are the reporting side for those same two PIDs.
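The following is an added example, not Triage's code and not part of the report: it takes the event lists from the Signatures and Processes sections above (the process table, the writer/target pairs, the RunOnce values and the C2 string, all transcribed from this page and expanded from the report's counts) and turns them into the four findings an analyst would write down: the dropper chain, the hollowing pair, which RunOnce entries are only IExpress cleanup, and the parsed C2 endpoint. The classification rule for wextract_cleanupN values and the "target under C:\Windows" heuristic are the author's own, not something the report states.

```python
"""Post-process the sandbox event lists into findings.
Added example; records are transcribed from the report above."""
from collections import Counter
import ipaddress

# PID -> image path, from the Processes section.
PROCESSES = {
    4004: r"C:\Users\Admin\AppData\Local\Temp\6b4520b7b228d550021c6ce04b490397044f4cc15c23ba68a8644b7587b2aa63.exe",
    4532: r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0284435.exe",
    1916: r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8567017.exe",
    2716: r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1404123.exe",
    2692: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9568525.exe",
    1884: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    1852: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    1224: r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
    4548: r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9029652.exe",
}

# (writer pid, target pid), one entry per WriteProcessMemory event: the
# report lists 31 events, three per ordinary child and ten into PID 1224.
WRITE_PROCESS_MEMORY = (
    [(4004, 4532)] * 3 + [(4532, 1916)] * 3 + [(1916, 2716)] * 3
    + [(2716, 2692)] * 3 + [(2692, 1884)] * 3 + [(2692, 1852)] * 3
    + [(2692, 1224)] * 10 + [(2716, 4548)] * 3
)
# (caller pid, target pid) from "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = [(2692, 1224)]

# (value name, value data) from "Adds Run key to start application".
DELNODE = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32"
RUN_ONCE = [
    ("wextract_cleanup0", DELNODE + r' "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ("wextract_cleanup1", DELNODE + r' "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ("wextract_cleanup2", DELNODE + r' "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"'),
    ("wextract_cleanup3", DELNODE + r' "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"'),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def dropper_chain(writes, procs, root):
    """Breadth-first walk of writer->target pairs starting at the submitted
    sample; in this report every drop appears as the parent writing into its child."""
    children = {}
    for src, dst in writes:
        if dst not in children.setdefault(src, []):
            children[src].append(dst)
    order, queue = [], [root]
    while queue:
        pid = queue.pop(0)
        order.append(pid)
        queue.extend(children.get(pid, []))
    return [(pid, image_name(procs[pid])) for pid in order]


def hollowing_candidates(writes, thread_ctx, procs):
    """A parent that writes into a child and then calls SetThreadContext on it
    is the hollowing sequence. Also record whether the target lives under
    C:\\Windows, which is what lets the injected image pass as legitimate."""
    counts = Counter(writes)
    found = []
    for injector, target in thread_ctx:
        n = counts.get((injector, target), 0)
        if n == 0:
            continue  # SetThreadContext with no prior writes: not hollowing
        found.append({
            "injector": injector,
            "injector_image": image_name(procs[injector]),
            "target": target,
            "target_image": image_name(procs[target]),
            "writes": n,
            "target_under_windows": procs[target].lower().startswith("c:\\windows\\"),
        })
    return found


def classify_run_value(name, data):
    """IExpress self-extractors (wextract.exe) register RunOnce\\wextract_cleanupN
    to delete their IXPnnn.TMP directory at next logon via advpack DelNodeRunDLL32.
    That is cleanup of the unpacking directory, not persistence of the payload
    (heuristic chosen for this example)."""
    if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in data:
        return "iexpress_cleanup"
    return "review"


def parse_c2(endpoint):
    """Split the extracted 'host:port' string and validate both halves."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {endpoint!r}")
    ipaddress.ip_address(host)  # raises if the host is not a literal IP
    return host, int(port)


if __name__ == "__main__":
    for pid, image in dropper_chain(WRITE_PROCESS_MEMORY, PROCESSES, 4004):
        print(f"{pid:>5}  {image}")
    for finding in hollowing_candidates(WRITE_PROCESS_MEMORY, SET_THREAD_CONTEXT, PROCESSES):
        print("hollowing:", finding)
    for name, data in RUN_ONCE:
        print(name, "->", classify_run_value(name, data))
    print("C2:", parse_c2("77.91.124.55:19071"))
```

Run as-is it prints the chain from the submitted sample down to the two IXP003.TMP executables, a single hollowing finding (g9568525.exe into AppLaunch.exe, ten writes, target under C:\Windows), four iexpress_cleanup classifications, and the C2 as a validated (host, port) pair. The same three functions work on any Triage report once its tables are transcribed into the same tuples.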
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 810KB
MD5: 228355e9ea9035c57a6d0f924a1aa38a
SHA1: 6a9ed78f28e14fc825c4ea9c8bfb8a3d9cf0fbd6
SHA256: 99912306d80b1835c689f54964bc7a2cd030149846e7ad938135256749a89d7a
SHA512: 1d5e5893349dea3d8b3230552dc4e4b3baef035ff147b1854e6cabc117befa90739e058de6dc004b73cc30d0fb0fac070f4deb7e8c78d066caf499ff83112aa4

Filesize: 548KB
MD5: 8ed350dac50ca1e2ce3d0f0c30c0a713
SHA1: 76702efb9a95485409fe365ba812e5c6e6822436
SHA256: 3e6e6ff930a2559ea8722a269997073fcba202ec93ca06398e59896892741c42
SHA512: d9457028d8954b6fd6a8147fd021acfdc74db71627918d50cfa46ca25e3f1a49f7b622bf99d32562e7b4992a8669588208c47cb8419b4327d67076d5dce28e5e

Filesize: 382KB
MD5: 6193742f1b888fac20d35b8da58786b1
SHA1: 5631db5fbb4201d3cc72e8a90e24a4428e33cc00
SHA256: cbff7325b92d67d8a839e985c32ecd337691022c384f700957210a52d7d2e497
SHA512: ac8c413884862e54b5408635179599e36ddb1dabf117048e0938d58d9da9e406e9d09940929e4f65cddad3b679675f9e57680963f957570befe7def74b065340

Filesize: 346KB
MD5: fcc2426b468af441fee45cfa761d955e
SHA1: b4689257c54e5388dc664413d0acb86644b1ca59
SHA256: 2b469261d5c33ac10e2afd59a255f2f6df7704638a1f840790920f4ca797c15a
SHA512: 7bfe304710de83519017629d3c10b638c4c1dfea1e993d2309386bd67ca7c3a679639a5847e9f15b9b579ed6aea5afa106f1c95091470232dced58ad69390d26

Filesize: 174KB
MD5: 714ddb8b4af0c1b651ba0554fc2c5a82
SHA1: 4cee2789514d5e5909ce080599ed56639d950cad
SHA256: 09005c1aee50dc6b09050b7b415df5d15b0aef96f518cef6e54def680c77b862
SHA512: 57099f33f9add2794cbce0388ed0fbf19e85f0e1e4cc301caca3bda61cf240252d5fb07283c28c7f4953386781092411b22ab172ab94344fbb67481294c66df6