Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 178s
max time network: 315s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 11/10/2023, 14:56
Static task
static1
Behavioral task
behavioral1
Sample
14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Resource
win10v2004-20230915-en
General
Target: 14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Size: 929KB
MD5: 299cd7a2e02c1750355def68009a316e
SHA1: 1940e007e036b2491e3167792dd13adb74dd231c
SHA256: 14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d
SHA512: 0182a16b0990007d380e7a6d02390d27c094e4801f5607053597ed8f6c8afab9aa95373e041c47b7d22d588d0528d42e62ed75922bd3f524ae72938fc7412e04
SSDEEP: 24576:pyN6kW2AV6b/11GMCW29D6SKE/yWah3n4:cXWBO/vCWCeRJ
Malware Config
Extracted
Family: redline
Botnet: kendo
C2: 77.91.124.82:19071
auth_value: 5a22a881561d49941415902859b51f14
Signatures
Detect Mystic stealer payload 4 IoCs
resource                                                                     yara_rule
behavioral2/memory/1028-28-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral2/memory/1028-29-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral2/memory/1028-30-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
behavioral2/memory/1028-32-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
All four hits are on the memory of PID 1028, the AppLaunch.exe instance that g1472671.exe wrote into and whose thread context it reset (the process-hollowing pattern; see the SetThreadContext and WriteProcessMemory rows below), at the image range 0x400000-0x428000. Note the mismatch with the extracted config: the config parser identified RedLine (botnet kendo, C2 77.91.124.82:19071), while the YARA rule on the hollowed image matches Mystic. The report does not say which dropped file carried which payload, so treat the C2 as RedLine's and do not assume it belongs to the Mystic-tagged image.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 5 IoCs
pid   Process
636   x7746723.exe
2684  x1697115.exe
536   x9833609.exe
3856  g1472671.exe
4668  h2124964.exe
Adds Run key to start application 2 TTPs 4 IoCs
description      ioc                                                                                                                                                                                                                                         Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  x7746723.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  x1697115.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  x9833609.exe
These are not persistence entries for the payload. wextract_cleanupN with advpack.dll,DelNodeRunDLL32 is the RunOnce value the Windows IExpress/wextract self-extractor writes so that its IXP00N.TMP scratch directory is deleted at the next logon, one entry per extractor that ran. Four entries, written by the sample and then by x7746723.exe, x1697115.exe and x9833609.exe in turn, mean four nested self-extracting layers (IXP000.TMP through IXP003.TMP) before the final-stage binaries g1472671.exe and h2124964.exe appear.
Suspicious use of SetThreadContext 1 IoCs
description                                pid   Process       procid_target
PID 3856 set thread context of 1028        3856  g1472671.exe  94
g1472671.exe (PID 3856) is also the parent of PID 1028, the AppLaunch.exe it launched with no arguments, and the only writer with more than three WriteProcessMemory rows against a single target. Resetting the thread context of a child you have just written into is the process-hollowing sequence; the Mystic YARA hits above are on that child's memory.
Program crash 3 IoCs
pid   pid_target  Process       procid_target
4112  1028        WerFault.exe  94
1140  1028        WerFault.exe  94
544   3856        WerFault.exe  90
Suspicious use of WriteProcessMemory 28 IoCs
description                          pid   Process                                                                   procid_target
PID 4588 wrote to memory of 636      4588  14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe  86
PID 4588 wrote to memory of 636      4588  14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe  86
PID 4588 wrote to memory of 636      4588  14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe  86
PID 636 wrote to memory of 2684      636   x7746723.exe                                                              88
PID 636 wrote to memory of 2684      636   x7746723.exe                                                              88
PID 636 wrote to memory of 2684      636   x7746723.exe                                                              88
PID 2684 wrote to memory of 536      2684  x1697115.exe                                                              89
PID 2684 wrote to memory of 536      2684  x1697115.exe                                                              89
PID 2684 wrote to memory of 536      2684  x1697115.exe                                                              89
PID 536 wrote to memory of 3856      536   x9833609.exe                                                              90
PID 536 wrote to memory of 3856      536   x9833609.exe                                                              90
PID 536 wrote to memory of 3856      536   x9833609.exe                                                              90
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 3856 wrote to memory of 1028     3856  g1472671.exe                                                              94
PID 1028 wrote to memory of 4112     1028  AppLaunch.exe                                                             99
PID 1028 wrote to memory of 4112     1028  AppLaunch.exe                                                             99
PID 1028 wrote to memory of 4112     1028  AppLaunch.exe                                                             99
PID 536 wrote to memory of 4668      536   x9833609.exe                                                              104
PID 536 wrote to memory of 4668      536   x9833609.exe                                                              104
PID 536 wrote to memory of 4668      536   x9833609.exe                                                              104
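The RunOnce rows and the WriteProcessMemory/SetThreadContext rows above are enough to re-derive both the unpacking depth and the injection step without re-running the sample. The script below is an added example, not part of the tria.ge report or of any tool the report uses: its only input is the rows transcribed from this page (PIDs, image paths and registry values are copied from the signatures and process tree); the three-writes baseline, the Temp-path and C:\Windows path checks, and the function names are the example's own assumptions, chosen so that ordinary parent/child spawns in this report drop out and only the g1472671.exe to AppLaunch.exe pair remains.

```python
"""Re-derive SFX nesting depth and the hollowing step from sandbox rows.

Added example; the data below is transcribed from the tria.ge report for
14d695c1...c85d.exe and is the script's only input. Nothing here touches a
live system.
"""
import re
from collections import Counter

SAMPLE = "14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ADVPACK = r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "


def cleanup_entry(n):
    # RunOnce data exactly as wextract writes it (quotes included)
    return f'{ADVPACK}"{TEMP}\\IXP{n:03d}.TMP\\"'


# (RunOnce value name, data, process that set it): the four "Adds Run key" rows
RUNONCE_ROWS = [
    ("wextract_cleanup0", cleanup_entry(0), SAMPLE),
    ("wextract_cleanup1", cleanup_entry(1), "x7746723.exe"),
    ("wextract_cleanup2", cleanup_entry(2), "x1697115.exe"),
    ("wextract_cleanup3", cleanup_entry(3), "x9833609.exe"),
]

# pid -> (image name, full path, parent pid): the report's process tree
PROCESSES = {
    4588: (SAMPLE, TEMP + "\\" + SAMPLE, None),
    636: ("x7746723.exe", TEMP + r"\IXP000.TMP\x7746723.exe", 4588),
    2684: ("x1697115.exe", TEMP + r"\IXP001.TMP\x1697115.exe", 636),
    536: ("x9833609.exe", TEMP + r"\IXP002.TMP\x9833609.exe", 2684),
    3856: ("g1472671.exe", TEMP + r"\IXP003.TMP\g1472671.exe", 536),
    1028: ("AppLaunch.exe",
           r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe", 3856),
    4112: ("WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe", 1028),
    4668: ("h2124964.exe", TEMP + r"\IXP003.TMP\h2124964.exe", 536),
}

# (writer pid, target pid), one tuple per "wrote to memory of" row, 28 in all
WRITES = ([(4588, 636)] * 3 + [(636, 2684)] * 3 + [(2684, 536)] * 3
          + [(536, 3856)] * 3 + [(3856, 1028)] * 10 + [(1028, 4112)] * 3
          + [(536, 4668)] * 3)
# (caller pid, target pid), one tuple per "set thread context of" row
THREAD_CONTEXT = [(3856, 1028)]

_CLEANUP_NAME = re.compile(r"^wextract_cleanup(\d+)$")
_IXP_DIR = re.compile(r"\\(IXP\d{3}\.TMP)\\")


def sfx_layers(rows=RUNONCE_ROWS):
    """Return [(layer, scratch dir, process that set the value)] sorted by layer.

    Each wextract_cleanupN value pointing at an IXP00N.TMP directory through
    advpack DelNodeRunDLL32 is one IExpress/wextract extractor that ran, so
    the length of the list is the nesting depth of the SFX chain."""
    layers = []
    for name, data, setter in rows:
        m = _CLEANUP_NAME.match(name)
        d = _IXP_DIR.search(data)
        if not (m and d and "advpack.dll,DelNodeRunDLL32" in data):
            continue  # some other RunOnce value, not the stock cleanup entry
        layers.append((int(m.group(1)), d.group(1), setter))
    return sorted(layers)


def ancestry(pid, procs=PROCESSES):
    """Image names from the root sample down to pid (the drop chain)."""
    chain = []
    while pid is not None:
        name, _, parent = procs[pid]
        chain.append(name)
        pid = parent
    return chain[::-1]


def find_hollowing(writes=WRITES, ctx=THREAD_CONTEXT, procs=PROCESSES):
    """Flag (injector, target) pairs that show the hollowing sequence:
    the injector wrote into the target AND reset its thread context, the
    target image lives under C:\\Windows and the injector runs from the
    user's Temp directory (assumed heuristics, not from the report)."""
    write_count = Counter(writes)
    hits = []
    for injector, target in ctx:
        n = write_count.get((injector, target), 0)
        if n == 0:
            continue  # context reset without prior writes: not this pattern
        inj_name, inj_path, _ = procs[injector]
        tgt_name, tgt_path, tgt_parent = procs[target]
        if not tgt_path.lower().startswith("c:\\windows\\"):
            continue
        if "\\appdata\\local\\temp\\" not in inj_path.lower():
            continue
        hits.append({"injector": injector, "injector_image": inj_name,
                     "target": target, "target_image": tgt_name,
                     "writes": n, "spawned_by_injector": tgt_parent == injector})
    return hits


def writes_per_ordinary_spawn(writes=WRITES, ctx=THREAD_CONTEXT):
    """Distinct write counts for pairs with no SetThreadContext; in this
    report every plain CreateProcess shows the same number (three)."""
    injected = set(ctx)
    return sorted({n for pair, n in Counter(writes).items() if pair not in injected})


if __name__ == "__main__":
    for layer, scratch, setter in sfx_layers():
        print(f"SFX layer {layer}: {scratch} unpacked by {setter}")
    print("drop chain:", " -> ".join(ancestry(1028)))
    for h in find_hollowing():
        print(f"hollowing candidate: {h['injector_image']} ({h['injector']}) -> "
              f"{h['target_image']} ({h['target']}), {h['writes']} writes vs "
              f"{writes_per_ordinary_spawn()} for an ordinary spawn")
```

The baseline function is what makes the write count meaningful: the sandbox records three WriteProcessMemory rows for every ordinary spawn in this report, so the ten rows from g1472671.exe into AppLaunch.exe stand out even before the SetThreadContext row is considered. The same two checks apply to any telemetry that can be mapped to (caller, target) pairs; the path conditions are what keep normal parent/child noise out of the result.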
Processes
1  C:\Users\Admin\AppData\Local\Temp\14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\14d695c1ec9a73ee2293603902be95508f6378f78737a51ce70901b602a1c85d.exe"
   PID:4588
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7746723.exe
      PID:636
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1697115.exe
         PID:2684
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9833609.exe
            PID:536
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1472671.exe
               PID:3856
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (no arguments)
                  PID:1028
                  - Suspicious use of WriteProcessMemory
                  7  C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 540
                     PID:4112
                     - Program crash
                  7  C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 540
                     PID:1140
                     - Program crash
               6  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 580
                  PID:544
                  - Program crash
            5  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2124964.exe
               PID:4668
               - Executes dropped EXE
1  C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3856 -ip 3856
   PID:4240
1  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1028 -ip 1028
   PID:2464
The leading number is the depth in the tree. Each x*.exe stage runs from the IXP00N.TMP directory its parent extracted; the hollowed AppLaunch.exe (PID 1028) crashed twice and its injector g1472671.exe (PID 3856) once, which is what the three WerFault -u entries and the two top-level WerFault -pss entries record. h2124964.exe is started by x9833609.exe after the AppLaunch.exe crash and is the last dropped binary to run.
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize  827KB
MD5       c3fdb3b40ca2d65e2e4af55bce498de2
SHA1      9d151d7809273f241835d541a2a2977861196137
SHA256    7b452398ec5d8d7b96497e8825b207f55d5e5b710120508325773a27cb162e4a
SHA512    7155d7a6e58a8b574cd964261477eb3e936939e3837356e7efe594f84ab2802a7569c19c9daf265afd72080c7524388ca80c448da07439ef811386c7a69513ff

Filesize  556KB
MD5       c33744d8cad19bfd740ce6cabcb9f1ac
SHA1      3675b10687c7ddd481a0d0fc1d39366a5fe4be3e
SHA256    bee2bb9ebd6874d9ff991a9ca87a1d4aea05fe048f1fb267b14e598183654175
SHA512    c9024a67cf9a071ea1143adf84951c4f07579bb8fd027020656e1de9212a616e758ee3eeb256b9fc88fb625cb700e3e20e229710c7ab8005b09c8ec66150a9e2

Filesize  390KB
MD5       933339ff4765f9e3630baed076868467
SHA1      c6b708b7f9f98278d87a1c6ec87921ddb4c217b7
SHA256    105a2d1aff2df1fc57b8f8856fe1510ae920588d178186337b16145fcf7ba003
SHA512    3eaae45c982559afbdc331a5556f9848377523e98d46ea9b0c29762496ffb0f560132312b7e62a4664835b53e11a09212bf1b9018259f8f19a89c1d43ad0fb29

Filesize  364KB
MD5       4e1c7fbe3241183f21f6c7a072c0e6f2
SHA1      94c6fef9d18edee7ac9a5f7e34426a19b6ac66ac
SHA256    4ae13bd7742258b4d5a7c0b584ffa5528fb716c39effb970872a7d7206059ae7
SHA512    19af1f44c93dd6f93ae8de060b4bde3e3ca4d009249d1f52908673161fa53ccc1c30d5fdf50e41b7b296b384310f75d075fe11b966f3e932a1b4745a424f8992

Filesize  174KB
MD5       7e4c41523355a20df5aec47e8bcb7662
SHA1      956e017a956c98c54b8c0cd42043c8fc8182dc3f
SHA256    981781d0bff90f633f405b4961ae84e5268be233e68750e81fcc16b67f74dcd7
SHA512    a08db4f9f6feb1446ea742a6bbfde59aade8c69849c227db4863e46d2560c3772fc0c9630bcdd01f344cdb203061cc9b3d61a3f16e598a5c928d3716c306919d