Analysis
max time kernel: 143s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
- Resource: win10v2004-20230915-en
General
Target: 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe
Size: 929KB
MD5: 4f6bcdc8cd0bf2db7c617bf1e15ab3e3
SHA1: 9a35e82cfd978b0ca31ed66040f2249fc6209aac
SHA256: 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47
SHA512: 524e820a0e33709bcfa7f19e789be4938ff9d3eafc30f79d852ccaaa4f81feec0af5f1e168b3ef9f9f1f0a1018b8793563bbb306cd125046752dbd4528a7ad4a
SSDEEP: 24576:my7I6JpuXR1wXhb8fCV9dsiJ3BK0Qm5Rzl9AHXCx:17BU1AyCzCHQ/zHAS
Malware Config
Extracted
Family: redline
Botnet: kendo
C2: 77.91.124.82:19071
auth_value: 5a22a881561d49941415902859b51f14
Signatures
Detect Mystic stealer payload (4 IoCs)
resource / yara_rule:
- behavioral2/memory/5060-28-0x0000000000400000-0x0000000000428000-memory.dmp: family_mystic
- behavioral2/memory/5060-29-0x0000000000400000-0x0000000000428000-memory.dmp: family_mystic
- behavioral2/memory/5060-30-0x0000000000400000-0x0000000000428000-memory.dmp: family_mystic
- behavioral2/memory/5060-32-0x0000000000400000-0x0000000000428000-memory.dmp: family_mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (5 IoCs)
pid / Process:
- 4052 x9795912.exe
- 840 x3046987.exe
- 4020 x5651660.exe
- 2476 g4665713.exe
- 1616 h0730892.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: x9795912.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: x3046987.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: x5651660.exe)
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 2476 (g4665713.exe) set thread context of 5060 (procid_target 90)
Program crash (2 IoCs)
pid / pid_target / Process / procid_target:
- 5024 WerFault.exe, pid_target 2476 (procid_target 89)
- 5100 WerFault.exe, pid_target 5060 (procid_target 90)
Suspicious use of WriteProcessMemory (25 IoCs)
description / pid / Process / procid_target (identical events grouped with a count):
- PID 4388 (48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe) wrote to memory of 4052 (procid_target 86): 3 events
- PID 4052 (x9795912.exe) wrote to memory of 840 (procid_target 87): 3 events
- PID 840 (x3046987.exe) wrote to memory of 4020 (procid_target 88): 3 events
- PID 4020 (x5651660.exe) wrote to memory of 2476 (procid_target 89): 3 events
- PID 2476 (g4665713.exe) wrote to memory of 5060 (procid_target 90): 10 events
- PID 4020 (x5651660.exe) wrote to memory of 1616 (procid_target 103): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe (PID 4388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\48dc5abf242d433e67fb2282576087ac89d1873995b4dea68d055d3acb093d47.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9795912.exe (PID 4052)
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3046987.exe (PID 840)
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5651660.exe (PID 4020)
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4665713.exe (PID 2476)
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 5060)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - C:\Windows\SysWOW64\WerFault.exe (PID 5100)
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 540
              Signatures: Program crash
          - C:\Windows\SysWOW64\WerFault.exe (PID 5024)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 552
            Signatures: Program crash
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0730892.exe (PID 1616)
          Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 1420)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5060 -ip 5060
- C:\Windows\SysWOW64\WerFault.exe (PID 4484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2476 -ip 2476
Downloads