Analysis
- max time kernel: 153s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/10/2023, 20:20
Static task
- static1
Behavioral task
- behavioral1: sample a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe, resource win7-20230831-en
Behavioral task
- behavioral2: sample a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe, resource win10v2004-20230915-en
General
- Target: a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe
- Size: 935KB
- MD5: 393529959f49656c9a795558ed054a56
- SHA1: 10cf407d485a22b9f61d1351a96c7886f2705d0c
- SHA256: a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc
- SHA512: 4ac6953de2a0d4160f7c599fb1eb2b2c786bf5c1160557d741d7097a3d5c81b72382c9da33149cfbccfe7f19467f0a348e5b4f92f400aada64957efac5555070
- SSDEEP: 12288:1MrKy90jEUQB+ahcWxI4kO0QCkbHNzlRvrpLB6YpG3mYFA72sZyy0nAXH0d7ilgP:PyAEdkahR9BCMrFLYrn+H0ygK3G
Malware Config
Extracted
- family: redline
- botnet tag: kendo
- C2: 77.91.124.82:19071
- auth_value: 5a22a881561d49941415902859b51f14
Signatures
-
Detect Mystic stealer payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/2644-28-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral2/memory/2644-29-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral2/memory/2644-30-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  behavioral2/memory/2644-32-0x0000000000400000-0x0000000000428000-memory.dmp  family_mystic
  All four hits are successive dumps of the same 0x28000-byte region at 0x400000 (the default 32-bit PE image base) in PID 2644, which is the AppLaunch.exe process started by g0654549.exe. The rule matches the payload written over that image, not AppLaunch.exe on disk. Note that the extracted configuration above is tagged redline while these memory hits are family_mystic; the report does not reconcile the two.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE (5 IoCs)
  pid   Process
  464   x5156724.exe
  4472  x4130575.exe
  2680  x4640084.exe
  180   g0654549.exe
  3468  h7919418.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  All four IoCs are string values set under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, one per layer of the dropper:
  value              data                                                                                                      Process
  wextract_cleanup0  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"  a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe
  wextract_cleanup1  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"  x5156724.exe
  wextract_cleanup2  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"  x4130575.exe
  wextract_cleanup3  rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"  x4640084.exe
  Caveat: wextract_cleanupN values and IXP00N.TMP directories are the fingerprints of the Windows IExpress/wextract self-extracting wrapper, and advpack.dll!DelNodeRunDLL32 only deletes the extraction directory at the next logon. This signature therefore documents four nested self-extracting layers, not a persistence mechanism for the stealer payload.

Suspicious use of SetThreadContext (1 IoC)
  pid   Process       target pid   procid_target
  180   g0654549.exe  2644         92

Program crash (2 IoCs)
  pid (WerFault.exe)   pid_target   procid_target
  528                  2644         92
  3744                 180          91

Suspicious use of WriteProcessMemory (25 IoCs)
  The 25 rows collapse to six parent/child pairs; the last column is how many times the row appears:
  pid   Process                                                               target pid   procid_target   rows
  4484  a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe  464          86              3
  464   x5156724.exe                                                          4472         88              3
  4472  x4130575.exe                                                          2680         90              3
  2680  x4640084.exe                                                          180          91              3
  180   g0654549.exe                                                          2644         92              10
  2680  x4640084.exe                                                          3468         100             3
  Every ordinary parent-to-child launch in this report produces exactly three rows. g0654549.exe (PID 180) writes to AppLaunch.exe (PID 2644) ten times and is also the only process that reset another process's thread context (the SetThreadContext IoC above). Together with the four Mystic YARA hits at 0x400000-0x428000 in 2644's memory, this is the pattern of process hollowing: a legitimate .NET host is started, its image is overwritten, and its main thread is redirected into the injected code. Both 180 and 2644 were also handled by WerFault (Program crash), so the injected payload may not have run to completion on this image.
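The three signature tables above can be triaged mechanically. The following is an added example (not tria.ge's code and not part of the original report): it parses the flattened one-line rows exactly as the page renders them, counts WriteProcessMemory rows per parent/child pair, and flags a pair as a hollowing candidate when the parent both wrote to the child more often than a plain launch does and reset the child's thread context, attaching any YARA family seen in the child's memory dumps. The threshold of three rows per ordinary launch is an observation from this report, not a universal constant, and is exposed as a parameter. The input strings are constructed here from the rows shown above.

```python
"""Hollowing heuristic over tria.ge-style signature rows (added example)."""
import re
from collections import defaultdict

# Constructed input: the report's rows in their flattened one-line form.
# Ordinary launches appear three times each; the 180 -> 2644 pair ten times.
WRITE_ROWS = (
    "PID 4484 wrote to memory of 464 4484 "
    "a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe 86 " * 3
    + "PID 464 wrote to memory of 4472 464 x5156724.exe 88 " * 3
    + "PID 4472 wrote to memory of 2680 4472 x4130575.exe 90 " * 3
    + "PID 2680 wrote to memory of 180 2680 x4640084.exe 91 " * 3
    + "PID 180 wrote to memory of 2644 180 g0654549.exe 92 " * 10
    + "PID 2680 wrote to memory of 3468 2680 x4640084.exe 100 " * 3
)
CONTEXT_ROWS = "PID 180 set thread context of 2644 180 g0654549.exe 92"
YARA_ROWS = (
    "behavioral2/memory/2644-28-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic "
    "behavioral2/memory/2644-29-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic "
    "behavioral2/memory/2644-30-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic "
    "behavioral2/memory/2644-32-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic"
)

# Row layouts: "PID <pid> <verb> <target> <pid> <image> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")
# "<task>/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <rule>"
YARA_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\S+)")


def parse_writes(text):
    """(parent, child) -> {'process': parent image, 'count': number of rows}."""
    out = {}
    for parent, child, image in WRITE_RE.findall(text):
        entry = out.setdefault((int(parent), int(child)), {"process": image, "count": 0})
        entry["count"] += 1
    return out


def parse_thread_context(text):
    """Set of (parent, child) pairs where the parent reset the child's thread context."""
    return {(int(p), int(c)) for p, c, _ in CONTEXT_RE.findall(text)}


def parse_yara(text):
    """child pid -> {(rule, region start, region end)} from memory-dump hits."""
    hits = defaultdict(set)
    for pid, start, end, rule in YARA_RE.findall(text):
        hits[int(pid)].add((rule, int(start, 16), int(end, 16)))
    return dict(hits)


def hollowing_candidates(writes, contexts, yara, per_launch=3):
    """Flag pairs with more writes than a plain launch (per_launch, observed in
    this report) plus a SetThreadContext on the same child."""
    findings = []
    for (parent, child), info in writes.items():
        if (parent, child) not in contexts or info["count"] <= per_launch:
            continue
        findings.append({
            "injector": parent, "injector_image": info["process"],
            "target": child, "writes": info["count"],
            "families": sorted({r for r, _, _ in yara.get(child, ())}),
            "regions": sorted({(s, e) for _, s, e in yara.get(child, ())}),
        })
    return findings


def process_tree(writes):
    """parent pid -> sorted child pids, treating the first write as the launch."""
    tree = defaultdict(list)
    for parent, child in writes:
        tree[parent].append(child)
    return {p: sorted(c) for p, c in tree.items()}


def root_pids(writes):
    """Pids that launched something but were never launched by a tracked process."""
    parents = {p for p, _ in writes}
    children = {c for _, c in writes}
    return sorted(parents - children)


if __name__ == "__main__":
    writes = parse_writes(WRITE_ROWS)
    for finding in hollowing_candidates(writes, parse_thread_context(CONTEXT_ROWS), parse_yara(YARA_ROWS)):
        print(finding)
    print("roots:", root_pids(writes), "tree:", process_tree(writes))
```

Run against this report the only candidate is 180 (g0654549.exe) into 2644 with ten writes and family_mystic at 0x400000-0x428000; every other pair sits at the three-row baseline and is ignored.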
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe (PID 4484)
  command line: "C:\Users\Admin\AppData\Local\Temp\a417ed0ab5fb6857593f4311da5fdb85ab10f94132f44c6cde60a70077c5a1fc.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe (PID 464)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5156724.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe (PID 4472)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4130575.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe (PID 2680)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4640084.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe (PID 180)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0654549.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          [depth 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2644)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            [depth 7] C:\Windows\SysWOW64\WerFault.exe (PID 528)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 540
              - Program crash
          [depth 6] C:\Windows\SysWOW64\WerFault.exe (PID 3744)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 552
            - Program crash
        [depth 5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe (PID 3468)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7919418.exe
          - Executes dropped EXE

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 2472)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 180 -ip 180

[depth 1] C:\Windows\SysWOW64\WerFault.exe (PID 4188)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2644 -ip 2644
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists five distinct dropped files; it does not tie a hash to a file name in the process tree.

- Filesize: 833KB
  MD5: 0bf7f136829434a3c375b04afe87a4f1
  SHA1: 5c6feaad5dd3aa0dec8392b400ee9cccf23dad10
  SHA256: e32358f37ff29bbfbe36d91575b955a5bfb574d97f081c8cfb4ab0f4384b4b94
  SHA512: fb882ec6a8f52971146aac238f77d7af749791dd6e803f82577d57a9ff9bf313f148d22212e5849c741047b2af13acc0418f2ed891f49d3b7be85787543b19dd

- Filesize: 559KB
  MD5: ca0f3114e295830673920a666d86b12b
  SHA1: 843a86f9e50efed658d570dde5958eaa2db5cdad
  SHA256: b5e278860f1ac67f8655b656d4e397521813d89258b653fbca8f8b926bb50d7c
  SHA512: 81fdd2c32b2510e6135baef824d749ea2175c5e341aa73ff081c0093ad9927745c046b1811aaf3dc9df085c7036310dcfce1ad7f8b9fdd31f528f3ed47483cb4

- Filesize: 393KB
  MD5: d16a35d49a18fa6aa0ea71858385a0e8
  SHA1: e616e31653af9292a61d5f29fedc20ab533d9119
  SHA256: ab906839b241662329e5fc01c04818ab455705370aee3412fc2cfff0a8e7f2b7
  SHA512: 8b50d98f3aa5ba347d54188d5028b8f99658277e7cbfa09891404cb6ac253e88ba98b27c77cfee40f6c6f0d3a9b0512afc0edb5e3c1fcb851a29c096ab924ba0

- Filesize: 380KB
  MD5: 929437a5c5a9a45ea960b7037e32b71d
  SHA1: b6e577052e0190b65209a744de9faf361faa3633
  SHA256: 0da42dfcb536b9121da124409c9b72423f9fa52eb2f3f6df93e0f4884f70086f
  SHA512: b34dc95cc33d90ad33072fe1fb76c25b91982f7296b866c584940b53996b68c87e376fd91cb5f1f548745c86d9bc2fca84fcee7d67c3bc8eddc75db97af39b89

- Filesize: 173KB
  MD5: cdcb94fb196fa578c0ef270d687dbc59
  SHA1: 6d79a5138651172afb20b867b81d50fbb7308ff0
  SHA256: 0a0380070297fa16e2bdbf4963a4bda65541b75bd50fe12e6a2cd7880601f6d6
  SHA512: c412b84dfb1c7d418fcc185c8c1a8fd78a0cf0ae47078d765b4368d1322b23cecfb5a20210cffef06d4ab7ca4d6975115f5c56e687f532e4376cf1eb4bcdc3b2