Analysis
- max time kernel: 157s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/10/2023, 23:35
Static task: static1
Behavioral task: behavioral1
- Sample: 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
- Resource: win10v2004-20230915-en
General
- Target: 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
- Size: 2.5MB
- MD5: 2f7f146caa6b89738f522f714eead088
- SHA1: 6a54ffc979a13f1d2ec86af63de97db5ffeb0126
- SHA256: 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b
- SHA512: 61a4692ae87401c64792d1195cee1b0a9e8b0c84409689fb1129dcab46718193adafaa2317a3cb3a94e9951e018a39d635ce8ec5ffec8687ee2c44926645d5a8
- SSDEEP: 49152:MktzA0pHxVZkV6a3vJQyf+74G/w3eL+n9:Mktz1kscGGv
Malware Config
Extracted
- Family: redline
- Botnet: ramon
- C2: 77.91.124.82:19071
- auth_value: 3197576965d9513f115338c233015b40
Signatures
- Detect Mystic stealer payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000230ac-17.dat | family_mystic
  behavioral2/files/0x00070000000230ac-18.dat | family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid | Process
  4808 | y3499828.exe
  1880 | m2402832.exe
  1384 | n9109208.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y3499828.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2032 set thread context of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 2032 wrote to memory of 556 | 2032 | 122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe | 87
  PID 556 wrote to memory of 4808 | 556 | AppLaunch.exe | 88
  PID 556 wrote to memory of 4808 | 556 | AppLaunch.exe | 88
  PID 556 wrote to memory of 4808 | 556 | AppLaunch.exe | 88
  PID 4808 wrote to memory of 1880 | 4808 | y3499828.exe | 89
  PID 4808 wrote to memory of 1880 | 4808 | y3499828.exe | 89
  PID 4808 wrote to memory of 1880 | 4808 | y3499828.exe | 89
  PID 4808 wrote to memory of 1384 | 4808 | y3499828.exe | 92
  PID 4808 wrote to memory of 1384 | 4808 | y3499828.exe | 92
  PID 4808 wrote to memory of 1384 | 4808 | y3499828.exe | 92
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\122e4400a931dbdd7aa0ef9d3448ac0032d6dc365514075a808db25fc467769b.exe"
  PID: 2032
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 556
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3499828.exe
      PID: 4808
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2402832.exe
        PID: 1880
        - Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n9109208.exe
        PID: 1384
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271KB
  MD5: b603e22cb2e5a96c44580842b8378a87
  SHA1: a42a2b3638dcd10c5b9b7cf9ca1e5f6860702abe
  SHA256: 1bf4f35f6278d56c1f7151bf3313b763968ff07664bbcf7cd26f9dff6857eabb
  SHA512: cd2aaabe25fbff836195f266135ea72b40187897091db667ea46ef03888a4b2159de6d1fe24878c84e31ed812caebca43b751458812a6db32f5be81f8f40135b
- Filesize: 140KB
  MD5: 0f7d89bd2b2cab8f2bb7e75d8cf5d045
  SHA1: 5ae7f5d816d4aa6405e5bbe46130e376392e86e6
  SHA256: c788623dd0900281d25113197c2e2dbff1167b9cddde370cfa84db775ee9ae60
  SHA512: 2ba626e55274414525a05d719d13d2718be93688ba18f72bc208db255b4d3a621c2e66a9706b3344d0b58d18419b10417a263766cf6d40e00f408cad97449754
- Filesize: 174KB
  MD5: c5a3567146b7c2b169e457502caa6116
  SHA1: 01c96aa80b1a84766b6f74b18c0d3312448e42a0
  SHA256: 8f7fdca3cf5a7a59f2ae53a7ae3263df9b1cdb601ea94dde03fb29c3e958602c
  SHA512: 14ddf5218e027f38c8e62635b4044ac9da0b0f1133e6846f89b6dfb63658ed7571cf92f560789ff846152a50b29340be1c9e43c423828c7f33151b290cf9d3fa