Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2023, 02:09
Static task
- static1
Behavioral task
- behavioral1
  Sample: 1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
  Resource: win7-20230831-en
Behavioral task
- behavioral2
  Sample: 1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
  Resource: win10v2004-20230915-en
General
- Target: 1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
- Size: 742KB
- MD5: 29b27b4a1233bb03f71d5339955e3441
- SHA1: fa5a11c3c9f089d0ae5f58114c135fb0c871aeec
- SHA256: 1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa
- SHA512: b7eb79cd85dee464b1ef4c64d3adc2cc2f73cfb901576ffb17b62d78d03db242cb1e30f6c064d95d2e00e24750946046d7e67c0d7da8bfc3e57554c6cfb40bf8
- SSDEEP: 12288:Ol//yfYb5BIQZVtxiVSIHl5O8Yg8EWoa5DJN/8GEBQpZFikrgafBiwqeNA89:GiuBtZcHF5O80oaFl3VrgGP
Malware Config
Extracted
- Family: redline
- Botnet: moner
- C2: 77.91.124.82:19071
- auth_value: a94cd9e01643e1945b296c28a2f28707
Signatures
- Detect Mystic stealer payload (2 IoCs)
  resource                                     yara_rule
  behavioral2/files/0x000900000002308e-16.dat  family_mystic
  behavioral2/files/0x000900000002308e-17.dat  family_mystic
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4352  y4018535.exe
  3244  m6885952.exe
  3024  n2973399.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: AppLaunch.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process: y4018535.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                   procid_target
  PID 4132 set thread context of 4312  4132  1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe  90
- Suspicious use of WriteProcessMemory (22 IoCs; identical rows grouped, count in last column)
  description                       pid   Process                                                                   procid_target  count
  PID 4132 wrote to memory of 3692  4132  1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe  89             3
  PID 4132 wrote to memory of 4312  4132  1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe  90             10
  PID 4312 wrote to memory of 4352  4312  AppLaunch.exe                                                             91             3
  PID 4352 wrote to memory of 3244  4352  y4018535.exe                                                              92             3
  PID 4352 wrote to memory of 3024  4352  y4018535.exe                                                              93             3
Processes (depth number as in the report; children indented under their parent)
1. C:\Users\Admin\AppData\Local\Temp\1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe"
   PID: 4132
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3692
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4312
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4018535.exe
         PID: 4352
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6885952.exe
            PID: 3244
            - Executes dropped EXE
         4. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n2973399.exe
            PID: 3024
            - Executes dropped EXE
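Two things in this report deserve a closer read than the signature titles give them. The "Adds Run key" hits are RunOnce values named wextract_cleanupN whose data is rundll32 advpack.dll,DelNodeRunDLL32 pointed at an IXP00N.TMP directory: that is the cleanup entry an IExpress self-extractor (wextract.exe) writes to delete its own extraction folder on next logon, so it indicates a nested IExpress packaging chain (the sample, then y4018535.exe) rather than durable persistence. The injection hits show the sample (PID 4132) writing into two AppLaunch.exe children but replacing the thread context of only one (PID 4312), and it is that child which goes on to spawn y4018535.exe, the process-hollowing pattern. The following script is an added example, not Triage's code: it rebuilds the process tree from the WriteProcessMemory rows, flags write-plus-SetThreadContext pairs into known hollowing hosts, and separates IExpress cleanup RunOnce values from real persistence. The event lists and the HOLLOW_HOSTS set are constructed from the rows on this page (repeated identical rows collapsed) and are assumptions of the example, as is the Triage row format it parses.

```python
"""Added example: sort Triage process-injection and RunOnce IoCs into findings."""
import re
from collections import defaultdict

SAMPLE = "1bc90a375cb0c3411dd26407beadc1c6e0b0c297c69d00f2238d32d11dd1d6fa.exe"

# Constructed input copied from the report on this page: pid -> image name.
PROCESSES = {
    4132: SAMPLE,
    3692: "AppLaunch.exe",
    4312: "AppLaunch.exe",
    4352: "y4018535.exe",
    3244: "m6885952.exe",
    3024: "n2973399.exe",
}

# Constructed input: the SetThreadContext / WriteProcessMemory rows from the
# report, one event per line, repeated identical rows collapsed to one.
MEMORY_EVENTS = [
    f"PID 4132 set thread context of 4312 4132 {SAMPLE} 90",
    f"PID 4132 wrote to memory of 3692 4132 {SAMPLE} 89",
    f"PID 4132 wrote to memory of 4312 4132 {SAMPLE} 90",
    "PID 4312 wrote to memory of 4352 4312 AppLaunch.exe 91",
    "PID 4352 wrote to memory of 3244 4352 y4018535.exe 92",
    "PID 4352 wrote to memory of 3024 4352 y4018535.exe 93",
]

# Constructed input: the two "Set value (str)" registry rows from the report,
# as (key, value data, writing process).
REGISTRY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "AppLaunch.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     "y4018535.exe"),
]

# Row shape assumed from this page: "PID <src> <action> <dst> <src> <image> <procid_target>".
EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) \d+$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# wextract.exe (IExpress SFX) schedules deletion of its IXP###.TMP directory this way.
IEXPRESS_CLEANUP_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32 .*IXP\d{3}\.TMP", re.I)
# Signed .NET utilities that commodity loaders commonly hollow (assumed list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}


def parse_events(lines):
    """Return ({(src, dst): write_count}, {(src, dst) that had SetThreadContext})."""
    writes, ctx = defaultdict(int), set()
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return dict(writes), ctx


def build_tree(lines):
    """Parent -> sorted children. A parent writes startup data into every child
    it creates, so a write edge by itself is not evidence of injection."""
    writes, _ = parse_events(lines)
    tree = defaultdict(list)
    for src, dst in writes:
        tree[src].append(dst)
    return {p: sorted(c) for p, c in tree.items()}


def detect_hollowing(lines, processes):
    """(src, dst, image) where src wrote into dst AND replaced dst's thread
    context, and dst is a known hollowing host. PID 3692 is not flagged:
    it was written to but never had its context changed."""
    writes, ctx = parse_events(lines)
    return [(s, d, processes.get(d, "?")) for s, d in sorted(ctx)
            if (s, d) in writes and processes.get(d, "").lower() in HOLLOW_HOSTS]


def classify_run_keys(events):
    """Tag Run/RunOnce writes as IExpress cleanup or as persistence candidates."""
    out = []
    for key, data, proc in events:
        m = RUN_KEY_RE.search(key)
        if not m:
            continue
        name = m.group("name")
        iexpress = (name.lower().startswith("wextract_cleanup")
                    and IEXPRESS_CLEANUP_RE.search(data) is not None)
        out.append({"key": m.group(1), "name": name, "process": proc,
                    "kind": "iexpress_cleanup" if iexpress else "persistence"})
    return out


if __name__ == "__main__":
    for parent, children in sorted(build_tree(MEMORY_EVENTS).items()):
        print(parent, PROCESSES[parent], "->", children)
    for s, d, image in detect_hollowing(MEMORY_EVENTS, PROCESSES):
        print(f"probable hollowing: {s} -> {d} ({image})")
    for entry in classify_run_keys(REGISTRY_EVENTS):
        print(entry["kind"], entry["key"], entry["name"], "written by", entry["process"])
```

The tree recovered from the write edges matches the Processes section above, which is the check that the row parser is reading the right columns. When applying this to other reports, treat HOLLOW_HOSTS as a starting list and keep the write-plus-SetThreadContext condition: a SetThreadContext without a preceding write into the same target is usually a debugger or a crash handler, not hollowing.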
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 272KB
  MD5: ba542f1c1d34fe5d5f8e67c8e205921d
  SHA1: 42ebf31450682b4a3e701acc50a295208fe913ef
  SHA256: d878f493898a41e99c974a45fee572608640e86a559d047f3247b0962c40c86e
  SHA512: 4369b119a63457f47f4590c4f50c04baed14b3744e4d8e41f9cecedde26c62b40c38ea7baeb9e76038d4326e39b793559e6384303116eebd6cc34a1e37d59418
- Filesize: 140KB
  MD5: 853dff20cf0a2f19b5a04826d89fc322
  SHA1: 1473b1e359318c1bb23fe10caf39c213ec2f692b
  SHA256: 1ae8cdfa8ac3d7afb963585a29900ef9fb5a2b29e45c110e07d4c937ac0021b9
  SHA512: 63cb9571292193fb271b5b8ac66a0d20bf10024cac58edd171ffcc4e43447785a96effc89fcfe2888ac8d4eaa57afac32e8f72f7a6b19d04fc41acbb0f6abf25
- Filesize: 174KB
  MD5: c720253e37d66daad6d860766a029f67
  SHA1: 87a56b493f62476d824ed5385857be59226b0142
  SHA256: 86d29c0c3d8bd382030f1fbd9c495c16de74b6d873286d4acd4ecf2bccaf61b2
  SHA512: 944608b2e9676cff92fac7cdba4fb79ea61e2e667528b02f8cd4f7628f1b0aafca85a2562bebba91030a7e51bbecf3dd606fa89508e106c17ea770fe950fffdf