Analysis
Max time kernel: 129s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13/11/2023, 15:46
Static task: static1
Behavioral task: behavioral1
Sample: 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
Resource: win10v2004-20231023-en
General
Target: 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
Size: 1.2MB
MD5: 7640209542642be02bd974dea72d0776
SHA1: e37eefba7fb5b74be592ac1c341bc5bdcb39e5e2
SHA256: 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f
SHA512: 1ffedb2d2bff311f56ff327e93eb58a821c98538fb2704f785e103d93f944c01c9e302f4a4672844bbd31cba0123a990b0a8b6a3179373753ae84fedd957e966
SSDEEP: 24576:Qy6sjYfYXOt6QPkzjljcLv1SrXQXHotyYw4g+qarjTKgAKG:X6saY+tQzj2hIthDbHjTtA
Malware Config
Extracted
Family: redline
Botnet: taiga
C2: 5.42.92.51:19057
Signatures
-
Detect Mystic stealer payload (4 IoCs)
resource  yara_rule
behavioral1/memory/3352-21-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
behavioral1/memory/3352-24-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
behavioral1/memory/3352-25-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
behavioral1/memory/3352-27-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (1 IoC)
resource  yara_rule
behavioral1/memory/4592-29-0x0000000000400000-0x000000000043C000-memory.dmp  family_redline
Executes dropped EXE (6 IoCs)
pid   Process
3924  Ax7Bz13.exe
1584  lT2An98.exe
3532  11tb9461.exe
3360  12Lc681.exe
116   13EC572.exe
2868  14mz497.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application (2 TTPs, 3 IoCs)
description: Set value (str)
ioc (by process 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe):
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
ioc (by process Ax7Bz13.exe):
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
ioc (by process lT2An98.exe):
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
These three values are not attacker persistence in the usual sense: a RunOnce value named wextract_cleanupN that runs advpack.dll's DelNodeRunDLL32 on an IXP00N.TMP folder is the cleanup entry written by the Windows WEXTRACT (IExpress) self-extractor stub, which unpacks into %TEMP%\IXP00N.TMP and schedules deletion of that folder at the next logon. The three entries therefore document three nested self-extracting layers (the sample, then Ax7Bz13.exe, then lT2An98.exe). The WOW6432Node path shows the writes came from 32-bit processes.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (3 IoCs)
description                            pid   Process       procid_target
PID 3532 set thread context of 3352    3532  11tb9461.exe  102
PID 3360 set thread context of 4592    3360  12Lc681.exe   109
PID 2868 set thread context of 2964    2868  14mz497.exe   120
Each target PID is an AppLaunch.exe instance spawned by the dropper (see Processes) and each also receives the bulk of that dropper's WriteProcessMemory calls below, which is the write-then-SetThreadContext sequence of process hollowing. The YARA hits on 3352 (Mystic) and 4592 (RedLine) at image base 0x400000 are the payloads written into those hosts.
Program crash (1 IoC)
pid   pid_target  Process       procid_target
2868  3352        WerFault.exe  102
PID 2868 appears twice in this report: here as WerFault.exe handling the crash of AppLaunch.exe 3352, and later as the dropped 14mz497.exe. That is PID reuse, so pivot on image name plus PID rather than PID alone.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
116   13EC572.exe
116   13EC572.exe
2964  AppLaunch.exe
2964  AppLaunch.exe
Suspicious use of WriteProcessMemory (51 IoCs)
The report lists each write as its own row; identical rows are collapsed here with a count (counts sum to 51).
pid   Process                                                               wrote to (pid)  procid_target  count
4132  72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe  3924            86             3
3924  Ax7Bz13.exe                                                           1584            88             3
1584  lT2An98.exe                                                           3532            89             3
3532  11tb9461.exe                                                          3352            102            10
1584  lT2An98.exe                                                           3360            103            3
3360  12Lc681.exe                                                           4428            107            3
3360  12Lc681.exe                                                           2592            108            3
3360  12Lc681.exe                                                           4592            109            8
3924  Ax7Bz13.exe                                                           116             110            3
4132  72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe  2868            118            3
2868  14mz497.exe                                                           2964            120            9
Every ordinary child in this tree receives exactly 3 writes; the three SetThreadContext targets (3352, 4592, 2964) receive 8 to 10, consistent with a PE image being written into the hollowed host.
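The join between the SetThreadContext, WriteProcessMemory and YARA tables above is what an analyst does by hand to decide which child carries which payload. The script below automates it; it is an added example for this report, not Triage's code or anything from the sample. It parses the three row formats exactly as the report prints them, counts writes per parent/child pair, and flags a child as a hollowing candidate when its parent set its thread context and wrote to it more often than a plain process launch does. The sample rows are constructed from the tables above (the 51 WriteProcessMemory rows are regenerated from the per-pair counts), and the `min_writes=4` threshold is an assumption tuned to this report, where every ordinary child gets exactly 3 writes.

```python
"""Correlate sandbox signature rows into process-hollowing candidates.

Added example for this report; not Triage's code and not code from the sample.
Parses the three row formats the Signatures section prints (SetThreadContext,
WriteProcessMemory, YARA memory-dump hits) and joins them per target PID.
"""
import re
from collections import Counter, defaultdict

SETCTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
YARA_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)"
)

# Constructed sample input: the three SetThreadContext rows, verbatim format.
SETCTX_ROWS = """
PID 3532 set thread context of 3352 3532 11tb9461.exe 102
PID 3360 set thread context of 4592 3360 12Lc681.exe 109
PID 2868 set thread context of 2964 2868 14mz497.exe 120
"""

# Constructed sample input: the 51 WriteProcessMemory rows, regenerated from the
# report's per-pair counts (src pid, src image, dst pid, procid_target, repeats).
_SAMPLE = "72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe"
_WPM = [
    ("4132", _SAMPLE, "3924", "86", 3),
    ("3924", "Ax7Bz13.exe", "1584", "88", 3),
    ("1584", "lT2An98.exe", "3532", "89", 3),
    ("3532", "11tb9461.exe", "3352", "102", 10),
    ("1584", "lT2An98.exe", "3360", "103", 3),
    ("3360", "12Lc681.exe", "4428", "107", 3),
    ("3360", "12Lc681.exe", "2592", "108", 3),
    ("3360", "12Lc681.exe", "4592", "109", 8),
    ("3924", "Ax7Bz13.exe", "116", "110", 3),
    ("4132", _SAMPLE, "2868", "118", 3),
    ("2868", "14mz497.exe", "2964", "120", 9),
]
WPM_ROWS = "\n".join(
    f"PID {src} wrote to memory of {dst} {src} {img} {tgt}"
    for src, img, dst, tgt, n in _WPM
    for _ in range(n)
)

# Constructed sample input: the YARA memory-dump hits from the Mystic and RedLine signatures.
YARA_HITS = """
behavioral1/memory/3352-21-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family
behavioral1/memory/3352-24-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family
behavioral1/memory/3352-25-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family
behavioral1/memory/3352-27-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family
behavioral1/memory/4592-29-0x0000000000400000-0x000000000043C000-memory.dmp family_redline
"""


def count_writes(wpm_text):
    """Count WriteProcessMemory rows per (source pid, target pid, source image)."""
    writes = Counter()
    for src, dst, img, _tgt in WPM_RE.findall(wpm_text):
        writes[(int(src), int(dst), img)] += 1
    return writes


def parse_yara(yara_text):
    """Map a dumped PID to the YARA families and memory regions that hit on it."""
    hits = defaultdict(lambda: {"families": set(), "regions": set()})
    for pid, start, end, family in YARA_RE.findall(yara_text):
        rec = hits[int(pid)]
        rec["families"].add(family)
        rec["regions"].add((int(start, 16), int(end, 16)))
    return dict(hits)


def find_hollowing(setctx_text, wpm_text, yara_text, min_writes=4):
    """Flag children whose parent set their thread context and wrote to them
    more than a plain CreateProcess does. min_writes=4 is a heuristic tuned to
    this report (ordinary children get 3 writes, hollowed hosts 8 to 10)."""
    writes = count_writes(wpm_text)
    yara = parse_yara(yara_text)
    findings = []
    for src, dst, img, _tgt in SETCTX_RE.findall(setctx_text):
        n = writes.get((int(src), int(dst), img), 0)
        if n < min_writes:
            continue
        mem = yara.get(int(dst), {"families": set(), "regions": set()})
        findings.append({
            "source_pid": int(src), "source_image": img, "target_pid": int(dst),
            "writes": n, "families": set(mem["families"]), "regions": sorted(mem["regions"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SETCTX_ROWS, WPM_ROWS, YARA_HITS):
        fams = ",".join(sorted(f["families"])) or "(no YARA hit)"
        regs = " ".join(f"0x{s:X}-0x{e:X}" for s, e in f["regions"])
        print(f"{f['source_image']} ({f['source_pid']}) -> pid {f['target_pid']}: "
              f"{f['writes']} writes, {fams} {regs}")
```

Run stand-alone it reports three candidates: 11tb9461.exe into 3352 (Mystic), 12Lc681.exe into 4592 (RedLine) and 14mz497.exe into 2964, which has no YARA hit but the same injection shape. The two other AppLaunch.exe children of 12Lc681.exe (4428, 2592) are not flagged: they received only the 3 launch writes and no SetThreadContext, so on this evidence they never held a payload.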
Processes
The tree below is indented by the depth the report assigns to each process; the command line is shown only where it differs from the image path.

[1] C:\Users\Admin\AppData\Local\Temp\72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe  (PID 4132)
    command line: "C:\Users\Admin\AppData\Local\Temp\72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe"
    Adds Run key to start application; Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ax7Bz13.exe  (PID 3924)
      Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lT2An98.exe  (PID 1584)
        Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11tb9461.exe  (PID 3532)
          Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3352)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 540  (PID 2868)
              Program crash
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12Lc681.exe  (PID 3360)
          Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4428)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2592)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4592)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13EC572.exe  (PID 116)
        Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14mz497.exe  (PID 2868)
      Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2964)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3352 -ip 3352  (PID 4068)
    a second WerFault.exe instance for the same crash of PID 3352, as its -p/-ip arguments show

Reading order: each IXP00N.TMP folder is one self-extractor layer, and each layer drops both the next layer and a sibling payload dropper (11tb9461.exe and 12Lc681.exe from IXP002.TMP, 13EC572.exe from IXP001.TMP, 14mz497.exe from IXP000.TMP). The AppLaunch.exe path under Framework (not Framework64) and the SysWOW64 WerFault.exe both indicate 32-bit processes.
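The RunOnce wextract_cleanup entries in the Signatures section and the IXP000.TMP/IXP001.TMP/IXP002.TMP folders in the process tree describe the same thing from two angles: the nesting of WEXTRACT self-extractor layers. The script below, an added example that is not Triage's code or the sample's, parses registry "Set value" IoC rows in the form the report prints them (key\value = "data" process), unescapes the data, recognises the advpack.dll,DelNodeRunDLL32 cleanup command, and orders the layers by IXP index so the unpacking chain can be read off directly. The three real rows are copied from the report; the fourth row is a hypothetical ordinary Run value added to show that the classifier leaves it unflagged.

```python
"""Parse RunOnce 'Set value' IoCs and recover the WEXTRACT extraction chain.

Added example for this report; not Triage's code and not code from the sample.
Recognises the cleanup entry the Windows WEXTRACT/IExpress self-extractor stub
writes: a RunOnce value wextract_cleanupN running advpack.dll!DelNodeRunDLL32
on its %TEMP%\\IXP00N.TMP extraction folder.
"""
import re

# <key>\<value_name> = "<escaped data>" <writing process>, one row per line
ROW_RE = re.compile(r'^(\\REGISTRY\\.+)\\([^\\\s]+) = "((?:[^"\\]|\\.)*)" (\S+)$', re.M)
# rundll32 command: <exe> <dll>,<export> <arguments>
CMD_RE = re.compile(r"^(\S+)\s+(.+?),(\w+)\s*(.*)$")
IXP_RE = re.compile(r"IXP(\d+)\.TMP$", re.I)

# Constructed sample input. Rows 1-3 are the report's IoCs verbatim; row 4 is a
# hypothetical ordinary Run value (invented here) that must not be flagged.
RUN_KEY_ROWS = r'''
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 72bbfe1dac71424882c41d164994fa15629c68fe2e332b3361e0a1475f2ffc9f.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Ax7Bz13.exe
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" lT2An98.exe
\REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "\"C:\\Tools\\upd.exe\" /quiet" upd.exe
'''


def parse_runonce_rows(text):
    """Turn IoC rows into records; classify WEXTRACT cleanup entries."""
    records = []
    for key, value_name, raw, process in ROW_RE.findall(text):
        data = re.sub(r"\\(.)", r"\1", raw)  # undo the \" and \\ escaping the report applies
        rec = {"key": key, "value_name": value_name, "data": data, "process": process,
               "dll": None, "export": None, "target_dir": None, "ixp_index": None,
               "is_wextract_cleanup": False}
        m = CMD_RE.match(data)
        if m and m.group(1).lower() in ("rundll32", "rundll32.exe"):
            rec["dll"], rec["export"] = m.group(2), m.group(3)
            rec["target_dir"] = m.group(4).strip().strip('"').rstrip("\\")
            ixp = IXP_RE.search(rec["target_dir"])
            rec["ixp_index"] = int(ixp.group(1)) if ixp else None
            rec["is_wextract_cleanup"] = (
                key.lower().endswith("\\runonce")
                and value_name.lower().startswith("wextract_cleanup")
                and rec["dll"].lower().rsplit("\\", 1)[-1] == "advpack.dll"
                and rec["export"] == "DelNodeRunDLL32"
            )
        records.append(rec)
    return records


def extraction_chain(records):
    """Order the self-extractor layers: which process unpacked into which IXP folder."""
    layers = [r for r in records if r["is_wextract_cleanup"] and r["ixp_index"] is not None]
    return [(r["process"], r["target_dir"]) for r in sorted(layers, key=lambda r: r["ixp_index"])]


if __name__ == "__main__":
    recs = parse_runonce_rows(RUN_KEY_ROWS)
    for depth, (proc, folder) in enumerate(extraction_chain(recs)):
        print("  " * depth + f"{proc} -> {folder}")
    for r in recs:
        if not r["is_wextract_cleanup"]:
            print(f"not a WEXTRACT cleanup entry: {r['key']}\\{r['value_name']} ({r['process']})")
```

The cleanup values are worth parsing rather than merely flagging because they survive after the IXP00N.TMP folders themselves are deleted at the next logon: the value name gives the layer index, the data gives the folder path, and the writing process identifies the stub for that layer, which is exactly the chain the Processes tree shows.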
Network
MITRE ATT&CK Enterprise v15
Downloads
Six distinct files; the source listed each one twice and the duplicates are collapsed here.

Filesize: 717KB
MD5: 82a9e11d65283faee9a133e60e38408d
SHA1: c461d5a0ba79b73fd8e48f818c6ee4f48831d296
SHA256: c928b1c12d5174917d1535dfd02042ceb0236391df1150835dada8b34570ffb6
SHA512: 98c7b235cac2cadc1904c2545bdc8fa6271a4232d2f35d8f9dcc83712827f137abb35ceff15e941ae74289f777f6f876fb48778c357c3034e46e3bef7b079eff

Filesize: 788KB
MD5: f286c63ae193269fe4096e5b63ac66eb
SHA1: f690c7f1d755c0394f38d7b52e52d30c0d777aab
SHA256: 30fa2e5527428d7ed412c34c0d68ce330fe3bfef4d93b4cd42333077b03fbd34
SHA512: cd1c1b8bbdb82213fbc399d66c82abfb773725b74bb41c05fed6577d3f01e2c8f6f834de272c0f3f610564543f47e1c51af5ccbbf467b81b3995de8a57fbc71d

Filesize: 529KB
MD5: f5753fbbd7e5e53e6217934ec7ac9305
SHA1: fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53
SHA256: ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24
SHA512: 4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Filesize: 426KB
MD5: 603b8ae14a94ed14bc9a1315bb86b70a
SHA1: 12162c06436dec3e701f478f3f5b367e005a78e3
SHA256: d3eb5e47e148bb63ffa32afa7c6f38069b1a6fbaf20260e64ed7b27de3d6a7b3
SHA512: 2396d0343d5559b8b759f4a88dde94b4e8d41615cc3f117eb6f71bf6c5630dff783911d57b421e0edb80c8ed466bd4f6493918a5c49e300d6328d5833b837794

Filesize: 369KB
MD5: 8e6321145e94770804efd0b7f0476c23
SHA1: fcce7837cb406ef7b29172604d88f89aef03684a
SHA256: 0dda525a242b05cd308ac7534749c53a75600096cd6cb9658856020b003e573a
SHA512: 93ecf4ad8d3b2f7c619dd3243e931c0de9ea07dc1b5ad08f53d88d5f471cf6d8c0087ded918f8d191c57910f386a307aecab985d8a45fdab6aa45a5a80a1c7bd

Filesize: 408KB
MD5: 9f0d45e8731c26f6b23b3d48f6f6c4a5
SHA1: 4c4af3e08f306aac082cb679f352803b075f52a8
SHA256: d4ef70c8edfecbb6d528f3109f214f8222b6b680f2b4dc3cf13e61705d5dd04c
SHA512: d63e42296d6287cc1a29907cd5dea47b3789efe66942fcabb2c30a7888fc1e85fa44fef86185a8b537cecdda41857c14e84f65213ec5b8b1c7cca8e6972f8cf8