Analysis
max time kernel: 107s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/11/2023, 14:56
Static task: static1
Behavioral task: behavioral1
Sample: ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe
Resource: win10v2004-20231023-en
General
Target: ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe
Size: 1.2MB
MD5: 1966db4c9273aad741f19080a155f754
SHA1: 56eeedd20c29e388a102ec400f6136141604d52b
SHA256: ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113
SHA512: 58d86462755bbb67a59682ef3380d9dcbca5a9de797e9d8148bde4d75cd4e4603eef4d2b27f1a7024bb3b0008a0e85f70ec0bb349ddbd4c39abcd5f89d114b08
SSDEEP: 24576:Typ/bj4s2aMUH1R8f7t6M9x+pD0ko6FdYz/+WkmQrz84o:m13lMUH1cLxe0U+amQP
Malware Config
Extracted
redline
taiga
5.42.92.51:19057
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/3052-21-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3052-23-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3052-22-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3052-25-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral1/memory/1216-29-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

Executes dropped EXE (5 IoCs)
pid | Process
544 | Ut3pt93.exe
3884 | rH8wA78.exe
2668 | 11iX6412.exe
4824 | 12IN980.exe
4124 | 13ur681.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Ut3pt93.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | rH8wA78.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2668 set thread context of 3052 | 2668 | 11iX6412.exe | 98
PID 4824 set thread context of 1216 | 4824 | 12IN980.exe | 105

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1544 | 3052 | WerFault.exe | 98
4780 | 3052 | WerFault.exe | 98

Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target
PID 3616 wrote to memory of 544 | 3616 | ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe | 91
PID 3616 wrote to memory of 544 | 3616 | ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe | 91
PID 3616 wrote to memory of 544 | 3616 | ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe | 91
PID 544 wrote to memory of 3884 | 544 | Ut3pt93.exe | 92
PID 544 wrote to memory of 3884 | 544 | Ut3pt93.exe | 92
PID 544 wrote to memory of 3884 | 544 | Ut3pt93.exe | 92
PID 3884 wrote to memory of 2668 | 3884 | rH8wA78.exe | 93
PID 3884 wrote to memory of 2668 | 3884 | rH8wA78.exe | 93
PID 3884 wrote to memory of 2668 | 3884 | rH8wA78.exe | 93
PID 2668 wrote to memory of 1848 | 2668 | 11iX6412.exe | 97
PID 2668 wrote to memory of 1848 | 2668 | 11iX6412.exe | 97
PID 2668 wrote to memory of 1848 | 2668 | 11iX6412.exe | 97
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 2668 wrote to memory of 3052 | 2668 | 11iX6412.exe | 98
PID 3884 wrote to memory of 4824 | 3884 | rH8wA78.exe | 102
PID 3884 wrote to memory of 4824 | 3884 | rH8wA78.exe | 102
PID 3884 wrote to memory of 4824 | 3884 | rH8wA78.exe | 102
PID 3052 wrote to memory of 1544 | 3052 | AppLaunch.exe | 104
PID 3052 wrote to memory of 1544 | 3052 | AppLaunch.exe | 104
PID 3052 wrote to memory of 1544 | 3052 | AppLaunch.exe | 104
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 4824 wrote to memory of 1216 | 4824 | 12IN980.exe | 105
PID 544 wrote to memory of 4124 | 544 | Ut3pt93.exe | 106
PID 544 wrote to memory of 4124 | 544 | Ut3pt93.exe | 106
PID 544 wrote to memory of 4124 | 544 | Ut3pt93.exe | 106
Processes
(indentation follows process-tree depth; the bracketed number is the depth reported by the sandbox)

[1] PID 3616  C:\Users\Admin\AppData\Local\Temp\ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ce1d911aacfe04d7402e5091360c970f3300b97598395857d7f995b69db0f113.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] PID 544  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut3pt93.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ut3pt93.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] PID 3884  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rH8wA78.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rH8wA78.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            [4] PID 2668  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11iX6412.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\11iX6412.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                [5] PID 1848  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                [5] PID 3052  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Suspicious use of WriteProcessMemory
                    [6] PID 1544  C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 540
                        - Program crash
                    [6] PID 4780  C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 540
                        - Program crash
            [4] PID 4824  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12IN980.exe
                cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\12IN980.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                [5] PID 1216  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [3] PID 4124  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13ur681.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\13ur681.exe
            - Executes dropped EXE
    [2] PID 3900  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14Bi903.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\14Bi903.exe
        [3] PID 3316  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
[1] PID 564  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3052 -ip 3052
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 717KB
MD5: e39d1dd228f12fecc5e49d0fe773ff3a
SHA1: 37bca0f20db407f5b513c9c5266375dbed7b20e3
SHA256: 7e606dd072802818b03731c9aa0aa59f7cafe268f0b45c7843c719fca3e52b26
SHA512: 4b16cb49fec6e59f31627b82009c8b38e33298484a5609c0c82e7956e78cad48c0d01a5e7113fdf7a12eab0d381425fd4c8183543ca98992b0a51984f1ae5943

Filesize: 788KB
MD5: 6ed8bc92471c9167e25e78e1c5cf81bc
SHA1: 6de739a21891f719b861c5d6b0c791a3f4989c4b
SHA256: f4430c994dc6ec1ef58e41541dec8c7c91d1e81fb5ecedcf34ce1952e6e1ace4
SHA512: 745858f47b66bb327067ae3b7b4c887a9d37d49bcd62da5198ab7b87a5672341cdab12eab5fd338c40b52a2b632267e75abee75a64beecfc91d6def413878d82

Filesize: 529KB
MD5: f5753fbbd7e5e53e6217934ec7ac9305
SHA1: fe0a1fe8e514d9538149eedb5ceb0e4b6af9dc53
SHA256: ea0b316b2303027873752d44ea1a11a63f08c85f54431954c750f844fc087f24
SHA512: 4942cbe593e4cf4b1f48d8e13aebd3e7aa37f1621f98a343ebac61d72804c88cbe4f2b4c7998bf7e962af318d6a5acbe21a51c5f6ded24746e90fe4fed188d17

Filesize: 426KB
MD5: 8256ebfe6d9058d08d3549f09fe11014
SHA1: f82e7d1e4964a3077eb73631890ad95b0dd50701
SHA256: 4a27217f66cd198cf6113c93287e329d19646ee0c19f0e6df3bd6c1803b2c0c0
SHA512: ef25b4b19d66a93171e0ced4b5ffd3ef108ce0d687e6e33c02446e4011dc6de59240da57d0ed612ebf32839ce270c906411e3b448dd23bb98caee4c344664449

Filesize: 369KB
MD5: ebbbfcf56012da92781d4e957895dbfd
SHA1: da2272ef5f08bb73a21a9dcc2cb81d087447cf2d
SHA256: 6db5415086402fc49dc6fa6ef28e0d2f53f66788dfdbb23f3fbad658df94020a
SHA512: 2cd23d1f1777c110f7e2e4dd56ba35cdffdb20ca217c2c42d089dfb3a140d09d5a0857c3ce2b518265d6995056c39f141e3f46274129bf863b04925221c0c89d

Filesize: 408KB
MD5: bb6a832bf26e91ddcf78821d34a53102
SHA1: 5f867b0d5c42e900fbc0455048e58f185cfefbbb
SHA256: e22251ce626be5bd7708b3be9c517a4c973aa57b07608b385ef3a7179fc949ac
SHA512: 26e6bcb73ddcdd77721de40cd4b049fd33266238e2e4cb801c85b30ad14f7d6fd9d6daf0ada1e3ec8514d8443d9cd894e717deff982d74c75fdf65b135f7aa8a