Analysis
max time kernel: 138s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/11/2023, 02:19
Static task: static1
Behavioral task: behavioral1
Sample: c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe
Resource: win10v2004-20231023-en
General
Target: c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe
Size: 373KB
MD5: 896200690a2a6ace88febc8b4ecb59f7
SHA1: d3eb645567d656612bf76cd42a510bbd5fa8196b
SHA256: c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7
SHA512: dad6d27cc465d112d5e8dd4ac2f1ae20e20ac474b33088945207084586173dd8a270647352850b121c2168f116845a343be314ce5f088c4308aa9809bae373e3
SSDEEP: 6144:K3y+bnr+Vp0yN90QEEsrTqIhsgUGsz7ceTP7qvH84+IgRq9EoDCKff5KJSP9jF2y:NMrxy90zlhlUJzXiU4+LqlewP2LO
Malware Config
Extracted
Family: redline
Botnet: taiga
C2: 5.42.92.51:19057
Signatures

Detect Mystic stealer payload (4 IoCs)
resource | yara_rule
behavioral1/memory/3280-7-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3280-8-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3280-9-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral1/memory/3280-11-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoCs)
resource | yara_rule
behavioral1/memory/4812-15-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline

Executes dropped EXE (2 IoCs)
pid | Process
3524 | 3Ab800Bd.exe
4884 | 5yA16Xw.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3524 set thread context of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 4884 set thread context of 4812 | 4884 | 5yA16Xw.exe | 95

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2768 | 3280 | WerFault.exe | 86

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 552 wrote to memory of 3524 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 84
PID 552 wrote to memory of 3524 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 84
PID 552 wrote to memory of 3524 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 84
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 3524 wrote to memory of 3280 | 3524 | 3Ab800Bd.exe | 86
PID 552 wrote to memory of 4884 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 90
PID 552 wrote to memory of 4884 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 90
PID 552 wrote to memory of 4884 | 552 | c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe | 90
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
PID 4884 wrote to memory of 4812 | 4884 | 5yA16Xw.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c05591f745cbabd44158ae3823bb58f230c0d8acb2210502d626e1724265d0b7.exe"
  PID: 552
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3Ab800Bd.exe
    PID: 3524
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 3280
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 540
        PID: 2768
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5yA16Xw.exe
    PID: 4884
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      PID: 4812
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3280 -ip 3280
  PID: 1156
Downloads

Filesize: 276KB
MD5: 46a1cccb22ff83973d7613ec41cc30a8
SHA1: 782ad709284f5e39f726f694186258ea90afd469
SHA256: ff8b3c2650cc92971963a2d03fef8acec4ca9f2f6564a6850ae1d60cf53a0bef
SHA512: 26e71da3e144d3b60adfb75c556d9dfaa5ffb9b1f4aab5690157cf9588aa13a17cda62f506169a7a089bd2a5ee45b8f303e263e7ef2c1366dcb5a4111ca9f833

Filesize: 315KB
MD5: 2d5d1d321ed12e197ccc8374dcd756cd
SHA1: 630240304b96ddb34b862ed906d9805f7ef5cdd9
SHA256: cba2f58c33f02b73b27a8793dc8e7757fc3df34642f226ff49d25a742acd1b07
SHA512: 19966e3e1479e0b537848c71c20a744fba05adf38ecfb150a898ed058a8f757988f9a4bf99d060661ed9cd5ab87bc57e83d7d9069670cee43fb9b9968f54517d