Analysis
  max time kernel: 136s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231023-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16/11/2023, 21:41
  Static task: static1
  Behavioral task: behavioral1
  Sample: NEAS.d57c570e6aa9b0c20fdbeb08c0cbf750.exe
  Resource: win10v2004-20231023-en
General
  Target: NEAS.d57c570e6aa9b0c20fdbeb08c0cbf750.exe
  Size: 892KB
  MD5: d57c570e6aa9b0c20fdbeb08c0cbf750
  SHA1: 71be60159d0fb44ccc88d3562f1c575fadf486fd
  SHA256: ca6fb1056ad147526c05d64ff88ef7d6b904c5d1e70eca73dfc446ef3c6586d0
  SHA512: 9b42d68bf80329af9d7cd5c3d66128035e0fa7fc3dda5d614a88a74dab0a47dceff06be684b37d696121a3ff7f48b6d7b4e362fa37516ebd5649c57ca71a6424
  SSDEEP: 24576:hyNxCHPsDCH4Kxumk3y+B69hVOjT+TeLPpoJYLh:UNxSPssvEaOjaTe7poJYL
Malware Config
  Extracted
    family: redline
    botnet: taiga
    C2: 5.42.92.51:19057
Signatures

Detect Mystic stealer payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3048-14-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/3048-17-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/3048-18-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family
  behavioral1/memory/3048-20-0x0000000000400000-0x0000000000433000-memory.dmp  mystic_family

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/1348-22-0x0000000000400000-0x000000000043C000-memory.dmp  family_redline

Executes dropped EXE (4 IoCs)
  pid   Process
  1436  GX3HD35.exe
  3504  11lo5072.exe
  4884  12lo907.exe
  1552  13Jf695.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by NEAS.d57c570e6aa9b0c20fdbeb08c0cbf750.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Set value (str) by GX3HD35.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process       procid_target
  PID 3504 set thread context of 3048  3504  11lo5072.exe  96
  PID 4884 set thread context of 1348  4884  12lo907.exe   106
  PID 1552 set thread context of 2664  1552  13Jf695.exe   117

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  3076  3048        WerFault.exe  96
  4136  2664        WerFault.exe  117

Suspicious use of WriteProcessMemory (39 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.d57c570e6aa9b0c20fdbeb08c0cbf750.exe  (PID 5044)
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.d57c570e6aa9b0c20fdbeb08c0cbf750.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX3HD35.exe  (PID 1436)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GX3HD35.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11lo5072.exe  (PID 3504)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11lo5072.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3048)
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

                C:\Windows\SysWOW64\WerFault.exe  (PID 3076)
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 540
                    - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lo907.exe  (PID 4884)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12lo907.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1348)
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Jf695.exe  (PID 1552)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\13Jf695.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2664)
            command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

            C:\Windows\SysWOW64\WerFault.exe  (PID 4136)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 836
                - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 3740)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe  (PID 3844)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2664 -ip 2664
Downloads