Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231025-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/11/2023, 03:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: NEAS.e358b45fd5d749157a0dab83f8487130.exe
- Resource: win10v2004-20231025-en
General
- Target: NEAS.e358b45fd5d749157a0dab83f8487130.exe
- Size: 400KB
- MD5: e358b45fd5d749157a0dab83f8487130
- SHA1: 761d0d798b508382d03d6d6bf3282020969c085f
- SHA256: 980b0532bf7508e78c9ace1ef315105a76ed8dfd6f19d0417c5116cbe94c0fc3
- SHA512: 5fbe898d6b5836a07bf8fcfed9601f51991275cc5f23690f43c98560a93a89f1942fa0dba39f1a7953afd155e1c68a7b55a90da4e230df797a8e8079c4753c54
- SSDEEP: 6144:KVy+bnr+Bp0yN90QElMw4UFYvVSlvUdgqA5OLQJHNRjX3a41KSnThPCOgy:PMrVy90/4UF3viS5OL43XKHS9Chy
Malware Config
Extracted
- Family: redline
- Botnet: taiga
- C2: 5.42.92.51:19057
Signatures
- Detect Mystic stealer payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1284-7-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/1284-9-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/1284-11-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral1/memory/1284-8-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  All four hits are dumps of the same 0x400000-0x433000 region in PID 1284, the AppLaunch.exe instance spawned by 3bd934uq.exe.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoCs)
  resource | yara_rule
  behavioral1/memory/4796-15-0x0000000000400000-0x000000000043C000-memory.dmp | family_redline
  PID 4796 is the second AppLaunch.exe instance, the one spawned by 4Lg4CB6.exe.
- Executes dropped EXE (2 IoCs)
  pid | Process
  4960 | 3bd934uq.exe
  1752 | 4Lg4CB6.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" by NEAS.e358b45fd5d749157a0dab83f8487130.exe
  Caveat: this RunOnce value is the standard cleanup hook written by the Windows IExpress self-extractor (wextract), which unpacks into %TEMP%\IXP000.TMP and schedules deletion of that directory via advpack.dll DelNodeRunDLL32 at next logon. It identifies the sample as an IExpress-packaged dropper; it is not persistence for the payload.
- Suspicious use of SetThreadContext (2 IoCs)
  pid | Process | target pid | procid_target
  4960 | 3bd934uq.exe | 1284 | 89
  1752 | 4Lg4CB6.exe | 4796 | 96
  Read together with the WriteProcessMemory rows below: each dropped EXE starts a 32-bit .NET Framework host (AppLaunch.exe under Framework\v4.0.30319, not Framework64), writes its payload into it and redirects the thread context into the written code, i.e. process hollowing. The YARA hits above land on exactly these two target PIDs.
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  3956 | 1284 | WerFault.exe | 89
  The crashing process is the AppLaunch.exe instance hosting the Mystic payload; no crash is recorded for the RedLine instance (PID 4796).
- Suspicious use of WriteProcessMemory (24 IoCs)
  pid | Process | target pid | procid_target | calls logged
  4232 | NEAS.e358b45fd5d749157a0dab83f8487130.exe | 4960 | 88 | 3
  4960 | 3bd934uq.exe | 1284 | 89 | 10
  4232 | NEAS.e358b45fd5d749157a0dab83f8487130.exe | 1752 | 92 | 3
  1752 | 4Lg4CB6.exe | 4796 | 96 | 8
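The signature tables above are flat lists of API calls; what an analyst actually wants is the injection graph they imply. The script below is an added example, not sandbox output: it rebuilds the two hollowing chains from constructed copies of the WriteProcessMemory, SetThreadContext and YARA rows on this page, attributes each memory-dump family to the hollowed target, and walks the write edges back to the dropper. The list of commonly hollowed host images is an illustrative assumption.

```python
"""Correlate sandbox injection telemetry into process-hollowing chains.

Added example for this report, not output of the sandbox itself. The event
lists below are constructed from the rows in the "Suspicious use of
WriteProcessMemory", "Suspicious use of SetThreadContext" and YARA signature
tables; the set of hollow-host images is an illustrative assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed from the process tree: pid -> image name.
PROCESSES = {
    4232: "NEAS.e358b45fd5d749157a0dab83f8487130.exe",
    4960: "3bd934uq.exe",
    1284: "AppLaunch.exe",
    1752: "4Lg4CB6.exe",
    4796: "AppLaunch.exe",
    3956: "WerFault.exe",
    3660: "WerFault.exe",
}

# (api, source_pid, target_pid), one tuple per logged call. Repeats are kept:
# the report lists each call, and the per-pair count is itself a signal.
EVENTS = (
    [("WriteProcessMemory", 4232, 4960)] * 3
    + [("WriteProcessMemory", 4960, 1284)] * 10
    + [("WriteProcessMemory", 4232, 1752)] * 3
    + [("WriteProcessMemory", 1752, 4796)] * 8
    + [("SetThreadContext", 4960, 1284), ("SetThreadContext", 1752, 4796)]
)

# (pid, yara_rule) for each memory dump that matched.
YARA_HITS = [(1284, "mystic_family")] * 4 + [(4796, "family_redline")]

# Signed Microsoft binaries that loaders routinely hollow (assumption: illustrative list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}


@dataclass
class HollowChain:
    injector_pid: int
    injector: str
    target_pid: int
    target: str
    writes: int
    families: list = field(default_factory=list)


def find_hollowing(processes, events, yara_hits):
    """Pair WriteProcessMemory and SetThreadContext on the same (src, dst) edge.

    A parent writing into its freshly spawned child (4232 -> 4960 here) with no
    SetThreadContext is normal dropper behaviour and is not reported; the
    write-then-redirect-thread combination is what characterises hollowing.
    """
    writes = defaultdict(int)
    redirected = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            redirected.add((src, dst))

    families = defaultdict(list)
    for pid, rule in yara_hits:
        if rule not in families[pid]:
            families[pid].append(rule)

    return [
        HollowChain(src, processes.get(src, "?"), dst, processes.get(dst, "?"),
                    writes.get((src, dst), 0), families.get(dst, []))
        for src, dst in sorted(redirected)
    ]


def is_hollowed_lolbin(chain):
    """True when the injection target is a known signed host image."""
    return chain.target.lower() in HOLLOW_HOSTS


def lineage(processes, events, pid):
    """Walk WriteProcessMemory edges back to the root to recover the spawn chain.

    In this report the parent's writes into a new child are logged too, so the
    write graph doubles as a parent graph (assumption: one writer per target).
    """
    parent = {dst: src for api, src, dst in events if api == "WriteProcessMemory"}
    path = [pid]
    while path[-1] in parent and parent[path[-1]] not in path:
        path.append(parent[path[-1]])
    return [processes.get(p, "?") for p in reversed(path)]


if __name__ == "__main__":
    for chain in find_hollowing(PROCESSES, EVENTS, YARA_HITS):
        print(f"{chain.injector} ({chain.injector_pid}) -> {chain.target} ({chain.target_pid}): "
              f"{chain.writes} writes, payload={chain.families or 'unknown'}, "
              f"lolbin_host={is_hollowed_lolbin(chain)}")
        print("  lineage:", " -> ".join(lineage(PROCESSES, EVENTS, chain.target_pid)))
```

The point of keying on the (writer, target) edge rather than on either API alone is precision: the dropper's three writes into each child it spawns look identical to the loader's writes in a raw event list, but only the loaders also call SetThreadContext, and only their targets carry the stealer YARA hits. The same join works on EDR telemetry that exposes cross-process write and thread-context events.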
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.e358b45fd5d749157a0dab83f8487130.exe (PID 4232)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e358b45fd5d749157a0dab83f8487130.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3bd934uq.exe (PID 4960)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3bd934uq.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1284)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - C:\Windows\SysWOW64\WerFault.exe (PID 3956)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 540
        signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Lg4CB6.exe (PID 1752)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4Lg4CB6.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4796)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 3660)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1284 -ip 1284
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 319KB
  MD5: 4a868c16482f0ab8800d3f1eff627a9b
  SHA1: c4527bdfb9929627534ca2299d858757e243bbe2
  SHA256: bda2de9cf44b5c317144c8eef0e229740fda2b537e8c233c1d2117c6942ac3ee
  SHA512: cc1cfeb3591ecb3d48783f5710dc0bbbe03273f778cec76ba42eb3194f6f8b84e100f73b8ba4fdab49c1c626ac73006de62d327ec5759c0015e1895456f12f10
- Filesize: 358KB
  MD5: 208775d53d5962c2646324462f33c659
  SHA1: fe220fbe4b9ee76e2f16d3612893c163136ece4e
  SHA256: 7825250a68803aaab13abd864eeb95573ada5acc6605b25239eee1dbbd0ba42c
  SHA512: d346cf7ac9d69acceb7a72b4ea1834432eb906cb93217e2b5213fedfd0664c8069e62c72c69a96e3f866e84cfd68545ccf594d269079b86bb0b3fa1f152403fe