Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0bd57c625c...1b.exe

windows10-2004-x64

10

0e85c02906...31.exe

windows10-2004-x64

10

1ad22f7c20...da.exe

windows10-2004-x64

10

2f0934382a...84.exe

windows7-x64

10

2f0934382a...84.exe

windows10-2004-x64

10

421c712a06...0d.exe

windows10-2004-x64

10

4958361c2a...c0.exe

windows10-2004-x64

10

4ee34ec273...69.exe

windows10-2004-x64

10

54ae781e47...0d.exe

windows10-2004-x64

10

597fd86cf2...51.exe

windows10-2004-x64

10

5af8e5b632...c7.exe

windows10-2004-x64

10

5edd2b7f66...17.exe

windows10-2004-x64

10

5eee268a87...c9.exe

windows10-2004-x64

10

65a4c04d9e...25.exe

windows10-2004-x64

10

6d2e6d5049...21.exe

windows10-2004-x64

10

77dcf40927...b4.exe

windows10-2004-x64

10

8c279e4e62...12.exe

windows10-2004-x64

10

8ee3fa55ce...d5.exe

windows10-2004-x64

10

8efb2f072c...7a.exe

windows10-2004-x64

10

a717651d7f...a0.exe

windows10-2004-x64

10

cecc5213e2...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/05/2024, 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe

  • Size

    382KB

  • MD5

    4d8700ac9e259e9c05ccb05abcd3e55b

  • SHA1

    3ca1f31e449c427a5223165abee3858b8d3a1bc6

  • SHA256

    5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917

  • SHA512

    a52da5997013a09ab0fbcc5516eba9eee0bc6fb971294d8ca48b985a1d2030c495493d02eb7d7646b67787816ba65ad67331aa08411944dede4301d1b01e28cb

  • SSDEEP

    6144:KUy+bnr+Xp0yN90QEvNhYCAaMbdsJNuYI50Y/BJf9+aOwYSlup:MMrny90xNhCbdsLxI+Yd+9w6p

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe
    "C:\Users\Admin\AppData\Local\Temp\5edd2b7f663bf0a7b691bb6245a12b15994b2b4ad9c92c369111de2c68731917.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:1524
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 540
            4⤵
            • Program crash
            PID:1780
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 584
          3⤵
          • Program crash
          PID:3700
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
        2⤵
        • Executes dropped EXE
        PID:5060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1524 -ip 1524
      1⤵
        PID:4216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2500 -ip 2500
        1⤵
          PID:3608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1ma43UZ9.exe
          Filesize

          295KB

          MD5

          314f30b53027f3d7812a7ecc57c2be0d

          SHA1

          35b82de4d7a1bc2cee9d10b7de26616bad1271bd

          SHA256

          460cacca4c0d9d81113eeaeaac4b343acd2e4347dd129183cbd2f58eddfbb9f7

          SHA512

          fe4007c43e1896d3657486f170334ae5a20fd97ca282e2bdeb8783c96c3bbaad046fd81681355652a61bc79f33514f2be5b87d4ab7c404c2a65ad21b1434a480

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2qB706de.exe
          Filesize

          222KB

          MD5

          9b74f1c10b3f8287121fae55eb49628a

          SHA1

          18704ab838447c92b72d8232f8b58c365bde7a81

          SHA256

          1ef108d65269eb110a6f0ef126353b41ca9f086b909bec23dabefb15024eb1fd

          SHA512

          5bcb8cc16d6da308bd0f386a2cfdb2bec091963c4bb97c08487741774d1eebd03836fee6bfb1068fa9369d19f3e41164e3dc073ecaf61eec6bca3abf47a39a52

          Download Submit

        • memory/1524-7-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1524-9-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1524-11-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1524-8-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/5060-17-0x0000000008130000-0x00000000086D4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5060-16-0x0000000000CA0000-0x0000000000CDE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/5060-15-0x00000000742BE000-0x00000000742BF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5060-18-0x0000000007C20000-0x0000000007CB2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5060-19-0x0000000002FE0000-0x0000000002FEA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5060-20-0x00000000742B0000-0x0000000074A60000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5060-21-0x0000000008D00000-0x0000000009318000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/5060-22-0x0000000007F50000-0x000000000805A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/5060-23-0x0000000007C00000-0x0000000007C12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/5060-24-0x0000000007DF0000-0x0000000007E2C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/5060-25-0x0000000007E40000-0x0000000007E8C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5060-26-0x00000000742BE000-0x00000000742BF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5060-27-0x00000000742B0000-0x0000000074A60000-memory.dmp

          Filesize

          7.7MB

          Download