Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
133s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/05/2023, 18:35
General
-
Target
8783fd2ba3d6dd34e1331f206c46275ae8f1176d013418ee6adc6f64c70aa3f3.exe
-
Size
479KB
-
MD5
a721e73b38c729697463ef1c07bc2a00
-
SHA1
6f6d263358198952f4388c9db91cd585ae2b02a4
-
SHA256
8783fd2ba3d6dd34e1331f206c46275ae8f1176d013418ee6adc6f64c70aa3f3
-
SHA512
384b34d4c531656fc61203447ceab05e07301b12b0577397bf99c428161367e326d0350b85a1c6f5a880e9c9e2796509990a72f825c4c246e50c2be0adbfe05f
-
SSDEEP
12288:lMrGy904gYtGb/PMV6hrTtBTolYCPfMndf:7y5BtGb3/TokN
Malware Config
Extracted
redline
daris
217.196.96.56:4138
-
auth_value
3491f24ae0250969cd45ce4b3fe77549
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8783fd2ba3d6dd34e1331f206c46275ae8f1176d013418ee6adc6f64c70aa3f3.exe"C:\Users\Admin\AppData\Local\Temp\8783fd2ba3d6dd34e1331f206c46275ae8f1176d013418ee6adc6f64c70aa3f3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2425215.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2425215.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8727957.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8727957.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5134415.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5134415.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5185274.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5185274.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
308KB
MD5bb43480ad24c02ff323450d73929f755
SHA13dabc91e10135d73f7164e695a191f9a663854fe
SHA256806b7bc1152c80875a7ef7c6b32dddded0b24fa49d1a3ebfb476849ef027b073
SHA5124aa9bfb76dac2bfe6dc0fa5be40941638e9db1ac9dbf1b3b04f668ce7df444c83883d4b6f309e1fd8a01084e8bbc7192efcca8e8bb6f2c71a9fa376e0f4033bd
-
Filesize
308KB
MD5bb43480ad24c02ff323450d73929f755
SHA13dabc91e10135d73f7164e695a191f9a663854fe
SHA256806b7bc1152c80875a7ef7c6b32dddded0b24fa49d1a3ebfb476849ef027b073
SHA5124aa9bfb76dac2bfe6dc0fa5be40941638e9db1ac9dbf1b3b04f668ce7df444c83883d4b6f309e1fd8a01084e8bbc7192efcca8e8bb6f2c71a9fa376e0f4033bd
-
Filesize
168KB
MD51964a0f70bf2622ed2dd509a6f068501
SHA1f2aeeca71a14492f97a46927aff1bff613997fb0
SHA256f8de1a523be05c5ef8c763cd51f2bee994723dc03a90235d4cb4717142c58845
SHA5125a1fb42f761b5a8337115304a740713416646f5de53ccae8452c58644e8aa185689101f103369315380a97400c01dc712611ce0f45937508c31c1b60bfe7a27d
-
Filesize
168KB
MD51964a0f70bf2622ed2dd509a6f068501
SHA1f2aeeca71a14492f97a46927aff1bff613997fb0
SHA256f8de1a523be05c5ef8c763cd51f2bee994723dc03a90235d4cb4717142c58845
SHA5125a1fb42f761b5a8337115304a740713416646f5de53ccae8452c58644e8aa185689101f103369315380a97400c01dc712611ce0f45937508c31c1b60bfe7a27d
-
Filesize
179KB
MD5f26fcfb8419aab93f2421ffa061b0903
SHA11c0e85d69796a4db126bc843df31659a6cbc2581
SHA2565a0acfa53b12eb94a4efb74c92b292f8a2b3da57c33fab1b35afbdb0762a2aaa
SHA5124fb156485380684719e606804b61956a12c0ee69cc72315d6dc1963d5ffa3927f95ceb5ceca3f8b988d81632b9d353d42981600279ee42e8c8fe07ba407cda25
-
Filesize
179KB
MD5f26fcfb8419aab93f2421ffa061b0903
SHA11c0e85d69796a4db126bc843df31659a6cbc2581
SHA2565a0acfa53b12eb94a4efb74c92b292f8a2b3da57c33fab1b35afbdb0762a2aaa
SHA5124fb156485380684719e606804b61956a12c0ee69cc72315d6dc1963d5ffa3927f95ceb5ceca3f8b988d81632b9d353d42981600279ee42e8c8fe07ba407cda25
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
206KB
MD505544937ec684113f602d348504dc80d
SHA170d82b79eb397262ef236fc23b53e65a17eac2c1
SHA2565fa9c5b9a1c9ed0b2ddb2e09729e2feb9e933d253461c0393f40673f981b61f7
SHA512506118f069fe740d1a2a15be11bb9950699d224666dd9e7d28dbb0dd0e6cdd05aa11a2abcbd049e568bc35c69b363690f4d373091e9e5f5be3ac73a3ce59b51d
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
184KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB