Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2023, 18:41
Static task
static1
Behavioral task
behavioral1
Sample
9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe
Resource
win10v2004-20230220-en
General
-
Target
9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe
-
Size
590KB
-
MD5
19b833678c3c27ae48d68776b5b15b3c
-
SHA1
285ca45f41ac463a4e2ce25df9d758c29c963e71
-
SHA256
9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459
-
SHA512
39d97fcde67025df754f9da5fa17e012116607a71561a10ecd688e14f52e9bf0ef43926f3ea2b6e057410b0841754ec8e41d6d46b19d4ed00cabcba81e42bd2f
-
SSDEEP
12288:/Mrny90VVX8/nEa7+KaeEDPNRs8djqKHIb2RS9FO/cR1Dw67qnX:0ymVM8a7+KvEDPQ8djqygFFIcR1DwvX
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/4272-148-0x0000000007620000-0x0000000007C38000-memory.dmp redline_stealer behavioral2/memory/4272-154-0x00000000075B0000-0x0000000007616000-memory.dmp redline_stealer behavioral2/memory/4272-159-0x0000000008AE0000-0x0000000008CA2000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h4483338.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h4483338.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h4483338.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h4483338.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h4483338.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h4483338.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation i8103379.exe Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 6 IoCs
pid Process 4400 x0252320.exe 4272 g6675168.exe 3600 h4483338.exe 2500 i8103379.exe 1008 oneetx.exe 3352 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 2008 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features h4483338.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h4483338.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x0252320.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x0252320.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1540 3600 WerFault.exe 88 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3512 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4272 g6675168.exe 4272 g6675168.exe 3600 h4483338.exe 3600 h4483338.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4272 g6675168.exe Token: SeDebugPrivilege 3600 h4483338.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2500 i8103379.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1780 wrote to memory of 4400 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 85 PID 1780 wrote to memory of 4400 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 85 PID 1780 wrote to memory of 4400 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 85 PID 4400 wrote to memory of 4272 4400 x0252320.exe 86 PID 4400 wrote to memory of 4272 4400 x0252320.exe 86 PID 4400 wrote to memory of 4272 4400 x0252320.exe 86 PID 4400 wrote to memory of 3600 4400 x0252320.exe 88 PID 4400 wrote to memory of 3600 4400 x0252320.exe 88 PID 4400 wrote to memory of 3600 4400 x0252320.exe 88 PID 1780 wrote to memory of 2500 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 91 PID 1780 wrote to memory of 2500 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 91 PID 1780 wrote to memory of 2500 1780 9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe 91 PID 2500 wrote to memory of 1008 2500 i8103379.exe 92 PID 2500 wrote to memory of 1008 2500 i8103379.exe 92 PID 2500 wrote to memory of 1008 2500 i8103379.exe 92 PID 1008 wrote to memory of 3512 1008 oneetx.exe 93 PID 1008 wrote to memory of 3512 1008 oneetx.exe 93 PID 1008 wrote to memory of 3512 1008 oneetx.exe 93 PID 1008 wrote to memory of 4496 1008 oneetx.exe 95 PID 1008 wrote to memory of 4496 1008 oneetx.exe 95 PID 1008 wrote to memory of 4496 1008 oneetx.exe 95 PID 4496 wrote to memory of 1132 4496 cmd.exe 97 PID 4496 wrote to memory of 1132 4496 cmd.exe 97 PID 4496 wrote to memory of 1132 4496 cmd.exe 97 PID 4496 wrote to memory of 2332 4496 cmd.exe 98 PID 4496 wrote to memory of 2332 4496 cmd.exe 98 PID 4496 wrote to memory of 2332 4496 cmd.exe 98 PID 4496 wrote to memory of 1712 4496 cmd.exe 99 PID 4496 wrote to memory of 1712 4496 cmd.exe 99 PID 4496 wrote to memory of 1712 4496 cmd.exe 99 PID 4496 wrote to memory of 4724 4496 cmd.exe 100 PID 4496 wrote to memory of 4724 4496 cmd.exe 100 PID 4496 wrote to memory of 4724 4496 cmd.exe 100 PID 4496 wrote to memory of 1460 4496 cmd.exe 101 PID 4496 wrote to memory of 1460 4496 cmd.exe 101 PID 4496 wrote to memory of 1460 4496 cmd.exe 101 PID 4496 wrote to memory of 1904 4496 cmd.exe 102 PID 4496 wrote to memory of 1904 4496 cmd.exe 102 PID 4496 wrote to memory of 1904 4496 cmd.exe 102 PID 1008 wrote to memory of 2008 1008 oneetx.exe 103 PID 1008 wrote to memory of 2008 1008 oneetx.exe 103 PID 1008 wrote to memory of 2008 1008 oneetx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe"C:\Users\Admin\AppData\Local\Temp\9dfc8f1ddcebee300b0170ddcce671840386e20d7de566de5560ec4997ab3459.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0252320.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0252320.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6675168.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6675168.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4483338.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4483338.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 10804⤵
- Program crash
PID:1540
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8103379.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8103379.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:3512
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1132
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:2332
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:1712
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4724
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵PID:1460
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵PID:1904
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:2008
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3600 -ip 36001⤵PID:4440
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
PID:3352
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
417KB
MD5fda5e47c3f4e4b02999f2d5016bfe15e
SHA1cad8f8416a676e44935fbeb83a939f5b2e97827b
SHA2565b0e101faf8c9f40bb22838a80d86c4edf1d701b3020d2d353c4c702b0d4ae70
SHA512acfece14736bfa1a8385022210d5073c481140d841b7c5802ad9ebb174d0a39145c29b06224a68d5a9e96f2fe1da575202a55cf5d59cd20cd66fc37ca04a670d
-
Filesize
417KB
MD5fda5e47c3f4e4b02999f2d5016bfe15e
SHA1cad8f8416a676e44935fbeb83a939f5b2e97827b
SHA2565b0e101faf8c9f40bb22838a80d86c4edf1d701b3020d2d353c4c702b0d4ae70
SHA512acfece14736bfa1a8385022210d5073c481140d841b7c5802ad9ebb174d0a39145c29b06224a68d5a9e96f2fe1da575202a55cf5d59cd20cd66fc37ca04a670d
-
Filesize
136KB
MD5fccc3a4c1b78f718f598cc9dedc38b5e
SHA167d3dbf9c5ca708edee1e5aea14bda6933ee0dbf
SHA256d65aaf0ccd57b3c8c07a6ac554a02e875da0b5ffdc2671e2d538daa0d34203a6
SHA5120fefaf5baa941f030bb7cf2499a45273a28215d8b7e9bc692585f97ae5e94cd19d969349fcaa079ae97aca91537e03f905843d3d2f1139f2963cceb7b5cc96f4
-
Filesize
136KB
MD5fccc3a4c1b78f718f598cc9dedc38b5e
SHA167d3dbf9c5ca708edee1e5aea14bda6933ee0dbf
SHA256d65aaf0ccd57b3c8c07a6ac554a02e875da0b5ffdc2671e2d538daa0d34203a6
SHA5120fefaf5baa941f030bb7cf2499a45273a28215d8b7e9bc692585f97ae5e94cd19d969349fcaa079ae97aca91537e03f905843d3d2f1139f2963cceb7b5cc96f4
-
Filesize
361KB
MD5fb27f46f42eff12b4e3bc8391f9f77c4
SHA1858ea1d2ac6c5bd9bd8ccf3403ceac8dd9f88937
SHA25609ee9ca22de1fe06489c6ac734ecc64de1b63171647a460e53b4b7ad907bc75a
SHA5121e2f001e5aa3b6378221a4dcf2251f352e5fd0b16298c461aba4abd87a04a79293fc1abe254cddf242982407089cb766da961fe35153d38b825474cbf3aa6fd9
-
Filesize
361KB
MD5fb27f46f42eff12b4e3bc8391f9f77c4
SHA1858ea1d2ac6c5bd9bd8ccf3403ceac8dd9f88937
SHA25609ee9ca22de1fe06489c6ac734ecc64de1b63171647a460e53b4b7ad907bc75a
SHA5121e2f001e5aa3b6378221a4dcf2251f352e5fd0b16298c461aba4abd87a04a79293fc1abe254cddf242982407089cb766da961fe35153d38b825474cbf3aa6fd9
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
204KB
MD5db9d6209ad744e8c1f68f7cc3fc57c99
SHA17cc104e44b1b46ec193aa01851d639b02c9462cc
SHA25613fb602affc31da0da72d01cf8d93ee835bbeb8877f243b9dc21f01c6fb46385
SHA51220ac50985509ec0e94cb2c90fe116b0710f27652be6450e35ca813572df019501945ac3dfc686472e1e7dfc4048bcb057b2b54e549ce27c9d4864c32c374ba1d
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5