Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
171s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2023, 20:30
Static task
static1
Behavioral task
behavioral1
Sample
f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe
Resource
win10v2004-20230220-en
General
-
Target
f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe
-
Size
1.1MB
-
MD5
dfcb9ad3bb5c4f8ca4928eaa87c55a85
-
SHA1
48622dd99d34ff918876e7a950758c6d50d233e4
-
SHA256
f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97
-
SHA512
d19efe6b7b35fda1f99352597f15a4ee5e68ae3ba68291072105d6af4143bf83d5f2a1ad2bb658935e89daebef49a6026962783f902b02fc2abd784034128e80
-
SSDEEP
24576:TycGFZvCy1R55vGKQCn/pbN4JddI50qdEU5GrUQHIriA:mcmCIPOKQwpQdTqtg
Malware Config
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/3168-1057-0x0000000007C60000-0x0000000008278000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" u16371270.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" u16371270.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" u16371270.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" u16371270.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" u16371270.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation w24RT54.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 9 IoCs
pid Process 4984 za822388.exe 2828 za927548.exe 408 za852115.exe 3544 55984350.exe 2252 u16371270.exe 4624 w24RT54.exe 2152 oneetx.exe 3168 xdNqk42.exe 4864 oneetx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" u16371270.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 55984350.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 55984350.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce za852115.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" za852115.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce za822388.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" za822388.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce za927548.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" za927548.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 732 2252 WerFault.exe 84 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1032 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3544 55984350.exe 3544 55984350.exe 2252 u16371270.exe 2252 u16371270.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3544 55984350.exe Token: SeDebugPrivilege 2252 u16371270.exe Token: SeDebugPrivilege 3168 xdNqk42.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4624 w24RT54.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 4276 wrote to memory of 4984 4276 f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe 80 PID 4276 wrote to memory of 4984 4276 f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe 80 PID 4276 wrote to memory of 4984 4276 f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe 80 PID 4984 wrote to memory of 2828 4984 za822388.exe 81 PID 4984 wrote to memory of 2828 4984 za822388.exe 81 PID 4984 wrote to memory of 2828 4984 za822388.exe 81 PID 2828 wrote to memory of 408 2828 za927548.exe 82 PID 2828 wrote to memory of 408 2828 za927548.exe 82 PID 2828 wrote to memory of 408 2828 za927548.exe 82 PID 408 wrote to memory of 3544 408 za852115.exe 83 PID 408 wrote to memory of 3544 408 za852115.exe 83 PID 408 wrote to memory of 3544 408 za852115.exe 83 PID 408 wrote to memory of 2252 408 za852115.exe 84 PID 408 wrote to memory of 2252 408 za852115.exe 84 PID 408 wrote to memory of 2252 408 za852115.exe 84 PID 2828 wrote to memory of 4624 2828 za927548.exe 89 PID 2828 wrote to memory of 4624 2828 za927548.exe 89 PID 2828 wrote to memory of 4624 2828 za927548.exe 89 PID 4624 wrote to memory of 2152 4624 w24RT54.exe 90 PID 4624 wrote to memory of 2152 4624 w24RT54.exe 90 PID 4624 wrote to memory of 2152 4624 w24RT54.exe 90 PID 4984 wrote to memory of 3168 4984 za822388.exe 91 PID 4984 wrote to memory of 3168 4984 za822388.exe 91 PID 4984 wrote to memory of 3168 4984 za822388.exe 91 PID 2152 wrote to memory of 1032 2152 oneetx.exe 92 PID 2152 wrote to memory of 1032 2152 oneetx.exe 92 PID 2152 wrote to memory of 1032 2152 oneetx.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe"C:\Users\Admin\AppData\Local\Temp\f4c3ad74e138f66b72ea1591552a72eab30dcfd409902a14f99c159fcb9cda97.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za822388.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za822388.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za927548.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za927548.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za852115.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za852115.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55984350.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55984350.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u16371270.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u16371270.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 10766⤵
- Program crash
PID:732
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w24RT54.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w24RT54.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F6⤵
- Creates scheduled task(s)
PID:1032
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdNqk42.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xdNqk42.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2252 -ip 22521⤵PID:1408
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
PID:4864
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
969KB
MD56a57476cf838f2ac33b753cee96fd224
SHA18974d6451384c86318d5aff6c3191c7b28827dd2
SHA25626b8c3ca8a995bbda9997993e07559dd995b075f75a43b914b1d63cd05be40e9
SHA51200d6eb22c346ed5881d8976cc34a5f627d08541e0282d7dd800052faf1c82428bbea18c2889f21a6bdb2e2621ed8c289401f9d4f6d479d1fce8cb6521ca6eb8a
-
Filesize
969KB
MD56a57476cf838f2ac33b753cee96fd224
SHA18974d6451384c86318d5aff6c3191c7b28827dd2
SHA25626b8c3ca8a995bbda9997993e07559dd995b075f75a43b914b1d63cd05be40e9
SHA51200d6eb22c346ed5881d8976cc34a5f627d08541e0282d7dd800052faf1c82428bbea18c2889f21a6bdb2e2621ed8c289401f9d4f6d479d1fce8cb6521ca6eb8a
-
Filesize
366KB
MD5f99f3b030f1df50e0f912044f898e819
SHA13f1353eb93b2dc56fd4674c3b93783d181160fae
SHA256fe79f747721bba920adaa6f24b44b56a9e36e4e37fe172edb5f88f2b4a6f8935
SHA512cb23c53cb8fc6871b14ba111c1438e000b7336fbdb44c61767ee751b5bfe09b24b34b965c345cb76d21525727c0110d8d2989edfde310e00df8790bb7c488991
-
Filesize
366KB
MD5f99f3b030f1df50e0f912044f898e819
SHA13f1353eb93b2dc56fd4674c3b93783d181160fae
SHA256fe79f747721bba920adaa6f24b44b56a9e36e4e37fe172edb5f88f2b4a6f8935
SHA512cb23c53cb8fc6871b14ba111c1438e000b7336fbdb44c61767ee751b5bfe09b24b34b965c345cb76d21525727c0110d8d2989edfde310e00df8790bb7c488991
-
Filesize
602KB
MD52ca85ba118b4fbb37c0e1045b2dda336
SHA1d3049270f5b4d70bf637549bf38887f16e43e926
SHA2568acb22d267705f573bc14dd5fbd27c7a508826d919e861717f01236e9b4ceaf2
SHA512e7a668eaf845e66f9f9ac250fe1e638b05f7fdd29f26db5ab703d6a99beed0684b74b06691038a17ab69a6d9a3f13c5f2702dade51d076400fc192ff2644c321
-
Filesize
602KB
MD52ca85ba118b4fbb37c0e1045b2dda336
SHA1d3049270f5b4d70bf637549bf38887f16e43e926
SHA2568acb22d267705f573bc14dd5fbd27c7a508826d919e861717f01236e9b4ceaf2
SHA512e7a668eaf845e66f9f9ac250fe1e638b05f7fdd29f26db5ab703d6a99beed0684b74b06691038a17ab69a6d9a3f13c5f2702dade51d076400fc192ff2644c321
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
229KB
MD53308051ded87b1863a8d92925202c4b3
SHA17834ddc23e7976b07118fb580ae38234466dbdfb
SHA25613b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4
SHA512f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc
-
Filesize
419KB
MD5469bf680bf8cd814ec54f9d748d40013
SHA1a0b1bdb8d45610d3b37df628785ddbc5d426c772
SHA25658de06517fd259a3057f1655a78c806b6dcf34d7abb58c40b83fefb501db125f
SHA512f73fcc810f550b18b90f8373195ac7c912a55431e910f344006fbc76b47f616fc1c1754dae7471275a9269c55fffe84ac82a106e629708986d355dd3a55643f1
-
Filesize
419KB
MD5469bf680bf8cd814ec54f9d748d40013
SHA1a0b1bdb8d45610d3b37df628785ddbc5d426c772
SHA25658de06517fd259a3057f1655a78c806b6dcf34d7abb58c40b83fefb501db125f
SHA512f73fcc810f550b18b90f8373195ac7c912a55431e910f344006fbc76b47f616fc1c1754dae7471275a9269c55fffe84ac82a106e629708986d355dd3a55643f1
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
175KB
MD5a165b5f6b0a4bdf808b71de57bf9347d
SHA139a7b301e819e386c162a47e046fa384bb5ab437
SHA25668349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA5123dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1
-
Filesize
282KB
MD5ca9bd6721bf1b92ded5007f764e02c21
SHA18b37dd543f72f7477d6a7c0c9aa3efc73aa92af4
SHA256dc555fd3f673f140e755cbed615c544f3fb0e1f93704f06d284fdde49c9ea52c
SHA5126ecb5ca66f048aaa2e1ed90a58dc462ea69a9eefec4862a4d544327f4d8deaab90488b575f3270bc1830e5beab1cb1bbeb56a0e00f827ad39bf9c27911be012c
-
Filesize
282KB
MD5ca9bd6721bf1b92ded5007f764e02c21
SHA18b37dd543f72f7477d6a7c0c9aa3efc73aa92af4
SHA256dc555fd3f673f140e755cbed615c544f3fb0e1f93704f06d284fdde49c9ea52c
SHA5126ecb5ca66f048aaa2e1ed90a58dc462ea69a9eefec4862a4d544327f4d8deaab90488b575f3270bc1830e5beab1cb1bbeb56a0e00f827ad39bf9c27911be012c