Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05/05/2023, 20:32
Static task
static1
Behavioral task
behavioral1
Sample
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe
Resource
win10v2004-20230220-en
General
-
Target
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe
-
Size
588KB
-
MD5
b07769cdb2ed1a7ef4198c6a67e4a098
-
SHA1
afe54741458db73f2fbf8f86cc697c66b3342aba
-
SHA256
f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176
-
SHA512
94da07dc6bf851df2bb3faa7e97a358c61d2fdf668fc9fec20f2826debc29ad42d7029be0a5e747e5480661a2d672e13d680c759499acdb2e732c1b116d3ce91
-
SSDEEP
12288:GMrzy905ECPeCtcZQkBwi+FhVpqZlfhv4mAmjzjMvnS1ttJWig51:dyImGtUwiOyZlfh6azAAttciI1
Malware Config
Signatures
-
Detects Redline Stealer samples 3 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/4756-148-0x0000000008370000-0x0000000008988000-memory.dmp redline_stealer behavioral2/memory/4756-154-0x0000000002F40000-0x0000000002FA6000-memory.dmp redline_stealer behavioral2/memory/4756-159-0x0000000009020000-0x00000000091E2000-memory.dmp redline_stealer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h5702663.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation i6233116.exe Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 6 IoCs
pid Process 4184 x8506395.exe 4756 g0589159.exe 4724 h5702663.exe 1956 i6233116.exe 3160 oneetx.exe 4348 oneetx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features h5702663.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h5702663.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x8506395.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x8506395.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1668 4724 WerFault.exe 85 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4436 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4756 g0589159.exe 4756 g0589159.exe 4724 h5702663.exe 4724 h5702663.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4756 g0589159.exe Token: SeDebugPrivilege 4724 h5702663.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1956 i6233116.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 5008 wrote to memory of 4184 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 81 PID 5008 wrote to memory of 4184 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 81 PID 5008 wrote to memory of 4184 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 81 PID 4184 wrote to memory of 4756 4184 x8506395.exe 82 PID 4184 wrote to memory of 4756 4184 x8506395.exe 82 PID 4184 wrote to memory of 4756 4184 x8506395.exe 82 PID 4184 wrote to memory of 4724 4184 x8506395.exe 85 PID 4184 wrote to memory of 4724 4184 x8506395.exe 85 PID 4184 wrote to memory of 4724 4184 x8506395.exe 85 PID 5008 wrote to memory of 1956 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 88 PID 5008 wrote to memory of 1956 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 88 PID 5008 wrote to memory of 1956 5008 f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe 88 PID 1956 wrote to memory of 3160 1956 i6233116.exe 89 PID 1956 wrote to memory of 3160 1956 i6233116.exe 89 PID 1956 wrote to memory of 3160 1956 i6233116.exe 89 PID 3160 wrote to memory of 4436 3160 oneetx.exe 90 PID 3160 wrote to memory of 4436 3160 oneetx.exe 90 PID 3160 wrote to memory of 4436 3160 oneetx.exe 90 PID 3160 wrote to memory of 2956 3160 oneetx.exe 92 PID 3160 wrote to memory of 2956 3160 oneetx.exe 92 PID 3160 wrote to memory of 2956 3160 oneetx.exe 92 PID 2956 wrote to memory of 1028 2956 cmd.exe 94 PID 2956 wrote to memory of 1028 2956 cmd.exe 94 PID 2956 wrote to memory of 1028 2956 cmd.exe 94 PID 2956 wrote to memory of 4084 2956 cmd.exe 95 PID 2956 wrote to memory of 4084 2956 cmd.exe 95 PID 2956 wrote to memory of 4084 2956 cmd.exe 95 PID 2956 wrote to memory of 1744 2956 cmd.exe 96 PID 2956 wrote to memory of 1744 2956 cmd.exe 96 PID 2956 wrote to memory of 1744 2956 cmd.exe 96 PID 2956 wrote to memory of 1812 2956 cmd.exe 97 PID 2956 wrote to memory of 1812 2956 cmd.exe 97 PID 2956 wrote to memory of 1812 2956 cmd.exe 97 PID 2956 wrote to memory of 64 2956 cmd.exe 98 PID 2956 wrote to memory of 64 2956 cmd.exe 98 PID 2956 wrote to memory of 64 2956 cmd.exe 98 PID 2956 wrote to memory of 4076 2956 cmd.exe 99 PID 2956 wrote to memory of 4076 2956 cmd.exe 99 PID 2956 wrote to memory of 4076 2956 cmd.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe"C:\Users\Admin\AppData\Local\Temp\f7b090c27b46b30e68816abb3011222de813df272bd4e366200778ca589cf176.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8506395.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8506395.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0589159.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0589159.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5702663.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5702663.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 10804⤵
- Program crash
PID:1668
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6233116.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6233116.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:4436
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1028
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:4084
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:1744
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1812
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵PID:64
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵PID:4076
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4724 -ip 47241⤵PID:3040
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
PID:4348
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
416KB
MD504e21e2372026fac4e40361c835145da
SHA1e479a4f6ec39bfc022b0669995e114f57d873e8a
SHA256bb6178b482db8cc54defcbdcd1d92d5c8b4ca579b67a729e6a09999a07a3f678
SHA512996bf73d64bf7bebd42e7023bda4acb17047eb6561a6a945d4bc2d533c4e87fbac7103820fb73e18e102ba7f5d921829321d142f9d0969c38baed24ab00d6c08
-
Filesize
416KB
MD504e21e2372026fac4e40361c835145da
SHA1e479a4f6ec39bfc022b0669995e114f57d873e8a
SHA256bb6178b482db8cc54defcbdcd1d92d5c8b4ca579b67a729e6a09999a07a3f678
SHA512996bf73d64bf7bebd42e7023bda4acb17047eb6561a6a945d4bc2d533c4e87fbac7103820fb73e18e102ba7f5d921829321d142f9d0969c38baed24ab00d6c08
-
Filesize
136KB
MD51f9c251cec0adb0069d055d5b92838d8
SHA1275e8df0248424d4fb9c7821ec7faea1fabfd335
SHA2564229a082666be90a392bbe2225b58b2f66c6df83a338248c0f0394da3c616047
SHA51233ce32e0cd51dcf6ce7b5a38c0019da40a31303d61e2158d983a8a8b44391f77efb527b48a299c13cff960c6503d0d737ca693c1f56a48a705ce340fb808f120
-
Filesize
136KB
MD51f9c251cec0adb0069d055d5b92838d8
SHA1275e8df0248424d4fb9c7821ec7faea1fabfd335
SHA2564229a082666be90a392bbe2225b58b2f66c6df83a338248c0f0394da3c616047
SHA51233ce32e0cd51dcf6ce7b5a38c0019da40a31303d61e2158d983a8a8b44391f77efb527b48a299c13cff960c6503d0d737ca693c1f56a48a705ce340fb808f120
-
Filesize
361KB
MD52abfe19c2b2399aee75e74fde3f24b69
SHA1081f9857b6986cad726557d22910440f99bbdb20
SHA256dbc05b59855d958bcee452577bf4b541997ae0c634556c387279a5cf494cf6c9
SHA5126378ce73bafec8dc7d9e7512271e4cf4652ae89fac1ee96ae1218be6a5c7b54202a12453540ad858e9692fe22fe86fee42710a269718df8cc9e5a3176ebb44cc
-
Filesize
361KB
MD52abfe19c2b2399aee75e74fde3f24b69
SHA1081f9857b6986cad726557d22910440f99bbdb20
SHA256dbc05b59855d958bcee452577bf4b541997ae0c634556c387279a5cf494cf6c9
SHA5126378ce73bafec8dc7d9e7512271e4cf4652ae89fac1ee96ae1218be6a5c7b54202a12453540ad858e9692fe22fe86fee42710a269718df8cc9e5a3176ebb44cc
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147
-
Filesize
204KB
MD55a9e8fb044aa3bc8de299b7487d0bae3
SHA19f5c00a6d46da44a4f22eed64922d135b7a01293
SHA25638d344724af35b8a125be996bb370f0c923d835da050e39b890efc933966362c
SHA512f2dc90e17eaed4161189b26860a64925ed3985ebd981ee72442492e4afc5a0acae1f2280f97971eb6eb5915fd598c6a688967ba67d7f542e4cdc45bd00dcc147