Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
06/05/2023, 14:16
Static task
static1
Behavioral task
behavioral1
Sample
7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe
Resource
win10v2004-20230220-en
General
-
Target
7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe
-
Size
492KB
-
MD5
d4d6a3534bc863b09a40371057bbd90d
-
SHA1
e62075e240f1b428883886b70db9336582a1c8f6
-
SHA256
7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784
-
SHA512
b640e83e5222ec51af5dde77998a792334342a50fe4ff1f0237cee3ecf9ca03637aec271e77ad75c32a08e4706cd13c7d037c848a7940794451a330b3ec33ff5
-
SSDEEP
12288:6MrCy90KjUi+gp6urlLyPZf8rxLvVvrJJ1:sy7qM6gOJ8ZVf1
Malware Config
Extracted
redline
luna
217.196.96.101:4132
-
auth_value
3372be6f6fa192ff878fa6fe9be73f6e
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" o2935429.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation s6023653.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 7 IoCs
pid Process 1264 z9792631.exe 1656 o2935429.exe 3676 r0987409.exe 212 s6023653.exe 1768 oneetx.exe 1888 oneetx.exe 4760 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 4688 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features o2935429.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" o2935429.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce z9792631.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z9792631.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 836 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1656 o2935429.exe 1656 o2935429.exe 3676 r0987409.exe 3676 r0987409.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1656 o2935429.exe Token: SeDebugPrivilege 3676 r0987409.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 212 s6023653.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 5008 wrote to memory of 1264 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 82 PID 5008 wrote to memory of 1264 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 82 PID 5008 wrote to memory of 1264 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 82 PID 1264 wrote to memory of 1656 1264 z9792631.exe 83 PID 1264 wrote to memory of 1656 1264 z9792631.exe 83 PID 1264 wrote to memory of 1656 1264 z9792631.exe 83 PID 1264 wrote to memory of 3676 1264 z9792631.exe 86 PID 1264 wrote to memory of 3676 1264 z9792631.exe 86 PID 1264 wrote to memory of 3676 1264 z9792631.exe 86 PID 5008 wrote to memory of 212 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 87 PID 5008 wrote to memory of 212 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 87 PID 5008 wrote to memory of 212 5008 7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe 87 PID 212 wrote to memory of 1768 212 s6023653.exe 88 PID 212 wrote to memory of 1768 212 s6023653.exe 88 PID 212 wrote to memory of 1768 212 s6023653.exe 88 PID 1768 wrote to memory of 836 1768 oneetx.exe 89 PID 1768 wrote to memory of 836 1768 oneetx.exe 89 PID 1768 wrote to memory of 836 1768 oneetx.exe 89 PID 1768 wrote to memory of 4688 1768 oneetx.exe 92 PID 1768 wrote to memory of 4688 1768 oneetx.exe 92 PID 1768 wrote to memory of 4688 1768 oneetx.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe"C:\Users\Admin\AppData\Local\Temp\7cd74cc15ea82152d9213c7a190f881ac6b9bb47429d7d1819276d10df098784.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9792631.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9792631.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2935429.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2935429.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0987409.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0987409.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6023653.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6023653.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:836
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4688
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
PID:1888
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
PID:4760
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
230KB
MD560a1f4f45672af47afb222a21634bcbb
SHA1b3f3c255e41eeac3f145a4ebec7ae778fd628b90
SHA256cee95e02c2ae23716ad9cc26632ee8352f44f87230f3552fcb962a5a7c10b974
SHA5122b91fe57409f87357652742e2828f7f197739222e4b7530dad7068cf581ad05628a3417bb37c72ccbe1ab85f91ff38ebcaaac09026c1cca91b8501b5f11d6c13
-
Filesize
309KB
MD5cf9b74b0145ff74a32e07b447a94da0f
SHA1a47018d45280491b26b2c981a4578d98e7fd0064
SHA2568bcf3c9eaed9c1fdc34ba98db35bc8f554ecde661de6bc446048b2521fe0c28f
SHA5123df9997e8e6229a459e6361ce89083a8f34ff9619704b1ec7bd1edb58a6dd70ed0e5c893f35fd8cd90ca2066a6ef91ff5e57619ff95afff33827b1090d8c4dd1
-
Filesize
309KB
MD5cf9b74b0145ff74a32e07b447a94da0f
SHA1a47018d45280491b26b2c981a4578d98e7fd0064
SHA2568bcf3c9eaed9c1fdc34ba98db35bc8f554ecde661de6bc446048b2521fe0c28f
SHA5123df9997e8e6229a459e6361ce89083a8f34ff9619704b1ec7bd1edb58a6dd70ed0e5c893f35fd8cd90ca2066a6ef91ff5e57619ff95afff33827b1090d8c4dd1
-
Filesize
176KB
MD5e996d4c47dec1ae330eeb5ae6fd6d99a
SHA12fd688fbd8efb220272223068b3abac2d1e18398
SHA256fd0aa632acac50109d0ac13e4512d0db4e8b43fe19b9b4f4c784628274d8264c
SHA5121fe22652a6d7871c1f10330741df26cc472fc0d21894fd03a28ae983e101f3342a6639e7e5e896a16b3be1de9f5c3c413ab097b239133dacd5b240f2546a90a3
-
Filesize
176KB
MD5e996d4c47dec1ae330eeb5ae6fd6d99a
SHA12fd688fbd8efb220272223068b3abac2d1e18398
SHA256fd0aa632acac50109d0ac13e4512d0db4e8b43fe19b9b4f4c784628274d8264c
SHA5121fe22652a6d7871c1f10330741df26cc472fc0d21894fd03a28ae983e101f3342a6639e7e5e896a16b3be1de9f5c3c413ab097b239133dacd5b240f2546a90a3
-
Filesize
168KB
MD5c60c1ba8b14d11e2bab4cf22d75ca7e2
SHA1d834261dd1a29e17f8d3f30424f57d547ae41076
SHA2568f1c016219c488443cb0bf1cf3b19fc41dc366b9ade47a58ecf4f0e12039a94e
SHA512e4a8bcc967cd0733e1adbf66d39340eb4fd2cd783d6286bf3f01b6dbbce9159383965534bcc5ce8c2c89a4ee8306f1e538ec6e81b0c1b4d57854bc5d21a2c501
-
Filesize
168KB
MD5c60c1ba8b14d11e2bab4cf22d75ca7e2
SHA1d834261dd1a29e17f8d3f30424f57d547ae41076
SHA2568f1c016219c488443cb0bf1cf3b19fc41dc366b9ade47a58ecf4f0e12039a94e
SHA512e4a8bcc967cd0733e1adbf66d39340eb4fd2cd783d6286bf3f01b6dbbce9159383965534bcc5ce8c2c89a4ee8306f1e538ec6e81b0c1b4d57854bc5d21a2c501
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5