Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
185s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
07/05/2023, 06:34
Static task
static1
Behavioral task
behavioral1
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
Resource
win10v2004-20230220-en
General
-
Target
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe
-
Size
1.2MB
-
MD5
d29f991dff39fe56501f4e530f57f9fc
-
SHA1
33613d88ffee18ce6240032e9134a1ca25e71832
-
SHA256
c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea
-
SHA512
bf9cf8a6e827986d52d49f31995aaa9b40fbfbbafb3624bd0dfe28c72cd1338bfab4e35e8c123c7fba13ce38b79bec6eb59b14c2ac89d934e8a8fb9780d4e581
-
SSDEEP
24576:G8WP6XlIJGBLj1k9E8MK2MipAlFlQoqIhtjrzPnd+DHfsYbvtwgq:goqJG9d8knqlQoqIzPd8Hfsgvn
Malware Config
Signatures
-
Detects Redline Stealer samples 1 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
resource yara_rule behavioral2/memory/4988-985-0x0000000009CD0000-0x000000000A2E8000-memory.dmp redline_stealer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" az975613.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" az975613.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" az975613.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation bu200681.exe Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 8 IoCs
pid Process 4388 ki334387.exe 1584 ki099472.exe 3312 ki127879.exe 1540 az975613.exe 4192 bu200681.exe 4584 oneetx.exe 4988 cf107942.exe 4284 oneetx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" az975613.exe -
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ki334387.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" ki334387.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ki099472.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ki099472.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce ki127879.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" ki127879.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2168 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1540 az975613.exe 1540 az975613.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1540 az975613.exe Token: SeDebugPrivilege 4988 cf107942.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4192 bu200681.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1076 wrote to memory of 4388 1076 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 80 PID 1076 wrote to memory of 4388 1076 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 80 PID 1076 wrote to memory of 4388 1076 c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe 80 PID 4388 wrote to memory of 1584 4388 ki334387.exe 81 PID 4388 wrote to memory of 1584 4388 ki334387.exe 81 PID 4388 wrote to memory of 1584 4388 ki334387.exe 81 PID 1584 wrote to memory of 3312 1584 ki099472.exe 82 PID 1584 wrote to memory of 3312 1584 ki099472.exe 82 PID 1584 wrote to memory of 3312 1584 ki099472.exe 82 PID 3312 wrote to memory of 1540 3312 ki127879.exe 83 PID 3312 wrote to memory of 1540 3312 ki127879.exe 83 PID 3312 wrote to memory of 4192 3312 ki127879.exe 86 PID 3312 wrote to memory of 4192 3312 ki127879.exe 86 PID 3312 wrote to memory of 4192 3312 ki127879.exe 86 PID 4192 wrote to memory of 4584 4192 bu200681.exe 87 PID 4192 wrote to memory of 4584 4192 bu200681.exe 87 PID 4192 wrote to memory of 4584 4192 bu200681.exe 87 PID 1584 wrote to memory of 4988 1584 ki099472.exe 88 PID 1584 wrote to memory of 4988 1584 ki099472.exe 88 PID 1584 wrote to memory of 4988 1584 ki099472.exe 88 PID 4584 wrote to memory of 2168 4584 oneetx.exe 89 PID 4584 wrote to memory of 2168 4584 oneetx.exe 89 PID 4584 wrote to memory of 2168 4584 oneetx.exe 89 PID 4584 wrote to memory of 4272 4584 oneetx.exe 91 PID 4584 wrote to memory of 4272 4584 oneetx.exe 91 PID 4584 wrote to memory of 4272 4584 oneetx.exe 91 PID 4272 wrote to memory of 1432 4272 cmd.exe 93 PID 4272 wrote to memory of 1432 4272 cmd.exe 93 PID 4272 wrote to memory of 1432 4272 cmd.exe 93 PID 4272 wrote to memory of 968 4272 cmd.exe 94 PID 4272 wrote to memory of 968 4272 cmd.exe 94 PID 4272 wrote to memory of 968 4272 cmd.exe 94 PID 4272 wrote to memory of 392 4272 cmd.exe 95 PID 4272 wrote to memory of 392 4272 cmd.exe 95 PID 4272 wrote to memory of 392 4272 cmd.exe 95 PID 4272 wrote to memory of 2912 4272 cmd.exe 96 PID 4272 wrote to memory of 2912 4272 cmd.exe 96 PID 4272 wrote to memory of 2912 4272 cmd.exe 96 PID 4272 wrote to memory of 948 4272 cmd.exe 97 PID 4272 wrote to memory of 948 4272 cmd.exe 97 PID 4272 wrote to memory of 948 4272 cmd.exe 97 PID 4272 wrote to memory of 444 4272 cmd.exe 98 PID 4272 wrote to memory of 444 4272 cmd.exe 98 PID 4272 wrote to memory of 444 4272 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe"C:\Users\Admin\AppData\Local\Temp\c33a121a0a51f5538be4a3649f7c8d7f2965e5090f83d19030f56d7fbea07fea.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki334387.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki099472.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127879.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az975613.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu200681.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F7⤵
- Creates scheduled task(s)
PID:2168
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:1432
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"8⤵PID:968
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E8⤵PID:392
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2912
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"8⤵PID:948
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E8⤵PID:444
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf107942.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:4284
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
852KB
MD5f4d5446b7526a88d296ff84e4bfa576e
SHA132adb32e235180b3b5c6af08258814db484a9ca6
SHA256e5ebec2cbd517d24bce4c8ab411b51551ec1700cbc253db0acc9512d4f2fbaf1
SHA512832ee4d62e735c16c447a00665eca7eac12cad02ebb0875fbbbc5a349bfc4fcebcbea69a2235f63311f688c1d5810b688d4e1fe425b1fbf69fd7c71a1bc6cc1d
-
Filesize
852KB
MD5f4d5446b7526a88d296ff84e4bfa576e
SHA132adb32e235180b3b5c6af08258814db484a9ca6
SHA256e5ebec2cbd517d24bce4c8ab411b51551ec1700cbc253db0acc9512d4f2fbaf1
SHA512832ee4d62e735c16c447a00665eca7eac12cad02ebb0875fbbbc5a349bfc4fcebcbea69a2235f63311f688c1d5810b688d4e1fe425b1fbf69fd7c71a1bc6cc1d
-
Filesize
578KB
MD5f97e5dc74a30ee94dcd9308c9a15d629
SHA1aa6f4d56ef656fe46759455cd31c621c449c290c
SHA256e35c7c46ffdb9c2c6fadaa6efa1023d434207e8001a6a6b1868904df955eb3e8
SHA5124ed2494373693007585ff62aded6e5d08b1b081b37452d031dff4ef0fd9a8c3f4b0a45b0454c0d1519057596b50b05b51c8de901ae2cbe088ee286439da1ca85
-
Filesize
578KB
MD5f97e5dc74a30ee94dcd9308c9a15d629
SHA1aa6f4d56ef656fe46759455cd31c621c449c290c
SHA256e35c7c46ffdb9c2c6fadaa6efa1023d434207e8001a6a6b1868904df955eb3e8
SHA5124ed2494373693007585ff62aded6e5d08b1b081b37452d031dff4ef0fd9a8c3f4b0a45b0454c0d1519057596b50b05b51c8de901ae2cbe088ee286439da1ca85
-
Filesize
353KB
MD5de8348a2854e7a051783fc14fb28b95e
SHA17cf59b54a2f5898b02c66d58899c7585e7423eac
SHA2561c5ba61085c5579040b75e5c05357eb0f0f14ae0265b8941cd38f62a623ed57a
SHA512233c668ca4f8df9e2d603e09fb69647465c1a00fb58c8277585fbd4983cf3c49480b892bc4288eae6d16d2e281c602d69da3fa82b03a249f45eaad16194621ad
-
Filesize
353KB
MD5de8348a2854e7a051783fc14fb28b95e
SHA17cf59b54a2f5898b02c66d58899c7585e7423eac
SHA2561c5ba61085c5579040b75e5c05357eb0f0f14ae0265b8941cd38f62a623ed57a
SHA512233c668ca4f8df9e2d603e09fb69647465c1a00fb58c8277585fbd4983cf3c49480b892bc4288eae6d16d2e281c602d69da3fa82b03a249f45eaad16194621ad
-
Filesize
223KB
MD514959501f275d4d39bb38ad94bc50210
SHA14203952ae7f7090a696ccb225a7b23d511887a6e
SHA2567c81324faf9ef8d1dd51c2041f137a0f957f1a517f8a6b1864cac31839091252
SHA5128cd9fc7e75a4c90806fc060c13c1cb844d0238f0a5ad2d73374aabde7a5dc2d97be8bc065eddb9254fefd59f963eb94617dd8e740cd74a013df945cc173b3ef3
-
Filesize
223KB
MD514959501f275d4d39bb38ad94bc50210
SHA14203952ae7f7090a696ccb225a7b23d511887a6e
SHA2567c81324faf9ef8d1dd51c2041f137a0f957f1a517f8a6b1864cac31839091252
SHA5128cd9fc7e75a4c90806fc060c13c1cb844d0238f0a5ad2d73374aabde7a5dc2d97be8bc065eddb9254fefd59f963eb94617dd8e740cd74a013df945cc173b3ef3
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1