Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
08/05/2023, 07:17
Static task
static1
Behavioral task
behavioral1
Sample
71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe
Resource
win10v2004-20230220-en
General
-
Target
71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe
-
Size
479KB
-
MD5
cf6809560cca1cc3d1fb0099016d216d
-
SHA1
37118872496cdc879ca131111b8c6085523bee9c
-
SHA256
71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a
-
SHA512
350d7f70e9f7b3b85419c89209ff4e7c5f312a595c1513bd9142f41acb123f4f2928d262ba8ee9ed57efabbeed857aaa9da6c1383c95ad2a33d5ea50cf19dd9f
-
SSDEEP
12288:PMr6y905p6tfvd5zrPztYJHOtkC3kD2b6wjYdiw6TDn:ZyQpKV53JY5WkioBwfbTDn
Malware Config
Extracted
redline
ditro
217.196.96.101:4132
-
auth_value
8f24ed370a9b24aa28d3d634ea57912e
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h9593145.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h9593145.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h9593145.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h9593145.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h9593145.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h9593145.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation i4375115.exe Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 8 IoCs
pid Process 4872 x9637254.exe 1172 g6861200.exe 1528 h9593145.exe 744 i4375115.exe 4040 oneetx.exe 1952 oneetx.exe 4852 oneetx.exe 932 oneetx.exe -
Loads dropped DLL 1 IoCs
pid Process 4140 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features h9593145.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h9593145.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce x9637254.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x9637254.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1172 g6861200.exe 1172 g6861200.exe 1528 h9593145.exe 1528 h9593145.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1172 g6861200.exe Token: SeDebugPrivilege 1528 h9593145.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 744 i4375115.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 1020 wrote to memory of 4872 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 84 PID 1020 wrote to memory of 4872 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 84 PID 1020 wrote to memory of 4872 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 84 PID 4872 wrote to memory of 1172 4872 x9637254.exe 85 PID 4872 wrote to memory of 1172 4872 x9637254.exe 85 PID 4872 wrote to memory of 1172 4872 x9637254.exe 85 PID 4872 wrote to memory of 1528 4872 x9637254.exe 92 PID 4872 wrote to memory of 1528 4872 x9637254.exe 92 PID 4872 wrote to memory of 1528 4872 x9637254.exe 92 PID 1020 wrote to memory of 744 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 93 PID 1020 wrote to memory of 744 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 93 PID 1020 wrote to memory of 744 1020 71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe 93 PID 744 wrote to memory of 4040 744 i4375115.exe 94 PID 744 wrote to memory of 4040 744 i4375115.exe 94 PID 744 wrote to memory of 4040 744 i4375115.exe 94 PID 4040 wrote to memory of 2852 4040 oneetx.exe 95 PID 4040 wrote to memory of 2852 4040 oneetx.exe 95 PID 4040 wrote to memory of 2852 4040 oneetx.exe 95 PID 4040 wrote to memory of 4052 4040 oneetx.exe 97 PID 4040 wrote to memory of 4052 4040 oneetx.exe 97 PID 4040 wrote to memory of 4052 4040 oneetx.exe 97 PID 4052 wrote to memory of 4440 4052 cmd.exe 99 PID 4052 wrote to memory of 4440 4052 cmd.exe 99 PID 4052 wrote to memory of 4440 4052 cmd.exe 99 PID 4052 wrote to memory of 960 4052 cmd.exe 100 PID 4052 wrote to memory of 960 4052 cmd.exe 100 PID 4052 wrote to memory of 960 4052 cmd.exe 100 PID 4052 wrote to memory of 1552 4052 cmd.exe 101 PID 4052 wrote to memory of 1552 4052 cmd.exe 101 PID 4052 wrote to memory of 1552 4052 cmd.exe 101 PID 4052 wrote to memory of 4880 4052 cmd.exe 102 PID 4052 wrote to memory of 4880 4052 cmd.exe 102 PID 4052 wrote to memory of 4880 4052 cmd.exe 102 PID 4052 wrote to memory of 3292 4052 cmd.exe 103 PID 4052 wrote to memory of 3292 4052 cmd.exe 103 PID 4052 wrote to memory of 3292 4052 cmd.exe 103 PID 4052 wrote to memory of 2788 4052 cmd.exe 104 PID 4052 wrote to memory of 2788 4052 cmd.exe 104 PID 4052 wrote to memory of 2788 4052 cmd.exe 104 PID 4040 wrote to memory of 4140 4040 oneetx.exe 107 PID 4040 wrote to memory of 4140 4040 oneetx.exe 107 PID 4040 wrote to memory of 4140 4040 oneetx.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe"C:\Users\Admin\AppData\Local\Temp\71b7ecd516fdd6c2d28b0335cd04947b7c2c46c045f84923dac54a3ec4fd577a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9637254.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9637254.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6861200.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6861200.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9593145.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9593145.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4375115.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4375115.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:2852
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4052 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4440
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:960
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:1552
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4880
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:N"5⤵PID:3292
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c3912af058" /P "Admin:R" /E5⤵PID:2788
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:4140
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
PID:1952
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
PID:4852
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe1⤵
- Executes dropped EXE
PID:932
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
307KB
MD5b9545c0365a7d5c096279292269efe32
SHA1f15a11c497f3c05e0b96eba09346cb1207554eff
SHA256cff54c641fe5fa43e7b32dc414275e9c544c1ab445b7200b93aa2294f521a4a8
SHA5122e9c93dd0739a1b48ca9f46f8a46afc8582a7610f6372c0a7df37e3addb175da0f3eaed25bd990cf9996abb91524421dd64790858e631ba905bb387720425c5b
-
Filesize
307KB
MD5b9545c0365a7d5c096279292269efe32
SHA1f15a11c497f3c05e0b96eba09346cb1207554eff
SHA256cff54c641fe5fa43e7b32dc414275e9c544c1ab445b7200b93aa2294f521a4a8
SHA5122e9c93dd0739a1b48ca9f46f8a46afc8582a7610f6372c0a7df37e3addb175da0f3eaed25bd990cf9996abb91524421dd64790858e631ba905bb387720425c5b
-
Filesize
168KB
MD56d48f591e274fd333bcfc73f92cf4ab3
SHA1db10dd08cf263f00f9b763e6148828dc7e78bce6
SHA256e8440526cbfc7f2e10df22743638f6f94e9370f6bcad0b6f3ac10666e936b4df
SHA51226bc786f3462d02f82c3a1687eb616800dfb7dc78231227feee012c5c983fef6c218d4dbc984e005b18b716a8ac8b014f2882816a78ce1f1e6d5408d4c03ec70
-
Filesize
168KB
MD56d48f591e274fd333bcfc73f92cf4ab3
SHA1db10dd08cf263f00f9b763e6148828dc7e78bce6
SHA256e8440526cbfc7f2e10df22743638f6f94e9370f6bcad0b6f3ac10666e936b4df
SHA51226bc786f3462d02f82c3a1687eb616800dfb7dc78231227feee012c5c983fef6c218d4dbc984e005b18b716a8ac8b014f2882816a78ce1f1e6d5408d4c03ec70
-
Filesize
179KB
MD544e8438b3ec8e6a5f786f5ecd1e56770
SHA1ff68166327986ee689ee312888a545e2ba31a43a
SHA2566c405acc31eefadfaeaa6e5745a4b03ba329fa2d107fde2ec64488a519f51460
SHA512fa4d6fb9809cdd4416c4015a5a95e8aac44c59fe593891ee988d2e25d6aa63698eb46c12d44018c54f4fb471eb27018f7471455231aad1c7c3707edea569594e
-
Filesize
179KB
MD544e8438b3ec8e6a5f786f5ecd1e56770
SHA1ff68166327986ee689ee312888a545e2ba31a43a
SHA2566c405acc31eefadfaeaa6e5745a4b03ba329fa2d107fde2ec64488a519f51460
SHA512fa4d6fb9809cdd4416c4015a5a95e8aac44c59fe593891ee988d2e25d6aa63698eb46c12d44018c54f4fb471eb27018f7471455231aad1c7c3707edea569594e
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
210KB
MD5d55c6aa3dfcc8d095634cc7f36df0a5f
SHA123f9581a9c6e11ec996f41738545484dcabceda0
SHA2566d5d5b27ca15142c18a0198fe9b5a4c16fb0e17eb6965028a5e18503315fdd67
SHA512ecbd5f248e231d8e7869f04ff53e4c4a21e2a4651eb9814bccd383b3a218ccede6efd16d5392a66c30ae543f4acc33a5df5a132f529b37ac11086a1725fd2248
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
89KB
MD58451a2c5daa42b25333b1b2089c5ea39
SHA1700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA5126d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5