Analysis
- max time kernel: 135s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/05/2023, 11:10

Static task: static1
Behavioral task: behavioral1
- Sample: 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe
- Resource: win10v2004-20230220-en
General
- Target: 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe
- Size: 479KB
- MD5: 6896301589bd76dca57c3ee389328434
- SHA1: e59408329dc804eded048a9e02c2191f53f86c5b
- SHA256: 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b
- SHA512: f686ba8cd7159f1a3a564a91cb07b7015c1e598e53be6a68c86bfad0d62027ae711001f96260e6a2ccdf6d8e24cfdcb462a930f496d88cee27743b9ff05ad6f6
- SSDEEP: 12288:HMruy90fBZuP+q5lXegw8VV/TNFp5eC70Ru:ZyLZXL/TNH700
Malware Config
Extracted
- Family: redline
- Botnet: dona
- C2: 217.196.96.101:4132
- auth_value: 9fbb198992bbc83a84ab1f21384813e3
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | h6419398.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | h6419398.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | h6419398.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | h6419398.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | h6419398.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | h6419398.exe
All six writes land in the WOW6432Node (32-bit) view of HKLM\SOFTWARE, so h6419398.exe is a 32-bit process; check the native Policies\Microsoft\Windows Defender key on an affected host before concluding that real-time protection was actually turned off.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | i0050101.exe
Executes dropped EXE 7 IoCs
pid | Process
4544 | x9002165.exe
2272 | g4271783.exe
4412 | h6419398.exe
1168 | i0050101.exe
2336 | oneetx.exe
4800 | oneetx.exe
3208 | oneetx.exe

Loads dropped DLL 1 IoCs
pid | Process
2820 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | h6419398.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | h6419398.exe
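The two Defender-related tables above (Real-Time Protection policy values set to 1, TamperProtection set to 0) are the rows a detection engineer wants to match mechanically rather than by eye. The following is an added example, not part of the tria.ge report, that parses rows in the report's flattened "description ioc Process" form and flags only writes that switch a protection off. The sample rows are constructed from the report, plus one made-up row (gpupdate.exe setting DisableRealtimeMonitoring back to 0 in the native view) that must not fire. Two practitioner caveats are built in: the WOW6432Node component is stripped before matching but reported separately, because a write to the 32-bit view needs to be confirmed against the native key on the host, and Tamper Protection, where it is enabled, is designed to block exactly these policy changes, so a logged write is not proof the protection was lost.

```python
import re

# Constructed sample rows in the report's own flattened form:
#   Set value (<type>) <key>\<value> = "<data>" <process>
# The last row is made up (benign re-enable in the native view) and must not be flagged.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h6419398.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" h6419398.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe
"""

# Values under ...\Windows Defender\Real-Time Protection that turn a protection OFF when set to 1.
RTP_KILL_SWITCHES = {
    "disablebehaviormonitoring",
    "disableioavprotection",
    "disableonaccessprotection",
    "disablerealtimemonitoring",
    "disablescanonrealtimeenable",
}

# "Key created" rows carry no data and are skipped; only "Set value" rows are evaluated.
SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')


def normalize_key(path):
    """Lower-case the key path and drop WOW6432Node so a 32-bit writer hits the same rule."""
    return path.lower().replace("\\wow6432node", "")


def parse_set_values(text):
    """Yield (type, key_path, value_name, data, process) for each Set value row."""
    for line in text.strip().splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        vtype, full_path, data, process = m.groups()
        key_path, _, value_name = full_path.rpartition("\\")
        yield vtype, key_path, value_name, data, process


def detect_defender_tampering(text):
    """Return one finding per write that disables a Defender protection component."""
    findings = []
    for _vtype, key_path, value_name, data, process in parse_set_values(text):
        key = normalize_key(key_path)
        name = value_name.lower()
        wow64 = "\\wow6432node\\" in key_path.lower()  # written to the 32-bit view
        if key.endswith("\\windows defender\\real-time protection") and name in RTP_KILL_SWITCHES and data == "1":
            reason = "real-time protection component disabled by policy value"
        elif key.endswith("\\windows defender\\features") and name == "tamperprotection" and data == "0":
            reason = "Tamper Protection flag cleared"
        else:
            continue
        findings.append({"process": process, "value": value_name, "data": data,
                         "wow64_view": wow64, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_defender_tampering(SAMPLE_ROWS):
        print(f"{f['process']}: {f['value']}={f['data']} ({f['reason']}; 32-bit view: {f['wow64_view']})")
```

Run against the constructed rows it reports the six h6419398.exe writes and nothing for the gpupdate.exe row; the wow64_view flag is what tells an analyst to go and read the native key on the host rather than trust the sandbox row alone.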
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | x9002165.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | x9002165.exe
These wextract_cleanupN RunOnce entries are the standard cleanup hook written by the Windows self-extractor (wextract/IExpress): they delete the IXP00n.TMP extraction directory at next logon. They show that the sample and x9002165.exe are nested self-extracting wrappers; they are not the payload's persistence, which is the scheduled task below.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4272 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2272 | g4271783.exe
2272 | g4271783.exe
4412 | h6419398.exe
4412 | h6419398.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2272 | g4271783.exe
Token: SeDebugPrivilege | 4412 | h6419398.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1168 | i0050101.exe
Suspicious use of WriteProcessMemory 42 IoCs
The report logs every parent-to-child write three times (14 distinct pairs, 42 rows); procid_target is the report's internal identifier for the target process.
parent PID | parent Process | target PID | procid_target
3896 | 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe | 4544 | 82
4544 | x9002165.exe | 2272 | 83
4544 | x9002165.exe | 4412 | 90
3896 | 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe | 1168 | 91
1168 | i0050101.exe | 2336 | 92
2336 | oneetx.exe | 4272 | 93
2336 | oneetx.exe | 2700 | 95
2700 | cmd.exe | 2372 | 97
2700 | cmd.exe | 2064 | 98
2700 | cmd.exe | 4760 | 99
2700 | cmd.exe | 3824 | 100
2700 | cmd.exe | 2524 | 101
2700 | cmd.exe | 2948 | 102
2336 | oneetx.exe | 2820 | 107
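The WriteProcessMemory rows are the raw material for reconstructing process lineage when the rendered tree is missing or has been flattened. The following is an added example, not part of the tria.ge report, that parses rows in the report's "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" form, collapses the repeated rows, refuses a target PID claimed by two different parents, and rebuilds the tree; the sample rows are taken from the table above, with only the first pair kept in its triplicated form to keep the block short. Function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report's own row format. The first parent/child pair
# keeps its three repeated rows as logged; the remaining pairs appear once here.
SAMPLE_ROWS = """
PID 3896 wrote to memory of 4544 3896 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe 82
PID 3896 wrote to memory of 4544 3896 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe 82
PID 3896 wrote to memory of 4544 3896 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe 82
PID 4544 wrote to memory of 2272 4544 x9002165.exe 83
PID 4544 wrote to memory of 4412 4544 x9002165.exe 90
PID 3896 wrote to memory of 1168 3896 9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe 91
PID 1168 wrote to memory of 2336 1168 i0050101.exe 92
PID 2336 wrote to memory of 4272 2336 oneetx.exe 93
PID 2336 wrote to memory of 2700 2336 oneetx.exe 95
PID 2700 wrote to memory of 2372 2700 cmd.exe 97
PID 2700 wrote to memory of 2064 2700 cmd.exe 98
PID 2700 wrote to memory of 4760 2700 cmd.exe 99
PID 2700 wrote to memory of 3824 2700 cmd.exe 100
PID 2700 wrote to memory of 2524 2700 cmd.exe 101
PID 2700 wrote to memory of 2948 2700 cmd.exe 102
PID 2336 wrote to memory of 2820 2336 oneetx.exe 107
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_writes(text):
    """Return (edges, counts). edges: child pid -> (parent pid, parent image).
    counts: how many times each (parent, child) write was logged."""
    edges, counts = {}, Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child, image, _procid_target = m.groups()
        parent, child = int(parent), int(child)
        prev = edges.setdefault(child, (parent, image))
        if prev[0] != parent:  # one child cannot have been spawned by two parents
            raise ValueError(f"pid {child} written by both {prev[0]} and {parent}")
        counts[(parent, child)] += 1
    return edges, counts


def build_tree(edges):
    """Group children under parents; roots are parents that are nobody's child."""
    children = defaultdict(list)
    for child, (parent, _image) in edges.items():
        children[parent].append(child)
    roots = sorted(p for p in children if p not in edges)
    return children, roots


def render(edges, children, pid, depth=0):
    """One indented line per process. A pid's image name is only known from rows
    where it acts as the parent, so leaves are shown as <leaf>."""
    image = next((img for _c, (p, img) in edges.items() if p == pid), "<leaf>")
    lines = ["  " * depth + f"{pid} {image}"]
    for c in sorted(children.get(pid, [])):
        lines.extend(render(edges, children, c, depth + 1))
    return lines


def lineage(edges, pid):
    """Walk from a pid up to its root, e.g. a cacls child back to the dropper."""
    chain = [pid]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]][0])
    return chain


if __name__ == "__main__":
    edges, counts = parse_writes(SAMPLE_ROWS)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(edges, children, root)))
```

The two oneetx.exe instances at the bottom of the Processes tree (PIDs 4800 and 3208) never appear in these rows, which is why a tree built only from WriteProcessMemory shows a single root: processes started by the Task Scheduler service have no logged writer and must be attached from the task definition instead.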
Processes
Indentation gives the parent/child relationship; "cmd" is the command line as logged. System32 paths in the command lines resolve to SysWOW64 images because the parents are 32-bit processes subject to file system redirection.
- PID 3896  C:\Users\Admin\AppData\Local\Temp\9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\9ebe51422a05265484133f8699a613210f509c71a4f9082ee35e2fda39d3dd0b.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - PID 4544  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9002165.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9002165.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 2272  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4271783.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4271783.exe
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4412  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6419398.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6419398.exe
      signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 1168  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0050101.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0050101.exe
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - PID 2336  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - PID 4272  C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        signatures: Creates scheduled task(s)
      - PID 2700  C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        signatures: Suspicious use of WriteProcessMemory
        - PID 2372  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - PID 2064  C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "oneetx.exe" /P "Admin:N"
        - PID 4760  C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "oneetx.exe" /P "Admin:R" /E
        - PID 3824  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - PID 2524  C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "..\c3912af058" /P "Admin:N"
        - PID 2948  C:\Windows\SysWOW64\cacls.exe
          cmd: CACLS "..\c3912af058" /P "Admin:R" /E
      - PID 2820  C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        signatures: Loads dropped DLL
- PID 4800  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  signatures: Executes dropped EXE
- PID 3208  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  signatures: Executes dropped EXE
Three points worth reading out of the tree: the schtasks call re-launches oneetx.exe from the user's Temp directory every minute, which is consistent with the two oneetx.exe instances (PIDs 4800 and 3208) that appear with no recorded parent; the CACLS sequence first replaces the Admin user's access to oneetx.exe and its directory with "no access" and then adds read-only, so the interactive user can no longer delete or overwrite the dropped files without first taking ownership or editing the ACL; and rundll32 loads clip64.dll from AppData\Roaming by its exported entry point "Main", the only DLL load flagged in the run.
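The command lines in the tree above carry the behaviours a detection engineer would turn into rules: a scheduled task that re-runs a binary from the user's Temp directory every minute, a CACLS deny-then-read-only sequence that keeps the user from removing the dropped files, and rundll32 loading a DLL from AppData\Roaming by export name, alongside the advpack DelNodeRunDLL32 call that self-extractor cleanup legitimately uses. The following is an added example, not part of the tria.ge report, that scores each of those patterns; it runs over the command lines from the tree plus one constructed benign schtasks line (a daily task under Program Files) that must not fire. All function and rule names are the example's own.

```python
import re

# Constructed sample: (parent image, command line) pairs taken from the process
# tree in the report, plus a made-up benign schtasks line as the negative case.
SAMPLE_COMMANDS = [
    ("oneetx.exe", r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F'),
    ("oneetx.exe", r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit'),
    ("oneetx.exe", r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    ("x9002165.exe", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    ("svchost.exe", r'schtasks.exe /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\update.exe"'),  # constructed, benign
]

# Per-user directories any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)


def triage(parent, cmd):
    """Return a list of (rule, severity, detail) findings for one command line."""
    findings = []
    c = cmd.lower()

    # Rule 1: schtasks /Create with a very short interval and/or a user-writable target.
    if "schtasks" in c and "/create" in c:
        sc = re.search(r"/sc\s+(\w+)", c)
        mo = re.search(r"/mo\s+(\d+)", c)
        tr = re.search(r'/tr\s+"?([^"]+)', cmd, re.IGNORECASE)
        target = tr.group(1) if tr else ""
        high_freq = bool(sc and sc.group(1) == "minute" and (not mo or int(mo.group(1)) <= 5))
        in_user_dir = bool(USER_WRITABLE.search(target))
        if high_freq or in_user_dir:
            sev = "high" if (high_freq and in_user_dir) else "medium"
            findings.append(("schtasks_persistence", sev, f"/SC {sc.group(1) if sc else '?'} -> {target}"))

    # Rule 2: CACLS "<target>" /P "<user>:N" followed by CACLS "<target>" /P "<user>:R" /E
    # on the same target: all access removed, then read-only added back (self-protection).
    denies = re.findall(r'cacls\s+"([^"]+)"\s+/p\s+"([^":]+):n"', c)
    regrants = re.findall(r'cacls\s+"([^"]+)"\s+/p\s+"([^":]+):r"\s+/e', c)
    for target, user in denies:
        if (target, user) in regrants:
            findings.append(("cacls_self_protection", "high", f"{user} reduced to read-only on {target}"))

    # Rule 3: rundll32 <dll>,<export>; split advpack cleanup (info) from a DLL in a user directory (high).
    m = re.search(r'rundll32(?:\.exe)?"?\s+([^,\s"]+)\s*,\s*(\w+)', cmd, re.IGNORECASE)
    if m:
        dll, export = m.groups()
        if dll.lower().endswith("advpack.dll") and export.lower() == "delnoderundll32":
            findings.append(("wextract_cleanup", "info", "self-extractor temp-directory cleanup"))
        elif USER_WRITABLE.search(dll):
            findings.append(("rundll32_user_dll", "high", f"{dll},{export} loaded by {parent}"))
    return findings


def run_all(commands):
    """Apply triage() to every (parent, command line) pair; returns [(parent, findings)]."""
    return [(parent, triage(parent, cmd)) for parent, cmd in commands]


if __name__ == "__main__":
    for parent, findings in run_all(SAMPLE_COMMANDS):
        for rule, sev, detail in findings:
            print(f"[{sev}] {rule}: {detail} (parent {parent})")
```

The advpack rule is deliberately scored "info": DelNodeRunDLL32 cleanup of an IXP00n.TMP directory is what any wextract-built self-extractor registers, so it marks a packaging style, not malicious intent, and a rule that treated it as high would be noisy on legitimate installers.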
Network
MITRE ATT&CK Enterprise v6
Downloads
Files recorded for the run, grouped by hash; the report lists several of them more than once, and the number of identical entries is given per file.
- 210KB (listed 7 times)
  MD5: f3686d6c5c6929cc9d6534108d2b417f
  SHA1: bd856bc8566493f6823254a356f511450a179138
  SHA256: 516416a3b6904c494d14ed76446384c88f0ee15d55304d65cc098111ad27bb9c
  SHA512: d9befeaff0953918c44111a030a9082f752c16c364a20d04dfe6bd9f3b7dfd6ace65b322d765184906bfda76bd42340ec9f028760e223002b950730035b2b3fb
- 307KB (listed 2 times)
  MD5: 80791e4a12b8211660f8ca7372a9adad
  SHA1: 0bcc3b3799a84f68243678ae5c36e2b0994e52cf
  SHA256: b99a3291aaea12a83d1011df3eb98c6f6827dcd8024e963863ddde3b6bb56a05
  SHA512: ff6f48a22e0edf25a63024b0b7ee76b1e37372ac3f3ca21d715cb9545cf797551748f315f0fccf7c0e1a571ba6a30f0b7e8a4dba78f1a52c8d9acfd2fb1b774c
- 168KB (listed 2 times)
  MD5: 3adf8cdf298829379512af81808ab85b
  SHA1: ab365a79698291858aa500fd29b50b46d31b1274
  SHA256: f6734e09ace61f280721dc477768a61f99ffcc3657dbc3547fa5e8a0841e369b
  SHA512: 0787db345e064e3aa84fd339e4e5fe68dcd653644f3af1f525cb6594d8b0cad62b4cb7b9c23a3cba3f18c09e07b5efaf01a377c288626bee18f67e7b851613a6
- 179KB (listed 2 times)
  MD5: 85b82c783e1703e3b4cc571e604c3e95
  SHA1: ed5505e22a75841794321d8ba86f770f1316d49c
  SHA256: 7c30ef2383c172e88dbb7146bd662935a0bd417b2bd7e80d2d9010d39f839b15
  SHA512: aeb63117d7acfe88f0da4b97320763faf54302776b8b381835712e39547bca6465657b4c25f5614137f5bca41ff84622c72c96ebe22a85af4a7b8dd2545fc970
- 89KB (listed 3 times)
  MD5: 8451a2c5daa42b25333b1b2089c5ea39
  SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
  SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
  SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
- 162B (listed once)
  MD5: 1b7c22a214949975556626d7217e9a39
  SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5