Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08/05/2023, 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe
- Resource: win10-20230220-en
General
- Target: 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe
- Size: 479KB
- MD5: d808fb85bc274a79429fa4d86df30033
- SHA1: 319db477b5c5e3ca1693d593af93a272890747c1
- SHA256: 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add
- SHA512: 963abb547ecbfacb90735aa99ef891de72582d770f915f0c33e489ea5e220200da85b87a7cd44962de2e8d813dc141bb88e7f42b9f1d940a3c5c7a2ff052e81f
- SSDEEP: 12288:7Mrey90mIz84uI4RoGIhTG+ww4goxuR3xa4gqXXB:ty4yWhTh4pa3jgqXR
Malware Config
Extracted
- family: redline
- botnet: dona
- C2: 217.196.96.101:4132
- auth_value: 9fbb198992bbc83a84ab1f21384813e3
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k4758422.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k4758422.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k4758422.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k4758422.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k4758422.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Executes dropped EXE (7 IoCs)
pid | Process
4280 | y3096655.exe
4612 | k4758422.exe
4732 | l5411114.exe
4248 | m5649430.exe
4492 | oneetx.exe
3516 | oneetx.exe
3396 | oneetx.exe

Loads dropped DLL (1 IoC)
pid | Process
692 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k4758422.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k4758422.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y3096655.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y3096655.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
968 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4612 | k4758422.exe
4612 | k4758422.exe
4732 | l5411114.exe
4732 | l5411114.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4612 | k4758422.exe
Token: SeDebugPrivilege | 4732 | l5411114.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4248 | m5649430.exe

Suspicious use of WriteProcessMemory (42 IoCs; each row below was recorded 3 times)
description | pid | Process | procid_target
PID 4264 wrote to memory of 4280 | 4264 | 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe | 66
PID 4280 wrote to memory of 4612 | 4280 | y3096655.exe | 67
PID 4280 wrote to memory of 4732 | 4280 | y3096655.exe | 68
PID 4264 wrote to memory of 4248 | 4264 | 0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe | 70
PID 4248 wrote to memory of 4492 | 4248 | m5649430.exe | 71
PID 4492 wrote to memory of 968 | 4492 | oneetx.exe | 72
PID 4492 wrote to memory of 4560 | 4492 | oneetx.exe | 73
PID 4560 wrote to memory of 2080 | 4560 | cmd.exe | 76
PID 4560 wrote to memory of 1748 | 4560 | cmd.exe | 77
PID 4560 wrote to memory of 3616 | 4560 | cmd.exe | 78
PID 4560 wrote to memory of 2924 | 4560 | cmd.exe | 79
PID 4560 wrote to memory of 3032 | 4560 | cmd.exe | 80
PID 4560 wrote to memory of 4084 | 4560 | cmd.exe | 81
PID 4492 wrote to memory of 692 | 4492 | oneetx.exe | 83
Processes
(depth in brackets; each entry lists the image path, the command line as recorded, the PID and the signatures attached to that process)

[1] C:\Users\Admin\AppData\Local\Temp\0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0d60479b5f27880b29b3c8e34485205db637c842f21c48df19ffe7e0f1d09add.exe"
    PID: 4264
    signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3096655.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3096655.exe
        PID: 4280
        signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4758422.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k4758422.exe
            PID: 4612
            signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5411114.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5411114.exe
            PID: 4732
            signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5649430.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5649430.exe
        PID: 4248
        signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            PID: 4492
            signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
                PID: 968
                signatures: Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
                PID: 4560
                signatures: Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 2080
                [5] C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "oneetx.exe" /P "Admin:N"
                    PID: 1748
                [5] C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
                    PID: 3616
                [5] C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    PID: 2924
                [5] C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "..\c3912af058" /P "Admin:N"
                    PID: 3032
                [5] C:\Windows\SysWOW64\cacls.exe
                    cmdline: CACLS "..\c3912af058" /P "Admin:R" /E
                    PID: 4084
            [4] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                PID: 692
                signatures: Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    PID: 3516
    signatures: Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    PID: 3396
    signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
(17 entries in the original listing; identical entries are grouped, with the number of times each appears)

Filesize | MD5 | SHA1 | SHA256 | SHA512 | listed
210KB | 4125c6280081762faef6b2abb0ea6ca0 | 2d88bd8f4faaccd04ff1ba698476ccbad2ef3ce2 | c316b4a4cef1b13e03f2498e95a8b8fb487b00ee2ec492cc8f6df17d7814fb70 | eea0808ed0f30b454135467aa32807cf8d59b713cff20bf36fc1fd195207b01c164d1017b9afbb45d62734257a704dcf9bde773dc4bf2e0ff76919a2b701a5d7 | 7 times
307KB | 029a3d4ed847dc37426846cddb444dca | d7b0fa69f2533771284cc06d3099e851076e32a4 | 2ee7d2fb7a1d6f244b1855e889813a27529e369dd7cf5f2a3f329c3a620cf372 | 3312ee2083f361509ac16ffadd8c08e883e278242a68cdee5903c49caad3411f90cd4bf4220424796ad3ba42d8d010afb53f816e65de872851230b47c31e7825 | 2 times
179KB | ea3703b18227cff39e860aecfa65ec76 | 294c8d8746b0d36f75a6e22098d1370466b44c8a | 4f2aade6311fc2fa7127d785c9445a2c068a7db0872333a7d83f65007de8d187 | 5ecb5ea6ac548dc61b06837d16c994286775a8b6a401d381a1822aade760d91b1c613b49ddd5eb1295cbe0bcbc3fc58c0a4074b1e6a382c54ae03d06668901a0 | 2 times
168KB | 939e0ee605eb621e4dd82b51b3a8504c | 89b16991e4173d169170b9f0083883dc73651c6e | af6663a562884857bcbe0a59da890b36bc6e75277072d6735310f3c149b7daa2 | 54ea639f3d769f634344a22af4d3f3804e43b594b5786e6d780fd669135b9febb3429aca77a280179933f24797ba16e8b974f55b94d6d8fb83719e284ca34344 | 2 times
89KB | 8451a2c5daa42b25333b1b2089c5ea39 | 700cc99ec8d3113435e657070d2d6bde0a833adc | b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0 | 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53 | 3 times
162B | 1b7c22a214949975556626d7217e9a39 | d01c97e2944166ed23e47e4a62ff471ab8fa031f | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 | 1 time