Analysis

- max time kernel: 148s
- max time network: 152s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 08/05/2023, 20:11
Static task: static1

Behavioral task: behavioral1
- Sample: ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe
- Resource: win10-20230220-en
General

- Target: ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe
- Size: 480KB
- MD5: cd41b4245390225a7ad52a4bb819944e
- SHA1: 786b7269182481d8f6a448b77c7ea51fc2c4ddf4
- SHA256: ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac
- SHA512: 31b4a00154f4fa0261f393061447af531062e87f0d415b62d620b873879615161f87a701a2dd3e90c8abcf99e444175224e6b1edaf0200ce15fbd7dcc0783085
- SSDEEP: 12288:fMrty90G1Fd8TprWZ5c1u319ToqzcdPl5S0:+yvFd2pr6XzTHod980
Malware Config

Extracted
- Family: redline
- Botnet: mihan
- C2: 217.196.96.101:4132
- Attributes: auth_value = 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Modifies Windows Defender Real-time Protection settings 5 IoCs
a3320524.exe writes all five values under the Group Policy key \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. HKLM\SOFTWARE\Policies is a shared (non-redirected) key, so this 32-bit process reaches the real policy location, unlike its Features write below. On current Windows builds with Tamper Protection enabled these values are ignored, so read the signature as an attempt to disable real-time protection rather than proof that it was disabled.

description       ioc                                                                                                                    Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"        a3320524.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"    a3320524.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"    a3320524.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  a3320524.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"    a3320524.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
pid    Process
2548   v4695673.exe
3048   a3320524.exe
4660   b5816649.exe
3912   d4514105.exe
3040   oneetx.exe
4908   oneetx.exe
4064   oneetx.exe

Loads dropped DLL 1 IoCs
pid    Process
4828   rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
-
Windows security modification 2 IoCs
The TamperProtection write goes to \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features: the 32-bit process was subject to registry redirection, and this key is not on the shared-key list, so the value landed in the 32-bit view rather than in the key the 64-bit Defender service reads. This is a common failure of 32-bit disablers on 64-bit hosts; the Policies writes above are not affected because HKLM\SOFTWARE\Policies is shared.

description       ioc                                                                                                 Process
Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                          a3320524.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   a3320524.exe
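The two Defender-tampering signatures above (and the RunOnce entries below) can be evaluated mechanically from the report's own registry-write rows. The following Python is an added example written for this page; it is not tria.ge code and not part of the sample. It parses "Set value" rows in the format the report prints, maps the native \REGISTRY\MACHINE prefix to HKLM, strips WOW6432Node redirection while remembering that it happened, and flags the policy values, the TamperProtection write and the wextract cleanup entry. The input rows are copied from this report; the gpupdate.exe control row, the ATT&CK technique IDs and the wording of the notes are the editor's assumptions.

```python
import re
from dataclasses import dataclass

# Input rows copied from the report's signature tables, plus one constructed
# benign control row (gpupdate.exe resetting a value to 0) that must not alert.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a3320524.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a3320524.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a3320524.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a3320524.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a3320524.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features a3320524.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" a3320524.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe',
    # constructed control row: same value name, reset to 0 by a legitimate tool
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" gpupdate.exe',
]

HIVE = '\\REGISTRY\\MACHINE\\'
WOW = '\\WOW6432NODE\\'
SET_RE = re.compile(r'^Set value \((?:int|str)\) (?P<path>\\REGISTRY\\MACHINE\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$')

# Keys compared in upper case; the registry is case-insensitive.
RTP_POLICY_KEY = 'HKLM\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION'
FEATURES_KEY = 'HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\FEATURES'
RTP_DISABLE_NAMES = {
    'DISABLEIOAVPROTECTION', 'DISABLEONACCESSPROTECTION', 'DISABLEREALTIMEMONITORING',
    'DISABLESCANONREALTIMEENABLE', 'DISABLEBEHAVIORMONITORING',
}


@dataclass
class Finding:
    technique: str   # ATT&CK ID (editor's mapping, not the report's)
    path: str        # native (64-bit) view of the value path, HKLM-prefixed
    value: str
    process: str
    note: str


def native_path(path):
    """Map \\REGISTRY\\MACHINE\\... to HKLM\\... and undo WOW6432Node redirection.
    Returns (native_path, redirected)."""
    if path.upper().startswith(HIVE.upper()):
        path = 'HKLM\\' + path[len(HIVE):]
    idx = path.upper().find(WOW)
    if idx < 0:
        return path, False
    return path[:idx] + '\\' + path[idx + len(WOW):], True


def analyse(lines):
    findings = []
    for line in lines:
        m = SET_RE.match(line)
        if not m:
            continue  # "Key created" rows carry no value; nothing to evaluate
        path, redirected = native_path(m['path'])
        key, _, name = path.rpartition('\\')
        key, name = key.upper(), name.upper()
        value, proc = m['value'], m['proc']
        if key == RTP_POLICY_KEY and name in RTP_DISABLE_NAMES and value == '1':
            findings.append(Finding('T1562.001', path, value, proc,
                                    'Defender real-time protection component disabled via policy'))
        elif key == FEATURES_KEY and name == 'TAMPERPROTECTION' and value == '0':
            note = 'Tamper Protection switched off'
            if redirected:
                note += ' (written to the WOW6432Node view; the 64-bit Defender service likely never sees it)'
            findings.append(Finding('T1562.001', path, value, proc, note))
        elif key.endswith('\\CURRENTVERSION\\RUN') or key.endswith('\\CURRENTVERSION\\RUNONCE'):
            note = 'autostart entry'
            if 'DELNODERUNDLL32' in value.upper():
                note = 'wextract self-extractor cleanup entry (deletes the unpack directory at next logon)'
            findings.append(Finding('T1547.001', path, value, proc, note))
    return findings


if __name__ == '__main__':
    for f in analyse(REPORT_LINES):
        print(f.technique, f.process, f.path, '=', f.value, '|', f.note)
```

The same parser works on any signature table in this format; the rule set is deliberately narrow (exact key match, exact value) so that a policy reset to 0, as in the control row, does not fire.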
Adds Run key to start application 2 TTPs 4 IoCs
Both entries are the standard cleanup hook of the Windows wextract.exe self-extractor (the IExpress cabinet format): it unpacks into %TEMP%\IXP00n.TMP and registers a RunOnce value that deletes that directory through advpack.dll,DelNodeRunDLL32 at the next logon. So the sample and v4695673.exe are wextract wrappers around the next stage rather than persistence in their own right; the persistence in this run is the scheduled task created later by oneetx.exe.

description       ioc                                                                                          Process
Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce             ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe
Key created       \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce             v4695673.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   v4695673.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid    Process
3760   schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid    Process
3048   a3320524.exe
3048   a3320524.exe
4660   b5816649.exe
4660   b5816649.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description               pid    Process
Token: SeDebugPrivilege   3048   a3320524.exe
Token: SeDebugPrivilege   4660   b5816649.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
3912   d4514105.exe

Suspicious use of WriteProcessMemory 42 IoCs
The report records each event three times (42 rows for 14 parent/child pairs); one row per pair is listed here, with the report's procid_target index.

pid    Process                                                                  wrote to (pid)   procid_target
2428   ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe    2548             66
2548   v4695673.exe                                                             3048             67
2548   v4695673.exe                                                             4660             68
2428   ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe    3912             70
3912   d4514105.exe                                                             3040             71
3040   oneetx.exe                                                               3760             72
3040   oneetx.exe                                                               3108             74
3108   cmd.exe                                                                  4836             76
3108   cmd.exe                                                                  3000             77
3108   cmd.exe                                                                  2156             78
3108   cmd.exe                                                                  3212             79
3108   cmd.exe                                                                  2144             80
3108   cmd.exe                                                                  4856             81
3040   oneetx.exe                                                               4828             82
Processes

The leading number is the report's own depth (1 = top level). Image paths read SysWOW64 where the command line says System32 because the 32-bit parent is subject to WOW64 file system redirection. The two top-level oneetx.exe instances at the end have no recorded parent, which is consistent with the scheduled task created below (it re-launches oneetx.exe every minute).

1  C:\Users\Admin\AppData\Local\Temp\ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 2428
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4695673.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4695673.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2548
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3320524.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3320524.exe
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 3048
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5816649.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5816649.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 4660
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4514105.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4514105.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 3912
      3  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 3040
         4  C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
            - Creates scheduled task(s)
            PID: 3760
            Note: a task named oneetx.exe that runs the dropped binary every minute (/SC MINUTE /MO 1); /F overwrites any existing task of that name.
         4  C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            PID: 3108
            Note: cacls without /E replaces the whole ACL and prompts for confirmation, hence the piped echo Y. Each pair first sets Admin (the sandbox user) to N (no access) and then edits the entry to R (read), on the binary and on its directory ..\c3912af058. This is a crude anti-removal step: the account is left with read access only, so ordinary delete and overwrite attempts fail (the owner can still reset the ACL).
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
               PID: 4836
            5  C:\Windows\SysWOW64\cacls.exe
               Command line: CACLS "oneetx.exe" /P "Admin:N"
               PID: 3000
            5  C:\Windows\SysWOW64\cacls.exe
               Command line: CACLS "oneetx.exe" /P "Admin:R" /E
               PID: 2156
            5  C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
               PID: 3212
            5  C:\Windows\SysWOW64\cacls.exe
               Command line: CACLS "..\c3912af058" /P "Admin:N"
               PID: 2144
            5  C:\Windows\SysWOW64\cacls.exe
               Command line: CACLS "..\c3912af058" /P "Admin:R" /E
               PID: 4856
         4  C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            - Loads dropped DLL
            PID: 4828
            Note: a dropped DLL under the roaming profile executed through its Main export; rundll32 running code from a user-writable path is worth a detection on its own.
1  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   - Executes dropped EXE
   PID: 4908
1  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
   - Executes dropped EXE
   PID: 4064
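The process tree above can be rebuilt from the WriteProcessMemory table alone, and the three behaviours worth alerting on (the minute-interval task, the cacls deny, the rundll32 export call) can be spotted from the children's command lines. The following Python is an added example written for this page, not tria.ge code and not part of the sample: it de-duplicates the tripled events, reconstructs parent/child relationships, attaches the command lines copied from the Processes section, and renders the tree with flags. The edge rows are copied from this report (one deliberate duplicate added to exercise the de-duplication); the ATT&CK IDs in the flag text and the choice of "user-writable" path patterns are the editor's assumptions.

```python
import re
from collections import defaultdict

# Constructed from the report: one copy of each tripled WriteProcessMemory event,
# plus one deliberate duplicate (second row) to show the de-duplication.
WPM_LINES = """
PID 2428 wrote to memory of 2548 2428 ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe 66
PID 2428 wrote to memory of 2548 2428 ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe 66
PID 2548 wrote to memory of 3048 2548 v4695673.exe 67
PID 2548 wrote to memory of 4660 2548 v4695673.exe 68
PID 2428 wrote to memory of 3912 2428 ae37d33272e035d67debe1a207795e475b06ced834eefc3b3e3f15044efc91ac.exe 70
PID 3912 wrote to memory of 3040 3912 d4514105.exe 71
PID 3040 wrote to memory of 3760 3040 oneetx.exe 72
PID 3040 wrote to memory of 3108 3040 oneetx.exe 74
PID 3108 wrote to memory of 4836 3108 cmd.exe 76
PID 3108 wrote to memory of 3000 3108 cmd.exe 77
PID 3108 wrote to memory of 2156 3108 cmd.exe 78
PID 3108 wrote to memory of 3212 3108 cmd.exe 79
PID 3108 wrote to memory of 2144 3108 cmd.exe 80
PID 3108 wrote to memory of 4856 3108 cmd.exe 81
PID 3040 wrote to memory of 4828 3040 oneetx.exe 82
"""

# Child command lines copied from the report's Processes section.
CMDLINES = {
    3760: r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F',
    4836: r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    3000: r'CACLS "oneetx.exe" /P "Admin:N"',
    2156: r'CACLS "oneetx.exe" /P "Admin:R" /E',
    3212: r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    2144: r'CACLS "..\c3912af058" /P "Admin:N"',
    4856: r'CACLS "..\c3912af058" /P "Admin:R" /E',
    4828: r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
}

EDGE_RE = re.compile(r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) \d+ (?P<image>\S+) \d+$')
# Assumed "user-writable" locations for the heuristics below.
USER_WRITABLE = re.compile(r'\\AppData\\(?:Local\\Temp|Roaming)\\', re.I)


def parse_edges(text):
    """child pid -> (parent pid, parent image). Keying on the child collapses
    the report's repeated rows for the same pair."""
    edges = {}
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line)
        if m:
            edges[int(m['child'])] = (int(m['parent']), m['image'])
    return edges


def flag(cmdline):
    """Heuristics for the persistence / anti-removal patterns seen in this tree.
    The ATT&CK IDs are the editor's mapping, not the report's."""
    low = cmdline.lower()
    flags = []
    if 'schtasks' in low and '/create' in low and '/sc minute' in low and USER_WRITABLE.search(cmdline):
        flags.append('minute-interval scheduled task running a binary from a user-writable path (T1053.005)')
    if 'cacls' in low and ':n"' in low:
        flags.append('ACL deny placed on a dropped file or directory (anti-removal)')
    if 'rundll32' in low and '.dll' in low and USER_WRITABLE.search(cmdline):
        flags.append('rundll32 executing a DLL export from the user profile (T1218.011)')
    return flags


def build_tree(edges):
    children = defaultdict(list)
    for child, (parent, _) in edges.items():
        children[parent].append(child)
    roots = sorted(p for p in children if p not in edges)
    return children, roots


def image_of(pid, edges, cmdlines):
    """Parents are named in the edge rows; leaves are named from their command line."""
    for parent, image in edges.values():
        if parent == pid:
            return image
    cmd = cmdlines.get(pid)
    if not cmd:
        return f'pid{pid}'
    return cmd.split()[0].strip('"').rsplit('\\', 1)[-1]


def render(edges, cmdlines=CMDLINES):
    """Return (indented tree text, [(pid, flag text), ...])."""
    children, roots = build_tree(edges)
    lines, findings = [], []

    def walk(pid, depth):
        fl = flag(cmdlines.get(pid, ''))
        findings.extend((pid, f) for f in fl)
        mark = '   <-- ' + '; '.join(fl) if fl else ''
        lines.append(f"{'  ' * depth}{pid} {image_of(pid, edges, cmdlines)}{mark}")
        for child in children.get(pid, []):   # insertion order = report order
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return '\n'.join(lines), findings


if __name__ == '__main__':
    tree, findings = render(parse_edges(WPM_LINES))
    print(tree)
```

Only the deny (:N) cacls calls are flagged; the follow-up :R /E edits are the same anti-removal sequence but add nothing once the deny has fired, and the two echo Y helpers are noise. The top-level oneetx.exe re-launches (PIDs 4908 and 4064) do not appear because the WriteProcessMemory table has no edge for them.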
Downloads

Unique artifacts by hash. The original table repeats several entries; the repeats are collapsed here, with the number of listings in brackets.

- 210KB [7 listings]
  MD5: 1e7eb2146f267693a396be3337e34f54
  SHA1: d368f1eaf16854fb01b0f93055028a7dc90658c4
  SHA256: 79ceb30127634b5e664548d0dbf498e9d11a8fce8a813c8c417a68af7576483c
  SHA512: 64d1f2046aa236f53e7d7014ee26b9e642355831d04ae602e1ef832896d205a8f7a40ea0c19aec117cf0137954738bcc460a8117bc223976a76e703aaa1bb891

- 309KB [2 listings]
  MD5: a5804e2271adc3ad4e8fd12d574d1dfa
  SHA1: 3b6dc51bc0c4c37b32da5038b80bf472a89bd373
  SHA256: b4c7485f503ac6295efaf3b3423e0e0c0e961d73100846d3ed2b4582c74b0951
  SHA512: 8d359cc90a4b8cd2fd5134e355e80a1e934773a6c885031ceeb39d3e0d2a933ae250d48659525bc949cad6f21d9e4922128b868adc139302b0db500a7825aded

- 179KB [2 listings]
  MD5: c03a0fb4b76e7f7178c2e5317101ae7f
  SHA1: d8523003547af2634ee9f7837e9ed8de3416487a
  SHA256: ad93c4232443f9b2af90272b9d511cc0f2a2a427903566a48b591e5b4623c510
  SHA512: 55cfff9b555f3d060c07a285326eff705dc1bd946e4f790a5f57d67b502afe64229b6a8036bea95e103a6c3d68d50e265762547ea04a2e73c23efc73978ec5ad

- 168KB [2 listings]
  MD5: 419ed155dbee1c3f99055a687e06390c
  SHA1: 5d37dc90dc529419a2918d41f0c6520ffcf7d059
  SHA256: 213d6bf8e1c89c31983a2d9498714ec456fa9c52313066bc7ac0179e6a40cca2
  SHA512: 67139c3efaa5487a0a1fc99596f5fccd18e3efe4564c226f30f2211425a9ca26530234f7a525c4783281d96242c31cd91dd4ed777a8efb91d0324d8cd28be561

- 89KB [3 listings]
  MD5: 8451a2c5daa42b25333b1b2089c5ea39
  SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
  SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
  SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

- 162B [1 listing]
  MD5: 1b7c22a214949975556626d7217e9a39
  SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5