Analysis
max time kernel: 135s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 08/05/2023, 20:42
Static task: static1
Behavioral task: behavioral1
Sample: b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
Resource: win10v2004-20230220-en
General
Target: b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
Size: 489KB
MD5: aa6d03446e5c105de4417c5b50d5d6d0
SHA1: 23e47f16d18006389189291f3b933f0105938049
SHA256: b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548
SHA512: f4aa199513011c96e502b76a69e507cc918f8f690d573598887e6fb873f34f83b238a2338f2ae3c2671a83da40d7e2d17a3e20cb2a38dbce10f9cfb194dc3bbb
SSDEEP: 12288:xMruy90dNxb0d1P+5c1u31CTDjh5TFmNXvSQZJa3:/yk8HiXUTHTTFmNXvSQZE3
Malware Config
Extracted: redline
lamp
217.196.96.101:4132
auth_value: 8a3e8bc22f2496c7c5339eb332073902
Extracted: amadey
3.70
212.113.119.255/joomla/index.php
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o2893244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o2893244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o2893244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | o2893244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o2893244.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o2893244.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | s1054200.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE 7 IoCs
pid | Process
4980 | z4701836.exe
4988 | o2893244.exe
3804 | r2668286.exe
772 | s1054200.exe
1196 | oneetx.exe
3760 | oneetx.exe
2972 | oneetx.exe
Loads dropped DLL 1 IoCs
pid | Process
3112 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o2893244.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o2893244.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z4701836.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z4701836.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1904 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3748 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4988 | o2893244.exe
4988 | o2893244.exe
3804 | r2668286.exe
3804 | r2668286.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4988 | o2893244.exe
Token: SeDebugPrivilege | 3804 | r2668286.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
772 | s1054200.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2168 wrote to memory of 4980 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 84
PID 2168 wrote to memory of 4980 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 84
PID 2168 wrote to memory of 4980 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 84
PID 4980 wrote to memory of 4988 | 4980 | z4701836.exe | 85
PID 4980 wrote to memory of 4988 | 4980 | z4701836.exe | 85
PID 4980 wrote to memory of 4988 | 4980 | z4701836.exe | 85
PID 4980 wrote to memory of 3804 | 4980 | z4701836.exe | 90
PID 4980 wrote to memory of 3804 | 4980 | z4701836.exe | 90
PID 4980 wrote to memory of 3804 | 4980 | z4701836.exe | 90
PID 2168 wrote to memory of 772 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 91
PID 2168 wrote to memory of 772 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 91
PID 2168 wrote to memory of 772 | 2168 | b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe | 91
PID 772 wrote to memory of 1196 | 772 | s1054200.exe | 92
PID 772 wrote to memory of 1196 | 772 | s1054200.exe | 92
PID 772 wrote to memory of 1196 | 772 | s1054200.exe | 92
PID 1196 wrote to memory of 3748 | 1196 | oneetx.exe | 93
PID 1196 wrote to memory of 3748 | 1196 | oneetx.exe | 93
PID 1196 wrote to memory of 3748 | 1196 | oneetx.exe | 93
PID 1196 wrote to memory of 3112 | 1196 | oneetx.exe | 102
PID 1196 wrote to memory of 3112 | 1196 | oneetx.exe | 102
PID 1196 wrote to memory of 3112 | 1196 | oneetx.exe | 102
Processes
C:\Users\Admin\AppData\Local\Temp\b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b428cc2fafd8b391a52334166a171f065f2b3ada962e9214ae43ff72ae348548.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2168
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4701836.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4701836.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 4980
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2893244.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2893244.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4988
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2668286.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2668286.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3804
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1054200.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1054200.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 772
        C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 1196
            C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
              - Creates scheduled task(s)
              PID: 3748
            C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
              - Loads dropped DLL
              PID: 3112
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  - Executes dropped EXE
  PID: 3760
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  - Executes dropped EXE
  PID: 2972
C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
  PID: 1904
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 231KB
MD5: 2372c7a8c085eefa4608778f8e62b4b0
SHA1: d6d352bea571e0c2c881e96347b3ccfa1b230f7b
SHA256: 9e3c185da47bed64faa15adf398955a76a69a70af7fd4237046fff997cad60ca
SHA512: 828c9eaf1ac4c4931ae6f38f9d455ce8ef3380d1caa881ff60b79300af9cb64694618b92eea89f516258e2e36f197d23cf73f11dcea97f9c0c0cc8033655b0aa
-
Filesize: 307KB
MD5: e76eaff8de70325df26dda3ac9203ce0
SHA1: f4aa1f93ad8a60cf502b4e524db464b9190a698b
SHA256: ffbb9b0f98526528ff889f803cb8c54114ae9dc6fb34add13e035c6a62942682
SHA512: 79572110c52b2268739a276250d9824533c4455ed9c9e8ef5cf668af822c26a20343ae8b74ca63224f10140f98c11309a769629ce38234247b37f77dbf602e2e
-
Filesize: 179KB
MD5: b6f6a993fc1e40151c3cb02718271b39
SHA1: 3d88563df2b1604bc6d737f642bc552e3f225b75
SHA256: 6a698066b6d017ff3a4112c925a98ba71ebf39098025433f3e9d37fcbf5231a2
SHA512: 8b05b0cd66e5c4eb63ca1352b911740edb5122aba2f78f624d80fe4e10f72349c9794b9cdd0e3d537bf3ed38671154634e5fbb0e662ebe67f16c914f9135e675
-
Filesize: 168KB
MD5: 049adcc67079cc89ff23244263ba0d3a
SHA1: 4c1b30cbf7aaa2285ac75c6d38ae23515866e856
SHA256: 63546851a6792f2e1e82aefd3a4c6a4999e59c34c4ede8cd63248b686d86c6f8
SHA512: c405c21262a251f6ca8900623a336e18d7f300e541a4db10de52393e227f40a3cb2d5bb31173529171d82c9ccc9d344f616a9475b1ca147bb2e7ac5342e9b048
-
Filesize: 89KB
MD5: 73df88d68a4f5e066784d462788cf695
SHA1: e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256: f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512: 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5