Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
172s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09/05/2023, 23:56
General
-
Target
61d53a1491d53f257d5654316ad2055aba8554d0b05635f9069a7c21ae9bce02.exe
-
Size
479KB
-
MD5
67e949f4c3d6c38347d961a6340704a9
-
SHA1
fedaf1602acc5522a99023e1331cd7f74ff7edf5
-
SHA256
61d53a1491d53f257d5654316ad2055aba8554d0b05635f9069a7c21ae9bce02
-
SHA512
974d5bd870190e232476c9f8189c82307f8ec6e6495b29c7f8e7c229abe12155d1d2ecd64ff40c911da8c9ed829a9372fe604d9f96b08aeb5b55110544bc9bd7
-
SSDEEP
12288:vMrMy909a0mXe21alOuNEEG8HP8YjNB55MkE2/:byhvXkjg8v8gv5akV/
Malware Config
Extracted
redline
divan
217.196.96.102:4132
-
auth_value
b414986bebd7f5a3ec9aee0341b8e769
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\61d53a1491d53f257d5654316ad2055aba8554d0b05635f9069a7c21ae9bce02.exe"C:\Users\Admin\AppData\Local\Temp\61d53a1491d53f257d5654316ad2055aba8554d0b05635f9069a7c21ae9bce02.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568251.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7568251.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6623662.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6623662.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6651996.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6651996.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9862228.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i9862228.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
212KB
MD5b7ee7a9a57ac8e60ff91f069aa42611b
SHA121bf90a5dab791d57ab6685eaaa3c29b08de9c6b
SHA25656808b977a30c46b78cb8f0e966e0ed79e2f4c5f47213ac513227878d85e5d47
SHA5127fd511f20cb1ec2b02e1c874cac2da7f3399bd5f3a3fe48217470019f3a9b898338077b7342ae0011b403d25ee9f8dfb9da2101b5d1c6f3eb518b64830adda59
-
Filesize
212KB
MD5b7ee7a9a57ac8e60ff91f069aa42611b
SHA121bf90a5dab791d57ab6685eaaa3c29b08de9c6b
SHA25656808b977a30c46b78cb8f0e966e0ed79e2f4c5f47213ac513227878d85e5d47
SHA5127fd511f20cb1ec2b02e1c874cac2da7f3399bd5f3a3fe48217470019f3a9b898338077b7342ae0011b403d25ee9f8dfb9da2101b5d1c6f3eb518b64830adda59
-
Filesize
307KB
MD5211be941aab6c7f25e84923547043cc6
SHA114a24a61aca8a5bc75d549a644849a58358fe935
SHA256355d79e0a0ffe94dc1e335b896df7e667676d853ba25087aed9cc11e948da6d0
SHA512651df0ebb911b353bd1b4f1f49a9c8d29236f549290a693238e7cc54e2c46a16b0795f697bbf60f56d94d9ac0b896bafeebdb72b177e74b97c64052ab3b57fba
-
Filesize
307KB
MD5211be941aab6c7f25e84923547043cc6
SHA114a24a61aca8a5bc75d549a644849a58358fe935
SHA256355d79e0a0ffe94dc1e335b896df7e667676d853ba25087aed9cc11e948da6d0
SHA512651df0ebb911b353bd1b4f1f49a9c8d29236f549290a693238e7cc54e2c46a16b0795f697bbf60f56d94d9ac0b896bafeebdb72b177e74b97c64052ab3b57fba
-
Filesize
168KB
MD54221c973c04b215f818968c2041e45c2
SHA14ba8dae78ac3f03ce582c9301be3d0593caf9843
SHA2561b36c6ccb64b9e705dbceb160a24dd0b512d58dab7424642fea463db62b255c6
SHA512ae531b39e0f5afcd3bfe13171d26d56df12010ded0d11c0178b200f54fc5775ebf4c8a6239d025b40fa75d348f78406df00dd032b747ea02de95e5a50b9bd8a3
-
Filesize
168KB
MD54221c973c04b215f818968c2041e45c2
SHA14ba8dae78ac3f03ce582c9301be3d0593caf9843
SHA2561b36c6ccb64b9e705dbceb160a24dd0b512d58dab7424642fea463db62b255c6
SHA512ae531b39e0f5afcd3bfe13171d26d56df12010ded0d11c0178b200f54fc5775ebf4c8a6239d025b40fa75d348f78406df00dd032b747ea02de95e5a50b9bd8a3
-
Filesize
181KB
MD5ea8ebdb56a0fa77176991143ea8a1b19
SHA12672b5233e669ea6afc067e8c34b950136db333c
SHA256ea3ea26a6ee5b7efb73847218a1b570f31e312b21c3bc8bba45d18ce072fe28a
SHA51282300c0e77284f0ba9126e8c17329032d216e74330b590d9fb95ec828f840ea4d069ac05c4ed77e89daa89a6d5b049cbe1c00d8224c08e50f9749b31e6809ff3
-
Filesize
181KB
MD5ea8ebdb56a0fa77176991143ea8a1b19
SHA12672b5233e669ea6afc067e8c34b950136db333c
SHA256ea3ea26a6ee5b7efb73847218a1b570f31e312b21c3bc8bba45d18ce072fe28a
SHA51282300c0e77284f0ba9126e8c17329032d216e74330b590d9fb95ec828f840ea4d069ac05c4ed77e89daa89a6d5b049cbe1c00d8224c08e50f9749b31e6809ff3
-
Filesize
212KB
MD5b7ee7a9a57ac8e60ff91f069aa42611b
SHA121bf90a5dab791d57ab6685eaaa3c29b08de9c6b
SHA25656808b977a30c46b78cb8f0e966e0ed79e2f4c5f47213ac513227878d85e5d47
SHA5127fd511f20cb1ec2b02e1c874cac2da7f3399bd5f3a3fe48217470019f3a9b898338077b7342ae0011b403d25ee9f8dfb9da2101b5d1c6f3eb518b64830adda59
-
Filesize
212KB
MD5b7ee7a9a57ac8e60ff91f069aa42611b
SHA121bf90a5dab791d57ab6685eaaa3c29b08de9c6b
SHA25656808b977a30c46b78cb8f0e966e0ed79e2f4c5f47213ac513227878d85e5d47
SHA5127fd511f20cb1ec2b02e1c874cac2da7f3399bd5f3a3fe48217470019f3a9b898338077b7342ae0011b403d25ee9f8dfb9da2101b5d1c6f3eb518b64830adda59
-
Filesize
212KB
MD5b7ee7a9a57ac8e60ff91f069aa42611b
SHA121bf90a5dab791d57ab6685eaaa3c29b08de9c6b
SHA25656808b977a30c46b78cb8f0e966e0ed79e2f4c5f47213ac513227878d85e5d47
SHA5127fd511f20cb1ec2b02e1c874cac2da7f3399bd5f3a3fe48217470019f3a9b898338077b7342ae0011b403d25ee9f8dfb9da2101b5d1c6f3eb518b64830adda59
-
Filesize
1.0MB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
184KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB