Analysis
max time kernel: 135s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 09/05/2023, 03:02
Static task: static1
Behavioral task: behavioral1
Sample: c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe
Resource: win10v2004-20230220-en
General
Target: c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe
Size: 481KB
MD5: 270408e86e994c882c4ec4adfac44e6e
SHA1: f8b2af0e4ab4bd17d8dced07e584e895053d90bc
SHA256: c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772
SHA512: c53b256630be15e7c1132833bb1acac6610ed1b21fa526ed0b14b24dee63e1f327f76bfc7e162389bc0fd2ca02a6cad771b43c4408bca5d605e3688bd2930825
SSDEEP: 12288:7Mrjy90xe2MZ8YrZ3x6x8efAVKOLiPLf:gyyY8Wx6TsKO+PLf
Malware Config
Extracted
Family: redline
Botnet: mihan
C2: 217.196.96.101:4132
auth_value: 9a6a8fdae02ed7caa0a49a6ddc6d4520
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a3443347.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | d0754213.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE 7 IoCs
pid | Process
1136 | v8011842.exe
1452 | a3443347.exe
2356 | b8346529.exe
3368 | d0754213.exe
3008 | oneetx.exe
2548 | oneetx.exe
4008 | oneetx.exe
Loads dropped DLL 1 IoCs
pid | Process
4240 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a3443347.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a3443347.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v8011842.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v8011842.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1656 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1452 | a3443347.exe
1452 | a3443347.exe
2356 | b8346529.exe
2356 | b8346529.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1452 | a3443347.exe
Token: SeDebugPrivilege | 2356 | b8346529.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
3368 | d0754213.exe
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 1380 wrote to memory of 1136 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 82
PID 1380 wrote to memory of 1136 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 82
PID 1380 wrote to memory of 1136 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 82
PID 1136 wrote to memory of 1452 | 1136 | v8011842.exe | 83
PID 1136 wrote to memory of 1452 | 1136 | v8011842.exe | 83
PID 1136 wrote to memory of 1452 | 1136 | v8011842.exe | 83
PID 1136 wrote to memory of 2356 | 1136 | v8011842.exe | 90
PID 1136 wrote to memory of 2356 | 1136 | v8011842.exe | 90
PID 1136 wrote to memory of 2356 | 1136 | v8011842.exe | 90
PID 1380 wrote to memory of 3368 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 93
PID 1380 wrote to memory of 3368 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 93
PID 1380 wrote to memory of 3368 | 1380 | c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe | 93
PID 3368 wrote to memory of 3008 | 3368 | d0754213.exe | 94
PID 3368 wrote to memory of 3008 | 3368 | d0754213.exe | 94
PID 3368 wrote to memory of 3008 | 3368 | d0754213.exe | 94
PID 3008 wrote to memory of 1656 | 3008 | oneetx.exe | 95
PID 3008 wrote to memory of 1656 | 3008 | oneetx.exe | 95
PID 3008 wrote to memory of 1656 | 3008 | oneetx.exe | 95
PID 3008 wrote to memory of 1844 | 3008 | oneetx.exe | 97
PID 3008 wrote to memory of 1844 | 3008 | oneetx.exe | 97
PID 3008 wrote to memory of 1844 | 3008 | oneetx.exe | 97
PID 1844 wrote to memory of 4212 | 1844 | cmd.exe | 99
PID 1844 wrote to memory of 4212 | 1844 | cmd.exe | 99
PID 1844 wrote to memory of 4212 | 1844 | cmd.exe | 99
PID 1844 wrote to memory of 3360 | 1844 | cmd.exe | 100
PID 1844 wrote to memory of 3360 | 1844 | cmd.exe | 100
PID 1844 wrote to memory of 3360 | 1844 | cmd.exe | 100
PID 1844 wrote to memory of 3220 | 1844 | cmd.exe | 101
PID 1844 wrote to memory of 3220 | 1844 | cmd.exe | 101
PID 1844 wrote to memory of 3220 | 1844 | cmd.exe | 101
PID 1844 wrote to memory of 1756 | 1844 | cmd.exe | 102
PID 1844 wrote to memory of 1756 | 1844 | cmd.exe | 102
PID 1844 wrote to memory of 1756 | 1844 | cmd.exe | 102
PID 1844 wrote to memory of 4496 | 1844 | cmd.exe | 103
PID 1844 wrote to memory of 4496 | 1844 | cmd.exe | 103
PID 1844 wrote to memory of 4496 | 1844 | cmd.exe | 103
PID 1844 wrote to memory of 2780 | 1844 | cmd.exe | 104
PID 1844 wrote to memory of 2780 | 1844 | cmd.exe | 104
PID 1844 wrote to memory of 2780 | 1844 | cmd.exe | 104
PID 3008 wrote to memory of 4240 | 3008 | oneetx.exe | 106
PID 3008 wrote to memory of 4240 | 3008 | oneetx.exe | 106
PID 3008 wrote to memory of 4240 | 3008 | oneetx.exe | 106
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe (PID: 1380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c469d44db841c9a543f5ad8bd8259a7123be7a898f8436877ae7cf3561b2a772.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8011842.exe (PID: 1136)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8011842.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3443347.exe (PID: 1452)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3443347.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8346529.exe (PID: 2356)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8346529.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0754213.exe (PID: 3368)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0754213.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID: 3008)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID: 1656)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\cmd.exe (PID: 1844)
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID: 4212)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        C:\Windows\SysWOW64\cacls.exe (PID: 3360)
          Command line: CACLS "oneetx.exe" /P "Admin:N"

        C:\Windows\SysWOW64\cacls.exe (PID: 3220)
          Command line: CACLS "oneetx.exe" /P "Admin:R" /E

        C:\Windows\SysWOW64\cmd.exe (PID: 1756)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        C:\Windows\SysWOW64\cacls.exe (PID: 4496)
          Command line: CACLS "..\c3912af058" /P "Admin:N"

        C:\Windows\SysWOW64\cacls.exe (PID: 2780)
          Command line: CACLS "..\c3912af058" /P "Admin:R" /E

      C:\Windows\SysWOW64\rundll32.exe (PID: 4240)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID: 2548)
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe (PID: 4008)
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 211KB
MD5: d66565f71369edda08a47088357b2c25
SHA1: cab58e0cbd6f3483f2ab4499f7294579636dbfc0
SHA256: 9eb8722741f0eeacab579a325c25bb252587c3f716e0fa50c3ab03207297efca
SHA512: fe71cff0f6dc130fe19db593d7a49875a309e32d5d400dc7de456165fd194181c3db224ac9af6adf40236a516e2be84c6588256815e5a1ba96e598b49c48006b
Filesize: 309KB
MD5: f6b4be5711d1c57e2480a3cd56406f42
SHA1: e21714edb7ae447033a037d699c2585c817d152c
SHA256: 068151b5fbf6d35c930353090df4b3768769db2d772000a64b0fa9cfd16395c2
SHA512: cb3f1cbb189c0e24d574ba759107f8936eae74f86fbb6c13f6697b5a3171c76982a00afc508e396d6f33dee22cfea3116701a1ab8ab2ba882fdb0c1706743316
Filesize: 180KB
MD5: 4b1dce2c192e38f7afd6874d67aaa038
SHA1: b9d9733813c812026d68cc9e954c2e2eb5fa0681
SHA256: 3eaab6172e0c93821bceadc88d1417a4c8dbf6ad0edd68b23d81156efba05e85
SHA512: 7a88a1ea788b993e4306c153beee3f816bddf254ffd411c9b4edd145eed00a9c65317f35205784fdc4e0b361511f882184d4ae4cfcd4b3b741de0cd0a1f96ad2
Filesize: 168KB
MD5: c8e2a27133a32a6f2de7dc1855d79a62
SHA1: 26ebc021152cb5f2a3c5afba4d9ae3841ffc6ec1
SHA256: d6a757b5ca51c5569d7838230332418a654da477ea13ed5cc1f98ebfd3ca513c
SHA512: 8f2322b531852880d43f3cd02eb653f0bfead7deed7b55c9e2d553c97ece2ff3011925e642a5ae6314456884503d4273187582c1ad8c1cc54f72e58dc6bcd09b
Filesize: 89KB
MD5: 8451a2c5daa42b25333b1b2089c5ea39
SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5