Analysis
max time kernel: 109s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09/05/2023, 06:40
Static task: static1
Behavioral task: behavioral1
Sample: efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe
Resource: win10-20230220-en
General
Target: efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe
Size: 479KB
MD5: 7fd3c6498cbbca7947903742aec028e8
SHA1: f75ab14996f856742308aab964881602bdf520ba
SHA256: efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff
SHA512: b633e110ee59202147e56fcaad1d3c6932fc474b2326c945c315ed39e0ecab75a8f503e73196165cacd2fcd021c06357101df29e5b86d88727f915f9159937dd
SSDEEP: 12288:BMrhy90VKWgr4xeDrRlZO1OKABL9GmNrfLijC:QyEL45lgpABL9PNrfLUC
Malware Config
Extracted
Family: redline
Botnet: dumud
C2: 217.196.96.101:4132
auth_value: 3e18d4b90418aa3e78d8822e87c62f5c
Signatures

Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | k9638284.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | k9638284.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | k9638284.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | k9638284.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | k9638284.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (7 IoCs)
  pid | Process
  2432 | y9706213.exe
  2588 | k9638284.exe
  2308 | l3965015.exe
  3944 | m8289700.exe
  3708 | oneetx.exe
  4856 | oneetx.exe
  4760 | oneetx.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  3224 | rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | k9638284.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | k9638284.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | y9706213.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y9706213.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4616 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2588 | k9638284.exe
  2588 | k9638284.exe
  2308 | l3965015.exe
  2308 | l3965015.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2588 | k9638284.exe
  Token: SeDebugPrivilege | 2308 | l3965015.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  3944 | m8289700.exe

Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target
  PID 1652 wrote to memory of 2432 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 66
  PID 1652 wrote to memory of 2432 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 66
  PID 1652 wrote to memory of 2432 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 66
  PID 2432 wrote to memory of 2588 | 2432 | y9706213.exe | 67
  PID 2432 wrote to memory of 2588 | 2432 | y9706213.exe | 67
  PID 2432 wrote to memory of 2588 | 2432 | y9706213.exe | 67
  PID 2432 wrote to memory of 2308 | 2432 | y9706213.exe | 68
  PID 2432 wrote to memory of 2308 | 2432 | y9706213.exe | 68
  PID 2432 wrote to memory of 2308 | 2432 | y9706213.exe | 68
  PID 1652 wrote to memory of 3944 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 70
  PID 1652 wrote to memory of 3944 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 70
  PID 1652 wrote to memory of 3944 | 1652 | efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe | 70
  PID 3944 wrote to memory of 3708 | 3944 | m8289700.exe | 71
  PID 3944 wrote to memory of 3708 | 3944 | m8289700.exe | 71
  PID 3944 wrote to memory of 3708 | 3944 | m8289700.exe | 71
  PID 3708 wrote to memory of 4616 | 3708 | oneetx.exe | 72
  PID 3708 wrote to memory of 4616 | 3708 | oneetx.exe | 72
  PID 3708 wrote to memory of 4616 | 3708 | oneetx.exe | 72
  PID 3708 wrote to memory of 3756 | 3708 | oneetx.exe | 74
  PID 3708 wrote to memory of 3756 | 3708 | oneetx.exe | 74
  PID 3708 wrote to memory of 3756 | 3708 | oneetx.exe | 74
  PID 3756 wrote to memory of 4100 | 3756 | cmd.exe | 76
  PID 3756 wrote to memory of 4100 | 3756 | cmd.exe | 76
  PID 3756 wrote to memory of 4100 | 3756 | cmd.exe | 76
  PID 3756 wrote to memory of 3104 | 3756 | cmd.exe | 77
  PID 3756 wrote to memory of 3104 | 3756 | cmd.exe | 77
  PID 3756 wrote to memory of 3104 | 3756 | cmd.exe | 77
  PID 3756 wrote to memory of 2840 | 3756 | cmd.exe | 78
  PID 3756 wrote to memory of 2840 | 3756 | cmd.exe | 78
  PID 3756 wrote to memory of 2840 | 3756 | cmd.exe | 78
  PID 3756 wrote to memory of 4824 | 3756 | cmd.exe | 79
  PID 3756 wrote to memory of 4824 | 3756 | cmd.exe | 79
  PID 3756 wrote to memory of 4824 | 3756 | cmd.exe | 79
  PID 3756 wrote to memory of 4832 | 3756 | cmd.exe | 80
  PID 3756 wrote to memory of 4832 | 3756 | cmd.exe | 80
  PID 3756 wrote to memory of 4832 | 3756 | cmd.exe | 80
  PID 3756 wrote to memory of 1796 | 3756 | cmd.exe | 81
  PID 3756 wrote to memory of 1796 | 3756 | cmd.exe | 81
  PID 3756 wrote to memory of 1796 | 3756 | cmd.exe | 81
  PID 3708 wrote to memory of 3224 | 3708 | oneetx.exe | 83
  PID 3708 wrote to memory of 3224 | 3708 | oneetx.exe | 83
  PID 3708 wrote to memory of 3224 | 3708 | oneetx.exe | 83
Processes

C:\Users\Admin\AppData\Local\Temp\efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\efeafb0fdff90ab9e196e58d984ebced44d0f1df51cedebb365ef1767657f6ff.exe"
  PID: 1652
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9706213.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9706213.exe
      PID: 2432
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9638284.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k9638284.exe
          PID: 2588
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3965015.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3965015.exe
          PID: 2308
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8289700.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8289700.exe
      PID: 3944
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
          PID: 3708
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
              PID: 4616
              - Creates scheduled task(s)

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
              PID: 3756
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 4100

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "oneetx.exe" /P "Admin:N"
                  PID: 3104

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "oneetx.exe" /P "Admin:R" /E
                  PID: 2840

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 4824

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\c3912af058" /P "Admin:N"
                  PID: 4832

                C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\c3912af058" /P "Admin:R" /E
                  PID: 1796

            C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID: 3224
              - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 4856
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 4760
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 211KB
MD5: 872d03394e38258a14e9a0b4bf9edf2a
SHA1: 7a6e51e69f28d49650485ab568c024a91d32463b
SHA256: 7946faa35ad811f4dc86c8a9b5fef2276b3e15606895fa73728eb2de4c32fb92
SHA512: 2dde0656e0e349efef5dff7e26618597931f2b8b8811d7d6c59f5e9f0335c8ffb861f1a0d63a17f186c2af730fb906794484ef803eec8a1db551ab92bb532609
-
Filesize: 307KB
MD5: e2fbd19febe37d5088b8286d5157a385
SHA1: 0b06e60aa3680cbf6aec4e28a7e65e1bc8d8f379
SHA256: 6fea38b60b893b108b1c3023c3910f5a87a632f9426c6780eecec4566727175b
SHA512: 63fa893b1d9fdcef3151aef5bb80cd4d4ac4263cd46ef0c92162b90209a61a44171a56ca0ae376ae3e26b2e32232dcd7f1bb3cb5e31a7db00ab966ed6a498c1c
-
Filesize: 180KB
MD5: 70a61bda13effee3ffc1427cc97b4075
SHA1: 2d3de49bedbfd0f39ce3cd9c687ca741dcc25ce6
SHA256: 651118a62672e53006dcc170b7dd1e5768b7d585a92739fabb0978a66430e76b
SHA512: 133ceb36c8ba5a722a82c0789cb748b56e26c2e2cf49cbb99b87a3eb8e53165775fa046a4acc17036a07ccec730a7866d77b1b8ccf7d63f151b098330bc5cca6
-
Filesize: 168KB
MD5: eba3a5fc5beeaa68d74fa2f2cfa0d76a
SHA1: feed289727e825cc4386e001a5900d1bae75d03e
SHA256: 3600aa4cc6066ce5dd4825dd1577f2575d9f1fe0947c722f595be47a986a8d94
SHA512: 6a1de76d7ec9d0968e313dc6c2e0a5acf04c9ec98a589393b286acb40b33764d17248762f7b82b78cc8bc872071ad420687bcd87eb1d2c9caef819788e4ca5ec
-
Filesize: 89KB
MD5: 8451a2c5daa42b25333b1b2089c5ea39
SHA1: 700cc99ec8d3113435e657070d2d6bde0a833adc
SHA256: b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0
SHA512: 6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53
-
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5