Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10/05/2023, 01:12
Static task: static1
Behavioral task: behavioral1
Sample: e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe
Resource: win10-20230220-en
General
Target: e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe
Size: 490KB
MD5: f19db1e1ba7eca01ce0231741775fcf9
SHA1: e81388a99c1b9f733aa92c17e1e76445c298e571
SHA256: e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841
SHA512: bce53b7ea48697ce249d0f5af60683cc1fae2d36100947518963e37c7e4f3f6c141ec2a247b41cc1e09e66255ad68cc617b41828c0f77a8a5d07447a6fc475b9
SSDEEP: 12288:fMriy90ucCr6BVx4Fq4m8PCMOUh4SaT8KO5Iww:JyN6BnT4LLmO5Pw
Malware Config

Extracted
Family: redline
Botnet: lurfa
C2: 217.196.96.102:4132
Attributes:
  auth_value: f6c26c2a5c6c25ae5b2e9abf31f6341d

Extracted
Family: amadey
Version: 3.70
C2: 212.113.119.255/joomla/index.php

Extracted
Family: vidar
Version: 3.8
Botnet: fc67c63025837fde307ba18d95f5f729
C2: https://steamcommunity.com/profiles/76561198272578552
C2: https://t.me/libpcre
Attributes:
  profile_id_v2: fc67c63025837fde307ba18d95f5f729
  user_agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Note on the Vidar entries: the Steam profile and the Telegram channel are dead-drop resolvers, not the C2 itself. The sample reads the real C2 address out of the profile name or channel description at run time, so the operator can rotate it without rebuilding the binary. The profile ID and channel name are the durable indicators; the resolved address is what to block.
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | o1245099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | o1245099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | o1245099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | o1245099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | o1245099.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Downloads MZ/PE file

Executes dropped EXE 8 IoCs
pid | Process
2100 | z4988974.exe
2340 | o1245099.exe
1428 | r6395545.exe
2552 | s8032110.exe
3984 | oneetx.exe
516 | build.exe
5104 | oneetx.exe
4112 | oneetx.exe

Loads dropped DLL 3 IoCs
pid | Process
516 | build.exe
516 | build.exe
4512 | rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | o1245099.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | o1245099.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"" | e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | z4988974.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"" | z4988974.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe
The two wextract_cleanup RunOnce values are the standard clean-up entries written by the IExpress self-extractor that unpacks IXP000.TMP and IXP001.TMP; they delete the temp directory at next logon and are not persistence. The persistence in this run is the scheduled task created by schtasks.exe (see below).
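A detection pass over the registry writes listed in the three signatures above (the Defender Real-Time Protection policy values, the TamperProtection feature flag, and the RunOnce entries), as an added example that is not part of the sandbox output or any vendor's code. The event records are constructed from the IoCs above in a Sysmon Event ID 13 shape, plus one made-up control record (pid 4242, setup.exe); the rule names and severities are this example's own. Two details matter in practice and drive the normalisation step: the sandbox reports NT-native key paths (\REGISTRY\MACHINE\...) while Sysmon reports HKLM\..., and the 32-bit sample's writes to non-shared keys land under WOW6432Node (the Policies key is shared between the 32- and 64-bit views, so the Real-Time Protection values are the ones Defender's 64-bit service actually reads). On builds where Tamper Protection is enabled these values are ignored, so the write attempt, not the resulting setting, is the signal to alert on.

```python
"""Classify registry writes of the kind listed under Signatures in this report.

Added example, not sandbox or vendor code. EVENTS is constructed from the IoCs above
in a Sysmon Event ID 13 (RegistryEvent SetValue) shape, plus one made-up control
record (pid 4242, setup.exe). Rule names and severities are this example's own.
"""
import re

# Constructed events. Target paths are given the way the sandbox reports them
# (NT-native \REGISTRY\MACHINE\...) or the way Sysmon does (HKLM\...); both are handled.
EVENTS = [
    {"pid": 2340, "image": "o1245099.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"pid": 2340, "image": "o1245099.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "details": "DWORD (0x00000001)"},
    {"pid": 2340, "image": "o1245099.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
     "details": "DWORD (0x00000000)"},
    {"pid": 1980, "image": "e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    {"pid": 4242, "image": "setup.exe",  # constructed control case: a plain RunOnce autostart
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\updater",
     "details": r"C:\Users\Admin\AppData\Roaming\updater.exe"},
]


def normalize_key(path: str) -> str:
    r"""Bring NT-native (\REGISTRY\MACHINE\...) and Sysmon (HKLM\...) paths to one form
    and drop the WOW6432Node redirection node, so a 32-bit writer hits the same rule as
    a 64-bit one. The result is lower-cased for matching."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node(?=\\)", "", p, flags=re.I)
    return p.lower()


def details_int(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' detail text into an int; None when not numeric."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


DEFENDER_POLICY = re.compile(
    r"^hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\disable")
TAMPER_PROTECTION = r"hklm\software\microsoft\windows defender\features\tamperprotection"
RUN_KEYS = re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
# IExpress self-extractors (wextract) register advpack.dll,DelNodeRunDLL32 under RunOnce to
# delete their IXPnnn.TMP directory at next logon. That is unpacker clean-up, not persistence,
# so it is reported at low severity rather than as a Run-key autostart.
IEXPRESS_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)


def classify(event):
    """Return (severity, rule) for an event that matches a rule, else None."""
    key = normalize_key(event["target"])
    value = details_int(event["details"])
    if DEFENDER_POLICY.match(key) and value == 1:
        return ("high", "defender_rtp_policy_disable")
    if key == TAMPER_PROTECTION and value == 0:
        return ("high", "defender_tamper_protection_off")
    if RUN_KEYS.match(key):
        if IEXPRESS_CLEANUP.search(event["details"]):
            return ("low", "iexpress_cleanup_runonce")
        return ("medium", "run_key_autostart")
    return None


def scan(events):
    """Run every event through classify() and return the hits in input order."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            severity, rule = verdict
            hits.append({"pid": ev["pid"], "image": ev["image"], "severity": severity,
                         "rule": rule, "key": normalize_key(ev["target"])})
    return hits


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(f'{h["severity"]:6} {h["rule"]:32} pid={h["pid"]} {h["image"]}')
```

The control record shows the point of the IEXPRESS_CLEANUP rule: a RunOnce entry that launches an executable from AppData is worth a medium alert, while the advpack.dll clean-up entries from this run are noise that would otherwise swamp a generic Run-key rule.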
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3696 | schtasks.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
3308 | timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2340 | o1245099.exe
2340 | o1245099.exe
1428 | r6395545.exe
1428 | r6395545.exe
516 | build.exe
516 | build.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2340 | o1245099.exe
Token: SeDebugPrivilege | 1428 | r6395545.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2552 | s8032110.exe

Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target (each row was recorded three times)
PID 1980 wrote to memory of 2100 | 1980 | e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe | 66
PID 2100 wrote to memory of 2340 | 2100 | z4988974.exe | 67
PID 2100 wrote to memory of 1428 | 2100 | z4988974.exe | 68
PID 1980 wrote to memory of 2552 | 1980 | e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe | 70
PID 2552 wrote to memory of 3984 | 2552 | s8032110.exe | 71
PID 3984 wrote to memory of 3696 | 3984 | oneetx.exe | 72
PID 3984 wrote to memory of 516 | 3984 | oneetx.exe | 74
PID 516 wrote to memory of 5028 | 516 | build.exe | 75
PID 5028 wrote to memory of 3308 | 5028 | cmd.exe | 77
PID 3984 wrote to memory of 4512 | 3984 | oneetx.exe | 78
Processes
C:\Users\Admin\AppData\Local\Temp\e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe  PID:1980
  command line: "C:\Users\Admin\AppData\Local\Temp\e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4988974.exe  PID:2100
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4988974.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1245099.exe  PID:2340
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o1245099.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6395545.exe  PID:1428
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6395545.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8032110.exe  PID:2552
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s8032110.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe  PID:3984
      command line: "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe  PID:3696
        command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
        - Creates scheduled task(s)
      C:\Users\Admin\AppData\Local\Temp\1000095001\build.exe  PID:516
        command line: "C:\Users\Admin\AppData\Local\Temp\1000095001\build.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  PID:5028
          command line: "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1000095001\build.exe" & exit
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\timeout.exe  PID:3308
            command line: timeout /t 6
            - Delays execution with timeout.exe
      C:\Windows\SysWOW64\rundll32.exe  PID:4512
        command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        - Loads dropped DLL
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe  PID:5104
  command line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe  PID:4112
  command line: C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
  - Executes dropped EXE

Notes on the tree: the two top-level oneetx.exe instances (PID 5104 and 4112) have no parent in the trace, which is consistent with the scheduled task created by PID 3696 re-launching the file every minute. schtasks.exe, cmd.exe, timeout.exe and rundll32.exe run from SysWOW64 although their command lines name System32: the sample and its droppers are 32-bit, so WoW64 file system redirection applies, and the same redirection is why their registry writes appear under WOW6432Node in the Signatures section. The cmd.exe /c timeout ... & del chain is build.exe deleting itself after a six-second delay, and rundll32.exe loads clip64.dll from AppData\Roaming through its Main export.
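The process tree above rebuilt from constructed records and annotated with the three execution tricks it shows (a scheduled task that re-runs oneetx.exe every minute, cmd.exe waiting on timeout.exe and then deleting its own parent build.exe, and rundll32.exe loading clip64.dll from the user profile), as an added example that is not sandbox output. Parent pids are read off the tree depth in the Processes section; the rule names and the five-minute threshold for a "tight" repeat are this example's choices, not the sandbox's.

```python
"""Rebuild the process tree of this run and flag three tricks it shows: a scheduled task
with a one-minute repeat, a cmd.exe timeout-then-del self-delete of its parent, and
rundll32.exe loading a DLL from the user profile.

Added example, not sandbox output. PROCS is constructed from the Processes section of
the report (parent pids read off the tree depth); rule names and thresholds are this
example's own.
"""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\e296a0f2a5d3da9596971bb3aedbca617498216647a3677ee49a68a09953a841.exe"

# ppid 0 marks a process whose parent is outside the trace: the submitted sample and the
# two later oneetx.exe starts that the report shows at the top level.
PROCS = [
    Proc(1980, 0,    SAMPLE, '"' + SAMPLE + '"'),
    Proc(2100, 1980, TMP + r"\IXP000.TMP\z4988974.exe", TMP + r"\IXP000.TMP\z4988974.exe"),
    Proc(2340, 2100, TMP + r"\IXP001.TMP\o1245099.exe", TMP + r"\IXP001.TMP\o1245099.exe"),
    Proc(1428, 2100, TMP + r"\IXP001.TMP\r6395545.exe", TMP + r"\IXP001.TMP\r6395545.exe"),
    Proc(2552, 1980, TMP + r"\IXP000.TMP\s8032110.exe", TMP + r"\IXP000.TMP\s8032110.exe"),
    Proc(3984, 2552, TMP + r"\5cb6818d6c\oneetx.exe", '"' + TMP + r'\5cb6818d6c\oneetx.exe"'),
    Proc(3696, 3984, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "'
         + TMP + r'\5cb6818d6c\oneetx.exe" /F'),
    Proc(516,  3984, TMP + r"\1000095001\build.exe", '"' + TMP + r'\1000095001\build.exe"'),
    Proc(5028, 516,  r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "'
         + TMP + r'\1000095001\build.exe" & exit'),
    Proc(3308, 5028, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 6"),
    Proc(4512, 3984, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main'),
    Proc(5104, 0,    TMP + r"\5cb6818d6c\oneetx.exe", TMP + r"\5cb6818d6c\oneetx.exe"),
    Proc(4112, 0,    TMP + r"\5cb6818d6c\oneetx.exe", TMP + r"\5cb6818d6c\oneetx.exe"),
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# timeout /t N & del [/switches] "<path>" & ... : captures the deleted path.
SELF_DELETE = re.compile(
    r'timeout\s+/t\s+\d+\s*&\s*del\b(?:\s+/\w+)*\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths together.
    shlex is avoided on purpose: it would eat the backslashes in Windows paths."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check(p, by_pid):
    """Return (rule, detail) when the process matches one of the three patterns, else None."""
    exe = basename(p.image)
    toks = tokens(p.cmdline)
    low = [t.lower() for t in toks]

    def arg(flag):  # value following a /flag, or "" when absent
        i = low.index(flag) + 1 if flag in low else len(toks)
        return toks[i] if i < len(toks) else ""

    if exe == "schtasks.exe" and "/create" in low:
        minutes = int(arg("/mo") or 1)
        if arg("/sc").upper() == "MINUTE" and minutes <= 5:
            return ("scheduled_task_tight_repeat", f"every {minutes} min -> {arg('/tr')}")
    if exe == "cmd.exe":
        m = SELF_DELETE.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and m.group(1).strip().lower() == parent.image.lower():
            return ("self_delete_of_parent", f"deletes parent {parent.pid} {basename(parent.image)}")
    if exe == "rundll32.exe" and len(toks) > 1:
        dll = toks[1].rstrip(",")
        export = toks[2] if len(toks) > 2 else "(none)"
        if dll.lower().startswith("c:\\users\\"):
            return ("rundll32_user_profile_dll", f"{dll} export {export}")
    return None


def analyse(procs):
    """All (pid, rule, detail) hits in input order."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        verdict = check(p, by_pid)
        if verdict:
            hits.append((p.pid, verdict[0], verdict[1]))
    return hits


def roots(procs):
    by_pid = {p.pid: p for p in procs}
    return [p.pid for p in procs if p.ppid not in by_pid]


def render(procs):
    """Indented tree of pid and image name, tagging the lines analyse() flagged."""
    by_pid = {p.pid: p for p in procs}
    kids = defaultdict(list)
    for p in procs:
        kids[p.ppid].append(p.pid)
    flagged = {pid: rule for pid, rule, _ in analyse(procs)}
    lines = []

    def walk(pid, depth):
        tag = f"  <-- {flagged[pid]}" if pid in flagged else ""
        lines.append(f"{'  ' * depth}{pid} {basename(by_pid[pid].image)}{tag}")
        for child in kids[pid]:
            walk(child, depth + 1)

    for pid in roots(procs):
        walk(pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCS))
    for pid, rule, detail in analyse(PROCS):
        print(pid, rule, detail)
```

The self-delete rule deliberately compares the deleted path with the parent's image rather than matching on "del" alone; installers and updaters run timeout-and-del on their own temp files all the time, while a child deleting the binary that spawned it is the pattern this build.exe shows.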
Network
MITRE ATT&CK Enterprise v6
Downloads
Hashes of the files written during the run. Identical entries are collapsed below with the number of times they appeared in the list.

Filesize: 341KB (listed 3 times)
MD5: 6d236e9e66badd330cbf2982fe0bf9fb
SHA1: 2f275a5f83d8807ec0321e1e9b667271db34903f
SHA256: e8324602f5fe73ef4f3d40d6dccea2e532e5f72a65d5dfd6a8916c628dfde5ed
SHA512: 3168daf9754fd614d8c4968bf12d9527050f0bf3aec144b6743193e19d40d023cefad88d1d7d1adebbd2f5002b5a81261189862394ffef84df33571cb0950dd8

Filesize: 232KB (listed 7 times)
MD5: b015811c78991b02ffe8251b04c86d74
SHA1: 65f830cdca51c1e7fa424a175ce7ec3cc6d63140
SHA256: a8e8918e206b8aaecaf70adeca910feb73b627e596e323c718c0ba865bc24856
SHA512: 6e77c2e62cee6dc59e247d51f63cd6db8052202082b309942567bf5c2d679f366f5aca76ec5eaf3d8bcd3401f0e5289279613ffed7a8802b89b33082a3da5817

Filesize: 307KB (listed 2 times)
MD5: a99ce32372935b859d254d78da5f3f0b
SHA1: 5da6c750b49cb15f7df033eed0227ae17450d0aa
SHA256: 6da5f8204420255f83da35008c80bd74085b53ee82da9761c1d04c35ab853d39
SHA512: 41ca473ec26fa4c9f82c62ace0a68fe935f243bddfa0dcc1ed8acceed1c6de02a374779daa7ce81d4524ed6d1d6b2b34c643fd00e18f97ed42f2101453299f66

Filesize: 181KB (listed 2 times)
MD5: b1c270441e1bbf22fe4334f690361eea
SHA1: ce3b5f6b810a4830712b44da87aad58acda6e383
SHA256: 26bab96c5e7483ff8f7214dacbcaee52e9a9a6ccf5695ce3e26ce38a564193fd
SHA512: fb850a88172322af43a87f4ac786186af37d4cf6e93b24a4a04733f53ee92425518fb531f6d857dffeed7183d683d01034d8bdf33eccdfb6bc67e778f8045af2

Filesize: 168KB (listed 2 times)
MD5: ad52b9f8e7df74b3a7206edbbb25b75e
SHA1: ecd79fce7c281ecd12d58b18aec7624dccbcd575
SHA256: 96b116788e0fa862709e416779fd63483349c0f621b08140a89ca3535c7ff3d4
SHA512: 58f9e6239866e9446a9e2fd11e98673451f39c570046402ebce67dd186aab41af9a99d6eca0057910de4422575b5d6f6e7e6ffdb331ec0dd3b09020cda1ef9f3

Filesize: 89KB (listed 3 times)
MD5: 73df88d68a4f5e066784d462788cf695
SHA1: e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256: f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA512: 64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571