Analysis
max time kernel: 135s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2023, 06:22
Static task: static1
Behavioral task: behavioral1
Sample: 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe
Resource: win10v2004-20230220-en
General
Target: 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe
Size: 479KB
MD5: cb1fa067e5fa4d2a2ec567c8cb9dee39
SHA1: bafc0b73f7bd4216859f9c0db843fb2cd6dd2e9c
SHA256: 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4
SHA512: 2d09f22e8c4df72a947f42929dc39a5422e57b8157d6fcada282dafd17bab3e0c2014e0fbfe9e9915e73d5939267f2212a5964652685be39ff8018b3e07aa9a5
SSDEEP: 12288:lMrxy90NPCqEzpv7mkyiDRFs1QzAuDfL1TsVbNO:8ywCzV9BNFs1QsgL1axO
Malware Config
Extracted
Family: redline
Botnet: mufos
C2: 217.196.96.102:4132
Attributes
auth_value: 136f202e6569ad5815c34377858a255c
Signatures

Modifies Windows Defender Real-time Protection settings 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a2878719.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | d8817933.exe
Executes dropped EXE 7 IoCs
pid | Process
2752 | v4136194.exe
4376 | a2878719.exe
1948 | b6214832.exe
1140 | d8817933.exe
1460 | oneetx.exe
1764 | oneetx.exe
3896 | oneetx.exe

Loads dropped DLL 1 IoCs
pid | Process
2204 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | a2878719.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | a2878719.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4136194.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | v4136194.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
752 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4376 | a2878719.exe
4376 | a2878719.exe
1948 | b6214832.exe
1948 | b6214832.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4376 | a2878719.exe
Token: SeDebugPrivilege | 1948 | b6214832.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1140 | d8817933.exe
Suspicious use of WriteProcessMemory 42 IoCs
(Each of the 14 entries below is listed three times in the original report, giving 42 IoCs.)
description | pid | Process | procid_target
PID 4168 wrote to memory of 2752 | 4168 | 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe | 85
PID 2752 wrote to memory of 4376 | 2752 | v4136194.exe | 86
PID 2752 wrote to memory of 1948 | 2752 | v4136194.exe | 93
PID 4168 wrote to memory of 1140 | 4168 | 56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe | 95
PID 1140 wrote to memory of 1460 | 1140 | d8817933.exe | 96
PID 1460 wrote to memory of 752 | 1460 | oneetx.exe | 97
PID 1460 wrote to memory of 4848 | 1460 | oneetx.exe | 99
PID 4848 wrote to memory of 4836 | 4848 | cmd.exe | 101
PID 4848 wrote to memory of 4688 | 4848 | cmd.exe | 102
PID 4848 wrote to memory of 3056 | 4848 | cmd.exe | 103
PID 4848 wrote to memory of 2652 | 4848 | cmd.exe | 104
PID 4848 wrote to memory of 4608 | 4848 | cmd.exe | 105
PID 4848 wrote to memory of 4004 | 4848 | cmd.exe | 106
PID 1460 wrote to memory of 2204 | 1460 | oneetx.exe | 109
Processes
(Indentation shows the parent/child relationship; each entry gives the image path, the command line, the PID and the signatures that fired for that process.)

C:\Users\Admin\AppData\Local\Temp\56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\56a3e489fd3419b9eaef27e60f7148a099bdc519611ab2382d7407f32e6963d4.exe"
  PID: 4168
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4136194.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4136194.exe
      PID: 2752
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2878719.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2878719.exe
          PID: 4376
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6214832.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6214832.exe
          PID: 1948
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8817933.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8817933.exe
      PID: 1140
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
          PID: 1460
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
              PID: 752
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
              PID: 4848
              - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 4836
                C:\Windows\SysWOW64\cacls.exe
                  cmdline: CACLS "oneetx.exe" /P "Admin:N"
                  PID: 4688
                C:\Windows\SysWOW64\cacls.exe
                  cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
                  PID: 3056
                C:\Windows\SysWOW64\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 2652
                C:\Windows\SysWOW64\cacls.exe
                  cmdline: CACLS "..\c3912af058" /P "Admin:N"
                  PID: 4608
                C:\Windows\SysWOW64\cacls.exe
                  cmdline: CACLS "..\c3912af058" /P "Admin:R" /E
                  PID: 4004
            C:\Windows\SysWOW64\rundll32.exe
              cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID: 2204
              - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 1764
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  PID: 3896
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads