Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3839C4E0DC...50.exe

windows7_x64

3839C4E0DC...50.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15/05/2021, 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3839C4E0DC64B64D407F864221198B50.exe

  • Size

    3.6MB

  • MD5

    3839c4e0dc64b64d407f864221198b50

  • SHA1

    4f2417a99b0ef785376d88c3745c88a5a28eb196

  • SHA256

    541ebfa6dd694728edd3cf536a13c739179edadcd880e7c28e074b60da1bcac8

  • SHA512

    536473d9884d6e29e46dff43c89c70afba1d265b7b80076e4a6a1cb2dd0cbc898c6b577cf01130bcf9bc15a494ccfed7199f1e87c24392579d2913347074ae79

Score
10/10
plugxredlinesmokeloadersource1backdoorevasioninfostealerpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

redline

Botnet

source1

C2

199.195.251.96:43073

Extracted

Family

smokeloader

Version

2020

C2

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/
rc4.i32
rc4.i32

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
      PID:1096
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Themes
      1⤵
        PID:1180
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s SENS
        1⤵
          PID:1428
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
          1⤵
            PID:1376
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Schedule
            1⤵
            • Drops file in System32 directory
            PID:68
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1908
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
              1⤵
                PID:340
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                1⤵
                  PID:2576
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                  1⤵
                    PID:2608
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                    1⤵
                      PID:2852
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                      1⤵
                        PID:2836
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Browser
                        1⤵
                          PID:2756
                        • C:\Users\Admin\AppData\Local\Temp\3839C4E0DC64B64D407F864221198B50.exe
                          "C:\Users\Admin\AppData\Local\Temp\3839C4E0DC64B64D407F864221198B50.exe"
                          1⤵
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:3164
                          • C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
                            "C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            PID:3672
                          • C:\Users\Admin\AppData\Local\Temp\Files.exe
                            "C:\Users\Admin\AppData\Local\Temp\Files.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Suspicious use of WriteProcessMemory
                            PID:2804
                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
                              3⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3852
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                4⤵
                                  PID:4624
                            • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                              "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1384
                            • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                              "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
                              2⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious use of WriteProcessMemory
                              PID:4104
                              • C:\Windows\SysWOW64\rUNdlL32.eXe
                                "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                                3⤵
                                • Loads dropped DLL
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4576
                            • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                              "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4160
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c taskkill /f /im chrome.exe
                                3⤵
                                  PID:5220
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im chrome.exe
                                    4⤵
                                    • Kills process with taskkill
                                    PID:5272
                              • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                                "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
                                2⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                PID:4204
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  3⤵
                                  • Executes dropped EXE
                                  PID:5308
                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  3⤵
                                  • Executes dropped EXE
                                  PID:6004
                              • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                                "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
                                2⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                PID:4232
                            • \??\c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k netsvcs -s BITS
                              1⤵
                              • Suspicious use of SetThreadContext
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:380
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                2⤵
                                • Modifies registry class
                                PID:4772
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                              1⤵
                              • Drops file in Windows directory
                              • Modifies Internet Explorer settings
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:4088
                            • C:\Windows\system32\browser_broker.exe
                              C:\Windows\system32\browser_broker.exe -Embedding
                              1⤵
                              • Modifies Internet Explorer settings
                              PID:2548
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              • Suspicious behavior: MapViewOfSection
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:4412
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies Internet Explorer settings
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4492
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              PID:4648
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              PID:5116
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              PID:4292
                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                              1⤵
                              • Modifies registry class
                              PID:4696

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/68-230-0x0000027FAC210000-0x0000027FAC280000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/340-222-0x0000026116740000-0x00000261167B0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/380-195-0x000001CFE9C00000-0x000001CFE9C4B000-memory.dmp

                              Filesize

                              300KB

                              Download

                            • memory/380-196-0x000001CFE9FC0000-0x000001CFEA030000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/1096-228-0x0000029F00770000-0x0000029F007E0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/1180-203-0x0000026034FB0000-0x0000026035020000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/1376-213-0x000002AD6F400000-0x000002AD6F470000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/1384-137-0x00000000000E0000-0x00000000000E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1384-155-0x000000001AD30000-0x000000001AD32000-memory.dmp

                              Filesize

                              8KB

                              Download

                            • memory/1384-142-0x00000000006F0000-0x00000000006F1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1384-153-0x0000000000730000-0x0000000000731000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/1384-151-0x0000000000710000-0x000000000072B000-memory.dmp

                              Filesize

                              108KB

                              Download

                            • memory/1428-232-0x000001F56A200000-0x000001F56A270000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/1908-197-0x000001430C400000-0x000001430C470000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/2568-236-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/2576-226-0x00000154C7CD0000-0x00000154C7D40000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/2608-224-0x000002209B490000-0x000002209B500000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/2756-208-0x0000028AEBFA0000-0x0000028AEC010000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/2836-220-0x000001B333A40000-0x000001B333AB0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/2852-214-0x000001D2CBC70000-0x000001D2CBCE0000-memory.dmp

                              Filesize

                              448KB

                              Download

                            • memory/3672-245-0x0000000003560000-0x0000000003570000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3672-124-0x0000000000400000-0x000000000060A000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/3852-131-0x0000000004F80000-0x0000000004F81000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3852-157-0x0000000006010000-0x0000000006011000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3852-130-0x00000000055E0000-0x00000000055E1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3852-128-0x0000000000640000-0x0000000000641000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3852-147-0x00000000050E0000-0x00000000055DE000-memory.dmp

                              Filesize

                              5.0MB

                              Download

                            • memory/3852-150-0x0000000004F00000-0x0000000004F01000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/3852-154-0x0000000005020000-0x000000000505B000-memory.dmp

                              Filesize

                              236KB

                              Download

                            • memory/3852-156-0x0000000005280000-0x0000000005296000-memory.dmp

                              Filesize

                              88KB

                              Download

                            • memory/4232-170-0x0000000000400000-0x0000000000845000-memory.dmp

                              Filesize

                              4.3MB

                              Download

                            • memory/4232-169-0x0000000000850000-0x00000000008FE000-memory.dmp

                              Filesize

                              696KB

                              Download

                            • memory/4576-167-0x0000000004E88000-0x0000000004F89000-memory.dmp

                              Filesize

                              1.0MB

                              Download

                            • memory/4576-168-0x0000000004DB0000-0x0000000004E0C000-memory.dmp

                              Filesize

                              368KB

                              Download

                            • memory/4624-209-0x0000000005040000-0x0000000005646000-memory.dmp

                              Filesize

                              6.0MB

                              Download

                            • memory/4624-234-0x0000000005360000-0x0000000005361000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4624-166-0x0000000005650000-0x0000000005651000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4624-162-0x0000000000400000-0x000000000041C000-memory.dmp

                              Filesize

                              112KB

                              Download

                            • memory/4624-189-0x00000000050C0000-0x00000000050C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4624-179-0x0000000005060000-0x0000000005061000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4624-216-0x0000000005100000-0x0000000005101000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/4772-221-0x000001D9A60D0000-0x000001D9A6140000-memory.dmp

                              Filesize

                              448KB

                              Download