Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
157s -
max time network
194s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27/08/2021, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
b7e27567f201a840d0f9c12cf0a2d734.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
b7e27567f201a840d0f9c12cf0a2d734.exe
Resource
win10v20210410
General
-
Target
b7e27567f201a840d0f9c12cf0a2d734.exe
-
Size
264KB
-
MD5
b7e27567f201a840d0f9c12cf0a2d734
-
SHA1
1bc2fd9116bffab627b0ea37ff0bb7c49726b9a5
-
SHA256
eedbfa19e0dea5bf1cb8ddd108ecc4ddc8a67481fafa759e588da3125228992e
-
SHA512
30b0f5c7297e83c0ebeef938eea9edc18cc7149d1aef6a1eaa16c83d0f03167bd9fe8bb3a1f21a614af81c589e82a505a3f9d4e98934c7d452bec95eab205aac
Malware Config
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Extracted
raccoon
fe582536ec580228180f270f7cb80a867860e010
-
url4cnc
https://telete.in/xylichanjk
Extracted
redline
pro
95.217.117.91:49317
Extracted
redline
MIX
manazyxsa.xyz:80
Extracted
redline
WORD1
94.26.249.88:1902
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
resource yara_rule behavioral1/memory/1496-114-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/1496-115-0x000000000041C5DE-mapping.dmp family_redline behavioral1/memory/1496-118-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/272-127-0x00000000003E0000-0x0000000000400000-memory.dmp family_redline behavioral1/memory/272-134-0x00000000024F0000-0x000000000250E000-memory.dmp family_redline behavioral1/memory/780-138-0x000000000041C5DE-mapping.dmp family_redline behavioral1/memory/1772-164-0x000000000041C5DE-mapping.dmp family_redline behavioral1/memory/1572-183-0x000000000041C5DE-mapping.dmp family_redline behavioral1/memory/980-198-0x000000000041C5DE-mapping.dmp family_redline behavioral1/memory/864-206-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
pid Process 1524 C12.exe 844 D2B.exe 1528 100A.exe 1116 213A.exe 1900 239B.exe 1708 24B5.exe 848 2ABE.exe -
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
pid Process 1220 Process not Found -
Loads dropped DLL 1 IoCs
pid Process 844 D2B.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 geoiptool.com -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1660 set thread context of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b7e27567f201a840d0f9c12cf0a2d734.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b7e27567f201a840d0f9c12cf0a2d734.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b7e27567f201a840d0f9c12cf0a2d734.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 D2B.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 D2B.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1996 b7e27567f201a840d0f9c12cf0a2d734.exe 1996 b7e27567f201a840d0f9c12cf0a2d734.exe 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1996 b7e27567f201a840d0f9c12cf0a2d734.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1220 Process not Found -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1220 Process not Found 1220 Process not Found 1220 Process not Found 1220 Process not Found -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1524 C12.exe -
Suspicious use of WriteProcessMemory 55 IoCs
description pid Process procid_target PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1660 wrote to memory of 1996 1660 b7e27567f201a840d0f9c12cf0a2d734.exe 26 PID 1220 wrote to memory of 1524 1220 Process not Found 30 PID 1220 wrote to memory of 1524 1220 Process not Found 30 PID 1220 wrote to memory of 1524 1220 Process not Found 30 PID 1220 wrote to memory of 1524 1220 Process not Found 30 PID 1220 wrote to memory of 844 1220 Process not Found 31 PID 1220 wrote to memory of 844 1220 Process not Found 31 PID 1220 wrote to memory of 844 1220 Process not Found 31 PID 1220 wrote to memory of 844 1220 Process not Found 31 PID 1220 wrote to memory of 1528 1220 Process not Found 32 PID 1220 wrote to memory of 1528 1220 Process not Found 32 PID 1220 wrote to memory of 1528 1220 Process not Found 32 PID 1220 wrote to memory of 1528 1220 Process not Found 32 PID 1528 wrote to memory of 272 1528 100A.exe 33 PID 1528 wrote to memory of 272 1528 100A.exe 33 PID 1528 wrote to memory of 272 1528 100A.exe 33 PID 1528 wrote to memory of 272 1528 100A.exe 33 PID 1528 wrote to memory of 1940 1528 100A.exe 35 PID 1528 wrote to memory of 1940 1528 100A.exe 35 PID 1528 wrote to memory of 1940 1528 100A.exe 35 PID 1528 wrote to memory of 1940 1528 100A.exe 35 PID 1220 wrote to memory of 1116 1220 Process not Found 37 PID 1220 wrote to memory of 1116 1220 Process not Found 37 PID 1220 wrote to memory of 1116 1220 Process not Found 37 PID 1220 wrote to memory of 1116 1220 Process not Found 37 PID 1528 wrote to memory of 972 1528 100A.exe 39 PID 1528 wrote to memory of 972 1528 100A.exe 39 PID 1528 wrote to memory of 972 1528 100A.exe 39 PID 1528 wrote to memory of 972 1528 100A.exe 39 PID 1220 wrote to memory of 1900 1220 Process not Found 41 PID 1220 wrote to memory of 1900 1220 Process not Found 41 PID 1220 wrote to memory of 1900 1220 Process not Found 41 PID 1220 wrote to memory of 1900 1220 Process not Found 41 PID 1220 wrote to memory of 1708 1220 Process not Found 44 PID 1220 wrote to memory of 1708 1220 Process not Found 44 PID 1220 wrote to memory of 1708 1220 Process not Found 44 PID 1220 wrote to memory of 1708 1220 Process not Found 44 PID 1528 wrote to memory of 540 1528 100A.exe 43 PID 1528 wrote to memory of 540 1528 100A.exe 43 PID 1528 wrote to memory of 540 1528 100A.exe 43 PID 1528 wrote to memory of 540 1528 100A.exe 43 PID 1528 wrote to memory of 1604 1528 100A.exe 46 PID 1528 wrote to memory of 1604 1528 100A.exe 46 PID 1528 wrote to memory of 1604 1528 100A.exe 46 PID 1528 wrote to memory of 1604 1528 100A.exe 46 PID 1220 wrote to memory of 848 1220 Process not Found 49 PID 1220 wrote to memory of 848 1220 Process not Found 49 PID 1220 wrote to memory of 848 1220 Process not Found 49 PID 1220 wrote to memory of 848 1220 Process not Found 49
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\C12.exeC:\Users\Admin\AppData\Local\Temp\C12.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
-
C:\Users\Admin\AppData\Local\Temp\D2B.exeC:\Users\Admin\AppData\Local\Temp\D2B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:844
-
C:\Users\Admin\AppData\Local\Temp\100A.exeC:\Users\Admin\AppData\Local\Temp\100A.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fvcnyonv\2⤵PID:272
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xvfddtcs.exe" C:\Windows\SysWOW64\fvcnyonv\2⤵PID:1940
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create fvcnyonv binPath= "C:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exe /d\"C:\Users\Admin\AppData\Local\Temp\100A.exe\"" type= own start= auto DisplayName= "wifi support"2⤵PID:972
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description fvcnyonv "wifi internet conection"2⤵PID:540
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start fvcnyonv2⤵PID:1604
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\213A.exeC:\Users\Admin\AppData\Local\Temp\213A.exe1⤵
- Executes dropped EXE
PID:1116
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe1⤵
- Executes dropped EXE
PID:1900 -
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:1496
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:780
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:1772
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:980
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\24B5.exeC:\Users\Admin\AppData\Local\Temp\24B5.exe1⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"2⤵PID:864
-
-
C:\Users\Admin\AppData\Local\Temp\2ABE.exeC:\Users\Admin\AppData\Local\Temp\2ABE.exe1⤵
- Executes dropped EXE
PID:848
-
C:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exeC:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exe /d"C:\Users\Admin\AppData\Local\Temp\100A.exe"1⤵PID:1728
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\35B7.exeC:\Users\Admin\AppData\Local\Temp\35B7.exe1⤵PID:272
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:824
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1384
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1800
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1528
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1688
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:296
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1684
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1992
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1384