Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
07/09/2022, 16:01
General
-
Target
38397d720f9326ebbcabaafec9a4bcb2b4ffc570f0b13c1286d012d782d8ee21.exe
-
Size
125KB
-
MD5
1848fdc87bdca739ad8afd23f24c9722
-
SHA1
b1d0b0fde7ea1dd7a5c802fc08f03f56e898063d
-
SHA256
38397d720f9326ebbcabaafec9a4bcb2b4ffc570f0b13c1286d012d782d8ee21
-
SHA512
de0755785a33fbb1287749defaa6ecf4ffea7d17e11585a2b54e46347fefb2923520fe31ea7e35e1b8f125e2e3e33c356d7c0b1ac22f0a2c222f4bf49af3e6e9
-
SSDEEP
3072:teDUKLopZwbh7nTmHFQBFjXoPkbBNfp7o1/FwiibX9p:tUMm7n5LXeTibtp
Malware Config
Extracted
redline
1337
78.153.144.6:2510
-
auth_value
b0447922bcbc2eda83260a9e7a638f45
Extracted
redline
nam5
103.89.90.61:34589
-
auth_value
f23be8e9063fe5d0c6fc3ee8e7d565bd
Signatures
-
Detects Smokeloader packer 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38397d720f9326ebbcabaafec9a4bcb2b4ffc570f0b13c1286d012d782d8ee21.exe"C:\Users\Admin\AppData\Local\Temp\38397d720f9326ebbcabaafec9a4bcb2b4ffc570f0b13c1286d012d782d8ee21.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\DDF1.exeC:\Users\Admin\AppData\Local\Temp\DDF1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\E2A5.exeC:\Users\Admin\AppData\Local\Temp\E2A5.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\EAE4.exeC:\Users\Admin\AppData\Local\Temp\EAE4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 16723⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\FA94.exeC:\Users\Admin\AppData\Local\Temp\FA94.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56ea463bc7e8dbc49239da4e1eefb7a8f
SHA1e8007042af8b6d6c43555b93d6d2037192428f4f
SHA2560e2afd73b11258cd0d1f5af3a8b1ac4915652528d2982363fc9b43e2990567f5
SHA512d74c97765fc262877829e3fb660530ac13663052c237c6594f58b1c24363226479ca9bee1aab99a8ac820eab8a95be329d343d76086bc7de17051b446307b98a
-
Filesize
233KB
MD5d008800452979918fb85c925c8502bfa
SHA1a8874a21feef6df04cf08db5da218596f37ef3e4
SHA2561fe43cc3fa96347e211cc0200a1e1a6fdb0b047967e37607d1c83e78e6740625
SHA5120db38b9d8764b17e1c413b9170e195e17152e36dcab2022f6a232fdeb39d784d44558c34d588da2417c25cc2752d778462e5e19d270cce1a16cf1898228d652d
-
Filesize
233KB
MD5d008800452979918fb85c925c8502bfa
SHA1a8874a21feef6df04cf08db5da218596f37ef3e4
SHA2561fe43cc3fa96347e211cc0200a1e1a6fdb0b047967e37607d1c83e78e6740625
SHA5120db38b9d8764b17e1c413b9170e195e17152e36dcab2022f6a232fdeb39d784d44558c34d588da2417c25cc2752d778462e5e19d270cce1a16cf1898228d652d
-
Filesize
203KB
MD51314c623545e504d780a1f44dc38e31b
SHA17d325a5a1a8d253cba6e1bdc3c68d0cd89314c4f
SHA256170eae65c4a82f62b0aa21add0155f0453d927c1dd2e9e6a2b6f4437c9dd523a
SHA5129a2ae093039045040b0774c5e41c5e80b8eeabe97faa7048ec48c028b72735bf196d1e75e5d1c36022ada5125048313588d031be70a6d0762ed2c35495eef7d6
-
Filesize
203KB
MD51314c623545e504d780a1f44dc38e31b
SHA17d325a5a1a8d253cba6e1bdc3c68d0cd89314c4f
SHA256170eae65c4a82f62b0aa21add0155f0453d927c1dd2e9e6a2b6f4437c9dd523a
SHA5129a2ae093039045040b0774c5e41c5e80b8eeabe97faa7048ec48c028b72735bf196d1e75e5d1c36022ada5125048313588d031be70a6d0762ed2c35495eef7d6
-
Filesize
382KB
MD5bc22a7070015014b3b0cf4c26e63c715
SHA130876bf1512107777d0d3429ed06c5fc821dcf47
SHA2568f0a66a28b150d0d3900c165fbcafea5f56297ffda036b64a4f57703a36ce64f
SHA512ebfdd2ec6116959d1d7d1d164cf167c535f886b3d07bf906f727c1131a323a5535070a0555763da38ede95fc02ab2e78ec0391a844e5d432e1c6a799a1a793c1
-
Filesize
382KB
MD5bc22a7070015014b3b0cf4c26e63c715
SHA130876bf1512107777d0d3429ed06c5fc821dcf47
SHA2568f0a66a28b150d0d3900c165fbcafea5f56297ffda036b64a4f57703a36ce64f
SHA512ebfdd2ec6116959d1d7d1d164cf167c535f886b3d07bf906f727c1131a323a5535070a0555763da38ede95fc02ab2e78ec0391a844e5d432e1c6a799a1a793c1
-
Filesize
733KB
MD5a27f8572577dd2e696fec9257a5e1023
SHA12940984cc405cabfa27bf750a88a24b266cd27e4
SHA25636f832025edabb9d4a883f3b7f3fb3264c39bb4620a5a9352f17ce1c84f12b39
SHA5125684be7e2a019f98a72f45d487965b822844b52a3e04eb8ed08721d3de5509eefa9b8fdf4bea824c6c3777d019bfbfa2217acde160885e7edc3f87f1a39fabdf
-
Filesize
733KB
MD5a27f8572577dd2e696fec9257a5e1023
SHA12940984cc405cabfa27bf750a88a24b266cd27e4
SHA25636f832025edabb9d4a883f3b7f3fb3264c39bb4620a5a9352f17ce1c84f12b39
SHA5125684be7e2a019f98a72f45d487965b822844b52a3e04eb8ed08721d3de5509eefa9b8fdf4bea824c6c3777d019bfbfa2217acde160885e7edc3f87f1a39fabdf
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
1.0MB
-
Filesize
40.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
128KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
160KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
20KB