Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2022, 11:39
Static task
static1
Behavioral task
behavioral1
Sample
d8ca08b15c1a43f966db8f84bae5e678.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d8ca08b15c1a43f966db8f84bae5e678.exe
Resource
win10v2004-20220812-en
General
-
Target
d8ca08b15c1a43f966db8f84bae5e678.exe
-
Size
317KB
-
MD5
d8ca08b15c1a43f966db8f84bae5e678
-
SHA1
2402d7403a9af170d7e6296268f24dcfc5c0f277
-
SHA256
beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
-
SHA512
5927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d
-
SSDEEP
3072:OaXPELJFcIttkaeB251cVM5ZlPrZJaaAKV0KwSxceEwM/h3BsxkgaBChU/pZa9uF:O62+HrV2Z4afV00ZnigabwVf
Malware Config
Extracted
redline
11
77.73.134.27:7161
-
auth_value
e6aadafed1fda7723d7655a5894828d2
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/3424-133-0x0000000000460000-0x0000000000469000-memory.dmp family_smokeloader -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/102816-140-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
pid Process 4840 EBBC.exe 102876 F860.exe 102980 2E0.exe 103124 1223.exe 4348 bsfafjt -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4840 set thread context of 102816 4840 EBBC.exe 88 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d8ca08b15c1a43f966db8f84bae5e678.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d8ca08b15c1a43f966db8f84bae5e678.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bsfafjt Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bsfafjt Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI bsfafjt Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI d8ca08b15c1a43f966db8f84bae5e678.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3424 d8ca08b15c1a43f966db8f84bae5e678.exe 3424 d8ca08b15c1a43f966db8f84bae5e678.exe 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2824 Process not Found -
Suspicious behavior: MapViewOfSection 20 IoCs
pid Process 3424 d8ca08b15c1a43f966db8f84bae5e678.exe 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 2824 Process not Found 4348 bsfafjt -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeDebugPrivilege 102876 F860.exe Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found Token: SeDebugPrivilege 102816 AppLaunch.exe Token: SeShutdownPrivilege 2824 Process not Found Token: SeCreatePagefilePrivilege 2824 Process not Found -
Suspicious use of WriteProcessMemory 50 IoCs
description pid Process procid_target PID 2824 wrote to memory of 4840 2824 Process not Found 86 PID 2824 wrote to memory of 4840 2824 Process not Found 86 PID 2824 wrote to memory of 4840 2824 Process not Found 86 PID 4840 wrote to memory of 102816 4840 EBBC.exe 88 PID 4840 wrote to memory of 102816 4840 EBBC.exe 88 PID 4840 wrote to memory of 102816 4840 EBBC.exe 88 PID 4840 wrote to memory of 102816 4840 EBBC.exe 88 PID 4840 wrote to memory of 102816 4840 EBBC.exe 88 PID 2824 wrote to memory of 102876 2824 Process not Found 89 PID 2824 wrote to memory of 102876 2824 Process not Found 89 PID 2824 wrote to memory of 102876 2824 Process not Found 89 PID 2824 wrote to memory of 102980 2824 Process not Found 90 PID 2824 wrote to memory of 102980 2824 Process not Found 90 PID 2824 wrote to memory of 102980 2824 Process not Found 90 PID 2824 wrote to memory of 103124 2824 Process not Found 92 PID 2824 wrote to memory of 103124 2824 Process not Found 92 PID 2824 wrote to memory of 103124 2824 Process not Found 92 PID 2824 wrote to memory of 103180 2824 Process not Found 94 PID 2824 wrote to memory of 103180 2824 Process not Found 94 PID 2824 wrote to memory of 103180 2824 Process not Found 94 PID 2824 wrote to memory of 103180 2824 Process not Found 94 PID 2824 wrote to memory of 103228 2824 Process not Found 95 PID 2824 wrote to memory of 103228 2824 Process not Found 95 PID 2824 wrote to memory of 103228 2824 Process not Found 95 PID 2824 wrote to memory of 103276 2824 Process not Found 96 PID 2824 wrote to memory of 103276 2824 Process not Found 96 PID 2824 wrote to memory of 103276 2824 Process not Found 96 PID 2824 wrote to memory of 103276 2824 Process not Found 96 PID 2824 wrote to memory of 103300 2824 Process not Found 97 PID 2824 wrote to memory of 103300 2824 Process not Found 97 PID 2824 wrote to memory of 103300 2824 Process not Found 97 PID 2824 wrote to memory of 103336 2824 Process not Found 98 PID 2824 wrote to memory of 103336 2824 Process not Found 98 PID 2824 wrote to memory of 103336 2824 Process not Found 98 PID 2824 wrote to memory of 103336 2824 Process not Found 98 PID 2824 wrote to memory of 103368 2824 Process not Found 99 PID 2824 wrote to memory of 103368 2824 Process not Found 99 PID 2824 wrote to memory of 103368 2824 Process not Found 99 PID 2824 wrote to memory of 103368 2824 Process not Found 99 PID 2824 wrote to memory of 103400 2824 Process not Found 100 PID 2824 wrote to memory of 103400 2824 Process not Found 100 PID 2824 wrote to memory of 103400 2824 Process not Found 100 PID 2824 wrote to memory of 103400 2824 Process not Found 100 PID 2824 wrote to memory of 102836 2824 Process not Found 101 PID 2824 wrote to memory of 102836 2824 Process not Found 101 PID 2824 wrote to memory of 102836 2824 Process not Found 101 PID 2824 wrote to memory of 2716 2824 Process not Found 102 PID 2824 wrote to memory of 2716 2824 Process not Found 102 PID 2824 wrote to memory of 2716 2824 Process not Found 102 PID 2824 wrote to memory of 2716 2824 Process not Found 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ca08b15c1a43f966db8f84bae5e678.exe"C:\Users\Admin\AppData\Local\Temp\d8ca08b15c1a43f966db8f84bae5e678.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3424
-
C:\Users\Admin\AppData\Local\Temp\EBBC.exeC:\Users\Admin\AppData\Local\Temp\EBBC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:102816
-
-
C:\Users\Admin\AppData\Local\Temp\F860.exeC:\Users\Admin\AppData\Local\Temp\F860.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:102876
-
C:\Users\Admin\AppData\Local\Temp\2E0.exeC:\Users\Admin\AppData\Local\Temp\2E0.exe1⤵
- Executes dropped EXE
PID:102980
-
C:\Users\Admin\AppData\Local\Temp\1223.exeC:\Users\Admin\AppData\Local\Temp\1223.exe1⤵
- Executes dropped EXE
PID:103124
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:103180
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:103228
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:103276
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:103300
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:103336
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:103368
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:103400
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:102836
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2716
-
C:\Users\Admin\AppData\Roaming\bsfafjtC:\Users\Admin\AppData\Roaming\bsfafjt1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4348
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306KB
MD58f08e6baa2f0c507e4e961769f5c1261
SHA1d3f04db2aa4f31613fde0b8cafaa339ff704141b
SHA256f87ba1386548acfb9894c511e07aca4a4d41ec2f3eeccae2dc5ec18b5bbcc510
SHA51285dd017d496cb4a0944b944c5257e3ca2a2b966fdda314920b045fd419c13b717fc796e6db80173054cac7f2088e33166b3c63aeb1dd35c880a802be85ef8ac2
-
Filesize
306KB
MD58f08e6baa2f0c507e4e961769f5c1261
SHA1d3f04db2aa4f31613fde0b8cafaa339ff704141b
SHA256f87ba1386548acfb9894c511e07aca4a4d41ec2f3eeccae2dc5ec18b5bbcc510
SHA51285dd017d496cb4a0944b944c5257e3ca2a2b966fdda314920b045fd419c13b717fc796e6db80173054cac7f2088e33166b3c63aeb1dd35c880a802be85ef8ac2
-
Filesize
346KB
MD538449a426d17b1a3571eb00afb8af3bc
SHA12a1000c521911cf9696a1b4e5d80fcb17b7823b1
SHA256ae4dbb3b0f3864772c74bca8681e5ed01131fcc8897ced067d1d55825afec5cf
SHA5129786ab5399884512e8be1abf8efb8d69240a5fdfcd4f3d187ac8063cdc8cfa30baab4fd1c4783ee58315ece4f48fb655381c1732a06d28de82f2c206cdea63d0
-
Filesize
346KB
MD538449a426d17b1a3571eb00afb8af3bc
SHA12a1000c521911cf9696a1b4e5d80fcb17b7823b1
SHA256ae4dbb3b0f3864772c74bca8681e5ed01131fcc8897ced067d1d55825afec5cf
SHA5129786ab5399884512e8be1abf8efb8d69240a5fdfcd4f3d187ac8063cdc8cfa30baab4fd1c4783ee58315ece4f48fb655381c1732a06d28de82f2c206cdea63d0
-
Filesize
2.6MB
MD568d0826f868433f44dd9aaf631f7d616
SHA13ba777f68d4e4051317b0676c0eea794f3515dfa
SHA256e51fb04aabdb1102bf3ee0a0dd8d4d19e43b3f7735d5839391af244660152e55
SHA512e00313c5c637f3db1a612c38c4a67bab0b5b5a7443264bb63f8c266e2d5f70d58688c776f301753049ca8f8672b921162fffc8cf563eccf9462fda89f6aaccc2
-
Filesize
2.6MB
MD568d0826f868433f44dd9aaf631f7d616
SHA13ba777f68d4e4051317b0676c0eea794f3515dfa
SHA256e51fb04aabdb1102bf3ee0a0dd8d4d19e43b3f7735d5839391af244660152e55
SHA512e00313c5c637f3db1a612c38c4a67bab0b5b5a7443264bb63f8c266e2d5f70d58688c776f301753049ca8f8672b921162fffc8cf563eccf9462fda89f6aaccc2
-
Filesize
255KB
MD507ea3bc2b9eaacd002de4f59803ef234
SHA18a796069e5eac844f40b4487c80ed1c93316a331
SHA2562302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1
SHA512d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092
-
Filesize
255KB
MD507ea3bc2b9eaacd002de4f59803ef234
SHA18a796069e5eac844f40b4487c80ed1c93316a331
SHA2562302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1
SHA512d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092
-
Filesize
317KB
MD5d8ca08b15c1a43f966db8f84bae5e678
SHA12402d7403a9af170d7e6296268f24dcfc5c0f277
SHA256beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
SHA5125927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d
-
Filesize
317KB
MD5d8ca08b15c1a43f966db8f84bae5e678
SHA12402d7403a9af170d7e6296268f24dcfc5c0f277
SHA256beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
SHA5125927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d