Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
27/09/2022, 11:39
General
-
Target
d8ca08b15c1a43f966db8f84bae5e678.exe
-
Size
317KB
-
MD5
d8ca08b15c1a43f966db8f84bae5e678
-
SHA1
2402d7403a9af170d7e6296268f24dcfc5c0f277
-
SHA256
beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
-
SHA512
5927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d
-
SSDEEP
3072:OaXPELJFcIttkaeB251cVM5ZlPrZJaaAKV0KwSxceEwM/h3BsxkgaBChU/pZa9uF:O62+HrV2Z4afV00ZnigabwVf
Malware Config
Extracted
redline
11
77.73.134.27:7161
-
auth_value
e6aadafed1fda7723d7655a5894828d2
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ca08b15c1a43f966db8f84bae5e678.exe"C:\Users\Admin\AppData\Local\Temp\d8ca08b15c1a43f966db8f84bae5e678.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EBBC.exeC:\Users\Admin\AppData\Local\Temp\EBBC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\F860.exeC:\Users\Admin\AppData\Local\Temp\F860.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2E0.exeC:\Users\Admin\AppData\Local\Temp\2E0.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1223.exeC:\Users\Admin\AppData\Local\Temp\1223.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\bsfafjtC:\Users\Admin\AppData\Roaming\bsfafjt1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
306KB
MD58f08e6baa2f0c507e4e961769f5c1261
SHA1d3f04db2aa4f31613fde0b8cafaa339ff704141b
SHA256f87ba1386548acfb9894c511e07aca4a4d41ec2f3eeccae2dc5ec18b5bbcc510
SHA51285dd017d496cb4a0944b944c5257e3ca2a2b966fdda314920b045fd419c13b717fc796e6db80173054cac7f2088e33166b3c63aeb1dd35c880a802be85ef8ac2
-
Filesize
306KB
MD58f08e6baa2f0c507e4e961769f5c1261
SHA1d3f04db2aa4f31613fde0b8cafaa339ff704141b
SHA256f87ba1386548acfb9894c511e07aca4a4d41ec2f3eeccae2dc5ec18b5bbcc510
SHA51285dd017d496cb4a0944b944c5257e3ca2a2b966fdda314920b045fd419c13b717fc796e6db80173054cac7f2088e33166b3c63aeb1dd35c880a802be85ef8ac2
-
Filesize
346KB
MD538449a426d17b1a3571eb00afb8af3bc
SHA12a1000c521911cf9696a1b4e5d80fcb17b7823b1
SHA256ae4dbb3b0f3864772c74bca8681e5ed01131fcc8897ced067d1d55825afec5cf
SHA5129786ab5399884512e8be1abf8efb8d69240a5fdfcd4f3d187ac8063cdc8cfa30baab4fd1c4783ee58315ece4f48fb655381c1732a06d28de82f2c206cdea63d0
-
Filesize
346KB
MD538449a426d17b1a3571eb00afb8af3bc
SHA12a1000c521911cf9696a1b4e5d80fcb17b7823b1
SHA256ae4dbb3b0f3864772c74bca8681e5ed01131fcc8897ced067d1d55825afec5cf
SHA5129786ab5399884512e8be1abf8efb8d69240a5fdfcd4f3d187ac8063cdc8cfa30baab4fd1c4783ee58315ece4f48fb655381c1732a06d28de82f2c206cdea63d0
-
Filesize
2.6MB
MD568d0826f868433f44dd9aaf631f7d616
SHA13ba777f68d4e4051317b0676c0eea794f3515dfa
SHA256e51fb04aabdb1102bf3ee0a0dd8d4d19e43b3f7735d5839391af244660152e55
SHA512e00313c5c637f3db1a612c38c4a67bab0b5b5a7443264bb63f8c266e2d5f70d58688c776f301753049ca8f8672b921162fffc8cf563eccf9462fda89f6aaccc2
-
Filesize
2.6MB
MD568d0826f868433f44dd9aaf631f7d616
SHA13ba777f68d4e4051317b0676c0eea794f3515dfa
SHA256e51fb04aabdb1102bf3ee0a0dd8d4d19e43b3f7735d5839391af244660152e55
SHA512e00313c5c637f3db1a612c38c4a67bab0b5b5a7443264bb63f8c266e2d5f70d58688c776f301753049ca8f8672b921162fffc8cf563eccf9462fda89f6aaccc2
-
Filesize
255KB
MD507ea3bc2b9eaacd002de4f59803ef234
SHA18a796069e5eac844f40b4487c80ed1c93316a331
SHA2562302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1
SHA512d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092
-
Filesize
255KB
MD507ea3bc2b9eaacd002de4f59803ef234
SHA18a796069e5eac844f40b4487c80ed1c93316a331
SHA2562302396062d7523a230f0a81ada322bb8907e11d006c0ec29a37821dd084bfe1
SHA512d89e46145536d9b5fc310b72b24a4b1790100bbfd18b39a48dd10938255233132f0d87190c4c84c2b78076d9b0a39c4c9f6f27ece40a9b3f93b3e65aaca2c092
-
Filesize
317KB
MD5d8ca08b15c1a43f966db8f84bae5e678
SHA12402d7403a9af170d7e6296268f24dcfc5c0f277
SHA256beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
SHA5125927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d
-
Filesize
317KB
MD5d8ca08b15c1a43f966db8f84bae5e678
SHA12402d7403a9af170d7e6296268f24dcfc5c0f277
SHA256beca004dfd77f218a00baeb20a2e0d26ffcb0e8c88abc1fcdec9b8b78e289255
SHA5125927c31941690f796d90861147857fd47daa8f9844fe07b5fc4a5c1b638fe7dde2710174209111ff1ace7b7d900fdb0031e8ff79259dfeea40351f22f3aa377d
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
336KB
-
Filesize
64KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
240KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
168KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
168KB
-
Filesize
224KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB