Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
21/10/2022, 14:49
221021-r7edyaffe2 1019/10/2022, 14:15
221019-rknzvsbggq 1019/10/2022, 09:36
221019-lkxn4sfgcq 10Analysis
-
max time kernel
84s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
21/10/2022, 14:49
Static task
static1
Behavioral task
behavioral1
Sample
20540f8cbd1837c3d99da3b542a7155d.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
20540f8cbd1837c3d99da3b542a7155d.exe
Resource
win10v2004-20220901-en
General
-
Target
20540f8cbd1837c3d99da3b542a7155d.exe
-
Size
687KB
-
MD5
20540f8cbd1837c3d99da3b542a7155d
-
SHA1
1b33b15b168d69b6d594ea049f8d92812f25b9a6
-
SHA256
a0bf7c1184092027ccea8b4381e7f359662bcc317ac4c7a2e02459d1b66d9da6
-
SHA512
2ab4669b9429aab13e43993e6dd7cdbcfdaa0c8942364081bc8ace85997c6b641769615f54f41ba1e7751fbd83639644f533294392617c201e6951c9188e2de0
-
SSDEEP
3072:9ahKyd2n31s5nFiizBaaAjLtdyuIIkIA4QWMHb030FhCt64yo:9ahOABdGLnyuIIkIxV0FB
Malware Config
Extracted
redline
Testing
46.3.199.124:27968
-
auth_value
2e03f2e71c0fde73929d6d088968e2de
Signatures
-
Detects Smokeloader packer 3 IoCs
resource yara_rule behavioral2/memory/2032-175-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral2/memory/2032-177-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral2/memory/2032-178-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/324-156-0x0000000000400000-0x0000000000428000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 6 IoCs
pid Process 2620 CARNAT~2.EXE 4252 Gvnufnpwhsacqcarnature_s.exe 4388 CARNAT~2.EXE 1324 CARNAT~2.EXE 1484 CARNAT~2.EXE 324 CARNAT~2.EXE -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation CARNAT~2.EXE Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Gvnufnpwhsacqcarnature_s.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 20540f8cbd1837c3d99da3b542a7155d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 20540f8cbd1837c3d99da3b542a7155d.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2620 set thread context of 324 2620 CARNAT~2.EXE 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 5036 powershell.exe 5036 powershell.exe 2620 CARNAT~2.EXE 2620 CARNAT~2.EXE 2620 CARNAT~2.EXE 2620 CARNAT~2.EXE 2620 CARNAT~2.EXE 2620 CARNAT~2.EXE 3064 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2620 CARNAT~2.EXE Token: SeDebugPrivilege 5036 powershell.exe Token: SeDebugPrivilege 4252 Gvnufnpwhsacqcarnature_s.exe Token: SeDebugPrivilege 3064 powershell.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1128 wrote to memory of 2620 1128 20540f8cbd1837c3d99da3b542a7155d.exe 83 PID 1128 wrote to memory of 2620 1128 20540f8cbd1837c3d99da3b542a7155d.exe 83 PID 1128 wrote to memory of 2620 1128 20540f8cbd1837c3d99da3b542a7155d.exe 83 PID 2620 wrote to memory of 5036 2620 CARNAT~2.EXE 89 PID 2620 wrote to memory of 5036 2620 CARNAT~2.EXE 89 PID 2620 wrote to memory of 5036 2620 CARNAT~2.EXE 89 PID 2620 wrote to memory of 4252 2620 CARNAT~2.EXE 93 PID 2620 wrote to memory of 4252 2620 CARNAT~2.EXE 93 PID 2620 wrote to memory of 4252 2620 CARNAT~2.EXE 93 PID 2620 wrote to memory of 4388 2620 CARNAT~2.EXE 94 PID 2620 wrote to memory of 4388 2620 CARNAT~2.EXE 94 PID 2620 wrote to memory of 4388 2620 CARNAT~2.EXE 94 PID 2620 wrote to memory of 1324 2620 CARNAT~2.EXE 95 PID 2620 wrote to memory of 1324 2620 CARNAT~2.EXE 95 PID 2620 wrote to memory of 1324 2620 CARNAT~2.EXE 95 PID 2620 wrote to memory of 1484 2620 CARNAT~2.EXE 97 PID 2620 wrote to memory of 1484 2620 CARNAT~2.EXE 97 PID 2620 wrote to memory of 1484 2620 CARNAT~2.EXE 97 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 2620 wrote to memory of 324 2620 CARNAT~2.EXE 96 PID 4252 wrote to memory of 3064 4252 Gvnufnpwhsacqcarnature_s.exe 98 PID 4252 wrote to memory of 3064 4252 Gvnufnpwhsacqcarnature_s.exe 98 PID 4252 wrote to memory of 3064 4252 Gvnufnpwhsacqcarnature_s.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe"C:\Users\Admin\AppData\Local\Temp\20540f8cbd1837c3d99da3b542a7155d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036
-
-
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe"C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA2AA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exeC:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe4⤵PID:3052
-
-
C:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exeC:\Users\Admin\AppData\Local\Temp\Gvnufnpwhsacqcarnature_s.exe4⤵PID:2032
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE3⤵
- Executes dropped EXE
PID:4388
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE3⤵
- Executes dropped EXE
PID:1324
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE3⤵
- Executes dropped EXE
PID:324
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CARNAT~2.EXE3⤵
- Executes dropped EXE
PID:1484
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54280e36a29fa31c01e4d8b2ba726a0d8
SHA1c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD5c6c3bc61f6d681667bb6675d48a25823
SHA1705a6030310516719021409fcf1d649e806b0904
SHA256e3617627f771b48393428d79e783eca4ef3eea86ca48473d7c0c6d5620cb8f6b
SHA5128ff451357aa6deb786394f423528d7e771076a65be519c3ce1621ad86380d8c43656e4b838e5130a129480679cf01260f3529f4627b2c40cd5ea77fcfef1177a
-
Filesize
6KB
MD569d0272e2d6cfee950467863be0348db
SHA115b2c9a800b2fdcbf39f23285751fea6e6568c9a
SHA25624ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e
SHA51218773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5
-
Filesize
6KB
MD569d0272e2d6cfee950467863be0348db
SHA115b2c9a800b2fdcbf39f23285751fea6e6568c9a
SHA25624ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e
SHA51218773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5
-
Filesize
6KB
MD569d0272e2d6cfee950467863be0348db
SHA115b2c9a800b2fdcbf39f23285751fea6e6568c9a
SHA25624ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e
SHA51218773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5
-
Filesize
6KB
MD569d0272e2d6cfee950467863be0348db
SHA115b2c9a800b2fdcbf39f23285751fea6e6568c9a
SHA25624ec524af5843d89d406b72abf735106f2e1b6e28cf234ff4713dc5ee51e515e
SHA51218773567df920d1046d672607de44a828debd6dbc15297e594a2f730c62961c2b508ea0c28f958ab370ccf52db70cc4d53324647ff6018e9cb97e15fdea527b5
-
Filesize
333.8MB
MD50195b0838e4bafd5e9eed41ac4e8a9cc
SHA1d813f54a41899ea02a97cf4988737787a431abe5
SHA2561af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca
SHA5120ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a
-
Filesize
333.8MB
MD50195b0838e4bafd5e9eed41ac4e8a9cc
SHA1d813f54a41899ea02a97cf4988737787a431abe5
SHA2561af1b6698ab7e6fa795eb5748832aef7d98b9fa8ea3d3f05f724691014c96bca
SHA5120ea148d95b56f586e4d12e49d56ddaff02ed031f9200c7e521120cd49234827d682be99cb75380ccab9cdd4fdf322b98c8a733edc09f98bd70bd570b7e1f5c3a
-
Filesize
242.6MB
MD52e4dccf3b9ee93193d8c6d5a53ce67f9
SHA1702c9c3539a9972ff536591eec204ee940b15c4d
SHA256908a24b47100390c507d2ad862fee02778725c6441a32d4a8156f8ad7ca0971d
SHA512d7c2950efdb29112a51885bcd1bafa659e446b7884f41139948eeb5c1b895dc99a9ab5c5d49526b9236bd3eca0e9bfcce453fe2dc7464490a7dd46a2a2f1296a
-
Filesize
250.5MB
MD5eaa64c1948a54316df94e236e943baa5
SHA18573a5874151df386771919b0f9e35ecaf5e7595
SHA256477439a8ced2f94732a720ca38b798a64b0ba405b1a422321bf6d6d389d45137
SHA512e3ce85845e4391eb814bd434e8d19f164b6aac32c9b496ab642876ad682b6fb5fa3cb0333930ba52ec0cb2c54040f7b5cc066e63656410165a9e427071bd5615
-
Filesize
256.2MB
MD5f3580a24e5b6be6bd315cd57045653ae
SHA12147c3ac54e1303b8f339edcd16bbb5424b5a012
SHA25676f6ff38b205d631ff1670119ef59a2cbbbbf08ffad5cff11c5a7bedfe3fe6df
SHA512dc6d3c6a42d253c5a1f997303d597d6785bfa89658a629243b08f2c335d3217f4914c1662549a076ae344fe399d748cf6ff7038cefb525f11e0fd5274acd85ae
-
Filesize
250.1MB
MD5e7d7c007e5ea903da40ac7d7bcecd547
SHA1f1e5f426d7751547d34dc8961a0b1b8a92a9c9c0
SHA256a5fe95b8eb02d554157c47d5d660ff83c7682149d41a4d180ffd9ffad1d2bc1c
SHA5129530553764f1a82a2b08f831a2e9a54a457df1370b01a6171e18d587a0d62c9d256f90256a9e3984b50decf8372487efbabd3d8433b597100bed5dc45481e302