Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
100s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
04/01/2023, 08:06
General
-
Target
39021047c13e6054cb6e714f20563565.exe
-
Size
314KB
-
MD5
39021047c13e6054cb6e714f20563565
-
SHA1
c4a4a3e2eac3cc8b410c7ebeab2d376f2b514e95
-
SHA256
0cb4087b8d532e5fae9ff5d39815fd9b394f9e12cbf783a32329f925022350bc
-
SHA512
6f8272c3fe0e475b533db861388731138de49195081b06ff3791c80f4feb07939b8695bfa3c83746655011fff3e73f65371b1b44dbc72e64d9d2ccee072d5b9f
-
SSDEEP
6144:zdjdLbFiXyOjzninVBGb6wlEA/qXD3cAyjcbxe:zjtiCGzniVBGb3EAEDMAygV
Malware Config
Extracted
redline
GIVEMEMYGUN
193.233.49.83:3321
-
auth_value
862b38f54d952bd9a16b1945a039305a
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detectes Phoenix Miner Payload 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\39021047c13e6054cb6e714f20563565.exe"C:\Users\Admin\AppData\Local\Temp\39021047c13e6054cb6e714f20563565.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D6CD.exeC:\Users\Admin\AppData\Local\Temp\D6CD.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 9762⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\DCD9.exeC:\Users\Admin\AppData\Local\Temp\DCD9.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ghoul.exe"C:\Users\Admin\AppData\Local\Temp\ghoul.exe" hvasjw34favaawhnb682⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PSOBPDL" /tr "C:\ProgramData\Microsoft\PSOBPDL.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PSOBPDL" /tr "C:\ProgramData\Microsoft\PSOBPDL.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Program.exe"C:\Users\Admin\AppData\Roaming\Program.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RAiXn2Cm9gBmXtWE1r43sAskTm6LNhULcE.worker -p x -t 43⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xfD75a752E7594751115555Af6d67B49D8dFf2Ee5.Rig001 -coin etc -log 03⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\DFB8.exeC:\Users\Admin\AppData\Local\Temp\DFB8.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ghoul.exe"C:\Users\Admin\AppData\Local\Temp\ghoul.exe" hvasjw34favaawhnb682⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3468 -ip 34681⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5440cb38dbee06645cc8b74d51f6e5f71
SHA1d7e61da91dc4502e9ae83281b88c1e48584edb7c
SHA2568ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
SHA5123aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
305KB
MD5effd444fc9ebb66f7187c407bac43ffe
SHA12ae9f83c9b783ee2317fdd6013377445894e1d68
SHA2563575f74003ced283121e83bcdb393cb371862f01fc0ddc00a871cf72252b51e5
SHA5120f6be3f85dfd20009892229613ffb15521996ef784f27da6b0bce8558827f501184d443fba7975489f4566f4b2850132ebdbc6a7514832d941222d539fec165b
-
Filesize
305KB
MD5effd444fc9ebb66f7187c407bac43ffe
SHA12ae9f83c9b783ee2317fdd6013377445894e1d68
SHA2563575f74003ced283121e83bcdb393cb371862f01fc0ddc00a871cf72252b51e5
SHA5120f6be3f85dfd20009892229613ffb15521996ef784f27da6b0bce8558827f501184d443fba7975489f4566f4b2850132ebdbc6a7514832d941222d539fec165b
-
Filesize
1.6MB
MD5ee67ea6b81a0859cbdea2c1a8c689c40
SHA1e4425ab917e028be1a349384f4dce4c0eee1f72a
SHA256d093cc2e257699ebf02497e30b6c5590ef100f44a7d692d2cac83f0a813985b5
SHA5124ef11812363009c8303d2385f08e666c4e9fbe55413577e743350f427794a3663fdae1a2b4d98771ee5f6359c41adec50f10cf733a40a907f1b448bcd3568c99
-
Filesize
1.6MB
MD5ee67ea6b81a0859cbdea2c1a8c689c40
SHA1e4425ab917e028be1a349384f4dce4c0eee1f72a
SHA256d093cc2e257699ebf02497e30b6c5590ef100f44a7d692d2cac83f0a813985b5
SHA5124ef11812363009c8303d2385f08e666c4e9fbe55413577e743350f427794a3663fdae1a2b4d98771ee5f6359c41adec50f10cf733a40a907f1b448bcd3568c99
-
Filesize
1.6MB
MD5ee67ea6b81a0859cbdea2c1a8c689c40
SHA1e4425ab917e028be1a349384f4dce4c0eee1f72a
SHA256d093cc2e257699ebf02497e30b6c5590ef100f44a7d692d2cac83f0a813985b5
SHA5124ef11812363009c8303d2385f08e666c4e9fbe55413577e743350f427794a3663fdae1a2b4d98771ee5f6359c41adec50f10cf733a40a907f1b448bcd3568c99
-
Filesize
1.6MB
MD5ee67ea6b81a0859cbdea2c1a8c689c40
SHA1e4425ab917e028be1a349384f4dce4c0eee1f72a
SHA256d093cc2e257699ebf02497e30b6c5590ef100f44a7d692d2cac83f0a813985b5
SHA5124ef11812363009c8303d2385f08e666c4e9fbe55413577e743350f427794a3663fdae1a2b4d98771ee5f6359c41adec50f10cf733a40a907f1b448bcd3568c99
-
Filesize
935KB
MD5ab99beb3f8c06723ed7bda90e5065901
SHA1c576d7a71695be459ed0064cc412d45bfab64d04
SHA256cc5b339899f4a126853d0fcffd70c971400ee5049c5d1c1fe881033c2d2f1b0b
SHA512b69fe2e3a6bd7b06b54c617827978fb9bb70da42f27ebe006d32988015097d429b60aafdbd4f668d0dccdde0b40101f87942c11594c211da5a2b2d13ed828854
-
Filesize
935KB
MD5ab99beb3f8c06723ed7bda90e5065901
SHA1c576d7a71695be459ed0064cc412d45bfab64d04
SHA256cc5b339899f4a126853d0fcffd70c971400ee5049c5d1c1fe881033c2d2f1b0b
SHA512b69fe2e3a6bd7b06b54c617827978fb9bb70da42f27ebe006d32988015097d429b60aafdbd4f668d0dccdde0b40101f87942c11594c211da5a2b2d13ed828854
-
Filesize
935KB
MD5ab99beb3f8c06723ed7bda90e5065901
SHA1c576d7a71695be459ed0064cc412d45bfab64d04
SHA256cc5b339899f4a126853d0fcffd70c971400ee5049c5d1c1fe881033c2d2f1b0b
SHA512b69fe2e3a6bd7b06b54c617827978fb9bb70da42f27ebe006d32988015097d429b60aafdbd4f668d0dccdde0b40101f87942c11594c211da5a2b2d13ed828854
-
Filesize
935KB
MD5ab99beb3f8c06723ed7bda90e5065901
SHA1c576d7a71695be459ed0064cc412d45bfab64d04
SHA256cc5b339899f4a126853d0fcffd70c971400ee5049c5d1c1fe881033c2d2f1b0b
SHA512b69fe2e3a6bd7b06b54c617827978fb9bb70da42f27ebe006d32988015097d429b60aafdbd4f668d0dccdde0b40101f87942c11594c211da5a2b2d13ed828854
-
Filesize
266KB
MD51c26d22dc1fe8afb79d9ba5987f47dcd
SHA1025b02c610b6dceb8204a34d70837813685fed85
SHA25647079d77283f2a49dff6f073e1612e23454dcca1235d7c74fbf56b7730d87284
SHA512beb70e71cd4616759b373370ab553edbc66e67468f443f0c877a501ccf2c2ac3d565c67ebf4933fceaa483a6eb1af1e582b778a9105981b1c951976733a06918
-
Filesize
266KB
MD51c26d22dc1fe8afb79d9ba5987f47dcd
SHA1025b02c610b6dceb8204a34d70837813685fed85
SHA25647079d77283f2a49dff6f073e1612e23454dcca1235d7c74fbf56b7730d87284
SHA512beb70e71cd4616759b373370ab553edbc66e67468f443f0c877a501ccf2c2ac3d565c67ebf4933fceaa483a6eb1af1e582b778a9105981b1c951976733a06918
-
Filesize
40KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
36KB
-
Filesize
40.3MB
-
Filesize
40.3MB
-
Filesize
1024KB
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
792KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
1024KB
-
Filesize
16.0MB
-
Filesize
424KB
-
Filesize
116KB
-
Filesize
116KB
-
Filesize
424KB
-
Filesize
208KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
224KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
10.8MB
-
Filesize
952KB
-
Filesize
10.8MB
-
Filesize
1.6MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
10.8MB
-
Filesize
10.8MB