Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
76s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
12/04/2023, 13:56
General
-
Target
a5e065bd9a3a411cac043f60a0df9bf4f6839042dfed251f86deed1e336d10cd.exe
-
Size
350KB
-
MD5
bc6bb448a098b2cbd03bfd9c4fcf19a8
-
SHA1
cbebe41adcde336a7346cfb8618f34dc6bd8158d
-
SHA256
a5e065bd9a3a411cac043f60a0df9bf4f6839042dfed251f86deed1e336d10cd
-
SHA512
b41be414d39f208e7aa18090350de4377f4fc42d637d9e3ec1e2f23df04dfa81e4eee5bc2d024e5dee4a8b761702579d9a424dfbcafe9a2cd48b75e0edb1fbb0
-
SSDEEP
6144:DKW+GxGCfZKDTbH+wnUfVI+NflkPaaXWXVCV+:DKvGxDZKDTbewUa+LMa0wVCV
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
redline
1379752987
107.167.69.80:28253
-
auth_value
94039ae8b5b0b9ec5346501cc0139461
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable 1 IoCs
-
XMRig Miner payload 14 IoCs
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5e065bd9a3a411cac043f60a0df9bf4f6839042dfed251f86deed1e336d10cd.exe"C:\Users\Admin\AppData\Local\Temp\a5e065bd9a3a411cac043f60a0df9bf4f6839042dfed251f86deed1e336d10cd.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\200B.exeC:\Users\Admin\AppData\Local\Temp\200B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\2DE7.exeC:\Users\Admin\AppData\Local\Temp\2DE7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2DE7.exe"C:\Users\Admin\AppData\Local\Temp\2DE7.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2DE7.exe"C:\Users\Admin\AppData\Local\Temp\2DE7.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3A8A.exeC:\Users\Admin\AppData\Local\Temp\3A8A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2188 -s 7604⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 43vDzCah59pa7NjPUPS2ow6tp1drE7MUU188sTbUJ1wzNyfnvRyDdtic8C4kPMambW1PcRMbkBgvbM157NBNjs3tRWxYy83 -p x -k -v=0 --donate-level=0 -t 23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 2188 -ip 21881⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
471KB
MD5603e0b4083560a933494a6a844ecac4c
SHA1604063cfe175b37c6e7b21b6c7173ecddd9227ba
SHA2562b999d539dab833c70b1575a767273eafcc880cc95114707215a10b05d4c26d7
SHA5129f8a45140c8343ff0772d76036aaf6ccc51e09dc22a37c6174422a06c37fe19a12e48b116be1654d22e7e21334e7cfa781953a4bed62dfe7b4c321bf5dbac9cd
-
Filesize
471KB
MD5603e0b4083560a933494a6a844ecac4c
SHA1604063cfe175b37c6e7b21b6c7173ecddd9227ba
SHA2562b999d539dab833c70b1575a767273eafcc880cc95114707215a10b05d4c26d7
SHA5129f8a45140c8343ff0772d76036aaf6ccc51e09dc22a37c6174422a06c37fe19a12e48b116be1654d22e7e21334e7cfa781953a4bed62dfe7b4c321bf5dbac9cd
-
Filesize
553KB
MD5e0888920ecf5282f98cc62836905ecdd
SHA13e954e4030869d99ecbaf6503acafd1ef4a81dbf
SHA256f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
SHA512ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea
-
Filesize
553KB
MD5e0888920ecf5282f98cc62836905ecdd
SHA13e954e4030869d99ecbaf6503acafd1ef4a81dbf
SHA256f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
SHA512ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea
-
Filesize
553KB
MD5e0888920ecf5282f98cc62836905ecdd
SHA13e954e4030869d99ecbaf6503acafd1ef4a81dbf
SHA256f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
SHA512ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea
-
Filesize
553KB
MD5e0888920ecf5282f98cc62836905ecdd
SHA13e954e4030869d99ecbaf6503acafd1ef4a81dbf
SHA256f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
SHA512ab8fd95c90930875b3db507c75ec5d883b1b73966129df31dc300ebe2d6ee6b7fb540d7bd46e5dedcf88ab3affa5713ae408f57081dd54e6323ee06f99b9a7ea
-
Filesize
5.0MB
MD58b1f945c3be65f087ce41188397403be
SHA1aa9bc2cf10e61c12b5ab418179e0d2ec40c0202c
SHA256e82ddd25a062bc207cc82773a9c8f902be0e3343a7a644d95de765d74ff60ab9
SHA512ee743eb12a28dc67b4bd1be96549d6cfca2dfc640d3f55606cbf83f07196ef64fac017f2889acf2ca0120ea1814737dbce2b911c45bc40ba5d3c1345a132b871
-
Filesize
5.0MB
MD58b1f945c3be65f087ce41188397403be
SHA1aa9bc2cf10e61c12b5ab418179e0d2ec40c0202c
SHA256e82ddd25a062bc207cc82773a9c8f902be0e3343a7a644d95de765d74ff60ab9
SHA512ee743eb12a28dc67b4bd1be96549d6cfca2dfc640d3f55606cbf83f07196ef64fac017f2889acf2ca0120ea1814737dbce2b911c45bc40ba5d3c1345a132b871
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
1.0MB
-
Filesize
192KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
11.5MB
-
Filesize
80KB
-
Filesize
11.5MB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
4.1MB
-
Filesize
348KB
-
Filesize
972KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
576KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB