Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
151s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
14/04/2023, 16:04
General
-
Target
b7d7cfc2d23fb69c6112ef5461e94a8826594befbdd80d0f5f9c2c5e94c901b9.exe
-
Size
351KB
-
MD5
0a6676af3f77226da8baa584e64616ab
-
SHA1
281cc4fe995ad1b8a49b0d0f940b63ec46d82590
-
SHA256
b7d7cfc2d23fb69c6112ef5461e94a8826594befbdd80d0f5f9c2c5e94c901b9
-
SHA512
82bd6da6c7a47074f768932953e730b42e059b1e188c7b3d419b943e534c719be864575e63b12b743040c375750a94e4c350ddaea0df4d25630a8d908b26a49b
-
SSDEEP
6144:+Vl/JuDybFvA5psGGYjXm0scWpQ2Bd7z3CnFo8heo5gbb1qt:+VlcybFYsGGUXNscw7z3CnFo8so5Wb
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Extracted
vidar
3.4
e749025c61b2caca10aa829a9e1a65a1
https://steamcommunity.com/profiles/76561199494593681
https://t.me/auftriebs
-
profile_id_v2
e749025c61b2caca10aa829a9e1a65a1
-
user_agent
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Extracted
redline
37.220.87.13:48790
-
auth_value
58fae2a6410d913f90f926a25a82d686
Extracted
laplas
http://185.106.92.74
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 48 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7d7cfc2d23fb69c6112ef5461e94a8826594befbdd80d0f5f9c2c5e94c901b9.exe"C:\Users\Admin\AppData\Local\Temp\b7d7cfc2d23fb69c6112ef5461e94a8826594befbdd80d0f5f9c2c5e94c901b9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C8C3.exeC:\Users\Admin\AppData\Local\Temp\C8C3.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\16901719349057600738.exe"C:\ProgramData\16901719349057600738.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\ProgramData\01547868612144412074.exe"C:\ProgramData\01547868612144412074.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\01547868612144412074.exe3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\C8C3.exe" & exit2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\EA08.exeC:\Users\Admin\AppData\Local\Temp\EA08.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 9922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 10322⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 9202⤵
- Program crash
-
-
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 2682⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\F4B7.exeC:\Users\Admin\AppData\Local\Temp\F4B7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\FCB7.exeC:\Users\Admin\AppData\Local\Temp\FCB7.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
4.3MB
MD5c4ab3149ef02a36d663699a8c541933e
SHA167088f5eff9ec575775b711c9e3650d12d7f4d5c
SHA2560a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce
SHA51288b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
7.2MB
MD5c5e0fb4ecaa8a7481a283099d604f7a0
SHA1df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
-
Filesize
471KB
MD54ce94e0111eda6d503066341e24b7ff6
SHA1fb84294c389f1e096ed3737dc7036559b6a3d39f
SHA2567e5a479ffbdadcbe186548d2142de5d0d02df93fea5a963909fec936195e4439
SHA5123ede6bc530ba57f389379023bdd8a4b223ddd725bedbe6c327753bf268bfefcea9c6341a55fb4f01b1d03933abf16689f57bfe277e7fb8cd30f76b4fec1f4d25
-
Filesize
471KB
MD54ce94e0111eda6d503066341e24b7ff6
SHA1fb84294c389f1e096ed3737dc7036559b6a3d39f
SHA2567e5a479ffbdadcbe186548d2142de5d0d02df93fea5a963909fec936195e4439
SHA5123ede6bc530ba57f389379023bdd8a4b223ddd725bedbe6c327753bf268bfefcea9c6341a55fb4f01b1d03933abf16689f57bfe277e7fb8cd30f76b4fec1f4d25
-
Filesize
5.4MB
MD519b50e116e3708c663672d9c6e5a02f7
SHA1f2fcb880b1448f745dc525e192e0b13199363946
SHA256a9b3a6990f77252738e89a4880dba0f331cb151c0dfda1ddd0d5002aa907479e
SHA5125b42f712c5a3b6af0c163eb3fc30a85b74458711ca7c6ff2ff2eebdd2b7951f7080384f59bff850a2e49c052d1ce4da34c8d7d22b76ab82f99dc1ffe240af7cf
-
Filesize
5.4MB
MD519b50e116e3708c663672d9c6e5a02f7
SHA1f2fcb880b1448f745dc525e192e0b13199363946
SHA256a9b3a6990f77252738e89a4880dba0f331cb151c0dfda1ddd0d5002aa907479e
SHA5125b42f712c5a3b6af0c163eb3fc30a85b74458711ca7c6ff2ff2eebdd2b7951f7080384f59bff850a2e49c052d1ce4da34c8d7d22b76ab82f99dc1ffe240af7cf
-
Filesize
353KB
MD5b9bfb0a292cab0286d40456a9ac1552a
SHA107bbfc1788f59a15ebee278b270c462106d77d31
SHA25677fb87b906b8eadddd3f0d796e4ae65cf712fe2358d290dd2b026919502c118d
SHA512749483db3162566983e7c80e1879f86b0bcc4071a6db10ccf1c2057d8917c14f9a4b78bd045c27cb9765baf3076d695664ebc5a35e4c83964cb26d2ef22598f9
-
Filesize
353KB
MD5b9bfb0a292cab0286d40456a9ac1552a
SHA107bbfc1788f59a15ebee278b270c462106d77d31
SHA25677fb87b906b8eadddd3f0d796e4ae65cf712fe2358d290dd2b026919502c118d
SHA512749483db3162566983e7c80e1879f86b0bcc4071a6db10ccf1c2057d8917c14f9a4b78bd045c27cb9765baf3076d695664ebc5a35e4c83964cb26d2ef22598f9
-
Filesize
458KB
MD506a8139dedfe3077c11a72759ff82b96
SHA145e4bb0e8afb76514fa6a620d78ffb98588b3f54
SHA256aa53ae86d3ef7e0f19d97b175a7831f3d389db6d19082cdfa6f5ec4a845d13f3
SHA5125bf5cfe7e2b0fee817371fcda1c09556e35dfe64d753bc5f8c873038dd06cbd7a38144bd5dae666c0247875ce11446507019bc941655d9b3ad5ecdd9e957a16f
-
Filesize
458KB
MD506a8139dedfe3077c11a72759ff82b96
SHA145e4bb0e8afb76514fa6a620d78ffb98588b3f54
SHA256aa53ae86d3ef7e0f19d97b175a7831f3d389db6d19082cdfa6f5ec4a845d13f3
SHA5125bf5cfe7e2b0fee817371fcda1c09556e35dfe64d753bc5f8c873038dd06cbd7a38144bd5dae666c0247875ce11446507019bc941655d9b3ad5ecdd9e957a16f
-
Filesize
333.5MB
MD56bc2d4e16697b82ac02cbda3353d0b9f
SHA1effaea36dcd12680d29e518a5a84e4b768c4d557
SHA256d03bea421ae83f005f6ec9daa7be1216f54b54e72a47026391a90b94c5114d12
SHA5123bd8a0356598faef5a373fdb217026239d04ce748f1be7c83490914f2a5c01afe20789fd8e6fae063227f66389a87ef0000d17fd5b2f4e7ea08aca297059065c
-
Filesize
237.0MB
MD57db6d09fb77dad706d7fe6f04d1162df
SHA11b2f5e8edbf28c46f075fab799eff2d4b84ccd3b
SHA2560783adc895662132e1593fea20bbfbde0c0300a9951df4806e9c2d0963558b8a
SHA5127330feec7f8e1c7b8c4fddf4fef214d41732eb5c3f528fd658c75b74c6085fc6cc4a4969707ed25496ab5ccf0f55a49c98368a800c0019d76ba39d8952c07c6b
-
Filesize
244.9MB
MD5a8bb49a07c16ab81938ec7a93064a5e2
SHA1d5548afc501243fe26c6ff13f8ff18c483251f86
SHA256d6eff1bc829600e07da979994cb524e92c10e1885fc79c43ef4c73f4a88fdb31
SHA512708c4421951926c8a062adc541b6280bbe37824f9d31f6cc9571fa1e2dd7c88c1ddccac092e23b592b8e4a88a9aa338db78c3ce05eeebcfe29050155c1ca4c3b
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
4KB
-
Filesize
14.4MB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
176KB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
972KB
-
Filesize
4.1MB
-
Filesize
6.0MB
-
Filesize
408KB
-
Filesize
160KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
11.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.4MB
-
Filesize
4.5MB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.2MB
-
Filesize
1.2MB
-
Filesize
11.2MB
-
Filesize
10.1MB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
11.2MB
-
Filesize
11.2MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB