Analysis
max time kernel: 76s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 10/12/2023, 22:52
Behavioral task: behavioral1
Sample: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Resource: win10v2004-20231127-en
General
Target: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Size: 37KB
MD5: 0b5ab18b1fb6b220e32a614dfb5b4de2
SHA1: 42b2d5dcf34395173b96899113d42080f0053643
SHA256: 8b978cea455f253e274933089679a398069a42108e037cb3f930f168fb89c3cb
SHA512: 999bcc43833f18abf11804bec0acc419a03dbce7ebc3900dfd3cdb5fe8e66af5baa71f8961c13d7a38162e73206ae245d3eb2ef6eb24d1b17de001f6b6324bf7
SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
2022
http://81.19.131.34/fks/index.php
Extracted: redline
@oleh_ps
176.123.7.190:32927
Extracted: eternity
47vk9PbPuHnEnazCn4tLpwPCWRLSMhpX9PD8WqpjchhTXisimD6j8EvRFDbPQHKUmHVq3vAM3DLytXLg8CqcdRXRFdPe92Q
payload_urls: https://raw.githubusercontent.com/VolVeRFM/SilentMiner-VolVeR/main/VolVeRBuilder/Resources/xmrig.exe
Signatures
Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource: behavioral2/files/0x000a0000000230f8-23.dat; yara_rule: family_redline
resource: behavioral2/memory/4324-28-0x0000000000A60000-0x0000000000A9C000-memory.dmp; yara_rule: family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Deletes itself (1 IoCs)
pid: 3172; Process: Process not Found
Executes dropped EXE (4 IoCs)
pid: 4204; Process: 9788.exe
pid: 860; Process: 16DB.exe
pid: 1780; Process: 1D15.exe
pid: 4324; Process: 2072.exe
Suspicious use of SetThreadContext (1 IoCs)
description: PID 1780 set thread context of 1616; pid: 1780; Process: 1D15.exe; procid_target: 110
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
description: Key queried; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
description: Key enumerated; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; Process: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid: 4472; Process: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe (2 entries)
pid: 3172; Process: Process not Found (the remaining 62 entries)
Suspicious behavior: MapViewOfSection (1 IoCs)
pid: 4472; Process: 0b5ab18b1fb6b220e32a614dfb5b4de2.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description: PID 3172 wrote to memory of 4204; pid: 3172; Process: Process not Found; procid_target: 103 (3 entries)
description: PID 3172 wrote to memory of 860; pid: 3172; Process: Process not Found; procid_target: 106 (3 entries)
description: PID 3172 wrote to memory of 1780; pid: 3172; Process: Process not Found; procid_target: 107 (3 entries)
description: PID 3172 wrote to memory of 4324; pid: 3172; Process: Process not Found; procid_target: 108 (3 entries)
description: PID 1780 wrote to memory of 3512; pid: 1780; Process: 1D15.exe; procid_target: 109 (3 entries)
description: PID 1780 wrote to memory of 1616; pid: 1780; Process: 1D15.exe; procid_target: 110 (8 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 4472: C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0b5ab18b1fb6b220e32a614dfb5b4de2.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
PID 4204: C:\Users\Admin\AppData\Local\Temp\9788.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9788.exe
  - Executes dropped EXE
PID 860: C:\Users\Admin\AppData\Local\Temp\16DB.exe
  command line: C:\Users\Admin\AppData\Local\Temp\16DB.exe
  - Executes dropped EXE
  PID 4876: C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    PID 4920: C:\Users\Admin\AppData\Local\Temp\Broom.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
  PID 2808: C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  PID 3656: C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  PID 4356: C:\Users\Admin\AppData\Local\Temp\latestX.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
PID 1780: C:\Users\Admin\AppData\Local\Temp\1D15.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1D15.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID 3512: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  PID 1616: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID 3860: C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "AppLaunch" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\AppLaunch.exe"
PID 4324: C:\Users\Admin\AppData\Local\Temp\2072.exe
  command line: C:\Users\Admin\AppData\Local\Temp\2072.exe
  - Executes dropped EXE
PID 2444: C:\Users\Admin\AppData\Local\Temp\44F3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\44F3.exe
PID 3836: C:\Users\Admin\AppData\Local\Temp\4CE3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4CE3.exe
Network
MITRE ATT&CK Enterprise v15
Downloads