Analysis
max time kernel: 47s
max time network: 49s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 11/12/2023, 03:41
Behavioral task: behavioral1
Sample: 0x000700000001626b-116.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 0x000700000001626b-116.exe
Resource: win10v2004-20231127-en
General
Target: 0x000700000001626b-116.exe
Size: 37KB
MD5: f4b15e6c814a0d6abf6325753b6d4037
SHA1: 489d628694d794492df545d8c73cb0f910a0b479
SHA256: c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
SHA512: e6c76c630de0e4b4d664b5ad7c3c24ae06d65c3aeaf4835a35406ff7e90b4ecead8cf1b3581c794d1f3870f2d472ff9f7d18c7285302fefad98042312c5d12d1
SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
Version: 2022
C2: http://81.19.131.34/fks/index.php
Extracted: redline
Botnet: LiveTraffic
C2: 77.105.132.87:6731
Extracted: redline
Botnet: @oleh_ps
C2: 176.123.7.190:32927
Extracted: smokeloader
Botnet: up3
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/2904-12-0x0000000000080000-0x00000000000BC000-memory.dmp | family_redline
behavioral1/memory/1884-32-0x0000000000090000-0x00000000000CC000-memory.dmp | family_redline
behavioral1/files/0x00130000000152c4-31.dat | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Deletes itself (1 IoC)
pid | Process
1268 | Process not Found
Executes dropped EXE (2 IoCs)
pid | Process
2904 | 9492.exe
2504 | D8C3.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0x000700000001626b-116.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0x000700000001626b-116.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0x000700000001626b-116.exe
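The SCSI check above is worth seeing in code: the loader walks SYSTEM\ControlSet001\Enum\SCSI because disk device-instance paths and FriendlyName values on a VM carry the hypervisor vendor's name. The following is an added example, not code from the report or from the sample, that implements the same walk on Windows and applies the usual vendor-string test; the same test doubles as a quick audit of a sandbox image to see which strings it leaks. The VM_MARKERS list, the helper names and the sample registry entries are this example's own assumptions; the report does not say which strings this particular sample matches on.

```python
"""
Added example (not from the tria.ge report): the anti-sandbox check that the
"Checks SCSI registry key(s)" signature describes, written out so the logic
is visible, plus the inverse use for auditing a sandbox image.
The registry data below is constructed sample input; the marker list and the
helper names are assumptions for this example.
"""
import re
import sys

SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings commonly seen in the device-instance path or FriendlyName of a
# virtualised disk. Assumed for this example; not exhaustive or authoritative.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual disk", "xen", "msft virtual")
_marker_re = re.compile("|".join(re.escape(m) for m in VM_MARKERS), re.IGNORECASE)


def scsi_vm_indicators(scsi_entries):
    """Return (device_path, friendly_name, matched_marker) for entries that look virtual.

    scsi_entries: iterable of (device_instance_path, friendly_name) tuples, which is
    what enumerating the SCSI key and reading each instance's FriendlyName yields.
    """
    hits = []
    for path, friendly in scsi_entries:
        for text in (path, friendly or ""):
            m = _marker_re.search(text)
            if m:
                hits.append((path, friendly, m.group(0)))
                break  # one hit per device is enough
    return hits


def looks_like_sandbox(scsi_entries):
    """The decision the loader makes: any virtual-looking disk means 'sandbox'."""
    return bool(scsi_vm_indicators(scsi_entries))


def read_scsi_enum_windows():
    """Enumerate the live key on Windows (the same walk the report attributes to the sample).

    Returns [] on non-Windows hosts so the module stays importable everywhere.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module

    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            device = winreg.EnumKey(root, i)  # e.g. Disk&Ven_VMware&Prod_Virtual_disk
            with winreg.OpenKey(root, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    inst = winreg.EnumKey(dev_key, j)
                    path = f"{device}\\{inst}"
                    try:
                        with winreg.OpenKey(dev_key, inst) as inst_key:
                            friendly, _ = winreg.QueryValueEx(inst_key, "FriendlyName")
                    except OSError:
                        friendly = ""
                    entries.append((path, friendly))
    return entries


# Constructed sample data: two entries shaped like a stock VMware guest and one
# shaped like a physical SATA SSD. Not taken from the report.
SAMPLE_VM_GUEST = [
    (r"Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
     "VMware Virtual disk SCSI Disk Device"),
    (r"CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&2f0b9e4&0&000000",
     "NECVMWar VMware SATA CD00"),
]
SAMPLE_BARE_METAL = [
    (r"Disk&Ven_Samsung&Prod_SSD_870_EVO\4&3a1b2c3&0&000000", "Samsung SSD 870 EVO 1TB"),
]

if __name__ == "__main__":
    # On a Windows host this audits the real key; elsewhere it runs on the sample data.
    live = read_scsi_enum_windows() or SAMPLE_VM_GUEST
    for path, friendly, marker in scsi_vm_indicators(live):
        print(f"VM indicator {marker!r} in {path} ({friendly})")
```

Running the audit on a sandbox image and renaming or patching whatever it reports (device IDs and FriendlyName values) is the practical countermeasure to this particular check; the report's signature fires on the key access itself, which is useful as a detection regardless of what the sample then decides.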
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
1464 | 0x000700000001626b-116.exe | 2
1268 | Process not Found | 62
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1464 | 0x000700000001626b-116.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process | occurrences
Token: SeShutdownPrivilege | 1268 | Process not Found | 2
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target | occurrences
PID 1268 wrote to memory of 2904 | 1268 | Process not Found | 28 | 4
PID 1268 wrote to memory of 2504 | 1268 | Process not Found | 31 | 4
PID 1268 is reported as "Process not Found" because the monitor never saw it start: it was already running when the analysis began. The same PID then writes into the two dropped executables (2904 = 9492.exe, 2504 = D8C3.exe) listed under "Executes dropped EXE", deletes the original file and holds SeShutdownPrivilege, which is the behaviour of a loader stage that has migrated into a pre-existing process. The report itself does not name that process.
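The WriteProcessMemory entries are only useful once they are joined against the "Executes dropped EXE" table, because the writer is unnamed and the targets are only PIDs. The following is an added example, not tria.ge code, that parses the two flattened lines as they appear on this page, collapses the repeated entries into one edge per (injector, target) pair with a count, and labels each target with the dropped file it corresponds to. The input strings are copied from this report; the regular expressions and the record layout are this example's own.

```python
"""
Added example (not from tria.ge): reconstruct the cross-process write chain
from this report's "Suspicious use of WriteProcessMemory" and
"Executes dropped EXE" entries. Input lines are copied from the report;
the parsing helpers and the output record shape are assumptions of this example.
"""
import re
from collections import Counter

# One WriteProcessMemory IoC as the page flattens it:
#   "PID <src> wrote to memory of <dst> <src> <process name> <procid_target>"
_WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<proc>.+?) (?P<target>\d+)(?= PID |$)"
)
# One "Executes dropped EXE" IoC: "<pid> <image name>"
_EXEC_RE = re.compile(r"(\d+) (\S+)")

UNOBSERVED = "Process not Found"  # tria.ge's label for a process it never saw start


def injection_edges(write_line):
    """Collapse repeated IoCs into {(src_pid, dst_pid): count} plus the source names."""
    edges = Counter()
    src_names = {}
    for m in _WRITE_RE.finditer(write_line):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        src_names[src] = m["proc"]
    return edges, src_names


def dropped_exe_names(exec_line):
    """Map pid -> image name from the 'Executes dropped EXE' line."""
    return {int(pid): name for pid, name in _EXEC_RE.findall(exec_line)}


def injection_chains(write_line, exec_line):
    """One record per injector->target edge, joined against the dropped-EXE table.

    A source flagged src_unobserved is a process the sandbox could not name;
    a destination that is also a freshly dropped EXE is the classic
    create-suspended / write / resume staging pattern.
    """
    edges, src_names = injection_edges(write_line)
    dropped = dropped_exe_names(exec_line)
    chains = []
    for (src, dst), n in edges.items():  # Counter keeps first-seen order
        chains.append({
            "src": src,
            "src_name": src_names[src],
            "src_unobserved": src_names[src] == UNOBSERVED,
            "dst": dst,
            "dst_name": dropped.get(dst, "<not a dropped EXE>"),
            "dst_is_dropped_exe": dst in dropped,
            "writes": n,
        })
    return chains


# Input copied from this report (8 IoCs: 4 writes into 2904, 4 into 2504).
WRITE_LINE = " ".join(
    ["PID 1268 wrote to memory of 2904 1268 Process not Found 28"] * 4
    + ["PID 1268 wrote to memory of 2504 1268 Process not Found 31"] * 4
)
EXEC_LINE = "2904 9492.exe 2504 D8C3.exe"

if __name__ == "__main__":
    for c in injection_chains(WRITE_LINE, EXEC_LINE):
        who = f"{c['src']} ({c['src_name']})"
        flag = " [unobserved injector]" if c["src_unobserved"] else ""
        print(f"{who} -> {c['dst']} ({c['dst_name']}): {c['writes']} writes{flag}")
```

The same join is what a host-side detection does with Sysmon or EDR telemetry: a write into the address space of a process that was just created from a newly written file, from a parent that does not otherwise belong to the chain, is the signal; the individual WriteProcessMemory events are noise until they are grouped this way.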
Processes
Each entry gives the image path, the command line as recorded, and the PID; children are indented under their parent. 9492.exe, D8C3.exe, DAE6.exe and E9E5.exe appear at the top level because the monitor did not observe the process that started them; for 9492.exe and D8C3.exe the WriteProcessMemory entries above attribute that role to PID 1268.

C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"
    PID: 1464
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\9492.exe
    command line: C:\Users\Admin\AppData\Local\Temp\9492.exe
    PID: 2904
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\D8C3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\D8C3.exe
    PID: 2504
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
        PID: 2860
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
            command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
            PID: 1612
    C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        PID: 1504
    C:\Users\Admin\AppData\Local\Temp\tuc3.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        PID: 2140
    C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        PID: 1644
    C:\Users\Admin\AppData\Local\Temp\latestX.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        PID: 592
C:\Users\Admin\AppData\Local\Temp\DAE6.exe
    command line: C:\Users\Admin\AppData\Local\Temp\DAE6.exe
    PID: 1884
C:\Users\Admin\AppData\Local\Temp\E9E5.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E9E5.exe
    PID: 2756
Downloads

Filesize: 32KB
MD5: 1b34ee464944864d44f1f8bbb3dad7fa
SHA1: 5768fe663d155465b3ee07e514dcf6a9d04238fe
SHA256: 3a09158cf77af5ca18efa7960a35f90bf52564d458a7f65c656db6a6cc3e6323
SHA512: df69ceb08767681e3a36d64b69a98dfb9f20e6b88294861db5208bf586c209af82bdbd0d5feae0b34df7ab20f412cee947901e621181324289ed0234131974cf

Filesize: 401KB
MD5: f88edad62a7789c2c5d8047133da5fa7
SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Filesize: 2.9MB
MD5: ac437f0b8931209308e13b06843a6564
SHA1: 15bba7d0bd670080cee652552c793aa0d407114b
SHA256: 9f0396785b63277b4b665db6a0246dc1189c411eedf0d65cf8caae6ad111e32b
SHA512: ecf1c36d9c225c30ab50f9bb1a8d9d9dbb33cf8168302a4860f817e1ab244f1111e83511b6f560b05a184a7bd865ee5eda25a2c0b652018f6d3e9c3f2cbe537c

Filesize: 1.2MB
MD5: cbeef82b7a11df90f89e21db5cca9ec5
SHA1: 25f42ebeebb7313cb495716309405402bbef0f24
SHA256: 969a4ac83b411ecd4e1e779a12ea63bf5652cacfe2b9663e6fe49ce4b06f5c7f
SHA512: 137834384d3bcbe67bcb5abc02324fb4386ba079fefbba5b47d5a809a8552384ac166a0b98dcf9bf48f54294d406f3dfb1227cf1403094023aa71d298fa19aba

Filesize: 219KB
MD5: 91d23595c11c7ee4424b6267aabf3600
SHA1: ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256: d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512: cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Filesize: 58KB
MD5: 308a56558f07305c71dc0e6a73143ce9
SHA1: a9347824407368944f50d99dc5cb68465c011e78
SHA256: ef070c656fec7226d240e6af6406d4804703400b2d2a70ab051c8301c680cc4e
SHA512: 260e6db20bcddb2dca0a676984ebf3083a413c3e51af88a5e6982543ffac154c865cc22bb27679c9da84583cce1d9f7725200482534dd4a5ebda09ed72a7c8b6

Filesize: 92KB
MD5: dcc5159d5572687064ed6485f9c9d9bd
SHA1: e35d8b3194c98199a33a84c7a65c9d8ab1900be3
SHA256: 786618896a897e764cee0d07326e3e0c2cbace97e1fd7485930ed8a00f021cfb
SHA512: 09b581e07354927ce122f0ccbd9552fb61dedda33903eccaaff6423f89cdf4ab50bf728cf6e47b786d8b4c8f5fdd1baa9a2c4d5377ad635d37bf8e6d2ebe2820

Filesize: 477KB
MD5: ae8435e39af69efd3a8258d2252ef130
SHA1: fbf7ce9c0409afaf11857e07f7fdb3f5d6d47e4d
SHA256: 0bed9d9e1811a60d12f578e485bcf11d774b5207a2b8fc3f50092e80c40922fc
SHA512: 2352666c3e37f131966d4ec83e8e40012c7c95ae71225786fe89ec7f3eec6f6a7e63ba1241d2cc52f934f5b1d4960e4ce890c80fad8866f5a60e187f0d052430

Filesize: 92KB
MD5: a7423abfff1f8d14e1be346efe9a4662
SHA1: db373ffcfc944dd56b7f4f0fd8ad11593ce5083a
SHA256: 55f365ef9c8576b8d2d29017b8ba4a2634da7d87cc57cc5737821c3b199b06c0
SHA512: ced4ef9ded59b90821fe418dfc8c36cef4b0f777a44e96b5c1a494ac158ec00e2d22fea95b5c431b1bc60e3952d5bf0954fe8da2702e17df3459cb9912ebb89b

Filesize: 291KB
MD5: cde750f39f58f1ec80ef41ce2f4f1db9
SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Filesize: 167KB
MD5: 00af0e524b4e4928e63cf3a61a197b5f
SHA1: 4e57715bd53b224c5207e737b83b69708947e62c
SHA256: 02dcc0b3d6561c67584f5a01193b829ed43bddc543002f37a2b9a00fdf7aba4e
SHA512: 1a1dae422987767598715ac71a939279769764a522e7b3069d6e6fc0672b208fb6000d558c12197e6cd3b9070e8082b908a700747f359035531f4ef7889871bb

Filesize: 4KB
MD5: 4c74fcdbbe270ad0ace6b39b85430354
SHA1: 3e0ce90a18724712167b66b624fdbc003cc724dd
SHA256: 5975bd54ad9ca1ed6c8fab26611c9629cc4e0dbfe3457549d84268a963357a2f
SHA512: 3f05d0227f84e69041af49bad29b589238ab42682a83916c4bbb9f9740df57c44ab930252bfc87414eede3737674565770337e81d116772fce7fbb361e9968be

Filesize: 96KB
MD5: 41dbc0b5c50304824f41a120d3f313f1
SHA1: b981ad6be87b3d85a2edece6e1a5711248df420b
SHA256: 68347eb9c581529076c2f94603dbc79e9787629e1e09d7417069e53c8d9c0364
SHA512: 1b33f7b4d6a2af2acf55961b52dca21a6e748d128b02b401fa82fdd58e83bd44cb044d124e375057a228efd2b6e734783912c97ba7f3a8c36dbdf4a02782ea78

Filesize: 63KB
MD5: 70d6fecb6d5c67cb5a349153bcf0c855
SHA1: 9025829bfe3fde42975be31207b731612ec0bcdc
SHA256: c3ef46bf69a9e8681074d73c050cbcd545292f842db350c6ece1f0b14ac03d6a
SHA512: 22521cdcd0a069806c6548fd4d831b03f2820f666a2d61440c2a4110f881e042ba223d541e0bf0279c592df38edb36b686042022a39f64cbf4e7f0cd9659709f

Filesize: 381KB
MD5: d5670f0d50a88da39df770aaeddf46f2
SHA1: ff1681f68e53df1594769bd367b7fb0d3792f368
SHA256: fe455c4782a727e4954aa9f2b7b6e7c624008cbe9217625ab32701b41b3de011
SHA512: 903e5b9b7ae0d52bda955429e0a90ddfbee8bf7bac3186f1d6ec3edcbb4a2312e008f51e2bc6f7251deef25de47d001cd60da1ccceff3b91d60e40b160ff3f12

Filesize: 287KB
MD5: bedc6a3e6b76fa08e537780f39b88fd8
SHA1: e04763a7eb627acb295bc08aad1c638e746264a6
SHA256: 5fd8fc433493db1c17dc91c5125454fe0e5031bb7a9c4d5a1ea89190c42c3379
SHA512: b16b3de428c8b77fd6fb1f5e9449bc394bb809b38dffc2698f1a5b3ae2e2d9fb6e761857e87ee6164776e41990a4012c625b5621b9a2474d827a7657deeaccf0

Filesize: 28KB
MD5: 8d4535c4c3a23d43b7c9bd5b3918d31d
SHA1: 8d554ac1bd7f3ceabfed89f3fd87f02601ddec3e
SHA256: 2b58f0f1427e6878e081699f09e04a22fe4ba30b578ee1ea4ae9687d2b12fe7b
SHA512: d37dda7c151b4be2b87bb70d53f520a12f7d11da2821a601d1147851f7b26a9cc5b51fa4f56894ba14e5d48ab0a4784488df0eb5a43b10951d3f34a0f6242bc5