Analysis
- max time kernel: 76s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2023, 03:41
Behavioral task: behavioral1
- Sample: 0x000700000001626b-116.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 0x000700000001626b-116.exe
- Resource: win10v2004-20231127-en
General
- Target: 0x000700000001626b-116.exe
- Size: 37KB
- MD5: f4b15e6c814a0d6abf6325753b6d4037
- SHA1: 489d628694d794492df545d8c73cb0f910a0b479
- SHA256: c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
- SHA512: e6c76c630de0e4b4d664b5ad7c3c24ae06d65c3aeaf4835a35406ff7e90b4ecead8cf1b3581c794d1f3870f2d472ff9f7d18c7285302fefad98042312c5d12d1
- SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
- 2022
- http://81.19.131.34/fks/index.php
Extracted: redline
- @oleh_ps
- 176.123.7.190:32927
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral2/files/0x0008000000023119-18.dat, yara_rule: family_redline
  resource: behavioral2/memory/844-22-0x0000000000680000-0x00000000006BC000-memory.dmp, yara_rule: family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid 3332, Process not Found
- Executes dropped EXE (3 IoCs)
  pid 3744, F558.exe
  pid 4228, 5720.exe
  pid 844, 5CBE.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 0x000700000001626b-116.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 0x000700000001626b-116.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 0x000700000001626b-116.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4756, 0x000700000001626b-116.exe (2 entries)
  pid 3332, Process not Found (62 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 4756, 0x000700000001626b-116.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3332 (Process not Found) wrote to memory of 3744, procid_target 104 (3 entries)
  PID 3332 (Process not Found) wrote to memory of 4228, procid_target 106 (3 entries)
  PID 3332 (Process not Found) wrote to memory of 844, procid_target 107 (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"
  PID: 4756
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\F558.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F558.exe
  PID: 3744
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\5720.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5720.exe
  PID: 4228
  - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    PID: 1496
    - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
      PID: 456
  - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    PID: 1440
  - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    PID: 1656
  - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    PID: 2928
    - C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp" /SL5="$E0090,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      PID: 4440
  - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    PID: 4460
- C:\Users\Admin\AppData\Local\Temp\5CBE.exe
  command line: C:\Users\Admin\AppData\Local\Temp\5CBE.exe
  PID: 844
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\7B05.exe
  command line: C:\Users\Admin\AppData\Local\Temp\7B05.exe
  PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads