Analysis

  • max time kernel
    76s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2023, 03:41

General

  • Target

    0x000700000001626b-116.exe

  • Size

    37KB

  • MD5

    f4b15e6c814a0d6abf6325753b6d4037

  • SHA1

    489d628694d794492df545d8c73cb0f910a0b479

  • SHA256

    c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3

  • SHA512

    e6c76c630de0e4b4d664b5ad7c3c24ae06d65c3aeaf4835a35406ff7e90b4ecead8cf1b3581c794d1f3870f2d472ff9f7d18c7285302fefad98042312c5d12d1

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4756
  • C:\Users\Admin\AppData\Local\Temp\F558.exe
    C:\Users\Admin\AppData\Local\Temp\F558.exe
    • Executes dropped EXE
    PID:3744
  • C:\Users\Admin\AppData\Local\Temp\5720.exe
    C:\Users\Admin\AppData\Local\Temp\5720.exe
    • Executes dropped EXE
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\Broom.exe
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        PID:456
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      PID:1440
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      PID:1656
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp" /SL5="$E0090,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        PID:4440
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      PID:4460
  • C:\Users\Admin\AppData\Local\Temp\5CBE.exe
    C:\Users\Admin\AppData\Local\Temp\5CBE.exe
    • Executes dropped EXE
    PID:844
  • C:\Users\Admin\AppData\Local\Temp\7B05.exe
    C:\Users\Admin\AppData\Local\Temp\7B05.exe
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 384KB
    MD5: b91430f48b85af11e965a1df11fdb59c
    SHA1: f1a49262009044f0e0fdbf0450dd718935152372
    SHA256: 1f0c9c42e7c4ccce9aed15ce33dbcab11e5482432f2df6e260ca7c1b0a9eb90f
    SHA512: 9dee8362c90632a04f67835e53c8563f6680ae43e52320f15d2ef3090d669a5e7d93248ce174fa0f1878aa4b6dd907494464a728a3e40ec943c3faabf2dd7cfc
  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 1.1MB
    MD5: 7340acb870497624606bf1474112656e
    SHA1: 62231ef800ae6389c39031ebc0b0e9ea91f21826
    SHA256: 8111a62f4478b427a8382c4aafcd40bd8c026f20f8608c325dd6375cfdebf8ba
    SHA512: 64ba586870dff4f49d0e4efdb98fbea5aea66144cda1a719fe6273a5414e58ad05f56853951d261c896c141bc12b70f90ec907e35b075c07700ccec250fa996f
  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 256KB
    MD5: db7cea14da34db0b4cf2fc3b40a46a5a
    SHA1: 32b621293e6366b45e2dcffe40b590bb985a9ee0
    SHA256: e84e93c12bcbbf578467c9df3d68908e150ae82e74d8073a6ede2be977f284cf
    SHA512: a9a64d63ebe5bcd1342e51e3f461eae3d2ef03c375a692a9fd59bdbcef9ff70d535e0ddf668c20797741dd86a3d91a9fe6b623c1d06c03c8b0c47a11793135f0
  • C:\Users\Admin\AppData\Local\Temp\5720.exe
    Filesize: 5.8MB
    MD5: 08da88e6ead754a4fcd70d470c433796
    SHA1: 588e4dd2c9b67067e31f85954179123778f8afd9
    SHA256: 9c979bd00ca4a61775adfd66a3a956df638eec4391412dc7a249b813a1391b74
    SHA512: 04fa3be051678f4651c91dea11561b3c89b58144742fff84b7105b8115e0c937411e0a1e7f17091451b125aad919155d0b3adf53fa260aaf5aa66303fd471f30
  • C:\Users\Admin\AppData\Local\Temp\5720.exe
    Filesize: 5.3MB
    MD5: 9682abf1ff8376ed771b4544f9d89a5e
    SHA1: 1e9dbd9c560c9f6744428916300f6fa07e2e28dd
    SHA256: 1322e8782e78af9be4e1e2139b3b620c83d69411c46e979466088471be88a144
    SHA512: 0e478af6b16d11761f66d7232e0866abc176c3a6199e4fd0d01cb055d7803d7605dcbea7df4ad1bd1e6b8fdf408e5053604830672077131dff47e0a5d84cd157
  • C:\Users\Admin\AppData\Local\Temp\5CBE.exe
    Filesize: 219KB
    MD5: 91d23595c11c7ee4424b6267aabf3600
    SHA1: ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
    SHA256: d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
    SHA512: cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b
  • C:\Users\Admin\AppData\Local\Temp\7B05.exe
    Filesize: 768KB
    MD5: a68f7e520c17ad5fbdeca74827db2fab
    SHA1: c36488bb8a004bcd5dd9e2ae9940b244045b7891
    SHA256: 4919fdfcefd8c32de5e15a31d35f545bb5ccff81b4c9490fdaa3f66fafd928dd
    SHA512: d96e6d3fdfc33e44addfa30e529800c5791d0e0006487ece07c2c61417b853fbd6825af290d6ce6b3ce9d24ff077e0f600b2e3c09f62ed918f2782af4fc1fb2c
  • C:\Users\Admin\AppData\Local\Temp\7B05.exe
    Filesize: 1024KB
    MD5: e27d09606853bd7cc337c2d338854824
    SHA1: 8a91c95ff2e6b5983c936c5a0ee11586d1dfeb70
    SHA256: 17acc7dd07b27037a73924112cc45711d2c6659d5101c0e8606957f2f36303d7
    SHA512: 5ed4e4510731c31cf34cf14628b7ac997b4d445bda754084f79e24df2e2d2118ff49ad3de1125f2fd8011b2a7161e3c14a3b658dc15f03a9eb572996c80631b2
  • C:\Users\Admin\AppData\Local\Temp\Broom.exe
    Filesize: 1.8MB
    MD5: 2a1ead0f193538b1e134cda851538d51
    SHA1: e88412aaae131de89926535a0c631706b4f3456d
    SHA256: 0bd3b948312dbc87df5959fcc1a2560064fb660b9a4b19a31fa4457e87e4b094
    SHA512: a9dc2fbd74928f394741a8a9cd6bd3148d070a7cc452e1966954fb07761a8957a564911a058d327af4bdbe59639455c900493330734a55f73554cb0e2a6b74e1
  • C:\Users\Admin\AppData\Local\Temp\F558.exe
    Filesize: 401KB
    MD5: f88edad62a7789c2c5d8047133da5fa7
    SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
    SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
    SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 64KB
    MD5: 431870c626da5d5bcbc6804ec76c8b3d
    SHA1: e9955b11b27d37fb177e30fda7a6f6d3df465d72
    SHA256: 4a866cc834204db8fdea083280ec90b5e4631ea81a6341131ca121d3d5c71e7b
    SHA512: adcdb61b7f3449a8e6b33110a29c6c5d31c91b906d3135e2777e0ed8bdc3aec07666c5ca125171db2ebeb85078c0d7805788ff34d0a0be5c472905f3423153ae
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 1.5MB
    MD5: 84d81c950676c48dfff52116e4fc7f80
    SHA1: 28436963cb734db28a20e1e1a0b68416f54b6cb5
    SHA256: d5e769b3cdaf2414216f3d91d3bc77291b5715f2d4f2372fd61d8a9aadfa6d10
    SHA512: 614f4703e886d24ef305441cbd0e3c8621e94d1b33d64de71d602c77c225fe296c406f628a1ae924806a127ea01a9d7ed5af7e758f960cd7a16a28d8c5621b60
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 1.1MB
    MD5: 69460f7f058e26e03a72fd2bbacde61d
    SHA1: 132b3cdda57b7f40d3f4c9fdd0ae697078811eee
    SHA256: df16e7354f19dc0ee595d662a6de7825af8c7ef72cded084640f017d6378a21e
    SHA512: 5b6833168afb92c557b3314cc3ed5743f5e8f6bfd6bf31e592e78947786c02f1e785bcd60d52a110ea8b93e7003a4b67b431c4c1edf79fed4488241da35d140a
  • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    Filesize: 291KB
    MD5: cde750f39f58f1ec80ef41ce2f4f1db9
    SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
    SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
    SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580
  • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    Filesize: 192KB
    MD5: df5dfc67daa14d0fb30d4b2e4193bd2d
    SHA1: 8ab837661f393e3949c5dd0647c0dc68767aa4a5
    SHA256: 171db0491441ac4c9e5a966a52e3e5ad578ee999548cc4a02b5968dad5afb58e
    SHA512: 09152a498f6079ef0961dd7865be386dc5e68844fbe11e1e5f8905f2557e3184d7b4fd1020d84b6b3cfa0d55b3c97f439c37941fc1ffa125dd5678a38158a316
  • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    Filesize: 448KB
    MD5: 5a518debae1cc2912892c5c384bef0ea
    SHA1: 55450b5f73216b9cc9c8fae5289c324d3a30b43a
    SHA256: 410a6e0957c79decafc3d8c3417754169141a6acb754150caf46db2c80fa7333
    SHA512: 02c1e7f5332c0b91bf320133253bf98262d6fcc913a3757e6ac44014cd68eaf194314199458831b343d1a25dbd8dbdc513ff3ee8793315f04c469d218c808a8e
  • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    Filesize: 1024KB
    MD5: c6188926b380d45e3e384bcbfaf0798a
    SHA1: 864a0987a82e79a53f15df9e117a8e4cfdb7c6b0
    SHA256: 52ce724f1df325548e1a0671790efae68ccd156efd5daeb8a464a1d11b04ae6e
    SHA512: 15028fc894d56308bcbe33d49506c4e8a01243811821b11fb9eb900b3b23ba5bafde77c8c36651cbd020692978b53c29975225393feae6634285c303eb4747bf
  • memory/456-80-0x0000000000A80000-0x0000000000A81000-memory.dmp
    Filesize: 4KB
  • memory/844-36-0x00000000085C0000-0x0000000008BD8000-memory.dmp
    Filesize: 6.1MB
  • memory/844-61-0x00000000078C0000-0x000000000790C000-memory.dmp
    Filesize: 304KB
  • memory/844-43-0x0000000007FA0000-0x00000000080AA000-memory.dmp
    Filesize: 1.0MB
  • memory/844-28-0x00000000075E0000-0x00000000075EA000-memory.dmp
    Filesize: 40KB
  • memory/844-21-0x0000000074960000-0x0000000075110000-memory.dmp
    Filesize: 7.7MB
  • memory/844-27-0x0000000007630000-0x0000000007640000-memory.dmp
    Filesize: 64KB
  • memory/844-55-0x0000000007760000-0x000000000779C000-memory.dmp
    Filesize: 240KB
  • memory/844-25-0x0000000007440000-0x00000000074D2000-memory.dmp
    Filesize: 584KB
  • memory/844-24-0x00000000079F0000-0x0000000007F94000-memory.dmp
    Filesize: 5.6MB
  • memory/844-46-0x0000000007700000-0x0000000007712000-memory.dmp
    Filesize: 72KB
  • memory/844-22-0x0000000000680000-0x00000000006BC000-memory.dmp
    Filesize: 240KB
  • memory/2688-49-0x0000000000B70000-0x0000000001122000-memory.dmp
    Filesize: 5.7MB
  • memory/2688-60-0x0000000005BE0000-0x0000000005BF0000-memory.dmp
    Filesize: 64KB
  • memory/2688-58-0x0000000005C50000-0x0000000005CEC000-memory.dmp
    Filesize: 624KB
  • memory/2688-44-0x0000000074960000-0x0000000075110000-memory.dmp
    Filesize: 7.7MB
  • memory/2928-84-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/3332-1-0x0000000003010000-0x0000000003026000-memory.dmp
    Filesize: 88KB
  • memory/4228-20-0x0000000074960000-0x0000000075110000-memory.dmp
    Filesize: 7.7MB
  • memory/4228-23-0x0000000000F80000-0x0000000002436000-memory.dmp
    Filesize: 20.7MB
  • memory/4756-2-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB
  • memory/4756-0-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB