Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel: 104s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20231023-en
  • resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/12/2023, 02:57

General

  • Target: b846f0bb8a677991d85807fded1e9007.exe
  • Size: 37KB
  • MD5: b846f0bb8a677991d85807fded1e9007
  • SHA1: 38e24fe6301cf2426bb90ea635676c87a860c21f
  • SHA256: 62f28fb67834679ed133e70158c6b89327de331af2e89ee895da8f43d2bb13a2
  • SHA512: 890b9b0f691064c81e53fcff4235ac382c06713d4065d0e68bc7ea18867a5b883a8f09a8c3e54be9b8f6ed82cd997fc7b3154d9305751f5983cdfd6fedd3a96c
  • SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted
  • Family: smokeloader
  • Version: 2022
  • C2: http://81.19.131.34/fks/index.php
  • rc4.i32
  • rc4.i32

Extracted
  • Family: redline
  • Botnet: LiveTraffic
  • C2: 77.105.132.87:6731

Extracted
  • Family: redline
  • Botnet: @oleh_ps
  • C2: 176.123.7.190:32927

Extracted
  • Family: smokeloader
  • Botnet: up3

Extracted
  • Family: smokeloader
  • Version: 2020
  • C2:
    http://host-file-host6.com/
    http://host-host-file8.com/
  • rc4.i32
  • rc4.i32

Signatures

  • Glupteba
    Glupteba is a modular loader written in Golang with various components.
  • Glupteba payload (7 IoCs)
  • RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  • RedLine payload (3 IoCs)
  • SmokeLoader
    Modular backdoor trojan in use since 2014.
  • Downloads MZ/PE file
  • Modifies Windows Firewall (1 TTP, 1 IoC)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe
    "C:\Users\Admin\AppData\Local\Temp\b846f0bb8a677991d85807fded1e9007.exe"
    1⤵ PID:1764
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
  • C:\Users\Admin\AppData\Local\Temp\F68F.exe
    C:\Users\Admin\AppData\Local\Temp\F68F.exe
    1⤵ PID:2272
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
  • C:\Users\Admin\AppData\Local\Temp\BC2F.exe
    C:\Users\Admin\AppData\Local\Temp\BC2F.exe
    1⤵ PID:1536
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
        2⤵ PID:644
        • Executes dropped EXE
          • C:\Users\Admin\AppData\Local\Temp\Broom.exe
            C:\Users\Admin\AppData\Local\Temp\Broom.exe
            3⤵ PID:2880
      • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        2⤵ PID:1684
        • Executes dropped EXE
          • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
            "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
            3⤵ PID:944
      • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        2⤵ PID:2592
        • Executes dropped EXE
          • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
            "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
            3⤵ PID:2956
              • C:\Windows\system32\cmd.exe
                C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                4⤵ PID:2724
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                    5⤵ PID:2636
                    • Modifies Windows Firewall
              • C:\Windows\rss\csrss.exe
                C:\Windows\rss\csrss.exe
                4⤵ PID:2552
      • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
        "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        2⤵ PID:2844
          • C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-FSMN3.tmp\tuc3.tmp" /SL5="$901C6,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
            3⤵ PID:868
      • C:\Users\Admin\AppData\Local\Temp\latestX.exe
        "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        2⤵ PID:1328
  • C:\Users\Admin\AppData\Local\Temp\C728.exe
    C:\Users\Admin\AppData\Local\Temp\C728.exe
    1⤵ PID:1640
    • Executes dropped EXE
  • C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211025914.log C:\Windows\Logs\CBS\CbsPersist_20231211025914.cab
    1⤵ PID:1928
  • C:\Users\Admin\AppData\Local\Temp\102A.exe
    C:\Users\Admin\AppData\Local\Temp\102A.exe
    1⤵ PID:2344
  • C:\Users\Admin\AppData\Local\Temp\33A2.exe
    C:\Users\Admin\AppData\Local\Temp\33A2.exe
    1⤵ PID:1196

Network

MITRE ATT&CK Enterprise v15

Downloads
