Analysis
- max time kernel: 102s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2023, 03:01
Behavioral task: behavioral1
- Sample: aa96cbc9b53138883480cee00d2e6e41.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: aa96cbc9b53138883480cee00d2e6e41.exe
- Resource: win10v2004-20231127-en
General
- Target: aa96cbc9b53138883480cee00d2e6e41.exe
- Size: 37KB
- MD5: aa96cbc9b53138883480cee00d2e6e41
- SHA1: 6ee4d8308087e804e958012cb364e05b454c40fe
- SHA256: 0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79
- SHA512: cad1962f44d941705d16d734fa88f15c8a56eba62c95c5648d7c24d87eef3c8e760a42642d2dbbae4a5f602274d4d775c4b6367751abf8922a96e9814b72aff3
- SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
- 2022
- http://81.19.131.34/fks/index.php
Extracted: redline
- @oleh_ps
- 176.123.7.190:32927
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0009000000023116-18.dat | family_redline
  behavioral2/memory/3124-22-0x0000000000200000-0x000000000023C000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid | Process
  3292 | Process not Found
- Executes dropped EXE (3 IoCs)
  pid | Process
  3376 | C35B.exe
  3832 | 9CA5.exe
  3124 | A205.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aa96cbc9b53138883480cee00d2e6e41.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aa96cbc9b53138883480cee00d2e6e41.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aa96cbc9b53138883480cee00d2e6e41.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4516 | aa96cbc9b53138883480cee00d2e6e41.exe
  4516 | aa96cbc9b53138883480cee00d2e6e41.exe
  3292 | Process not Found (this row is repeated for all remaining IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4516 | aa96cbc9b53138883480cee00d2e6e41.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3292 wrote to memory of 3376 | 3292 | Process not Found | 105
  PID 3292 wrote to memory of 3376 | 3292 | Process not Found | 105
  PID 3292 wrote to memory of 3376 | 3292 | Process not Found | 105
  PID 3292 wrote to memory of 3832 | 3292 | Process not Found | 108
  PID 3292 wrote to memory of 3832 | 3292 | Process not Found | 108
  PID 3292 wrote to memory of 3832 | 3292 | Process not Found | 108
  PID 3292 wrote to memory of 3124 | 3292 | Process not Found | 109
  PID 3292 wrote to memory of 3124 | 3292 | Process not Found | 109
  PID 3292 wrote to memory of 3124 | 3292 | Process not Found | 109
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"
  PID: 4516
  signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\C35B.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C35B.exe
  PID: 3376
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\9CA5.exe
  command line: C:\Users\Admin\AppData\Local\Temp\9CA5.exe
  PID: 3832
  signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    PID: 1140
    - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
      PID: 1296
  - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    PID: 5108
  - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    PID: 3212
  - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    PID: 2988
    - C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp
      command line: "C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp" /SL5="$801C4,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      PID: 4124
  - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    PID: 1236
- C:\Users\Admin\AppData\Local\Temp\A205.exe
  command line: C:\Users\Admin\AppData\Local\Temp\A205.exe
  PID: 3124
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\C899.exe
  command line: C:\Users\Admin\AppData\Local\Temp\C899.exe
  PID: 2904
- C:\Users\Admin\AppData\Local\Temp\D79D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D79D.exe
  PID: 3468
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.2MB
  MD5: 7e41a1c24fc929332c543bbfcfe35e1c
  SHA1: 24bac343b1f9274d58000338ad6ca952d279e506
  SHA256: a74afcff220ef3684c8f4422fd6448d17b26559d8dcd334c2c94251fc7308bbe
  SHA512: 3eaf8594fdfc130d3e77bcce87352f31e2bb9a12f099c05aaf5e1c4ac84fc9385267c859882ae1bb674878630d8517c26448c765e52a4dbb53e77512f71bd611
- Filesize: 2.9MB
  MD5: 66de89cce68597992b191cdeb3315608
  SHA1: 5cf6e0281c763e3e19dcab2e51f60cf2e228b547
  SHA256: 24911be65b64e351baf52569600c765a87be757ae267331b0ab733f421f0043f
  SHA512: 62942fffb007857fcb9c6e7dc6f0ccce71bdb47abe8005866e75198aad9d943aebedb73f050159c573f1019358e44537f94e2a175456833d9915d4b035f834d4
- Filesize: 3.4MB
  MD5: ffc2a021479aa849e8a49f2998867f28
  SHA1: 03f251e2ee97c35985c95edaa874dd95b28b63aa
  SHA256: 447def5e41f9a1b3e57eae085d1289689d42a138395a54e8af046557e6bca193
  SHA512: 2228279ad8179545b3064bb36ec051e9719c8d03e472b7df67519a7e06702217011a8b4763e4a6e9a09f1333e2bef55f0d95f20b607614e0b4e97f739076d455
- Filesize: 20.7MB
  MD5: d0c59443e41e1160209139841fa39c9f
  SHA1: 76be0077ce9dc5ef6756b8c202a6d5d94c759535
  SHA256: de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c
  SHA512: d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28
- Filesize: 219KB
  MD5: 91d23595c11c7ee4424b6267aabf3600
  SHA1: ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
  SHA256: d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
  SHA512: cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b
- Filesize: 3.0MB
  MD5: d7366a2bdcd1d261bee21a0cf2545b9b
  SHA1: c192d32c6f19067902a0a60db9b2e104711d6f5e
  SHA256: 9c71381a583a3657051a5d09560cf4d36411c6e93e0bc6c487f433cd31223db7
  SHA512: 388798bdad8f550451cbf625765e41ce96605dea1c9f2fef3d6c51d1766d628ec91fb8a17f6c51e66a68a5a8e474d70d3041e842434035c8d582bc9af20fed48
- Filesize: 401KB
  MD5: f88edad62a7789c2c5d8047133da5fa7
  SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
  SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
  SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60
- Filesize: 1.4MB
  MD5: 10a7d69cbd21cea6d41ae8f3552cbc42
  SHA1: dcd78b08a28b642c442cce26a5d446d787ffd5cc
  SHA256: 8d94d29b15cbc3e250472461250fa1fc794a2022159c63efed70ff35d222c750
  SHA512: f5a119a9d7f8a6946ddbc7d695c81ec80fb9c360a3db69f9b43c325ed004c565142034564bdb4505cce80c159b1f8fd0f9d49e5f5610d509bcaf39d3ac319bf1
- Filesize: 2.3MB
  MD5: 77471d919a5e2151fb49f37c315af514
  SHA1: 0687047ed80aa348bdc1657731f21181995b654c
  SHA256: 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
  SHA512: 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844
- Filesize: 694KB
  MD5: 5525670a9e72d77b368a9aa4b8c814c1
  SHA1: 3fdad952ea00175f3a6e549b5dca4f568e394612
  SHA256: 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
  SHA512: 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 2.8MB
  MD5: 421ef4dbe8a259c2d4130b4220d504f5
  SHA1: 84d95e2d6d3a246e9a7b327ff52284e38c316680
  SHA256: d759a771ccadcdcd3cdf18f6345cd0748f6eda876294cf00f974189d815b4ed4
  SHA512: 3e1a3c9f1bafb14fa07f1ebb135d0379ac497e475d79158dfd0b5c02079af9f22cc54d537fa73c6a4a67a6ad5f88ca9159c1873a6e87724bdd3d0e58eae49377
- Filesize: 1.9MB
  MD5: 04cc956dec03d238571c1db53f8d1bcb
  SHA1: fd18a6f18cd2717821b9e54f0325d3a8db66a1cf
  SHA256: dfc5cb8800d467acf4089ecbae8872d2d6606bb63b71aa77d00b6bdbc5dde420
  SHA512: d7594603e1f08045ae1b05af8da496b3e247f8b3aef617e35dd71d02e3daa295dc51c13a33a4ef0b332e2f657c7cb9fa1ff6f6d78a756eaa37c26c1f961c9eef
- Filesize: 291KB
  MD5: cde750f39f58f1ec80ef41ce2f4f1db9
  SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
  SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
  SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580
- Filesize: 3.3MB
  MD5: e304dd37525095c4b9a36b2a56fdafe9
  SHA1: db85880cf6177ae268473f1932f57978b77766d0
  SHA256: fcae9d5dad0ac7fc09e21aac66417762ae3ce830cb7483cd082e49fcc770e419
  SHA512: 39c40b9f9698d83c030ff75a1edef84a1ace004ad3d6c7c8155149c20c8a81520af1ff68748ecd158216117e9bec39e5b08b6a9987e8a2a8a14cada00e81aa7f
- Filesize: 2.7MB
  MD5: f20c1b59a919b1e412c1de88d0b9e1ea
  SHA1: 069a5af013c041fcb78525ae68c6c8c6da84c789
  SHA256: 4e7a8dd6276583bd9600ae16c8724459897dd13c5bdcb2124f245c803dee0eb7
  SHA512: bf17ac4fe4f6e410613f63c1418e911ee36b202db770e50563008edb62a3324b3036002668df040b8e58cc5aa38b2e87a25d69f2a6b2ab78e5f860a53fdfa15f
- Filesize: 2.2MB
  MD5: e51631776ba9e9b5aeead61bea651b76
  SHA1: 47654f815ee15a01bf7bd662b27358d5700316af
  SHA256: 9fdae4bae589d7def17c618cbf42ee4c782634338bcbe0b9b013a9c6c965aca2
  SHA512: 4642de47c6ee1a5aa22cce664103c81d9a9dff8fd7b5a1c2cdce118c13fdf9d24385c70c558215c943a8a42ac17e7cd58be22e6806f58f9b6720934732e54019