Analysis

  • max time kernel
    102s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2023, 03:01

General

  • Target

    aa96cbc9b53138883480cee00d2e6e41.exe

  • Size

    37KB

  • MD5

    aa96cbc9b53138883480cee00d2e6e41

  • SHA1

    6ee4d8308087e804e958012cb364e05b454c40fe

  • SHA256

    0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79

  • SHA512

    cad1962f44d941705d16d734fa88f15c8a56eba62c95c5648d7c24d87eef3c8e760a42642d2dbbae4a5f602274d4d775c4b6367751abf8922a96e9814b72aff3

  • SSDEEP

    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe
    "C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4516
  • C:\Users\Admin\AppData\Local\Temp\C35B.exe
    C:\Users\Admin\AppData\Local\Temp\C35B.exe
    1⤵
    • Executes dropped EXE
    PID:3376
  • C:\Users\Admin\AppData\Local\Temp\9CA5.exe
    C:\Users\Admin\AppData\Local\Temp\9CA5.exe
    1⤵
    • Executes dropped EXE
    PID:3832
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      PID:1140
      • C:\Users\Admin\AppData\Local\Temp\Broom.exe
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        3⤵
        PID:1296
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      2⤵
      PID:5108
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      2⤵
      PID:3212
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      2⤵
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp" /SL5="$801C4,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        3⤵
        PID:4124
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      2⤵
      PID:1236
  • C:\Users\Admin\AppData\Local\Temp\A205.exe
    C:\Users\Admin\AppData\Local\Temp\A205.exe
    1⤵
    • Executes dropped EXE
    PID:3124
  • C:\Users\Admin\AppData\Local\Temp\C899.exe
    C:\Users\Admin\AppData\Local\Temp\C899.exe
    1⤵
    PID:2904
  • C:\Users\Admin\AppData\Local\Temp\D79D.exe
    C:\Users\Admin\AppData\Local\Temp\D79D.exe
    1⤵
    PID:3468

Network

MITRE ATT&CK Enterprise v15


Downloads