Analysis
- max time kernel: 95s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 11/12/2023, 03:09
Behavioral task: behavioral1
- Sample: 0x0007000000014970-113.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: 0x0007000000014970-113.exe
- Resource: win10v2004-20231127-en
General
- Target: 0x0007000000014970-113.exe
- Size: 37KB
- MD5: cc479b599784116184dd5528c2903adb
- SHA1: 4331d7dc0fdeb8ff344862928f0d1f0d02b05ccc
- SHA256: a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
- SHA512: a0fd422cae04b37242362f941b048d3b3e7526a2ff1dcfe7702bd815b97c759909e9c5fcbcd11aca3b67a0595a2e6e87f25c71ad4906d460f3481e0a24ad9ef5
- SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2: http://81.19.131.34/fks/index.php
Extracted
- Family: redline
- Botnet: LiveTraffic
- C2: 77.105.132.87:6731
Extracted
- Family: redline
- Botnet: @oleh_ps
- C2: 176.123.7.190:32927
Extracted
- Family: smokeloader
- Botnet: up3
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-file-host6.com/
- C2: http://host-host-file8.com/
Signatures
- Glupteba payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2796-128-0x0000000002BB0000-0x000000000349B000-memory.dmp: family_glupteba
  behavioral1/memory/2796-130-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
  behavioral1/memory/2796-132-0x0000000000400000-0x0000000000D1C000-memory.dmp: family_glupteba
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/2680-12-0x00000000003D0000-0x000000000040C000-memory.dmp: family_redline
  behavioral1/memory/2248-35-0x0000000000FC0000-0x0000000000FFC000-memory.dmp: family_redline
  behavioral1/files/0x0008000000014df5-34.dat: family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid / Process:
  1232: Process not Found
- Executes dropped EXE (5 IoCs)
  pid / Process:
  2680: EE45.exe
  1724: F2F7.exe
  2248: F910.exe
  2260: InstallSetup9.exe
  752: toolspub2.exe
- Loads dropped DLL (3 IoCs)
  pid / Process:
  1724: F2F7.exe (3 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (0x0007000000014970-113.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (0x0007000000014970-113.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (0x0007000000014970-113.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process:
  2852: 0x0007000000014970-113.exe (2 entries)
  1232: Process not Found (62 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / Process:
  2852: 0x0007000000014970-113.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: SeShutdownPrivilege, 1232, Process not Found (3 entries)
  Token: SeDebugPrivilege, 2680, EE45.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  description / pid / Process / procid_target:
  PID 1232 wrote to memory of 2680, 1232 Process not Found, target 30 (4 entries)
  PID 1232 wrote to memory of 1724, 1232 Process not Found, target 32 (4 entries)
  PID 1232 wrote to memory of 2248, 1232 Process not Found, target 33 (4 entries)
  PID 1724 wrote to memory of 2260, 1724 F2F7.exe, target 34 (7 entries)
  PID 1724 wrote to memory of 752, 1724 F2F7.exe, target 35 (4 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth; command line given where it differs from the image path)
- C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe (PID 2852)
  command line: "C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
  Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EE45.exe (PID 2680)
  Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\F2F7.exe (PID 1724)
  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe (PID 2260)
    command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\Broom.exe (PID 1940)
  - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 752)
    command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 320)
      command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 2796)
    command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  - C:\Users\Admin\AppData\Local\Temp\tuc3.exe (PID 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    - C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp (PID 1044)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-TIC7J.tmp\tuc3.tmp" /SL5="$801F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  - C:\Users\Admin\AppData\Local\Temp\latestX.exe (PID 956)
    command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
- C:\Users\Admin\AppData\Local\Temp\F910.exe (PID 2248)
  Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\4637.exe (PID 2692)
- C:\Windows\system32\makecab.exe (PID 2536)
  command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211031134.log C:\Windows\Logs\CBS\CbsPersist_20231211031134.cab
- C:\Users\Admin\AppData\Local\Temp\5008.exe (PID 2612)
Network
MITRE ATT&CK Enterprise v15
Downloads