Analysis
max time kernel: 118s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/12/2023, 03:09
Behavioral task behavioral1
Sample: 0x0007000000014970-113.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: 0x0007000000014970-113.exe
Resource: win10v2004-20231127-en
General
Target: 0x0007000000014970-113.exe
Size: 37KB
MD5: cc479b599784116184dd5528c2903adb
SHA1: 4331d7dc0fdeb8ff344862928f0d1f0d02b05ccc
SHA256: a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
SHA512: a0fd422cae04b37242362f941b048d3b3e7526a2ff1dcfe7702bd815b97c759909e9c5fcbcd11aca3b67a0595a2e6e87f25c71ad4906d460f3481e0a24ad9ef5
SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
  2022
  http://81.19.131.34/fks/index.php
Extracted: redline
  @oleh_ps
  176.123.7.190:32927
Extracted: smokeloader
  up3
Signatures
Glupteba payload (2 IoCs)
resource                                                                       yara_rule
behavioral2/memory/4640-261-0x0000000002D80000-0x000000000366B000-memory.dmp  family_glupteba
behavioral2/memory/4640-263-0x0000000000400000-0x0000000000D1C000-memory.dmp  family_glupteba
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource                                                                       yara_rule
behavioral2/files/0x00090000000230df-19.dat                                    family_redline
behavioral2/memory/4376-22-0x0000000000120000-0x000000000015C000-memory.dmp    family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Deletes itself (1 IoCs)
pid    Process
3408   Process not Found
Executes dropped EXE (3 IoCs)
pid    Process
3420   898E.exe
1104   6C5D.exe
4376   716F.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description      ioc                                                Process
Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x0007000000014970-113.exe
Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x0007000000014970-113.exe
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x0007000000014970-113.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process
4476   0x0007000000014970-113.exe (2 entries)
3408   Process not Found (remaining 62 entries, identical)
Suspicious behavior: MapViewOfSection (1 IoCs)
pid    Process
4476   0x0007000000014970-113.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description                         pid    Process             procid_target
PID 3408 wrote to memory of 3420    3408   Process not Found   104   (3 entries)
PID 3408 wrote to memory of 1104    3408   Process not Found   108   (3 entries)
PID 3408 wrote to memory of 4376    3408   Process not Found   109   (3 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; nesting depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    PID: 4476
[1] C:\Users\Admin\AppData\Local\Temp\898E.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\898E.exe
    Executes dropped EXE
    PID: 3420
[1] C:\Users\Admin\AppData\Local\Temp\6C5D.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6C5D.exe
    Executes dropped EXE
    PID: 1104
    [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
        PID: 548
        [3] C:\Users\Admin\AppData\Local\Temp\Broom.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\Broom.exe
            PID: 1824
    [2] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        PID: 1364
        [3] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
            PID: 2976
    [2] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        PID: 4640
    [2] C:\Users\Admin\AppData\Local\Temp\tuc3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        PID: 3324
        [3] C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-A6U2Q.tmp\tuc3.tmp" /SL5="$7022E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
            PID: 4524
            [4] C:\Program Files (x86)\xrecode3\xrecode3.exe
                Command line: "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
                PID: 4920
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\system32\schtasks.exe" /Query
                PID: 5056
            [4] C:\Windows\SysWOW64\net.exe
                Command line: "C:\Windows\system32\net.exe" helpmsg 1
                PID: 4956
                [5] C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 helpmsg 1
                    PID: 532
            [4] C:\Program Files (x86)\xrecode3\xrecode3.exe
                Command line: "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
                PID: 4472
    [2] C:\Users\Admin\AppData\Local\Temp\latestX.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        PID: 2072
[1] C:\Users\Admin\AppData\Local\Temp\716F.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\716F.exe
    Executes dropped EXE
    PID: 4376
[1] C:\Users\Admin\AppData\Local\Temp\C906.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C906.exe
    PID: 2688
[1] C:\Users\Admin\AppData\Local\Temp\E45F.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E45F.exe
    PID: 1800
Network
MITRE ATT&CK Enterprise v15
Downloads