Analysis
max time kernel 81s
max time network 94s
platform windows10-2004_x64
resource win10v2004-20231127-en
resource tags arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted 11/12/2023, 03:14
Behavioral task
behavioral1
Sample
0x0007000000014970-113.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
0x0007000000014970-113.exe
Resource
win10v2004-20231127-en
General
Target 0x0007000000014970-113.exe
Size 37KB
MD5 cc479b599784116184dd5528c2903adb
SHA1 4331d7dc0fdeb8ff344862928f0d1f0d02b05ccc
SHA256 a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb
SHA512 a0fd422cae04b37242362f941b048d3b3e7526a2ff1dcfe7702bd815b97c759909e9c5fcbcd11aca3b67a0595a2e6e87f25c71ad4906d460f3481e0a24ad9ef5
SSDEEP 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted
Family smokeloader
Version 2022
C2 http://81.19.131.34/fks/index.php
Extracted
Family redline
Botnet LiveTraffic
C2 77.105.132.87:6731
Extracted
Family redline
Botnet @oleh_ps
C2 176.123.7.190:32927
Two distinct RedLine configurations (different botnet tags and C2 endpoints) were extracted, so the SmokeLoader stage delivered two separate RedLine payloads in this run.
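The extracted configuration is only useful once it is turned into something that runs over your own telemetry. The following is an added example (not part of the tria.ge report) in Python: it takes the SmokeLoader gate URL and the two RedLine ip:port pairs from the Malware Config above and scans two constructed log formats, a Zeek-style conn.log and a minimal proxy access log. Only the C2 values come from the report; the log lines, the proxy line layout and the confidence labels are assumptions of this example. A full ip+port or full URL match is reported as "high"; traffic to a C2 host on some other port or path is reported as "low" so an analyst still sees it.

```python
"""Network detection for the C2 values in the report's Malware Config.

Added example for this report, not part of the tria.ge output. The C2 URL,
IPs and ports are copied from the report; the log lines and their formats
(a Zeek-style conn.log and a simple proxy access log) are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators from the report ("Malware Config" -> Extracted).
SMOKELOADER_C2 = "http://81.19.131.34/fks/index.php"
REDLINE_C2 = {  # (ip, port) -> botnet label
    ("77.105.132.87", 6731): "LiveTraffic",
    ("176.123.7.190", 32927): "@oleh_ps",
}
C2_HOSTS = {urlsplit(SMOKELOADER_C2).hostname: "smokeloader"}
C2_HOSTS.update({ip: "redline" for ip, _ in REDLINE_C2})


@dataclass(frozen=True)
class Hit:
    line_no: int
    family: str
    confidence: str  # "high": ip+port or full URL matched; "low": host only
    detail: str


def _conn_fields(line):
    """Zeek conn.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p ..."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 6 or not (parts[3].isdigit() and parts[5].isdigit()):
        return None
    return parts[2], int(parts[3]), parts[4], int(parts[5])


def _proxy_fields(line):
    """Constructed proxy format: '<ts> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 4 or not parts[3].startswith(("http://", "https://")):
        return None
    return parts[1], parts[3]


def scan(lines):
    """Return one Hit per log line that touches a known C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        conn = _conn_fields(line)
        if conn:
            src, _, dst, dport = conn
            if (dst, dport) in REDLINE_C2:
                hits.append(Hit(n, "redline", "high",
                                f"{src} -> {dst}:{dport} botnet {REDLINE_C2[(dst, dport)]}"))
            elif dst in C2_HOSTS:
                hits.append(Hit(n, C2_HOSTS[dst], "low",
                                f"{src} -> {dst}:{dport} known C2 host, unexpected port"))
            continue
        proxy = _proxy_fields(line)
        if proxy:
            src, url = proxy
            host = urlsplit(url).hostname
            if url == SMOKELOADER_C2:
                hits.append(Hit(n, "smokeloader", "high", f"{src} -> {url} (C2 gate URL)"))
            elif host in C2_HOSTS:
                hits.append(Hit(n, C2_HOSTS[host], "low", f"{src} -> {url} known C2 host, other path"))
    return hits


# Constructed sample: a RedLine beacon, a benign TLS flow, a flow to a RedLine
# host on an unexpected port, the SmokeLoader gate POST, and a benign GET.
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1702264500.1\tCabc1\t10.0.0.15\t49712\t77.105.132.87\t6731\ttcp",
    "1702264501.2\tCabc2\t10.0.0.15\t49713\t142.250.74.46\t443\ttcp",
    "1702264502.3\tCabc3\t10.0.0.22\t49800\t176.123.7.190\t443\ttcp",
    "1702264503 10.0.0.15 POST http://81.19.131.34/fks/index.php 200",
    "1702264504 10.0.0.15 GET http://example.com/ 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.family} [{h.confidence}] {h.detail}")
```

Running it on SAMPLE_LOG yields three hits: the RedLine beacon on line 2, a low-confidence host match on line 4 and the SmokeLoader gate request on line 5. The host-only match matters in practice because RedLine operators rotate ports on the same server more often than they rotate addresses.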
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule
behavioral2/memory/2940-12-0x0000000003020000-0x000000000305C000-memory.dmp family_redline
behavioral2/files/0x00090000000233da-46.dat family_redline
behavioral2/memory/4216-49-0x0000000000FC0000-0x0000000000FFC000-memory.dmp family_redline
The two memory hits are in PID 2940 (1807.exe) and PID 4216 (E2EB.exe), which matches the two RedLine configurations extracted above; all three hits come from the Windows 10 task (behavioral2).
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process
3272 Process not Found
-
Executes dropped EXE 1 IoCs
pid Process
2940 1807.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and session tokens.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
The subkey names under Enum\SCSI embed each disk's vendor and product strings, which on a VM or sandbox usually name the hypervisor's virtual disk; samples read them to decide whether they are being analysed before running their payload.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x0007000000014970-113.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x0007000000014970-113.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0x0007000000014970-113.exe
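What the sample is looking at when it opens, queries and enumerates that key is shown by the added Python example below (not part of the tria.ge report). It parses Enum\SCSI subkey names of the form Disk&Ven_<vendor>&Prod_<product> and scores them the way an evasive loader would; the marker list and the sample key names are constructed to look like real VMware, VirtualBox and physical-disk entries. The read_scsi_keys helper enumerates the live key with winreg on Windows, mirroring the open/query/enumerate sequence in the IoCs; everything else runs anywhere.

```python
"""Why the sample reads HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI: the subkey names
carry the disk vendor/product identifiers, which on a sandbox or VM usually
name the hypervisor's virtual disk.

Added example for this report, not part of the tria.ge output. The marker
list and the sample key names are constructed to look like real entries.
"""
import re

# Vendor/product fragments that identify a virtual disk (constructed list).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "virtio", "xen", "msft")

# Enum\SCSI subkeys look like "Disk&Ven_<vendor>&Prod_<product>" (vendor may be empty).
_KEY_RE = re.compile(r"^(?P<kind>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)")


def parse_scsi_key(name):
    """Split an Enum\\SCSI subkey name into device kind, vendor and product."""
    m = _KEY_RE.match(name)
    return m.groupdict() if m else None


def looks_virtual(name):
    """True if the vendor/product text contains a known virtual-disk marker."""
    parsed = parse_scsi_key(name)
    if parsed is None:
        return False
    text = f"{parsed['vendor']} {parsed['product']}".replace("_", " ").lower()
    return any(marker in text for marker in VM_MARKERS)


def classify(names):
    """Group subkey names the way an evasive sample would score them."""
    out = {"virtual": [], "physical": [], "unparsed": []}
    for name in names:
        if parse_scsi_key(name) is None:
            out["unparsed"].append(name)
        elif looks_virtual(name):
            out["virtual"].append(name)
        else:
            out["physical"].append(name)
    return out


def read_scsi_keys(control_set="CurrentControlSet"):
    """Windows only: enumerate the live key, as the sample did (ControlSet001 in the report)."""
    import winreg  # not available off Windows; imported here so the rest runs anywhere
    path = "SYSTEM\\" + control_set + "\\Enum\\SCSI"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                return names
            index += 1


# Constructed sample: two VMware entries, one VirtualBox, two physical, one junk.
SAMPLE_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ-000L7",
    "Disk&Ven_&Prod_WDC_WD10EZEX-00BN5A0",
    "not-a-scsi-key",
]

if __name__ == "__main__":
    for bucket, names in classify(SAMPLE_KEYS).items():
        print(bucket, names)
```

On an unmodified analysis VM the first three names are what the sample finds, which is why sandboxes that want this family to detonate rewrite those identifiers. The reverse use is also practical: run read_scsi_keys on your own sandbox image and make sure classify puts nothing in the "virtual" bucket.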
Runs net.exe
In this run the invocation is net helpmsg 1 under tuc3.tmp (see the process tree): a Windows built-in that prints the text for Win32 error code 1, which is low-signal on its own and here belongs to the installer stage rather than the loader.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1572 0x0007000000014970-113.exe (2 entries)
3272 Process not Found (the remaining 62 entries)
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
1572 0x0007000000014970-113.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process
Token: SeShutdownPrivilege 3272 Process not Found (7 entries)
Token: SeCreatePagefilePrivilege 3272 Process not Found (7 entries)
Token: SeDebugPrivilege 2940 1807.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 3272 wrote to memory of 2940 3272 Process not Found 102 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child nesting; the 1⤵ … 5⤵ markers of the original are that depth). Command lines are given as the sandbox recorded them, followed by the PID.

"C:\Users\Admin\AppData\Local\Temp\0x0007000000014970-113.exe"  PID 1572
    signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\1807.exe  PID 2940
    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\E069.exe  PID 2236
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"  PID 1148
        C:\Users\Admin\AppData\Local\Temp\Broom.exe  PID 2948
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"  PID 3976
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"  PID 1596
    "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"  PID 4624
        "C:\Users\Admin\AppData\Local\Temp\is-L5KAS.tmp\tuc3.tmp" /SL5="$501F0,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"  PID 548
            "C:\Windows\system32\schtasks.exe" /Query  PID 1376  (image C:\Windows\SysWOW64\schtasks.exe)
            "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i  PID 316
            "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s  PID 4596
            "C:\Windows\system32\net.exe" helpmsg 1  PID 1680  (image C:\Windows\SysWOW64\net.exe)
                C:\Windows\system32\net1 helpmsg 1  PID 4816  (image C:\Windows\SysWOW64\net1.exe)
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"  PID 4812
C:\Users\Admin\AppData\Local\Temp\E2EB.exe  PID 4216
C:\Users\Admin\AppData\Local\Temp\F27C.exe  PID 1384

Notes on reading the tree:
1807.exe, E069.exe, E2EB.exe and F27C.exe appear at the top level only because their parent, PID 3272, is not in the sandbox's process list (it shows as "Process not Found" in the signatures); the WriteProcessMemory entries record PID 3272 writing into 1807.exe (PID 2940).
The schtasks.exe, net.exe and net1.exe command lines name C:\Windows\system32\ while the recorded images live in C:\Windows\SysWOW64\: tuc3.tmp is a 32-bit process, so WoW64 file-system redirection resolved the path.
The xrecode3.exe -i / -s runs, schtasks /Query and net helpmsg 1 all descend from the tuc3 installer stage, not from the loader itself, which is worth keeping in mind when the "Runs net.exe" and Task Scheduler signatures are triaged.
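The tree above has a shape that is easy to turn into a detection: payloads with four-hex-character names (1807.exe, E069.exe, E2EB.exe, F27C.exe) run from %TEMP% by a parent the sandbox never saw, and a %TEMP% installer stage that spawns schtasks.exe and net.exe. The following added Python example (not part of the tria.ge report) runs those three rules over process-creation events. The event records are constructed to mirror the tree; the only parent relation the report itself states is PID 3272 writing into 1807.exe (PID 2940), every other ppid value is assumed, and the two benign events at the end are invented controls.

```python
"""Detection logic for the process-tree pattern in this report: payloads with
four-hex-character names executed from %TEMP% by a parent the sandbox never
saw ("Process not Found"), plus a %TEMP% installer stage that launches
schtasks.exe and net.exe.

Added example for this report, not part of the tria.ge output. The event
records are constructed to mirror the tree; parent PIDs other than the
3272 -> 2940 relation shown by the WriteProcessMemory entries are assumed.
"""
import ntpath
import re

HEX_NAME = re.compile(r"^[0-9A-F]{4}\.exe$", re.IGNORECASE)
TEMP_MARKER = "\\appdata\\local\\temp\\"
NOISY_CHILDREN = {"schtasks.exe", "net.exe", "net1.exe"}


def _in_temp(image):
    return TEMP_MARKER in image.lower()


def find_suspicious(events):
    """Return [(pid, [reasons...])] for events matching the report's patterns."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        image = e["image"]
        if not _in_temp(image):
            continue  # every rule here is scoped to %TEMP% executables
        reasons = []
        if HEX_NAME.match(ntpath.basename(image)):
            reasons.append("four-hex-char payload name in %TEMP%")
        if e["ppid"] not in by_pid:
            reasons.append("parent not in telemetry")
        if any(ntpath.basename(c["image"]).lower() in NOISY_CHILDREN
               for c in children.get(e["pid"], [])):
            reasons.append("launches schtasks.exe/net.exe")
        if reasons:
            findings.append((e["pid"], reasons))
    return findings


T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [  # constructed from the report's tree; PID 3272 is deliberately absent
    {"pid": 1572, "ppid": 3272, "image": T + "0x0007000000014970-113.exe"},
    {"pid": 2940, "ppid": 3272, "image": T + "1807.exe"},
    {"pid": 2236, "ppid": 3272, "image": T + "E069.exe"},
    {"pid": 4624, "ppid": 2236, "image": T + "tuc3.exe"},
    {"pid": 548,  "ppid": 4624, "image": T + "is-L5KAS.tmp\\tuc3.tmp"},
    {"pid": 1376, "ppid": 548,  "image": "C:\\Windows\\SysWOW64\\schtasks.exe"},
    {"pid": 1680, "ppid": 548,  "image": "C:\\Windows\\SysWOW64\\net.exe"},
    {"pid": 4216, "ppid": 3272, "image": T + "E2EB.exe"},
    {"pid": 4000, "ppid": 1,    "image": "C:\\Windows\\explorer.exe"},
    {"pid": 5000, "ppid": 4000, "image": "C:\\Program Files\\Vendor\\app.exe"},
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The "parent not in telemetry" rule is the interesting one: on a real endpoint it fires when the parent started before the sensor did or when the sensor lost the creating process, both of which deserve a look, while the hex-name rule alone would also catch legitimate temporary installers and should be paired with the parent check as it is here.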
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 163KB
MD5 b365d5a9f52f871044f61011e496cbdf
SHA1 13a248939be980d240b20e8ef72334b2eb749d47
SHA256 a94b2bc157dcf54099ff1a80dcc49fc2433fcd48a6048ead44efb177576666b8
SHA512 3f1869957fb7ac9f4278ac160518bad244bf634309c1b0f649f3ea89939931f5924e72b6d2cd9075a158ac135226020e11352743c73096324ddea0b6e769aa17
-
Filesize 391KB
MD5 dc03cfc87ab203f5d439f65962d95e92
SHA1 2afc0b770115492339137a987b8bbb31c9909aa1
SHA256 7c4fa22ed82dae8c25c0fe27ddc4ba39e105a59a962c5b2d1b9e707370de2c5b
SHA512 0e892499f62548eae2b8365c319151c8823296e2766a2b994388a95d7a1ad691ecd5ae4093fb2faa316d08d2aa60fdd3c6328a9e11f925bb38c0ab102dfa65cb
-
Filesize 129KB
MD5 21f912f210419128e7c04c04f9de7920
SHA1 6cc2d8bfbed4fc297c68e6925b378663d1a2f48c
SHA256 a0811f0bac71bbc9205110757b302a9b4d829df3b673f2b1ec9c5e4b7e1095a6
SHA512 273bdbcc519f35de7fc8834caa8ed755beb5b9042a42f8451e588d092f440e5a4ee94474dc188e17b44d02f696faa0005f2d19b52458e94f5bbb23549d2c468f
-
Filesize 401KB
MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60
-
Filesize 816KB
MD5 8de8917e309208915990a95180c47ae0
SHA1 906a5eaf56a2e15511bd99a17245d47c47368ed5
SHA256 55bd32d4f7e9d331008c607d2fb618590630d9b6cc79d180cd7ace4cc8834bdd
SHA512 be4764da1a8123bb3f3d4e9793d044f5a3e8699df159a535f1ae82ecb89c4ef3e3f63a8c1cdd32661f4158ca439089bb5111b86e8631ac52be373064e462c475
-
Filesize 621KB
MD5 702222f0bed54a930463e50f1e9cb8ee
SHA1 aaff4dd1acb5106062a6d67a5f5d07490dfdc1d5
SHA256 17986e57c6b160834b0d844781bcce59b0173e55455717f9f7d233d99d707b5d
SHA512 81d93cff9a55ddc71a9b3819741a078e8c6e53eab771c7f2bab250ed3f069cc4142b741c512a7430ba64ef89dfc4ef77769e9dd2a4eedc89bdfc52b13f911f73
-
Filesize 704KB
MD5 65b02fa69ab9d24b4dcc9c5140a37a5f
SHA1 ca435e858dabc37d820e9f60212ec9f0fd20f54f
SHA256 3a5d6b36be69175977fa2613a74ffa9a2eb4c9520e15a28be70aa5c801307ef1
SHA512 41e329b65e9b00f9ce8ff25fef26db83d962ccb93220987ba4aaaa377862ac6f0dec13d274e7f4797257c5920c1f275b7bdec4fcf2290d0093d8d784fe7d7388
-
Filesize 540KB
MD5 ce0c881dde669a80ce0960f90389a061
SHA1 da8834104ea05326300abb6dcef95729e8ef5a68
SHA256 d0ed07e17acad95e07ac7f8e3a6b03fed82e682c25772e82fec837ec0993a2f9
SHA512 e98950620b922cdfcf25c4fbee22dffdcb6e51700573c3707d9b1b01fc256add11477312062dcbda65d80b74f7fc54f16307890cf894679ca21c7071fcc5012f
-
Filesize 1.8MB
MD5 6c993484f6d45bfd9d0e7fd8481e1e0e
SHA1 1af1afaa4c518f8e856ab5d0ce756da838c013d7
SHA256 f86094034e417dad951bb7145ed5cd20bfb2d3b02009557ccaaab7425401a126
SHA512 e26ca2b44493d01309bc1078849e7de4f44e9134e79ea411b7349b9eff192c7f3e096a2e1e4b238f4277b6f1804b9e6cf85ec0a06a5cc226dc655baac02edb3b
-
Filesize 2.1MB
MD5 58bd3d124dbafffb7ff24ef86159f969
SHA1 eac7bf63c63e6b369012fa550ee2aad88e679276
SHA256 c961cac47927c87b96b84877da9edac5612ed53daef01e3d8a9feca2bfbdd09d
SHA512 46d7046a95b3a45d2b1f7e0bc682198d1867fc4308dd002e3d89c6c9815db0b68e1e5c7d364b55e07ba0f3cbf39fc065b53ca61ea84348b35ad4f6f210bbb4d1
-
Filesize 219KB
MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b
-
Filesize 323KB
MD5 cc2501300d41433559a6ea42baaaa87e
SHA1 3e951489fc2e1ba11d60f8c8af124ab636a0a30a
SHA256 08ba2abb8c863ce1629d574856f1f341c0eb8119bda8f0c39c35e4c56b359fe9
SHA512 aa2dd3eb7e8e6e1643a8ebbb59cc738b137edb40ab31f78083c233d0d138f36366ac5c420d523cfa2f811283555881698386e3f74bb24326cce1812c7ad1bf84
-
Filesize 218KB
MD5 9e0b9926679b39e34f46a97d82577dd2
SHA1 5f3ad2343f98b97e4ca4ec0874cb8f9acbc4ba31
SHA256 dd47b5969e98735684e44c07bdfb3366162ba141e2e4cd5524ef41fc2c980c06
SHA512 85510cd4de855e8c1b19ac25ca67c09fca955c9fa0bec592e7e9e09c91c1d752bdf4e60491d44ca8ac40382b2897ea816d8f959f8cea707ef0fb4fc2bf776ae5
-
Filesize 791KB
MD5 3d206fc22c02d16f536621fc9c80c465
SHA1 2ede51aee2ca72d825e39b945a3b575e0dafbb77
SHA256 4fe016dcc4c5cc69bbbf05eea5428c8cddfa598250b5472db61daebcdea05e07
SHA512 cd2a7f275684de8c862542dfc81158bb25ddb6cb7feb3dc147ede44738767db54c1e6bf7a4c4e83275b9f2046afa26af119b96aaf2893f8d2e0858776e2ff100
-
Filesize 943KB
MD5 baa2da75e0d013177899f3e5b9cf385b
SHA1 0a10ff5f18e1f9b0da042c1c4e8492a6e3786c2c
SHA256 b2611ffcb49fc617ba80771232f061fcb9161b41f4a43cd7bf1e5f6d6551293b
SHA512 35eaa9f70877831780dcfb696e927dadfc18068102e3ab5ba19b8dfb553f081a4b82ef95f4618792cf7e9d09207fb281ebbff38ff87b184079fd0547d567bd8e
-
Filesize 558KB
MD5 530ad889cd20252d186ccff2e2e879d3
SHA1 362e59be2a71629214d59976f7276ad8ccef52fb
SHA256 66ba6152edae3b984f7d6f489e6ac38e8f7e84952db7bbe904dbe9adf07f8281
SHA512 90e9027cca9b9060be1a65f3681173c4cf30b19c66fe3be061eb3bc931c0a4ea6389cc308b38a33e888795bf19239bc031487c5a839d8c218358faa5afd1a834
-
Filesize 2KB
MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize 13KB
MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize 79KB
MD5 3659aa7fd0429bf23260edd5c7fc4cfe
SHA1 6f37c3b49d27930c9cb8820da0f2c80e5a08d45f
SHA256 ae2c2f3929715ea631ff82a0f303f4fbfe1ea3a8d18516fa52feccbaba81d080
SHA512 845993dfe019cfc89c40f77540c757ee89b070dec5a268ee8be56e1b329b257a924cdccf688fd9dc719929be185443f772d5f0b24aea0bbaf876525b544c481a
-
Filesize 1KB
MD5 dcc391f875f163582ad987b1d81af38b
SHA1 e6d99f84192c8208a21b6465f11b8dc04041430d
SHA256 0ef8b30c7f7f46da3e3d4181a01db4998087e568adcc835968b478a6f985a84a
SHA512 fa9af6c3d8e3fbafe1525a3b0f3dec86211b126a6c0e0cecb25395a03c6c78c2d4cf30e8a22ba32175862ed5eb0bb14f01ec933e5756ccd9d2d1e154bff279fa
-
Filesize 64KB
MD5 e77422fac1e9d2d11cf7f1c1d57071a4
SHA1 53e63414263dc20ea044c6cbb4fb4fc2c2be6140
SHA256 9d0cfbb7bb8da895a7f43758556217bf4c00b5c335c56b1f765c14069993e320
SHA512 d2b84dd99814d55c541f02452eac9c9344bfd838d1f8b73a07bcc3193b9122176ffee19a182712b0ea646fb9e4b306732940efb0f38f0903d98788ecf2495f53
-
Filesize 880KB
MD5 ceb7b6de2781f90b51641fbd89e0d387
SHA1 099c9efc0ea74089da601c1f8d7fb260e296c9d9
SHA256 1bbdc276dfcd8768bfc8659887d307a41d8bd73f76b2ce671257bd4d6e9373d3
SHA512 b2b1528236734421ef589014e78e0d10e5c295f9058ddfa5fe83b82afe219402f3e099feb212098773c7cd3b5f9b66861065d064ffff191fc6b5b5dc4a404210
-
Filesize 291KB
MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580
-
Filesize 534KB
MD5 4143a3040f0296f56986d1d2db61e0a3
SHA1 c43f1398b35656d090feb1211439e990a4546048
SHA256 37fa015655fec8c85f36f52e805d3706b873514258fe9ccdcd63014aeee99209
SHA512 bc57d43581d630b5c301592f3fe6a659764f45289b766db7d17d64f12d1ef08aa5139dd079068c2925c88308fe926a3972dfd17834d78cd382066a7c0db5c1f3
-
Filesize 1.4MB
MD5 54eb949c88b8f80abe56663f76ff83ec
SHA1 b81d4a43d7ca071862979770b04b4c9164247d92
SHA256 09f0c100b01c4b4ea7c8ad2bca7e639c0555985139e509b821b5d56c6969f4e4
SHA512 db723ed74024d76a8b70682d56b11c56b68e964edabb033754ee1ec69f81675210e6a1621d1c84277cdca290f89d4dd692ed30fa078c5d9f06c41bfa2fc4f4d6
-
Filesize 385KB
MD5 6de69fc3a9c9a4c412f36d9f36050e8e
SHA1 ecfd2278db738b0ade1420ff39c551026482f229
SHA256 d3f9309eb142bfd633097bff7abc1b93db3c33b3ca1d210a1e51ed259264eed4
SHA512 1164a43ae88703ab788d7f8d69197234b103d237e4ca84acce06ff381012c14524e5e379f5eac79bd726ab0a8d9515923d63366fbc3da9e863ecbf0424a7eb2b
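The hash list is most useful as a lookup table that tolerates whatever algorithm your EDR or file-integrity export happens to carry. The added Python example below (not part of the tria.ge report) builds one index over every digest in the table and matches either pre-computed digests from an export or raw file contents hashed in one streaming pass. The three dropped-file rows and the sample's hashes are copied from this report; the table is deliberately a subset (extend it with the remaining rows), the export row format is assumed, and the test inputs are constructed.

```python
"""Match file hashes from an EDR or file-integrity export against the hashes
this report lists for the sample and the files it dropped.

Added example for this report, not part of the tria.ge output. The digest
values are copied from the report (a subset; add the rest as needed); the
export row format (path, hex digest) is an assumption of this example.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# (label, md5, sha256) rows copied from the report.
REPORT_HASHES = [
    ("sample 0x0007000000014970-113.exe",
     "cc479b599784116184dd5528c2903adb",
     "a898b42ab81022e5adc0d8d69dc7b0a0eec30eb122d0024f3e28334bd134e3eb"),
    ("dropped file, 163KB",
     "b365d5a9f52f871044f61011e496cbdf",
     "a94b2bc157dcf54099ff1a80dcc49fc2433fcd48a6048ead44efb177576666b8"),
    ("dropped file, 391KB",
     "dc03cfc87ab203f5d439f65962d95e92",
     "7c4fa22ed82dae8c25c0fe27ddc4ba39e105a59a962c5b2d1b9e707370de2c5b"),
    ("dropped file, 2.1MB",
     "58bd3d124dbafffb7ff24ef86159f969",
     "c961cac47927c87b96b84877da9edac5612ed53daef01e3d8a9feca2bfbdd09d"),
]


def build_index(entries):
    """Map every known digest (lower-case hex) to its label, whatever the algorithm."""
    index = {}
    for label, *values in entries:
        for value in values:
            index[value.lower()] = label
    return index


def digests(data, chunk_size=1 << 20):
    """Compute all four digests in one pass over a bytes object or a binary stream."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    if isinstance(data, (bytes, bytearray)):
        view = memoryview(data)
        chunks = (view[i:i + chunk_size] for i in range(0, len(view), chunk_size))
    else:
        chunks = iter(lambda: data.read(chunk_size), b"")
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match(export_rows, index):
    """export_rows: iterable of (path, hex_digest) as an EDR export would give them."""
    return [(path, index[d.lower()]) for path, d in export_rows if d.lower() in index]


def match_content(files, index):
    """files: {name: bytes}; hash each blob and look every digest up in the index."""
    hits = []
    for name, blob in files.items():
        for value in digests(blob).values():
            if value in index:
                hits.append((name, index[value]))
                break
    return hits


if __name__ == "__main__":
    idx = build_index(REPORT_HASHES)
    rows = [("C:\\Users\\Admin\\AppData\\Local\\Temp\\x.exe", "CC479B599784116184DD5528C2903ADB")]
    print(match(rows, idx))
```

Case is normalised because exports from different products disagree on it, and the single-pass digests function matters when the same sweep has to feed MD5-only and SHA-256-only tooling from large files.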