Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2023, 03:22
Behavioral task: behavioral1
- Sample: ac026bee297cb9c7852863cb13154b84.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: ac026bee297cb9c7852863cb13154b84.exe
- Resource: win10v2004-20231130-en
General
- Target: ac026bee297cb9c7852863cb13154b84.exe
- Size: 37KB
- MD5: ac026bee297cb9c7852863cb13154b84
- SHA1: aa76e5d1598afe2e1f7d55c5d1728857bea263c7
- SHA256: eb8fdac6122db3911fb94887b8b56997a7eace7e65158d681906f194bfe3979d
- SHA512: 0a51efec9448885f2dd1aa4da2fa5569aa8c743c78098c1542641283b814338d8d196d5839697a44142044c819ef48cf48122d80a9b82c81b72574ba157836e3
- SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
- Extracted: smokeloader
  Version: 2022
  C2: http://81.19.131.34/fks/index.php
- Extracted: redline
  Botnet: LiveTraffic
  C2: 77.105.132.87:6731
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1080-12-0x0000000000F50000-0x0000000000F8C000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid | Process
  3276 | Process not Found
- Executes dropped EXE (1 IoC)
  pid | Process
  1080 | A7D9.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac026bee297cb9c7852863cb13154b84.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac026bee297cb9c7852863cb13154b84.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac026bee297cb9c7852863cb13154b84.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4900 | ac026bee297cb9c7852863cb13154b84.exe (2 rows)
  3276 | Process not Found (this row is repeated for all remaining IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4900 | ac026bee297cb9c7852863cb13154b84.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3276 | Process not Found
  Token: SeCreatePagefilePrivilege | 3276 | Process not Found
  (the two rows above alternate for all 14 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 3276 wrote to memory of 1080 | 3276 | Process not Found | 102 (3 identical rows)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac026bee297cb9c7852863cb13154b84.exe"
  PID: 4900
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\A7D9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A7D9.exe
  PID: 1080
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 139KB
  MD5: 9a957e739edac052e617e67c8e68aa40
  SHA1: ecd030f83acca28dae9ec0567839db4e3d5cac1e
  SHA256: 611614199c1c92a88b8ab0de739b40a6d97c88112b70251c3d10a0db356c0d1d
  SHA512: 120a71efb0671e2fe309a23065119cb30ca1d79d1b36c6acf383e9afe7fffe0853968154b92c41ce1e98257777de2ad46ff5a8589394401e2bd5fdca4257418a
- Filesize: 200KB
  MD5: 2432bbe7a924948d214c5d8ad95318fa
  SHA1: ef18da9b0892eef066c87458d87791ff019c9607
  SHA256: d5d498a38882f22374b9f1c404765a57caac64edc1cd61e9b4ab3c27aaf87621
  SHA512: 6399cfa12975c297edc2064097adbe9520fbffa10421c922c7d98c577aef0916953ba917db4272ad214837300eccd75881eeddc9b1c75eb15f2f42372e1007c7