Analysis
max time kernel: 79s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/12/2023, 03:44
Behavioral tasks
behavioral1: sample 0x000a000000014adb-116.exe on resource win7-20231129-en
behavioral2: sample 0x000a000000014adb-116.exe on resource win10v2004-20231127-en
The Analysis block above, the Signatures and the process tree below all come from behavioral2 (win10v2004-20231127-en); no behavioral1 results are included on this page.
General
Target: 0x000a000000014adb-116.exe
Size: 37KB
MD5: f4b15e6c814a0d6abf6325753b6d4037
SHA1: 489d628694d794492df545d8c73cb0f910a0b479
SHA256: c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
SHA512: e6c76c630de0e4b4d664b5ad7c3c24ae06d65c3aeaf4835a35406ff7e90b4ecead8cf1b3581c794d1f3870f2d472ff9f7d18c7285302fefad98042312c5d12d1
SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config
Extracted: smokeloader
    Version: 2022
    C2: http://81.19.131.34/fks/index.php
Extracted: redline
    Botnet: @oleh_ps
    C2: 176.123.7.190:32927
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral2/files/0x000500000002272f-19.dat                                   family_redline
    behavioral2/memory/4460-21-0x0000000000340000-0x000000000037C000-memory.dmp   family_redline
    (PID 4460 is 43B8.exe in the process tree, so the RedLine payload is the third dropped executable.)

SmokeLoader
SmokeLoader is a modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Deletes itself (1 IoC)
    pid     Process
    3380    Process not Found

Executes dropped EXE (3 IoCs)
    pid     Process
    4352    B820.exe
    1316    3FEE.exe
    4460    43B8.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
    description     ioc                                                Process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x000a000000014adb-116.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x000a000000014adb-116.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0x000a000000014adb-116.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid     Process                        rows
    3704    0x000a000000014adb-116.exe     2
    3380    Process not Found              62

Suspicious behavior: MapViewOfSection (1 IoC)
    pid     Process
    3704    0x000a000000014adb-116.exe

Suspicious use of WriteProcessMemory (9 IoCs)
    description                         pid     Process             procid_target   rows
    PID 3380 wrote to memory of 4352    3380    Process not Found   103             3
    PID 3380 wrote to memory of 1316    3380    Process not Found   107             3
    PID 3380 wrote to memory of 4460    3380    Process not Found   108             3

Note on PID 3380: it is reported as "Process not Found" because the sandbox has no process-creation record for it, and it does not appear in the process tree below. It is nevertheless the process flagged under "Deletes itself", the source of 62 of the 64 process-enumeration rows, and the only writer in the WriteProcessMemory table, where its three targets are exactly the three dropped executables. That is the footprint of loader code running inside an already-existing process; the page does not identify which process hosts it.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
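The "Checks SCSI registry key(s)" signature only records that the key was opened, queried and enumerated. The example below is added here to show what such a check looks like; it is not code from the sample or from tria.ge. It walks HKLM\SYSTEM\ControlSet001\Enum\SCSI (device key, then instance key, then string values such as FriendlyName) and looks for hypervisor disk identifiers. The VM_MARKERS list and the SAMPLE_TREE registry subtree are my own constructed assumptions; on Windows the same functions can be pointed at the live key via read_scsi_tree().

```python
"""Added example (not from the report): the SCSI-registry VM check that the
'Checks SCSI registry key(s)' signature flags, reimplemented so it can be run
offline against a constructed registry subtree."""
import sys

# Substrings that betray a virtualised disk controller. Assumed list for the
# example; real loaders ship their own, often shorter, list.
VM_MARKERS = ("vbox", "vmware", "qemu", "virtual", "xen", "msft virtual")

# Constructed subtree in {"<DeviceID>\\<InstanceID>": {value_name: data}} form,
# mirroring the real layout under Enum\SCSI. Not taken from the report.
SAMPLE_TREE = {
    "Disk&Ven_VBOX&Prod_HARDDISK\\4&1bf2a1d3&0&000000": {
        "FriendlyName": "VBOX HARDDISK",
        "DeviceDesc": "@disk.inf,%disk_devdesc%;Disk drive",
    },
    "CdRom&Ven_VBOX&Prod_CD-ROM\\4&1bf2a1d3&0&010000": {
        "FriendlyName": "VBOX CD-ROM",
    },
    "Disk&Ven_Samsung&Prod_SSD_870_EVO\\4&2c9e7f0a&0&000000": {
        "FriendlyName": "Samsung SSD 870 EVO 1TB",
    },
}


def vm_indicators(scsi_tree):
    """Return (key_path, value_name, text) triples containing a VM marker.
    value_name is None when the marker is in the key path itself (the vendor
    and product strings are embedded in the DeviceID key name)."""
    hits = []
    for key_path, values in scsi_tree.items():
        candidates = [(None, key_path)] + [
            (name, data) for name, data in values.items() if isinstance(data, str)
        ]
        for name, text in candidates:
            lowered = text.lower()
            if any(marker in lowered for marker in VM_MARKERS):
                hits.append((key_path, name, text))
    return hits


def looks_like_vm(scsi_tree):
    """The decision a loader makes before unpacking: any hit means bail out."""
    return bool(vm_indicators(scsi_tree))


def read_scsi_tree(control_set="ControlSet001"):
    """Read the live key with winreg (Windows only). Returns {} elsewhere so
    the module imports and runs on any platform."""
    if sys.platform != "win32":
        return {}
    import winreg

    tree = {}
    base = "SYSTEM\\%s\\Enum\\SCSI" % control_set
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):
            device = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, device) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    instance = winreg.EnumKey(dev_key, j)
                    with winreg.OpenKey(dev_key, instance) as inst_key:
                        values = {}
                        for k in range(winreg.QueryInfoKey(inst_key)[1]):
                            name, data, _type = winreg.EnumValue(inst_key, k)
                            values[name] = data
                        tree[device + "\\" + instance] = values
    return tree


if __name__ == "__main__":
    tree = read_scsi_tree() or SAMPLE_TREE
    for key_path, name, text in vm_indicators(tree):
        print("%s :: %s = %s" % (key_path, name or "<key name>", text))
    print("VM detected" if looks_like_vm(tree) else "no VM markers")
```

The sandbox signature fires on the registry access itself, not on the outcome, which is why the right hardening on the analysis side is to rename the hypervisor's disk vendor and product strings rather than to block the key: a loader that is denied the key typically treats the failure as "unknown environment" and proceeds, whereas one that reads "VBOX HARDDISK" exits before dropping anything.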
Processes
[n] is the nesting depth the report marks as n⤵; a process listed directly under another is its child.

[1] C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe  (PID 3704)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe"
    signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\B820.exe  (PID 4352)
    cmdline: C:\Users\Admin\AppData\Local\Temp\B820.exe
    signatures: Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\3FEE.exe  (PID 1316)
    cmdline: C:\Users\Admin\AppData\Local\Temp\3FEE.exe
    signatures: Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe  (PID 2244)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
        [3] C:\Users\Admin\AppData\Local\Temp\Broom.exe  (PID 4884)
            cmdline: C:\Users\Admin\AppData\Local\Temp\Broom.exe
    [2] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe  (PID 2032)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    [2] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe  (PID 2468)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    [2] C:\Users\Admin\AppData\Local\Temp\tuc3.exe  (PID 396)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        [3] C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp  (PID 636)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp" /SL5="$401E2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 896)
                cmdline: "C:\Windows\system32\schtasks.exe" /Query
            [4] C:\Program Files (x86)\xrecode3\xrecode3.exe  (PID 1540)
                cmdline: "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
    [2] C:\Users\Admin\AppData\Local\Temp\latestX.exe  (PID 3652)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
[1] C:\Users\Admin\AppData\Local\Temp\43B8.exe  (PID 4460)
    cmdline: C:\Users\Admin\AppData\Local\Temp\43B8.exe
    signatures: Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\6EF0.exe  (PID 3188)
    cmdline: C:\Users\Admin\AppData\Local\Temp\6EF0.exe
[1] C:\Users\Admin\AppData\Local\Temp\897D.exe  (PID 3140)
    cmdline: C:\Users\Admin\AppData\Local\Temp\897D.exe

Reading notes: B820.exe, 3FEE.exe and 43B8.exe appear at depth 1 with no recorded parent; they are the three PIDs (4352, 1316, 4460) that the untracked PID 3380 writes into under Signatures. 3FEE.exe is the only one of the three that spawns further stages (InstallSetup9.exe, toolspub2.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe, tuc3.exe, latestX.exe). The is-KTM5C.tmp\tuc3.tmp /SL5= pattern is the Inno Setup bootstrapper convention, and its child schtasks.exe resolving to C:\Windows\SysWOW64 although "system32" was requested is WOW64 file-system redirection, i.e. tuc3.tmp is a 32-bit process. 6EF0.exe and 897D.exe run at depth 1 with no signatures attached on this page.
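The report presents the WriteProcessMemory rows, the dropped-EXE rows and the process tree as three separate flattened tables, so the relationship between them has to be read off by eye. The example below is added here and is not part of the report: it parses the report's own row format and joins the three tables, returning for each injection target who wrote into it, how many rows were recorded, whether the target is a dropped EXE and whether the writer has any process-tree entry. The row strings and PIDs are copied from this page; the regexes, function names and the summary layout are my own.

```python
"""Added example (not from the tria.ge report): parse the flattened IoC rows
on this page and join WriteProcessMemory targets against the dropped-EXE
table and the process-tree PIDs."""
import re

# Rows copied from "Suspicious use of WriteProcessMemory". Reported format:
# "PID <writer> wrote to memory of <target> <writer> <writer name> <procid_target>".
WPM_ROWS = [
    "PID 3380 wrote to memory of 4352 3380 Process not Found 103",
    "PID 3380 wrote to memory of 4352 3380 Process not Found 103",
    "PID 3380 wrote to memory of 4352 3380 Process not Found 103",
    "PID 3380 wrote to memory of 1316 3380 Process not Found 107",
    "PID 3380 wrote to memory of 1316 3380 Process not Found 107",
    "PID 3380 wrote to memory of 1316 3380 Process not Found 107",
    "PID 3380 wrote to memory of 4460 3380 Process not Found 108",
    "PID 3380 wrote to memory of 4460 3380 Process not Found 108",
    "PID 3380 wrote to memory of 4460 3380 Process not Found 108",
]
# Rows copied from "Executes dropped EXE": "<pid> <image>".
DROPPED_ROWS = ["4352 B820.exe", "1316 3FEE.exe", "4460 43B8.exe"]
# Every PID that has an entry in the process tree, with its image name.
TREE_PIDS = {
    3704: "0x000a000000014adb-116.exe", 4352: "B820.exe", 1316: "3FEE.exe",
    2244: "InstallSetup9.exe", 4884: "Broom.exe", 2032: "toolspub2.exe",
    2468: "31839b57a4f11171d6abc8bbc4451ee4.exe", 396: "tuc3.exe",
    636: "tuc3.tmp", 896: "schtasks.exe", 1540: "xrecode3.exe",
    3652: "latestX.exe", 4460: "43B8.exe", 3188: "6EF0.exe", 3140: "897D.exe",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")
DROPPED_RE = re.compile(r"^(\d+) (\S+)$")


def parse_wpm(rows):
    """Yield (writer_pid, target_pid, writer_name, procid_target) per row.
    The writer PID is printed twice per row; a mismatch is a parse error."""
    for row in rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError("unrecognised WriteProcessMemory row: %r" % row)
        writer, target, writer_again, name, procid = m.groups()
        if writer != writer_again:
            raise ValueError("writer PID mismatch in row: %r" % row)
        yield int(writer), int(target), name, int(procid)


def parse_dropped(rows):
    """Return {pid: image} from 'Executes dropped EXE' rows."""
    out = {}
    for row in rows:
        m = DROPPED_RE.match(row)
        if m is None:
            raise ValueError("unrecognised dropped-EXE row: %r" % row)
        out[int(m.group(1))] = m.group(2)
    return out


def injection_summary(wpm_rows, dropped_rows, tree_pids):
    """One entry per WriteProcessMemory target, joined with the other tables."""
    dropped = parse_dropped(dropped_rows)
    summary = {}
    for writer, target, name, procid in parse_wpm(wpm_rows):
        entry = summary.setdefault(target, {
            "writer": writer, "writer_name": name, "procid_target": procid,
            "writes": 0, "image": dropped.get(target),
            "target_in_tree": target in tree_pids,
            "writer_in_tree": writer in tree_pids,
        })
        entry["writes"] += 1
    return summary


def untracked_writers(summary):
    """Writer PIDs with no process-tree entry: the injected host process(es)."""
    return sorted({e["writer"] for e in summary.values() if not e["writer_in_tree"]})


if __name__ == "__main__":
    s = injection_summary(WPM_ROWS, DROPPED_ROWS, TREE_PIDS)
    for pid, e in sorted(s.items()):
        print("%d %-10s written by %d (%s) x%d" % (pid, e["image"], e["writer"], e["writer_name"], e["writes"]))
    print("untracked writers:", untracked_writers(s))
```

On this page the join shows that every injection target is a dropped EXE that does have a tree entry, while the single writer (3380) has none, which is the shape to look for when a sandbox reports "Process not Found" as the parent of a chain.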
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 128KB
MD5: d2ef8dfca07b76626d20a20d38c835a6
SHA1: 02932db44220b4a104c6822ccca1c0a367da7fb2
SHA256: 623961bc5b17849b37e61e99ff84da230fe12ff539e07e947ba454168e935e07
SHA512: 3256df52f995c5632daad4fa3057912645d3403a0b7813d852c50a4d58771eaeaf4e38d981a8110d6770151fe080e85826eb2abb8bc764bbd068c83b4cd7ee40

Filesize: 256KB
MD5: db7cea14da34db0b4cf2fc3b40a46a5a
SHA1: 32b621293e6366b45e2dcffe40b590bb985a9ee0
SHA256: e84e93c12bcbbf578467c9df3d68908e150ae82e74d8073a6ede2be977f284cf
SHA512: a9a64d63ebe5bcd1342e51e3f461eae3d2ef03c375a692a9fd59bdbcef9ff70d535e0ddf668c20797741dd86a3d91a9fe6b623c1d06c03c8b0c47a11793135f0

Filesize: 1024KB
MD5: 3053824ffd7b984d9f4acc8d590694ea
SHA1: 2944cadc5f2faf755c960fa2375665168074b761
SHA256: 5d6d1a218717eb310a2e8da32e953a30ef49e4c7faa817d485c3b0fed21b3aed
SHA512: 9841c27148ec0c2a223623609cd17abeeb99cd585c306c0ec7e63853ab3b4d5c9b9efd4e1908448cb823a06e4d697e8952e0a7eb17a4ef82762675e998b5f8d8

Filesize: 640KB
MD5: ed88de7bde0aa9e5c6373bf712a912e7
SHA1: 771c3cfe93ee2cb077d56189abab1543c4b19a0d
SHA256: 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885
SHA512: 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633

Filesize: 8.9MB
MD5: b0b169ef9fb82ea942fc84f29fa06551
SHA1: bf5afb5636187f2464ed599dfdec034fbf578697
SHA256: 4b65875a9af87bc66f237835fde7340f78023e277c5ce00190e989d81b4c7841
SHA512: cdb952b9432e5cac5c8950e3b49db2def5f219ef0bfd863ca6e89321cd1ff34c4a0436c9dda26a419588308957a14aa910d24d05e779b711391e59f925650cb3

Filesize: 10.4MB
MD5: 1bd64ffbb781661958321de291442d84
SHA1: 49cd6dff91046eaa85840dd66501685c697686f9
SHA256: f172c871be20b4c5c86b6616186dd8b3783a7a650dd9dd3d4142961cdaee0b69
SHA512: a7b494726a61ff3520c3d9b0c9d901ac56e0210778b65c836b93743382c28d2a34f593e60f6b9dc544bcda8e4909844870860f615623cd6b62675012a36d1368

Filesize: 219KB
MD5: 91d23595c11c7ee4424b6267aabf3600
SHA1: ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256: d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512: cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Filesize: 896KB
MD5: 6915ae7cb5b2eb3f5df1b184cc625950
SHA1: e5ef210770671a430148a1df61fdd6cddecc30ad
SHA256: 4f8d417ea7c3b15679337a1cd12bbf88299a84107cf5bae3be47c5e4425eead2
SHA512: 0d000b3e90f9185ad56455d1da101ad18875ae1738c6fe5dfe3e2e923d3317e535e5514fca80a443a1ac1a779c93305f849465cc3ea7ee7e52f719903960bf6c

Filesize: 1.1MB
MD5: 94e484b3c98f11ddd7b52a1f2e0d6d07
SHA1: 69996218b5284f2db3c63be84c008bb158999fc6
SHA256: 629e09208510bd357194229b346444616ace3bc724106d8843a4b98f5504731c
SHA512: 52ab9bc3101529e6d4b919d4716abc0a1e052395c4c75e7ace09971dfb89ea0b138a8d8d105ed36ca94e5b77232ad94cce44f20161e3ec3cd5a06a1cd5a1e41e

Filesize: 401KB
MD5: f88edad62a7789c2c5d8047133da5fa7
SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

Filesize: 576KB
MD5: d6af9f1ea20caf07cbbc7cc75475411b
SHA1: 9b677fe3f4994e76ecfae030f08b6f5393238010
SHA256: 4e7bc66339e8b20cff5500a85b34afd2fd8ae81fb9d5973a2fb84c66651537c5
SHA512: 04723a1b98b8b68e8156d2dcf3fca0b2d826266e1fc0b4bad9c1f7448291ea8dd86273f786efc12329b8570de200a700e36ee666d45dd1d926da5c21fccb1535

Filesize: 2.3MB
MD5: 77471d919a5e2151fb49f37c315af514
SHA1: 0687047ed80aa348bdc1657731f21181995b654c
SHA256: 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
SHA512: 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844

Filesize: 1.8MB
MD5: 9cbdb49c8cfe94d3380cf3456b66d96c
SHA1: 32c5d500781220052e695ca2485a686267a8390b
SHA256: 49b1edd250702b352f9ed1948db08e6a540c20e67c6916e76211fe450ca675d9
SHA512: b67aa9f0a8ae905c64fc699370d81e385adc5164237e0a60e9ec693ca57ff4aa77d8c7c329486eedd41bd43e97b9416c0ebf0a7fb8928feed621c0217715ae29

Filesize: 640KB
MD5: d6e2d1e34c09f72cfec36486cffe83d6
SHA1: 81636569d19838e479c7c469d9402f57cdbe41d7
SHA256: 746db77481ca2dcb8f061c26f1b77f1c5a0e7c7a4fe0eb65ba8befdfb831b82a
SHA512: 5006c15d03cda40c81d1fbb6fd53976e1ccbbd9975c0eeafddaa158b03b355a83188af0abb050da8d97d80e284db832910eb3499840d382e6e327ca0ef9b7b57

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 13KB
MD5: a813d18268affd4763dde940246dc7e5
SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Filesize: 192KB
MD5: c92eb06a2c0616bdf739a70b1427b0f0
SHA1: 3657c0f2e2ebf65d95469e93ad781516e6b808ef
SHA256: 0551438a2f2a917e628bfc212473dafb78edcabd6188389dd485be69437f3e03
SHA512: e23e7499c7959b8cda5c12f888aecc1d08556163280b603998e2ac8dfb268c2d721e5280b977b2d9afcb2312706ec98bfbd490d9a22bc7bb0a8620db19e53327

Filesize: 128KB
MD5: 54bb0d4e8255b55f339cb4e20b537b0b
SHA1: 9b8957c8631a57142545c9bd1229cdae402bafea
SHA256: 82eecf84a880e8cbf0a4a5dfaffed6b65afcec9f6b0289bccf9f06f58c7550e8
SHA512: da5461afc80fabb5920d3dffbcf870ffe4b8432b0d61a1b2ef4a549b54d25e2f299bbfc5c7961c43131f1556e4ff5ab244e7a3598193dd06654bf1f3362ef889

Filesize: 384KB
MD5: 226ab7d4c5a038c007eec25a889bcddf
SHA1: 57b2f5af24a9ed41bada5cbfde98a8a31a3d5e28
SHA256: f3153b917963382dd4895ecb4bf18cf40e330f479c89b4ac66f2d90b15257f7a
SHA512: c415051ddc1c5d61f1635bcef34963f20c63b6deb021809ccd7152a01b2504838182b2624d6318c497915277455009db46cf5d3e4c36f342f4cf765b0558309d

Filesize: 320KB
MD5: e6398c572d3912e95d67990db42f7b65
SHA1: 1caeb92853c065336109a4b63813aedcab048aad
SHA256: 46d152bb29f8bff9153f8e357b8b06d56b865e3aadd43a67e5a5645878c1359c
SHA512: d6986cc29c6fac52959ab3945c398e28369dbd3a0654d8c3186227855dd5639685cd7ba3e308bc78189dfc5dd8aca894d30c4029b8d0c019b16080377346576d

Filesize: 291KB
MD5: cde750f39f58f1ec80ef41ce2f4f1db9
SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

Filesize: 1.4MB
MD5: 1ac6f91f68a718573bc6e310e5267f9c
SHA1: a30f1f046da88ec78fcab903e37f0b8520625d5d
SHA256: 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a
SHA512: 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381

Filesize: 768KB
MD5: bb62eb5da4f2a9ab8434396d9752fdb0
SHA1: ad269614474763d1b6f1b39e51ff58b99bdd2e13
SHA256: 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e
SHA512: e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632