Analysis

  • max time kernel
    79s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/12/2023, 03:44

General

  • Target
    0x000a000000014adb-116.exe
  • Size
    37KB
  • MD5
    f4b15e6c814a0d6abf6325753b6d4037
  • SHA1
    489d628694d794492df545d8c73cb0f910a0b479
  • SHA256
    c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
  • SHA512
    e6c76c630de0e4b4d664b5ad7c3c24ae06d65c3aeaf4835a35406ff7e90b4ecead8cf1b3581c794d1f3870f2d472ff9f7d18c7285302fefad98042312c5d12d1
  • SSDEEP
    768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://81.19.131.34/fks/index.php

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

C2

176.123.7.190:32927

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000a000000014adb-116.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3704
  • C:\Users\Admin\AppData\Local\Temp\B820.exe
    C:\Users\Admin\AppData\Local\Temp\B820.exe
    1⤵
    • Executes dropped EXE
    PID:4352
  • C:\Users\Admin\AppData\Local\Temp\3FEE.exe
    C:\Users\Admin\AppData\Local\Temp\3FEE.exe
    1⤵
    • Executes dropped EXE
    PID:1316
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      2⤵
      PID:2244
      • C:\Users\Admin\AppData\Local\Temp\Broom.exe
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        3⤵
        PID:4884
    • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      2⤵
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      2⤵
      PID:2468
    • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
      "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      2⤵
      PID:396
      • C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp" /SL5="$401E2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
        3⤵
        PID:636
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /Query
          4⤵
          PID:896
        • C:\Program Files (x86)\xrecode3\xrecode3.exe
          "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
          4⤵
          PID:1540
    • C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      2⤵
      PID:3652
  • C:\Users\Admin\AppData\Local\Temp\43B8.exe
    C:\Users\Admin\AppData\Local\Temp\43B8.exe
    1⤵
    • Executes dropped EXE
    PID:4460
  • C:\Users\Admin\AppData\Local\Temp\6EF0.exe
    C:\Users\Admin\AppData\Local\Temp\6EF0.exe
    1⤵
    PID:3188
  • C:\Users\Admin\AppData\Local\Temp\897D.exe
    C:\Users\Admin\AppData\Local\Temp\897D.exe
    1⤵
    PID:3140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\xrecode3\xrecode3.exe
    Filesize: 128KB
    MD5: d2ef8dfca07b76626d20a20d38c835a6
    SHA1: 02932db44220b4a104c6822ccca1c0a367da7fb2
    SHA256: 623961bc5b17849b37e61e99ff84da230fe12ff539e07e947ba454168e935e07
    SHA512: 3256df52f995c5632daad4fa3057912645d3403a0b7813d852c50a4d58771eaeaf4e38d981a8110d6770151fe080e85826eb2abb8bc764bbd068c83b4cd7ee40
  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 256KB
    MD5: db7cea14da34db0b4cf2fc3b40a46a5a
    SHA1: 32b621293e6366b45e2dcffe40b590bb985a9ee0
    SHA256: e84e93c12bcbbf578467c9df3d68908e150ae82e74d8073a6ede2be977f284cf
    SHA512: a9a64d63ebe5bcd1342e51e3f461eae3d2ef03c375a692a9fd59bdbcef9ff70d535e0ddf668c20797741dd86a3d91a9fe6b623c1d06c03c8b0c47a11793135f0
  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 1024KB
    MD5: 3053824ffd7b984d9f4acc8d590694ea
    SHA1: 2944cadc5f2faf755c960fa2375665168074b761
    SHA256: 5d6d1a218717eb310a2e8da32e953a30ef49e4c7faa817d485c3b0fed21b3aed
    SHA512: 9841c27148ec0c2a223623609cd17abeeb99cd585c306c0ec7e63853ab3b4d5c9b9efd4e1908448cb823a06e4d697e8952e0a7eb17a4ef82762675e998b5f8d8
  • C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    Filesize: 640KB
    MD5: ed88de7bde0aa9e5c6373bf712a912e7
    SHA1: 771c3cfe93ee2cb077d56189abab1543c4b19a0d
    SHA256: 6b9d8ef83bad81d4075c1419274320f7ee66490742f7779b87681330ec18c885
    SHA512: 06fb06a9a73ba32368db66a91a787ba24fd050210fcab647321719ff5d9b7e5feceb00f121e3d25efdebc2ee3635c69d9176d2bdf567ddf46b6fb78e8765b633
  • C:\Users\Admin\AppData\Local\Temp\3FEE.exe
    Filesize: 8.9MB
    MD5: b0b169ef9fb82ea942fc84f29fa06551
    SHA1: bf5afb5636187f2464ed599dfdec034fbf578697
    SHA256: 4b65875a9af87bc66f237835fde7340f78023e277c5ce00190e989d81b4c7841
    SHA512: cdb952b9432e5cac5c8950e3b49db2def5f219ef0bfd863ca6e89321cd1ff34c4a0436c9dda26a419588308957a14aa910d24d05e779b711391e59f925650cb3
  • C:\Users\Admin\AppData\Local\Temp\3FEE.exe
    Filesize: 10.4MB
    MD5: 1bd64ffbb781661958321de291442d84
    SHA1: 49cd6dff91046eaa85840dd66501685c697686f9
    SHA256: f172c871be20b4c5c86b6616186dd8b3783a7a650dd9dd3d4142961cdaee0b69
    SHA512: a7b494726a61ff3520c3d9b0c9d901ac56e0210778b65c836b93743382c28d2a34f593e60f6b9dc544bcda8e4909844870860f615623cd6b62675012a36d1368
  • C:\Users\Admin\AppData\Local\Temp\43B8.exe
    Filesize: 219KB
    MD5: 91d23595c11c7ee4424b6267aabf3600
    SHA1: ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
    SHA256: d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
    SHA512: cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b
  • C:\Users\Admin\AppData\Local\Temp\6EF0.exe
    Filesize: 896KB
    MD5: 6915ae7cb5b2eb3f5df1b184cc625950
    SHA1: e5ef210770671a430148a1df61fdd6cddecc30ad
    SHA256: 4f8d417ea7c3b15679337a1cd12bbf88299a84107cf5bae3be47c5e4425eead2
    SHA512: 0d000b3e90f9185ad56455d1da101ad18875ae1738c6fe5dfe3e2e923d3317e535e5514fca80a443a1ac1a779c93305f849465cc3ea7ee7e52f719903960bf6c
  • C:\Users\Admin\AppData\Local\Temp\6EF0.exe
    Filesize: 1.1MB
    MD5: 94e484b3c98f11ddd7b52a1f2e0d6d07
    SHA1: 69996218b5284f2db3c63be84c008bb158999fc6
    SHA256: 629e09208510bd357194229b346444616ace3bc724106d8843a4b98f5504731c
    SHA512: 52ab9bc3101529e6d4b919d4716abc0a1e052395c4c75e7ace09971dfb89ea0b138a8d8d105ed36ca94e5b77232ad94cce44f20161e3ec3cd5a06a1cd5a1e41e
  • C:\Users\Admin\AppData\Local\Temp\B820.exe
    Filesize: 401KB
    MD5: f88edad62a7789c2c5d8047133da5fa7
    SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
    SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
    SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60
  • C:\Users\Admin\AppData\Local\Temp\Broom.exe
    Filesize: 576KB
    MD5: d6af9f1ea20caf07cbbc7cc75475411b
    SHA1: 9b677fe3f4994e76ecfae030f08b6f5393238010
    SHA256: 4e7bc66339e8b20cff5500a85b34afd2fd8ae81fb9d5973a2fb84c66651537c5
    SHA512: 04723a1b98b8b68e8156d2dcf3fca0b2d826266e1fc0b4bad9c1f7448291ea8dd86273f786efc12329b8570de200a700e36ee666d45dd1d926da5c21fccb1535
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 2.3MB
    MD5: 77471d919a5e2151fb49f37c315af514
    SHA1: 0687047ed80aa348bdc1657731f21181995b654c
    SHA256: 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1
    SHA512: 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 1.8MB
    MD5: 9cbdb49c8cfe94d3380cf3456b66d96c
    SHA1: 32c5d500781220052e695ca2485a686267a8390b
    SHA256: 49b1edd250702b352f9ed1948db08e6a540c20e67c6916e76211fe450ca675d9
    SHA512: b67aa9f0a8ae905c64fc699370d81e385adc5164237e0a60e9ec693ca57ff4aa77d8c7c329486eedd41bd43e97b9416c0ebf0a7fb8928feed621c0217715ae29
  • C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    Filesize: 640KB
    MD5: d6e2d1e34c09f72cfec36486cffe83d6
    SHA1: 81636569d19838e479c7c469d9402f57cdbe41d7
    SHA256: 746db77481ca2dcb8f061c26f1b77f1c5a0e7c7a4fe0eb65ba8befdfb831b82a
    SHA512: 5006c15d03cda40c81d1fbb6fd53976e1ccbbd9975c0eeafddaa158b03b355a83188af0abb050da8d97d80e284db832910eb3499840d382e6e327ca0ef9b7b57
  • C:\Users\Admin\AppData\Local\Temp\is-AOE37.tmp\_isetup\_iscrypt.dll
    Filesize: 2KB
    MD5: a69559718ab506675e907fe49deb71e9
    SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
    SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
    SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
  • C:\Users\Admin\AppData\Local\Temp\is-AOE37.tmp\_isetup\_isdecmp.dll
    Filesize: 13KB
    MD5: a813d18268affd4763dde940246dc7e5
    SHA1: c7366e1fd925c17cc6068001bd38eaef5b42852f
    SHA256: e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
    SHA512: b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
  • C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
    Filesize: 192KB
    MD5: c92eb06a2c0616bdf739a70b1427b0f0
    SHA1: 3657c0f2e2ebf65d95469e93ad781516e6b808ef
    SHA256: 0551438a2f2a917e628bfc212473dafb78edcabd6188389dd485be69437f3e03
    SHA512: e23e7499c7959b8cda5c12f888aecc1d08556163280b603998e2ac8dfb268c2d721e5280b977b2d9afcb2312706ec98bfbd490d9a22bc7bb0a8620db19e53327
  • C:\Users\Admin\AppData\Local\Temp\is-KTM5C.tmp\tuc3.tmp
    Filesize: 128KB
    MD5: 54bb0d4e8255b55f339cb4e20b537b0b
    SHA1: 9b8957c8631a57142545c9bd1229cdae402bafea
    SHA256: 82eecf84a880e8cbf0a4a5dfaffed6b65afcec9f6b0289bccf9f06f58c7550e8
    SHA512: da5461afc80fabb5920d3dffbcf870ffe4b8432b0d61a1b2ef4a549b54d25e2f299bbfc5c7961c43131f1556e4ff5ab244e7a3598193dd06654bf1f3362ef889
  • C:\Users\Admin\AppData\Local\Temp\latestX.exe
    Filesize: 384KB
    MD5: 226ab7d4c5a038c007eec25a889bcddf
    SHA1: 57b2f5af24a9ed41bada5cbfde98a8a31a3d5e28
    SHA256: f3153b917963382dd4895ecb4bf18cf40e330f479c89b4ac66f2d90b15257f7a
    SHA512: c415051ddc1c5d61f1635bcef34963f20c63b6deb021809ccd7152a01b2504838182b2624d6318c497915277455009db46cf5d3e4c36f342f4cf765b0558309d
  • C:\Users\Admin\AppData\Local\Temp\latestX.exe
    Filesize: 320KB
    MD5: e6398c572d3912e95d67990db42f7b65
    SHA1: 1caeb92853c065336109a4b63813aedcab048aad
    SHA256: 46d152bb29f8bff9153f8e357b8b06d56b865e3aadd43a67e5a5645878c1359c
    SHA512: d6986cc29c6fac52959ab3945c398e28369dbd3a0654d8c3186227855dd5639685cd7ba3e308bc78189dfc5dd8aca894d30c4029b8d0c019b16080377346576d
  • C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    Filesize: 291KB
    MD5: cde750f39f58f1ec80ef41ce2f4f1db9
    SHA1: 942ea40349b0e5af7583fd34f4d913398a9c3b96
    SHA256: 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
    SHA512: c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580
  • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    Filesize: 1.4MB
    MD5: 1ac6f91f68a718573bc6e310e5267f9c
    SHA1: a30f1f046da88ec78fcab903e37f0b8520625d5d
    SHA256: 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a
    SHA512: 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381
  • C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    Filesize: 768KB
    MD5: bb62eb5da4f2a9ab8434396d9752fdb0
    SHA1: ad269614474763d1b6f1b39e51ff58b99bdd2e13
    SHA256: 08a4f6f94fe0a0b52fab5283aa44f062bb68c1755205bd81ef924f352f2d209e
    SHA512: e4da83dbae17e1db6e57692a409ac9c05f7fba029fd1a75d2cee8a1d529475ff4698db371dfd14c846197226077d6699cf648b4428656861f0f5304e819e3632
  • memory/396-79-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/396-83-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/636-115-0x0000000000540000-0x0000000000541000-memory.dmp
    Filesize: 4KB
  • memory/1316-23-0x0000000000CB0000-0x0000000002166000-memory.dmp
    Filesize: 20.7MB
  • memory/1316-22-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize: 7.7MB
  • memory/1316-99-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize: 7.7MB
  • memory/3188-97-0x0000000005650000-0x0000000005660000-memory.dmp
    Filesize: 64KB
  • memory/3188-81-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize: 7.7MB
  • memory/3188-95-0x0000000005510000-0x00000000055AC000-memory.dmp
    Filesize: 624KB
  • memory/3188-84-0x00000000003A0000-0x0000000000952000-memory.dmp
    Filesize: 5.7MB
  • memory/3380-1-0x00000000026D0000-0x00000000026E6000-memory.dmp
    Filesize: 88KB
  • memory/3704-3-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB
  • memory/3704-0-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize: 44KB
  • memory/4460-25-0x00000000070F0000-0x0000000007182000-memory.dmp
    Filesize: 584KB
  • memory/4460-44-0x0000000007440000-0x000000000748C000-memory.dmp
    Filesize: 304KB
  • memory/4460-42-0x00000000073E0000-0x000000000741C000-memory.dmp
    Filesize: 240KB
  • memory/4460-39-0x0000000007380000-0x0000000007392000-memory.dmp
    Filesize: 72KB
  • memory/4460-37-0x0000000007BA0000-0x0000000007CAA000-memory.dmp
    Filesize: 1.0MB
  • memory/4460-36-0x00000000081C0000-0x00000000087D8000-memory.dmp
    Filesize: 6.1MB
  • memory/4460-28-0x00000000072B0000-0x00000000072BA000-memory.dmp
    Filesize: 40KB
  • memory/4460-27-0x0000000007280000-0x0000000007290000-memory.dmp
    Filesize: 64KB
  • memory/4460-24-0x00000000075F0000-0x0000000007B94000-memory.dmp
    Filesize: 5.6MB
  • memory/4460-21-0x0000000000340000-0x000000000037C000-memory.dmp
    Filesize: 240KB
  • memory/4460-20-0x00000000746F0000-0x0000000074EA0000-memory.dmp
    Filesize: 7.7MB
  • memory/4884-78-0x0000000000B30000-0x0000000000B31000-memory.dmp
    Filesize: 4KB