Analysis
- Max time kernel: 149s
- Max time network: 105s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231130-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 11/12/2023, 03:49
Behavioral task: behavioral1
- Sample: fa42753a5fe2e60076476da32fcfaf01.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: fa42753a5fe2e60076476da32fcfaf01.exe
- Resource: win10v2004-20231130-en
General
- Target: fa42753a5fe2e60076476da32fcfaf01.exe
- Size: 37KB
- MD5: fa42753a5fe2e60076476da32fcfaf01
- SHA1: 8147938ec14fc596c55d1819f8e2cb3d92991ac5
- SHA256: 22bf47b5ca0c997a013a8259a44a81171f00ee542c349695f1ea30a8b9c1051a
- SHA512: e16b32648b38d7a6d8e2bb3062e0246d6bae0118d60b865eda9a671b26eb2f8f087d1ebddc9a6f9191cdc980e94d734adcd461e0dc2479e7790e2ebb79561dd1
- SSDEEP: 768:d8n3N4JRqwg8UTB+8zx70f0PSuopLwlFFWO7:dmN4JRrg8ypxSKFFX
Malware Config (extracted)
- smokeloader (2022): http://81.19.131.34/fks/index.php
- redline (LiveTraffic): 77.105.132.87:6731
- redline (@oleh_ps): 176.123.7.190:32927
- smokeloader (up3)
- smokeloader (2020): http://host-file-host6.com/, http://host-host-file8.com/
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (4 IoCs)
  Resource / YARA rule:
  behavioral2/memory/656-19-0x00000000013B0000-0x00000000013EC000-memory.dmp / family_redline
  behavioral2/memory/4952-99-0x0000000000180000-0x00000000001BC000-memory.dmp / family_redline
  behavioral2/files/0x0007000000023220-93.dat / family_redline
  behavioral2/files/0x0007000000023220-86.dat / family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  PID / Process: 5012 / netsh.exe
- Deletes itself (1 IoCs)
  PID / Process: 3384 / Process not Found
- Executes dropped EXE (2 IoCs)
  PID / Process: 656 / 9877.exe
  PID / Process: 3632 / sfsbfug
- Program crash (1 IoCs)
  pid / pid_target / Process / procid_target: 2216 / 4380 / WerFault.exe / 121
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Description / IoC / Process:
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / fa42753a5fe2e60076476da32fcfaf01.exe
  Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / fa42753a5fe2e60076476da32fcfaf01.exe
  Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / fa42753a5fe2e60076476da32fcfaf01.exe
  Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / sfsbfug
  Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / sfsbfug
  Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / sfsbfug
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID / Process: 4616 / schtasks.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID / Process: 2768 / fa42753a5fe2e60076476da32fcfaf01.exe (2 entries)
  PID / Process: 3384 / Process not Found (62 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID / Process: 2768 / fa42753a5fe2e60076476da32fcfaf01.exe
  PID / Process: 3632 / sfsbfug
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description / PID / Process / procid_target: PID 3384 wrote to memory of 656 / 3384 / Process not Found / 98 (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe (PID 2768)
  Command: "C:\Users\Admin\AppData\Local\Temp\fa42753a5fe2e60076476da32fcfaf01.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\9877.exe (PID 656)
  Command: C:\Users\Admin\AppData\Local\Temp\9877.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Roaming\sfsbfug (PID 3632)
  Command: C:\Users\Admin\AppData\Roaming\sfsbfug
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\1583.exe (PID 3328)
  Command: C:\Users\Admin\AppData\Local\Temp\1583.exe
  - C:\Users\Admin\AppData\Local\Temp\tuc3.exe (PID 2848)
    Command: "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    - C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp (PID 2072)
      Command: "C:\Users\Admin\AppData\Local\Temp\is-2AI56.tmp\tuc3.tmp" /SL5="$C0062,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      - C:\Program Files (x86)\xrecode3\xrecode3.exe (PID 2068)
        Command: "C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
      - C:\Windows\SysWOW64\schtasks.exe (PID 4320)
        Command: "C:\Windows\system32\schtasks.exe" /Query
      - C:\Program Files (x86)\xrecode3\xrecode3.exe (PID 1528)
        Command: "C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
      - C:\Windows\SysWOW64\net.exe (PID 4608)
        Command: "C:\Windows\system32\net.exe" helpmsg 1
        - C:\Windows\SysWOW64\net1.exe (PID 32)
          Command: C:\Windows\system32\net1 helpmsg 1
  - C:\Users\Admin\AppData\Local\Temp\latestX.exe (PID 3460)
    Command: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
  - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 3368)
    Command: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 4992)
      Command: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1096)
        Command: powershell -nologo -noprofile
      - C:\Windows\system32\cmd.exe (PID 4596)
        Command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 624)
        Command: powershell -nologo -noprofile
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2280)
        Command: powershell -nologo -noprofile
      - C:\Windows\rss\csrss.exe (PID 4776)
        Command: C:\Windows\rss\csrss.exe
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1096)
          Command: powershell -nologo -noprofile
        - C:\Windows\SYSTEM32\schtasks.exe (PID 1880)
          Command: schtasks /delete /tn ScheduledUpdate /f
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3496)
          Command: powershell -nologo -noprofile
        - C:\Windows\SYSTEM32\schtasks.exe (PID 4616)
          Command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          Signatures: Creates scheduled task(s)
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5064)
          Command: powershell -nologo -noprofile
        - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 3788)
          Command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
  - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 4076)
    Command: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe (PID 2884)
    Command: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
- C:\Users\Admin\AppData\Local\Temp\Broom.exe (PID 1436)
  Command: C:\Users\Admin\AppData\Local\Temp\Broom.exe
- C:\Users\Admin\AppData\Local\Temp\192D.exe (PID 4952)
  Command: C:\Users\Admin\AppData\Local\Temp\192D.exe
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2512)
  Command: powershell -nologo -noprofile
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 4380)
  Command: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  - C:\Windows\SysWOW64\WerFault.exe (PID 2216)
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 328
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2836)
  Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4380 -ip 4380
- C:\Windows\system32\netsh.exe (PID 5012)
  Command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  Signatures: Modifies Windows Firewall
- C:\Users\Admin\AppData\Local\Temp\6BD3.exe (PID 1444)
  Command: C:\Users\Admin\AppData\Local\Temp\6BD3.exe
Network
MITRE ATT&CK Enterprise v15
- Persistence: Create or Modify System Process (1): Windows Service (1); Scheduled Task/Job (1)
- Privilege Escalation: Create or Modify System Process (1): Windows Service (1); Scheduled Task/Job (1)
Downloads