Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
142s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
27/08/2020, 15:46
General
-
Target
2020-08-16_12-33-29.bin.exe
-
Size
182KB
-
MD5
31293dfcacc8dc2e1e0daca8ad83ffe4
-
SHA1
49d99d21ee7070f9923e53247dff9359cef66e56
-
SHA256
8d6a931a8e8a65cf3a98fc2ee69ded2bd91ee03ef6677c6f653561dd4742ce17
-
SHA512
962605b126e84500a0039b6ddcc2dd6686c942e2aa762d09ab49f97200812721c837770e116f5cb0477ce6ce145529830ef6cfafadb311944c28d388a3ee68dc
Malware Config
Extracted
smokeloader
2020
http://rexstat35x.xyz/statweb955/
http://dexspot2x.xyz/statweb955/
http://atxspot20x.xyz/statweb955/
http://rexspot7x.xyz/statweb955/
http://fdmail85.club/statweb955/
http://servicem977x.xyz/statweb955/
http://advertxman7x.xyz/statweb955/
http://starxpush7x.xyz/statweb955/
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 6 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D77A.exeC:\Users\Admin\AppData\Local\Temp\D77A.exe1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Users\Admin\AppData\Local\Temp\D894.exeC:\Users\Admin\AppData\Local\Temp\D894.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DF7B.exeC:\Users\Admin\AppData\Local\Temp\DF7B.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E17F.exeC:\Users\Admin\AppData\Local\Temp\E17F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E326.exeC:\Users\Admin\AppData\Local\Temp\E326.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\EEB0.exeC:\Users\Admin\AppData\Local\Temp\EEB0.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\swap.cmd" "2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
88KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
468KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
16KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
40KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB