
Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 09:03 UTC

General

  • Target

    7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe

  • Size

    163KB

  • MD5

    b3b837e0c442cfe5a952f7d161726220

  • SHA1

    9f3e370d1a31e87974c45e04c9b300ad348a968b

  • SHA256

    7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69

  • SHA512

    eb7e03c2a589198fd650ba20164f529b00b5575d4047d06796c51d6e5f87ec71e2c05f7a9d061c947aa8743d566537bc2b5c673d32990277eac538f9dd759a09

  • SSDEEP

    3072:x6qdnK5lgFd2poUe5yOp5PgxnaSmoIvJ4AZQ4vbQh2g86537T36:kX5wd2poH5TgxaxoIxJZTcTY

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    The SCSI device identifier strings in the registry name the disk controller and, on a hypervisor, embed the virtualization vendor (VBOX, VMware, QEMU), so they are often read to detect sandboxes and virtual machines.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
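
Detection logic for the "Checks SCSI registry key(s)" behaviour, run over constructed registry-access events. This is an added example, not code from the report or from tria.ge. It assumes telemetry shaped like Windows Security event 4663 (object-access auditing with a SACL on the key) with a simplified record layout, and it treats the Disk\Enum key as a related probe target, which the report itself does not name.

```python
"""Flag processes that read the SCSI identifier keys used for VM/sandbox checks.

Added example; not part of the tria.ge report. Assumes registry-read telemetry in
the shape of Windows Security event 4663 (object-access auditing with a SACL on
the key); the record fields below are a simplified assumption.
"""
import re
from collections import defaultdict

# On a hypervisor the Identifier value under this key embeds the virtual disk
# vendor (VBOX, VMWARE, QEMU, ...), which is what a sandbox check looks for.
SCSI_KEY = re.compile(
    r"^HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port \d+\\Scsi Bus \d+"
    r"\\Target Id \d+\\Logical Unit Id \d+(\\|$)", re.IGNORECASE)
# Disk enumeration key, read for the same reason; included as an assumption
# about what the report's "SCSI registry key(s)" signature covers.
DISK_ENUM_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum(\\|$)", re.IGNORECASE)

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe")
SCSI_LUN0 = (r"\REGISTRY\MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0"
             r"\Target Id 0\Logical Unit Id 0")
SVCHOST = r"C:\Windows\System32\svchost.exe"


def _ev(process, obj, accesses, event_id=4663):
    return {"event_id": event_id, "process": process, "object": obj, "accesses": accesses}


# Constructed events: the sample queries two SCSI LUN identifiers and the disk
# enumeration key; a service host reads an unrelated key; a write is not a probe.
SAMPLE_EVENTS = [
    _ev(SAMPLE_EXE, SCSI_LUN0, "Query key value"),
    _ev(SAMPLE_EXE, SCSI_LUN0, "Query key value"),  # repeated read, counted once
    _ev(SAMPLE_EXE, SCSI_LUN0.replace("Scsi Port 0", "Scsi Port 1"), "Query key value"),
    _ev(SAMPLE_EXE, r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum",
        "Query key value"),
    _ev(SVCHOST, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        "Query key value"),
    _ev(SAMPLE_EXE, SCSI_LUN0.replace("Scsi Port 0", "Scsi Port 2"), "Set key value"),
]


def normalize_key(obj_name):
    """Map the kernel object path logged in event 4663 to the HKLM/HKU form."""
    name = obj_name.strip()
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if name.upper().startswith(prefix):
            return hive + name[len(prefix):]
    return name


def is_vm_probe_key(key):
    """True for the SCSI identifier and disk enumeration keys."""
    return bool(SCSI_KEY.match(key) or DISK_ENUM_KEY.match(key))


def find_scsi_probes(events, min_keys=1):
    """Return {process: sorted distinct probe keys} for every process that queried
    at least min_keys distinct SCSI/disk identifier keys (writes are ignored)."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("event_id") != 4663 or "query" not in ev.get("accesses", "").lower():
            continue
        key = normalize_key(ev["object"])
        if is_vm_probe_key(key):
            hits[ev["process"]].add(key)
    return {proc: sorted(keys) for proc, keys in hits.items() if len(keys) >= min_keys}


if __name__ == "__main__":
    for proc, keys in find_scsi_probes(SAMPLE_EVENTS).items():
        print(proc)
        for k in keys:
            print("   ", k)
```

Legitimate software (storage management tools, hardware inventory agents) also reads these keys, so in production pair the hit with the process image path and signer rather than alerting on the read alone; the min_keys threshold is the knob for that.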

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe
    "C:\Users\Admin\AppData\Local\Temp\7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1964

Network

  • DNS
    furubujjul.net
    Remote address:
    8.8.8.8:53
    Request
    furubujjul.net
    IN A
    Response
    furubujjul.net
    IN A
    91.195.240.101
  • POST
    http://furubujjul.net/
    Remote address:
    91.195.240.101:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xnnep.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 332
    Host: furubujjul.net
    Response
    HTTP/1.1 403 Forbidden
    date: Mon, 21 Nov 2022 09:04:03 GMT
    content-type: text/html
    content-length: 150
    vary: Accept-Encoding
    server: NginX
  • DNS
    starvestitibo.org
    Remote address:
    8.8.8.8:53
    Request
    starvestitibo.org
    IN A
    Response
    starvestitibo.org
    IN A
    193.106.191.15
  • DNS
    liubertiyyyul.net
    Remote address:
    8.8.8.8:53
    Request
    liubertiyyyul.net
    IN A
    Response
    liubertiyyyul.net
    IN A
    91.195.240.101
  • POST
    http://liubertiyyyul.net/
    Remote address:
    91.195.240.101:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://ynfejjns.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 254
    Host: liubertiyyyul.net
    Response
    HTTP/1.1 403 Forbidden
    date: Mon, 21 Nov 2022 09:04:24 GMT
    content-type: text/html
    content-length: 150
    vary: Accept-Encoding
    server: NginX
  • DNS
    bururutu44org.org
    Remote address:
    8.8.8.8:53
    Request
    bururutu44org.org
    IN A
    Response
  • DNS
    nvulukuluir.net
    Remote address:
    8.8.8.8:53
    Request
    nvulukuluir.net
    IN A
    Response
  • DNS
    gulutina49org.org
    Remote address:
    8.8.8.8:53
    Request
    gulutina49org.org
    IN A
    Response
    gulutina49org.org
    IN A
    81.17.18.195
  • POST
    http://gulutina49org.org/
    Remote address:
    81.17.18.195:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://apfyfkxx.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 199
    Host: gulutina49org.org
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Mon, 21 Nov 2022 09:04:24 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=7ef3eac4-697b-11ed-b85d-1a2480b86564; path=/; domain=.gulutina49org.org; expires=Sat, 09 Dec 2090 12:18:32 GMT; max-age=2147483647; HttpOnly
  • DNS
    survey-smiles.com
    Remote address:
    8.8.8.8:53
    Request
    survey-smiles.com
    IN A
    Response
    survey-smiles.com
    IN A
    199.59.243.222
  • GET
    http://survey-smiles.com/
    Remote address:
    199.59.243.222:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Referer: http://apfyfkxx.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: survey-smiles.com
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 21 Nov 2022 09:04:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=1f333651-23b7-cbc1-eb30-ee1df85a2465; expires=Mon, 21-Nov-2022 09:19:25 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_brdkEcxT1faxlwh5pocxc38n+VRnQibNS67GuEJFL4C6i3EvmITttwGExz8+Vw2ALR2tjaa0QWJ8CpCsQG+Dew==
    Cache-Control: no-cache
    Accept-CH: sec-ch-prefers-color-scheme
    Critical-CH: sec-ch-prefers-color-scheme
    Vary: sec-ch-prefers-color-scheme
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
  • DNS
    hulimudulinu.net
    Remote address:
    8.8.8.8:53
    Request
    hulimudulinu.net
    IN A
    Response
  • DNS
    stalnnuytyt.org
    Remote address:
    8.8.8.8:53
    Request
    stalnnuytyt.org
    IN A
    Response
    stalnnuytyt.org
    IN A
    192.187.111.220
  • DNS
    nuluitnulo.me
    Remote address:
    8.8.8.8:53
    Request
    nuluitnulo.me
    IN A
    Response
  • DNS
    youyouumenia5.org
    Remote address:
    8.8.8.8:53
    Request
    youyouumenia5.org
    IN A
    Response
    youyouumenia5.org
    IN A
    81.17.18.197
  • POST
    http://youyouumenia5.org/
    Remote address:
    81.17.18.197:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://vntowik.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 330
    Host: youyouumenia5.org
    Response
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Mon, 21 Nov 2022 09:04:46 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=8bdb313e-697b-11ed-8302-1a24746eca4d; path=/; domain=.youyouumenia5.org; expires=Sat, 09 Dec 2090 12:18:53 GMT; max-age=2147483647; HttpOnly
  • GET
    http://survey-smiles.com/
    Remote address:
    199.59.243.222:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Referer: http://vntowik.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Host: survey-smiles.com
    Response
    HTTP/1.1 200 OK
    Server: openresty
    Date: Mon, 21 Nov 2022 09:04:46 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: parking_session=f63c7cc8-3b93-4af8-9e90-123d6a21f71d; expires=Mon, 21-Nov-2022 09:19:46 GMT; Max-Age=900; path=/; HttpOnly
    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_brdkEcxT1faxlwh5pocxc38n+VRnQibNS67GuEJFL4C6i3EvmITttwGExz8+Vw2ALR2tjaa0QWJ8CpCsQG+Dew==
    Cache-Control: no-cache
    Accept-CH: sec-ch-prefers-color-scheme
    Critical-CH: sec-ch-prefers-color-scheme
    Vary: sec-ch-prefers-color-scheme
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Cache-Control: no-store, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
  • DNS
    guluiiiimnstra.net
    Remote address:
    8.8.8.8:53
    Request
    guluiiiimnstra.net
    IN A
    Response
  Flow summary

  TCP flows. Columns: remote address, domain or URL, protocol, bytes sent, bytes received, packets out, packets in, HTTP request, response status. A blank "Recv" / "In" cell means nothing came back on that flow.

  Remote address       Domain / URL                Proto  Sent    Recv    Out  In   HTTP request                     Status
  93.184.221.240:80                                       322 B           7
  91.195.240.101:80    http://furubujjul.net/      http   912 B   505 B   7    5    POST http://furubujjul.net/      403
  193.106.191.15:80    starvestitibo.org                  260 B           5
  40.74.98.195:443                                        322 B           7
  91.195.240.101:80    http://liubertiyyyul.net/   http   840 B   545 B   7    6    POST http://liubertiyyyul.net/   403
  81.17.18.195:80      http://gulutina49org.org/   http   739 B   614 B   6    6    POST http://gulutina49org.org/   302
  199.59.243.222:80    http://survey-smiles.com/   http   527 B   3.0kB   7    7    GET http://survey-smiles.com/    200
  192.187.111.220:80   stalnnuytyt.org                    260 B           5
  104.80.225.205:443                                      322 B           7
  93.184.221.240:80                                       322 B           7
  93.184.221.240:80                                       322 B           7
  93.184.221.240:80                                       322 B           7
  93.184.221.240:80                                       260 B           5
  81.17.18.197:80      http://youyouumenia5.org/   http   869 B   614 B   6    6    POST http://youyouumenia5.org/   302
  199.59.243.222:80    http://survey-smiles.com/   http   526 B   2.4kB   7    8    GET http://survey-smiles.com/    200
  93.184.221.240:80                                       260 B           5
  93.184.221.240:80                                       260 B           5

  DNS flows, all to resolver 8.8.8.8:53. A blank "A record" cell means a response was received but carried no address.

  Query                Proto  Sent   Recv    Out  In   A record
  furubujjul.net       dns    60 B   76 B    1    1    91.195.240.101
  starvestitibo.org    dns    63 B   79 B    1    1    193.106.191.15
  liubertiyyyul.net    dns    63 B   79 B    1    1    91.195.240.101
  bururutu44org.org    dns    63 B   145 B   1    1
  nvulukuluir.net      dns    61 B   134 B   1    1
  gulutina49org.org    dns    63 B   79 B    1    1    81.17.18.195
  survey-smiles.com    dns    63 B   79 B    1    1    199.59.243.222
  hulimudulinu.net     dns    62 B   135 B   1    1
  stalnnuytyt.org      dns    61 B   77 B    1    1    192.187.111.220
  nuluitnulo.me        dns    59 B   122 B   1    1
  youyouumenia5.org    dns    63 B   79 B    1    1    81.17.18.197
  guluiiiimnstra.net   dns    64 B   137 B   1    1

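The POST pattern in the network section (POST / with a small form-encoded body, the fixed IE11 "Trident/7.0; rv:11.0" user agent, and a Referer naming a domain the host never contacted) is what a network detection can key on. Note also that survey-smiles.com sets a parking_session cookie: gulutina49org.org and youyouumenia5.org redirected to a domain-parking page, while furubujjul.net and liubertiyyyul.net answered 403. The scoring below, an added example that is not part of the report or of tria.ge, counts the client-side traits, so both cases are flagged. It runs over constructed log lines modelled on these requests and assumes a Zeek http.log-like field layout with one JSON object per line; the source IPs and the benign host portal.example / intranet.example are invented for the test data.

```python
"""Score HTTP transaction logs for the SmokeLoader-style beacon seen in this report.

Added example; not part of the tria.ge report. Records follow a Zeek http.log-like
layout (field names are an assumption), one JSON object per line.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0.0.0 Safari/537.36"
FORM = "application/x-www-form-urlencoded"


def _rec(ts, src, host, method, uri, ua, ref, ctype, body_len, status):
    return {"ts": ts, "src": src, "host": host, "method": method, "uri": uri,
            "user_agent": ua, "referrer": ref, "content_type": ctype,
            "request_body_len": body_len, "status": status}


# Constructed log: the four transactions from the report (09:04:03-09:04:25 UTC as
# epoch seconds) plus three benign ones from a second, invented host.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(1669021443, "10.0.0.5", "furubujjul.net", "POST", "/", IE11_UA,
         "http://xnnep.org/", FORM, 332, 403),
    _rec(1669021464, "10.0.0.5", "liubertiyyyul.net", "POST", "/", IE11_UA,
         "http://ynfejjns.net/", FORM, 254, 403),
    _rec(1669021464, "10.0.0.5", "gulutina49org.org", "POST", "/", IE11_UA,
         "http://apfyfkxx.org/", FORM, 199, 302),
    _rec(1669021465, "10.0.0.5", "survey-smiles.com", "GET", "/", IE11_UA,
         "http://apfyfkxx.org/", "", 0, 200),
    _rec(1669021500, "10.0.0.9", "portal.example", "GET", "/", IE11_UA, "", "", 0, 200),
    _rec(1669021510, "10.0.0.9", "portal.example", "POST", "/", IE11_UA,
         "http://portal.example/", FORM, 120, 200),
    _rec(1669021520, "10.0.0.9", "intranet.example", "POST", "/login", CHROME_UA,
         "http://intranet.example/", FORM, 96, 200),
])


def host_of(url):
    """Hostname of a URL, or '' when the field is empty or unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def beacon_indicators(rec, visited_hosts):
    """Names of the beacon traits a single transaction shows.

    visited_hosts: every Host the same source contacted anywhere in the log, used
    to tell a fabricated Referer (site never visited) from a real navigation.
    """
    found = []
    if rec["method"] == "POST" and rec["uri"] == "/":
        found.append("post_to_root")
    if rec["content_type"].startswith(FORM) and 0 < rec["request_body_len"] < 1024:
        found.append("small_form_body")
    if "Trident/7.0; rv:11.0" in rec["user_agent"]:
        found.append("ie11_ua")
    ref_host = host_of(rec["referrer"])
    if ref_host and ref_host != rec["host"] and ref_host not in visited_hosts:
        found.append("unvisited_referer")
    if rec["status"] in (403, 404):
        found.append("denied_response")
    return found


def score_beacons(log_text, min_indicators=4):
    """Map source IP -> [(host, traits)] for transactions matching at least
    min_indicators traits. The live C2s in the report answered 403; a 302 to a
    parking page still scores because the client-side traits are unchanged."""
    recs = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    visited = defaultdict(set)
    for r in recs:
        visited[r["src"]].add(r["host"].lower())
    hits = defaultdict(list)
    for r in recs:
        traits = beacon_indicators(r, visited[r["src"]])
        if len(traits) >= min_indicators:
            hits[r["src"]].append((r["host"], traits))
    return dict(hits)


if __name__ == "__main__":
    for src, flagged in score_beacons(SAMPLE_LOG).items():
        for host, traits in flagged:
            print(f"{src} -> {host}: {', '.join(traits)}")
```

The "unvisited_referer" trait is the one worth keeping even if the user agent string changes between builds: a browser sends a Referer only for a page it actually loaded, so a Referer host that never appears as a destination for that client is a fabricated header. Raising min_indicators to 5 keeps only the two 403 responses, which is useful when a feed should list live C2 rather than every hardcoded domain in the sample's list.
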
MITRE ATT&CK Enterprise v6


Downloads

  • memory/1964-132-0x0000000000718000-0x0000000000729000-memory.dmp

    Filesize

    68KB

  • memory/1964-133-0x00000000006E0000-0x00000000006E9000-memory.dmp

    Filesize

    36KB

  • memory/1964-134-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

  • memory/1964-135-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB
