Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7d06e13988...e8.exe

windows7-x64

10

7d06e13988...e8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2022, 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d06e1398824ce24db20af1e5de6eae8.exe

  • Size

    301KB

  • MD5

    7d06e1398824ce24db20af1e5de6eae8

  • SHA1

    fb01ccd6b557431d46278ea95ff13c3ec58ae6c5

  • SHA256

    fbbeaa1e952007ae67e981d3ba3b282e260dba293a2250a7756c2ba4f27ba3aa

  • SHA512

    d03bd3c16dc992a252e367b76c7b9e963ab11c13b90bf4adb457f4195fb23511b9fbb5c11612bd08a536aba20ad5bee65d526bde62d5a62bc28095ea07d4eeee

  • SSDEEP

    6144:5+U5mLNpGWZedB+Aqxro2yiw7n1HbwZoV9J:rwB4WYcAsZw7

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 26 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d06e1398824ce24db20af1e5de6eae8.exe
    "C:\Users\Admin\AppData\Local\Temp\7d06e1398824ce24db20af1e5de6eae8.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4916
  • C:\Users\Admin\AppData\Local\Temp\F002.exe
    C:\Users\Admin\AppData\Local\Temp\F002.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
      2⤵
      • Blocklisted process makes network request
      • Sets DLL path for service in the registry
      • Sets service image path in registry
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14026
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 472
      2⤵
      • Program crash
      PID:3720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2928 -ip 2928
    1⤵
      PID:4208
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3116
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4600
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\s_shared_multi_filetype.dll",OwwvZzQ=
            2⤵
              PID:1872

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Google\Temp\s_shared_multi_filetype.dll
            Filesize

            792KB

            MD5

            cc4076892624e73648aecd5bc94dc8f1

            SHA1

            98702973bbafd6bb645fece1b19f3801304392c2

            SHA256

            9267492278a426fb8912f019f5854f8bcc19ce01ac914c28e9e784f1d78fec81

            SHA512

            4202440d0aee5b6a103d8fe4eab1af63ac763603b3c78671eee99dee7675f86fedccc770e4bba397385937e59851e45e2f7eeda025783408f065075490aa22af

            Download Submit

          • C:\Program Files (x86)\Google\Temp\s_shared_multi_filetype.dll
            Filesize

            792KB

            MD5

            cc4076892624e73648aecd5bc94dc8f1

            SHA1

            98702973bbafd6bb645fece1b19f3801304392c2

            SHA256

            9267492278a426fb8912f019f5854f8bcc19ce01ac914c28e9e784f1d78fec81

            SHA512

            4202440d0aee5b6a103d8fe4eab1af63ac763603b3c78671eee99dee7675f86fedccc770e4bba397385937e59851e45e2f7eeda025783408f065075490aa22af

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\C2RManifest.osmuxmui.msi.16.en-us.xml
            Filesize

            10KB

            MD5

            220ae72aa2505c9276da2056b7e34936

            SHA1

            6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

            SHA256

            afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

            SHA512

            cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp
            Filesize

            3.5MB

            MD5

            defc6e315c1a4999ad9bef9dc2a7d21a

            SHA1

            32caf8d0e6d3e8ae90da549139289a4582d8d89e

            SHA256

            30d76a9cdb10b372cb1e8267ffa96d9112461acaca0c0ef11da64e19e0c5041b

            SHA512

            2bed1af9ca4edd7c896b81aac7c9a84dbc1710872281256b751035bc36e0f239792ece32b4b2ed17f1c92c7e921f5b674992bf6295db3ed429ce13f1d1e926e3

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp
            Filesize

            3.5MB

            MD5

            defc6e315c1a4999ad9bef9dc2a7d21a

            SHA1

            32caf8d0e6d3e8ae90da549139289a4582d8d89e

            SHA256

            30d76a9cdb10b372cb1e8267ffa96d9112461acaca0c0ef11da64e19e0c5041b

            SHA512

            2bed1af9ca4edd7c896b81aac7c9a84dbc1710872281256b751035bc36e0f239792ece32b4b2ed17f1c92c7e921f5b674992bf6295db3ed429ce13f1d1e926e3

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MasterDescriptor.en-us.xml
            Filesize

            28KB

            MD5

            4bee7862d96900a7b0f20d709ffe5af2

            SHA1

            59f4073ff756ee74e83e5d9448e7d6da69f3bf08

            SHA256

            526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63

            SHA512

            ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe.xml
            Filesize

            7KB

            MD5

            e585657cf3525fd22dad5e2409eb9e60

            SHA1

            1c0b9d97bb93098e1d8a162b9725a0d6134dc913

            SHA256

            581fd3d9aa551599bd691b5b23cdc51c48f7f3a65955adf1e1d0fef0a8cfb8b8

            SHA512

            601c03a19bb0d1170db8c3a05ff4a38d209e2ec53426b2048362504b75e3971f40480afd118cd741a52e69ba5a55c61dd4cc488f335be3d67584982009392ced

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\MicrosoftLync2010.xml
            Filesize

            3KB

            MD5

            701beb4f8c252fb3c9f5dbdc94648048

            SHA1

            556ba20475a502b68b7992454be6c64ab355b4ec

            SHA256

            620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

            SHA512

            28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

            Download Submit

          • C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\TELEMETRY.ASM-WINDOWSSQ.json
            Filesize

            53B

            MD5

            6b5c875287b25d64563bd7c830621b66

            SHA1

            df0c4dcbbf3ce6706cae126955b4fcb88be0694a

            SHA256

            9d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d

            SHA512

            608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\F002.exe
            Filesize

            1.1MB

            MD5

            54e4da5b4f70e860806c6453cb9af849

            SHA1

            1da5cb24149011684811df7e841b11341f0ec2cc

            SHA256

            c52eaa66f05cbf87779feb3036a295c2b146f56ada659c656e54f7143b506ae0

            SHA512

            dc3b02a9ad375c14e561f12d366122e0050930c0fe978f0e4da8ddadf46d9360cb4921d681a6c5c29015ad5ee8c5130675a106469074547a88deaa6c9118f354

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\F002.exe
            Filesize

            1.1MB

            MD5

            54e4da5b4f70e860806c6453cb9af849

            SHA1

            1da5cb24149011684811df7e841b11341f0ec2cc

            SHA256

            c52eaa66f05cbf87779feb3036a295c2b146f56ada659c656e54f7143b506ae0

            SHA512

            dc3b02a9ad375c14e561f12d366122e0050930c0fe978f0e4da8ddadf46d9360cb4921d681a6c5c29015ad5ee8c5130675a106469074547a88deaa6c9118f354

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp
            Filesize

            792KB

            MD5

            822d3ead416a1a85cb96e65f65cd5ae2

            SHA1

            af32b69e2835d1cacdadb97ae6dfafccc32d1837

            SHA256

            72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

            SHA512

            48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp
            Filesize

            792KB

            MD5

            822d3ead416a1a85cb96e65f65cd5ae2

            SHA1

            af32b69e2835d1cacdadb97ae6dfafccc32d1837

            SHA256

            72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

            SHA512

            48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

            Download Submit

          • \??\c:\program files (x86)\google\temp\s_shared_multi_filetype.dll
            Filesize

            792KB

            MD5

            cc4076892624e73648aecd5bc94dc8f1

            SHA1

            98702973bbafd6bb645fece1b19f3801304392c2

            SHA256

            9267492278a426fb8912f019f5854f8bcc19ce01ac914c28e9e784f1d78fec81

            SHA512

            4202440d0aee5b6a103d8fe4eab1af63ac763603b3c78671eee99dee7675f86fedccc770e4bba397385937e59851e45e2f7eeda025783408f065075490aa22af

            Download Submit

          • memory/1872-196-0x0000000004720000-0x000000000527D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1872-197-0x0000000004720000-0x000000000527D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2032-168-0x0000000001060000-0x0000000001070000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-142-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-154-0x0000000007840000-0x0000000007850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-155-0x0000000007840000-0x0000000007850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-156-0x0000000001060000-0x0000000001070000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-152-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-136-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-137-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-151-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-150-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-138-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-140-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-139-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-166-0x0000000007840000-0x0000000007850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-167-0x0000000007840000-0x0000000007850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-149-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-141-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-153-0x0000000007810000-0x0000000007820000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-143-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-144-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-145-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-146-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-147-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2032-148-0x0000000007830000-0x0000000007840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2928-165-0x0000000000400000-0x0000000000517000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2928-163-0x0000000000A4C000-0x0000000000B22000-memory.dmp

            Filesize

            856KB

            Download

          • memory/2928-164-0x00000000022E0000-0x00000000023F1000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3268-178-0x000001DA18090000-0x000001DA181D0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-180-0x000001DA18090000-0x000001DA181D0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3268-179-0x00000000002D0000-0x000000000056C000-memory.dmp

            Filesize

            2.6MB

            Download

          • memory/3268-181-0x000001DA16640000-0x000001DA168EE000-memory.dmp

            Filesize

            2.7MB

            Download

          • memory/3876-171-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3876-175-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3876-172-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3876-177-0x0000000004FC9000-0x0000000004FCB000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3876-170-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3876-169-0x00000000055B0000-0x000000000610D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/3876-182-0x00000000055B0000-0x000000000610D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/3876-173-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3876-174-0x0000000004F50000-0x0000000005090000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4600-195-0x0000000004510000-0x000000000506D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/4600-186-0x0000000004510000-0x000000000506D000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/4916-132-0x00000000005D7000-0x00000000005EC000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4916-133-0x00000000005A0000-0x00000000005A9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4916-134-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download

          • memory/4916-135-0x0000000000400000-0x000000000044F000-memory.dmp

            Filesize

            316KB

            Download