Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/01/2023, 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    212KB

  • MD5

    28900a37a284467d9f9a0769105cedc4

  • SHA1

    12f1fd222b75aa3effa9e4ef17b74d9b5affc979

  • SHA256

    5465e10d6534d16d2ca844714d0f03da4f78fa1726252f32f54c436fcd6145b4

  • SHA512

    f64a1d9815176e2892d2513b0740604b3850a10ccbc4e31ca3f5cadc929f21073de3f35ba0bbb40cf1b5097c5527ca29c0dd8e578daaa1fc884d0c4ba0c084c4

  • SSDEEP

    3072:O0XhY7SvLCGxJDhniq+R5z5BqDHWbORdzh9EOl7T4/Cvk:OwlLCGx7i9R52rbdvR

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 23 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4996
  • C:\Users\Admin\AppData\Local\Temp\FEF6.exe
    C:\Users\Admin\AppData\Local\Temp\FEF6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rewurtuihyfrtty.dll,start
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14118
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 480
      2⤵
      • Program crash
      PID:4640
  • C:\Users\Admin\AppData\Roaming\shesurb
    C:\Users\Admin\AppData\Roaming\shesurb
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1300
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4624 -ip 4624
    1⤵
      PID:1648
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2388

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\FEF6.exe
        Filesize

        3.7MB

        MD5

        e7c4f8fa014ac2eb81c2d4368ed28953

        SHA1

        f6dcfaab307479cad7b03624b26474e5eccee5f3

        SHA256

        cd2c2cd15f57ed2f6ff4a8e431fab91b541515ac5d2596e186a90190d445dff2

        SHA512

        59f8bb582ed2f09f4c08aa5f824407f0e1b20186071e859c897230902e7bf9aaf6e620bcd8c302ca4bbace4229b4bd801622d254344ba065e95be26ebd40ccd6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\FEF6.exe
        Filesize

        3.7MB

        MD5

        e7c4f8fa014ac2eb81c2d4368ed28953

        SHA1

        f6dcfaab307479cad7b03624b26474e5eccee5f3

        SHA256

        cd2c2cd15f57ed2f6ff4a8e431fab91b541515ac5d2596e186a90190d445dff2

        SHA512

        59f8bb582ed2f09f4c08aa5f824407f0e1b20186071e859c897230902e7bf9aaf6e620bcd8c302ca4bbace4229b4bd801622d254344ba065e95be26ebd40ccd6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Rewurtuihyfrtty.dll
        Filesize

        4.3MB

        MD5

        0cf33e9defed769e99bb375480518d07

        SHA1

        099b8b21a8f6fec81789ce033b39d693d6732d85

        SHA256

        66d881b9e631d9e8b645dd88129c786dceca1c3bf0cd7ef444157415a59e7a98

        SHA512

        5103c63508d3630aa8a9cd0d5fb1dc79dc62f67585e5dce311e190099ad66cd1a9ebf5eb17076ec1b5efd235e2b3c5f5340b8689cecfecfa6cfc77f31dce2a1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Rewurtuihyfrtty.dll
        Filesize

        4.3MB

        MD5

        0cf33e9defed769e99bb375480518d07

        SHA1

        099b8b21a8f6fec81789ce033b39d693d6732d85

        SHA256

        66d881b9e631d9e8b645dd88129c786dceca1c3bf0cd7ef444157415a59e7a98

        SHA512

        5103c63508d3630aa8a9cd0d5fb1dc79dc62f67585e5dce311e190099ad66cd1a9ebf5eb17076ec1b5efd235e2b3c5f5340b8689cecfecfa6cfc77f31dce2a1c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Rewurtuihyfrtty.dll
        Filesize

        4.3MB

        MD5

        0cf33e9defed769e99bb375480518d07

        SHA1

        099b8b21a8f6fec81789ce033b39d693d6732d85

        SHA256

        66d881b9e631d9e8b645dd88129c786dceca1c3bf0cd7ef444157415a59e7a98

        SHA512

        5103c63508d3630aa8a9cd0d5fb1dc79dc62f67585e5dce311e190099ad66cd1a9ebf5eb17076ec1b5efd235e2b3c5f5340b8689cecfecfa6cfc77f31dce2a1c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\shesurb
        Filesize

        212KB

        MD5

        28900a37a284467d9f9a0769105cedc4

        SHA1

        12f1fd222b75aa3effa9e4ef17b74d9b5affc979

        SHA256

        5465e10d6534d16d2ca844714d0f03da4f78fa1726252f32f54c436fcd6145b4

        SHA512

        f64a1d9815176e2892d2513b0740604b3850a10ccbc4e31ca3f5cadc929f21073de3f35ba0bbb40cf1b5097c5527ca29c0dd8e578daaa1fc884d0c4ba0c084c4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\shesurb
        Filesize

        212KB

        MD5

        28900a37a284467d9f9a0769105cedc4

        SHA1

        12f1fd222b75aa3effa9e4ef17b74d9b5affc979

        SHA256

        5465e10d6534d16d2ca844714d0f03da4f78fa1726252f32f54c436fcd6145b4

        SHA512

        f64a1d9815176e2892d2513b0740604b3850a10ccbc4e31ca3f5cadc929f21073de3f35ba0bbb40cf1b5097c5527ca29c0dd8e578daaa1fc884d0c4ba0c084c4

        Download Submit

      • memory/1300-147-0x0000000000400000-0x0000000002B9D000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/1300-146-0x0000000000400000-0x0000000002B9D000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/1300-145-0x0000000002E58000-0x0000000002E68000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1988-162-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-164-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-171-0x0000000003290000-0x0000000003E16000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/1988-168-0x0000000003F99000-0x0000000003F9B000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1988-163-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-161-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-160-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-159-0x0000000003F20000-0x0000000004060000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1988-158-0x0000000003290000-0x0000000003E16000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/1988-152-0x00000000020B0000-0x00000000024FF000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/1988-153-0x00000000020B0000-0x00000000024FF000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/1988-157-0x0000000003290000-0x0000000003E16000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/1988-155-0x00000000020B0000-0x00000000024FF000-memory.dmp

        Filesize

        4.3MB

        Download

      • memory/1988-156-0x0000000003290000-0x0000000003E16000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/3016-170-0x00000159D6340000-0x00000159D65F3000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/3016-169-0x0000000000FE0000-0x0000000001282000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/3016-167-0x00000159D7DA0000-0x00000159D7EE0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3016-166-0x00000159D7DA0000-0x00000159D7EE0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4624-139-0x0000000004C50000-0x0000000004FD3000-memory.dmp

        Filesize

        3.5MB

        Download

      • memory/4624-154-0x0000000000400000-0x0000000002F10000-memory.dmp

        Filesize

        43.1MB

        Download

      • memory/4624-142-0x0000000000400000-0x0000000002F10000-memory.dmp

        Filesize

        43.1MB

        Download

      • memory/4624-140-0x0000000004FE0000-0x00000000054C0000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/4624-141-0x0000000000400000-0x0000000002F10000-memory.dmp

        Filesize

        43.1MB

        Download

      • memory/4996-132-0x0000000002CE9000-0x0000000002CF9000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4996-135-0x0000000000400000-0x0000000002B9D000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/4996-134-0x0000000000400000-0x0000000002B9D000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/4996-133-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

        Filesize

        36KB

        Download