Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2023, 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d1085ca99904e2f7d26eb2e2b040929c00d5a3d6e39437b53b6b7aaab8bd690.exe

  • Size

    327KB

  • MD5

    517bbd12525eb7512758c6b2d8e989e6

  • SHA1

    2be931f4dba7b0eb558ee4dc162a602ef4939212

  • SHA256

    6d1085ca99904e2f7d26eb2e2b040929c00d5a3d6e39437b53b6b7aaab8bd690

  • SHA512

    7d1495d38f51fe40582c932bec31b07583ed4f55ba96ef46476080ca002105d0476d7d6a3241a79d2f232d855bce20a2333631b0f6c9ac49009d45edecc0738e

  • SSDEEP

    6144:C/d5XLV4HxrAxdSMW7G64yyNES5byDqCFNsY6:C/rV4HxOdxnyxOC4Y

Score
10/10
smokeloaderbackdoorspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d1085ca99904e2f7d26eb2e2b040929c00d5a3d6e39437b53b6b7aaab8bd690.exe
    "C:\Users\Admin\AppData\Local\Temp\6d1085ca99904e2f7d26eb2e2b040929c00d5a3d6e39437b53b6b7aaab8bd690.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4644
  • C:\Users\Admin\AppData\Local\Temp\F91A.exe
    C:\Users\Admin\AppData\Local\Temp\F91A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp",Edoqqdswdffqipe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23759
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3456
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 528
      2⤵
      • Program crash
      PID:1708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2524 -ip 2524
    1⤵
      PID:400
    • C:\Users\Admin\AppData\Local\Temp\2C22.exe
      C:\Users\Admin\AppData\Local\Temp\2C22.exe
      1⤵
      • Executes dropped EXE
      PID:744
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4880

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2C22.exe
        Filesize

        347KB

        MD5

        48f7c8c84eee4a6cd6f00666bacb5119

        SHA1

        f4affe861ba52a3d1efcc3e4cd421ab79b0fb66d

        SHA256

        727f18733aa96b80ed4a42b4543d746230f8d3a0ac13931f8ca1935d3cd1c96d

        SHA512

        e0e17e915e12bce368dc123c5068c597424940fcf5c9c6c844afb810d4d002552cf9087b6f8509c7d0a907c150299c373c0251a34718c3066718ecafb336cc32

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2C22.exe
        Filesize

        347KB

        MD5

        48f7c8c84eee4a6cd6f00666bacb5119

        SHA1

        f4affe861ba52a3d1efcc3e4cd421ab79b0fb66d

        SHA256

        727f18733aa96b80ed4a42b4543d746230f8d3a0ac13931f8ca1935d3cd1c96d

        SHA512

        e0e17e915e12bce368dc123c5068c597424940fcf5c9c6c844afb810d4d002552cf9087b6f8509c7d0a907c150299c373c0251a34718c3066718ecafb336cc32

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\F91A.exe
        Filesize

        1.1MB

        MD5

        c52b5a08f94b85f9c6cd41f67e6efe96

        SHA1

        979a16f04b050882755eac98f52cf934a529f26a

        SHA256

        33ce3667901ba42f04678e49b2153420e0b85094d8c3640077cabc751f348f55

        SHA512

        541baa8922f43d2e625f0d1b9005ee72f56f1a263833bdfe6d5e978d839613fe27f25758e5b801e878d276963b4aeb856e18275dae61b63b68a00aaec7858eba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\F91A.exe
        Filesize

        1.1MB

        MD5

        c52b5a08f94b85f9c6cd41f67e6efe96

        SHA1

        979a16f04b050882755eac98f52cf934a529f26a

        SHA256

        33ce3667901ba42f04678e49b2153420e0b85094d8c3640077cabc751f348f55

        SHA512

        541baa8922f43d2e625f0d1b9005ee72f56f1a263833bdfe6d5e978d839613fe27f25758e5b801e878d276963b4aeb856e18275dae61b63b68a00aaec7858eba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
        Filesize

        752KB

        MD5

        710af73b2d7e92d33fac751318c08101

        SHA1

        2208c96a528b1d96e18ae47ab274f303e4099fff

        SHA256

        72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

        SHA512

        1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Qytyaworpiotpd.tmp
        Filesize

        752KB

        MD5

        710af73b2d7e92d33fac751318c08101

        SHA1

        2208c96a528b1d96e18ae47ab274f303e4099fff

        SHA256

        72021339c18f79141f9867c30616cbbdc517471e44d16bfe81063e5c7dba56c3

        SHA512

        1f19138b8412b871ccf33ec351d28157b6571bc02cb1d338fc4c06bd77e9518bbdb3392d63b9bcdde2bd94746c232f90b4796363f83cecfd49e0470b6495ac1a

        Download Submit

      • memory/388-160-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-159-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-186-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-165-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-184-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-171-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-169-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-164-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-185-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-163-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-148-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-149-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-150-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-151-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-152-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-153-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-154-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-155-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-156-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-157-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-158-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-166-0x0000000006F90000-0x0000000006FA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-162-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/388-161-0x00000000022C0000-0x00000000022D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/744-167-0x000000000065E000-0x0000000000678000-memory.dmp

        Filesize

        104KB

        Download

      • memory/744-172-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/744-168-0x00000000005B0000-0x00000000005DA000-memory.dmp

        Filesize

        168KB

        Download

      • memory/744-170-0x0000000000400000-0x000000000045C000-memory.dmp

        Filesize

        368KB

        Download

      • memory/944-179-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/944-178-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/944-190-0x00000000046B0000-0x000000000520B000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/944-187-0x00000000041F9000-0x00000000041FB000-memory.dmp

        Filesize

        8KB

        Download

      • memory/944-177-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/944-173-0x00000000046B0000-0x000000000520B000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/944-174-0x00000000046B0000-0x000000000520B000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/944-176-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/944-175-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/944-180-0x0000000004180000-0x00000000042C0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2524-143-0x0000000002330000-0x0000000002450000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2524-142-0x00000000020A5000-0x0000000002186000-memory.dmp

        Filesize

        900KB

        Download

      • memory/2524-144-0x0000000000400000-0x0000000000525000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3456-183-0x000001EF7C1A0000-0x000001EF7C2E0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3456-182-0x000001EF7C1A0000-0x000001EF7C2E0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3456-188-0x00000000003B0000-0x000000000065A000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/3456-189-0x000001EF7A740000-0x000001EF7A9FB000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4644-132-0x00000000004AE000-0x00000000004C3000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4644-133-0x0000000000610000-0x0000000000619000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4644-135-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download

      • memory/4644-134-0x0000000000400000-0x0000000000458000-memory.dmp

        Filesize

        352KB

        Download