Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05/03/2023, 07:29
General
-
Target
1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be.exe
-
Size
179KB
-
MD5
8e34b1f2f8dde77647df4a288d2d0892
-
SHA1
3a999eee6560c3e734b6e15b955830b3a3d1ed39
-
SHA256
1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be
-
SHA512
b960d0b497d8942b1ed7c52709b5fd1b173875a4ffc375399c8c01e3d0180e766a5f276980560ac340d89b03e4547880401cba4271fbb7ea01aaa0bdbeb2e099
-
SSDEEP
3072:oF8J9qXc9beLdp2CE1XbqZt7LdeibCTK94phdwnRztlXB9R:f4XMbeLlEhbELLb264phdwnR5lX
Malware Config
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
Detects Smokeloader packer 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be.exe"C:\Users\Admin\AppData\Local\Temp\1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be.exe"C:\Users\Admin\AppData\Local\Temp\1d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Roaming\gtrvvhrC:\Users\Admin\AppData\Roaming\gtrvvhr1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gtrvvhrC:\Users\Admin\AppData\Roaming\gtrvvhr2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
179KB
MD58e34b1f2f8dde77647df4a288d2d0892
SHA13a999eee6560c3e734b6e15b955830b3a3d1ed39
SHA2561d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be
SHA512b960d0b497d8942b1ed7c52709b5fd1b173875a4ffc375399c8c01e3d0180e766a5f276980560ac340d89b03e4547880401cba4271fbb7ea01aaa0bdbeb2e099
-
Filesize
179KB
MD58e34b1f2f8dde77647df4a288d2d0892
SHA13a999eee6560c3e734b6e15b955830b3a3d1ed39
SHA2561d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be
SHA512b960d0b497d8942b1ed7c52709b5fd1b173875a4ffc375399c8c01e3d0180e766a5f276980560ac340d89b03e4547880401cba4271fbb7ea01aaa0bdbeb2e099
-
Filesize
179KB
MD58e34b1f2f8dde77647df4a288d2d0892
SHA13a999eee6560c3e734b6e15b955830b3a3d1ed39
SHA2561d7437d860a392e93ea83ebe6b11a9a127d95c70699c576900a828ab869676be
SHA512b960d0b497d8942b1ed7c52709b5fd1b173875a4ffc375399c8c01e3d0180e766a5f276980560ac340d89b03e4547880401cba4271fbb7ea01aaa0bdbeb2e099
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB