Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    58s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/03/2023, 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e.exe

  • Size

    261KB

  • MD5

    d928fd4d1871b145f8ac5e522cf4ee10

  • SHA1

    e508d3cf0c2bca37c0ecb7a415c2fe7ac5e5f3d3

  • SHA256

    7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e

  • SHA512

    c10bda22063354526ab630551ccf0403c0af7b9452965da992c1f140ea069d8d22cb01b88b478c0b71c6f53d00e974d05838f54bd66e3406dec8a3305811511c

  • SSDEEP

    3072:qWYs2Lu3IRoHT/3fFG3mkUPWI0n/5JrpXGP3yE1HSx+fF8Py6m9k4PGVoDNb:94L/aL6JplE1ygfD9kKAMNb

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e.exe
    "C:\Users\Admin\AppData\Local\Temp\7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e.exe
      "C:\Users\Admin\AppData\Local\Temp\7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3380
  • C:\Users\Admin\AppData\Roaming\stsdjaw
    C:\Users\Admin\AppData\Roaming\stsdjaw
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Roaming\stsdjaw
      C:\Users\Admin\AppData\Roaming\stsdjaw
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\stsdjaw
    Filesize

    261KB

    MD5

    d928fd4d1871b145f8ac5e522cf4ee10

    SHA1

    e508d3cf0c2bca37c0ecb7a415c2fe7ac5e5f3d3

    SHA256

    7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e

    SHA512

    c10bda22063354526ab630551ccf0403c0af7b9452965da992c1f140ea069d8d22cb01b88b478c0b71c6f53d00e974d05838f54bd66e3406dec8a3305811511c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\stsdjaw
    Filesize

    261KB

    MD5

    d928fd4d1871b145f8ac5e522cf4ee10

    SHA1

    e508d3cf0c2bca37c0ecb7a415c2fe7ac5e5f3d3

    SHA256

    7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e

    SHA512

    c10bda22063354526ab630551ccf0403c0af7b9452965da992c1f140ea069d8d22cb01b88b478c0b71c6f53d00e974d05838f54bd66e3406dec8a3305811511c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\stsdjaw
    Filesize

    261KB

    MD5

    d928fd4d1871b145f8ac5e522cf4ee10

    SHA1

    e508d3cf0c2bca37c0ecb7a415c2fe7ac5e5f3d3

    SHA256

    7d4ed405992f3e2bddb0e4401eb3a1c1306474e09ee3b680f006d5967d12756e

    SHA512

    c10bda22063354526ab630551ccf0403c0af7b9452965da992c1f140ea069d8d22cb01b88b478c0b71c6f53d00e974d05838f54bd66e3406dec8a3305811511c

    Download Submit

  • memory/2728-138-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2728-140-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3196-125-0x0000000000F90000-0x0000000000FA6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3196-139-0x0000000001020000-0x0000000001036000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3380-123-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3380-124-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3380-126-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4044-122-0x00000000001D0000-0x00000000001D9000-memory.dmp

    Filesize

    36KB

    Download