Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2023, 22:20
Static task
static1
Behavioral task
behavioral1
Sample
cfgtbvh.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
cfgtbvh.exe
Resource
win10v2004-20230220-en
General
- Target: cfgtbvh.exe
- Size: 237KB
- MD5: 51b3cddd75069bda9deb36fd539442e2
- SHA1: a5183c20f329a3ea3726ce2c8300b0f2654ab531
- SHA256: f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9
- SHA512: 50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c
- SSDEEP: 6144:DL3v+mWnRzxvqRYwqgft1rSVsMAdaV/BaW:D7v+myRtqRYRgX20di/F
Malware Config
- Extracted: smokeloader
  Botnet: pub4
- Extracted: smokeloader
  Version: 2022
  C2 URLs:
    http://aapu.at/tmp/
    http://poudineh.com/tmp/
    http://firsttrusteedrx.ru/tmp/
    http://kingpirate.ru/tmp/
Signatures
- Detect rhadamanthys stealer shellcode (5 IoCs)
  YARA rule family_rhadamanthys matched in these memory dumps of PID 4156:
    behavioral2/memory/4156-151-0x0000000002440000-0x000000000245C000-memory.dmp
    behavioral2/memory/4156-152-0x0000000002440000-0x000000000245C000-memory.dmp
    behavioral2/memory/4156-154-0x0000000002440000-0x000000000245C000-memory.dmp
    behavioral2/memory/4156-164-0x0000000002440000-0x000000000245C000-memory.dmp
    behavioral2/memory/4156-169-0x0000000002480000-0x000000000249C000-memory.dmp
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 4156  EC0A.exe
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Outlook keeps its MAPI profiles, including account settings and DPAPI-protected account passwords, under these keys. Outlook 2013 and later use the per-version Office\<version>\Outlook\Profiles path, earlier releases the Windows Messaging Subsystem path; a stealer that probes all of them covers every Outlook release without knowing which one is installed.
  Key opened by dllhost.exe:
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook
    \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the Enum\SCSI device IDs carry the disk's vendor and model strings, which malware compares against known hypervisor and emulator names.
  Key enumerated by cfgtbvh.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key opened by cfgtbvh.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried by cfgtbvh.exe: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments; ProcessorNameString exposes the CPU model reported by the hypervisor.
  Key opened by dllhost.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried by dllhost.exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3532  cfgtbvh.exe  (2 events)
  PID 2780  Process not Found  (62 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2780  Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3532  cfgtbvh.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2780 (Process not Found) wrote to memory of PID 4156 (procid_target 90), 3 events
  PID 4156 (EC0A.exe) wrote to memory of PID 4760 (procid_target 91), 4 events
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoC)
  Key opened by dllhost.exe: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Key opened by dllhost.exe: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
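The registry signatures above (SCSI and CentralProcessor reads, Outlook profile reads) and the WriteProcessMemory edges are more useful together than apart: dllhost.exe is a legitimate COM surrogate, so its Outlook-profile reads only stand out once they are tied to the process that wrote into it. The script below is an added example, not part of the Triage report or of Triage's signature engine. It takes the registry IoCs and WriteProcessMemory edges transcribed from this report (the PIDs on the registry events are taken from the Processes section: cfgtbvh.exe is 3532, dllhost.exe is 4760), normalizes the kernel `\REGISTRY\...` paths to hive form with the per-machine SID replaced, classifies each key, and walks the injection edges back to the first writer. The category names and all helper functions are this example's own.

```python
"""Correlate registry IoCs with WriteProcessMemory edges from a Triage report.

Added example, not part of the report. Events are transcribed from the
Signatures section; PIDs on registry events come from the Processes section.
Category names and helpers are this example's own.
"""
import re

# Transcribed registry events: (operation, kernel key path, process image, pid)
REG_EVENTS = [
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", "cfgtbvh.exe", 3532),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", "cfgtbvh.exe", 3532),
    ("Key queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", "cfgtbvh.exe", 3532),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "dllhost.exe", 4760),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     "dllhost.exe", 4760),
    ("Key opened",
     r"\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook",
     "dllhost.exe", 4760),
    ("Key opened",
     r"\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
     "dllhost.exe", 4760),
]

# Transcribed WriteProcessMemory edges: (writer pid, writer image, target pid)
WPM_EVENTS = [
    (2780, "Process not Found", 4156),
    (4156, "EC0A.exe", 4760),
]

# Kernel paths use \REGISTRY\MACHINE and \REGISTRY\USER\<SID>. The SID differs
# per machine, so it is replaced by a placeholder before pattern matching.
SID_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21(?:-\d+)+)\\", re.IGNORECASE)
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"

RULES = [
    # SCSI device IDs and CPU name strings reveal hypervisor vendors; reading
    # them is the usual first step of a sandbox check.
    ("anti_sandbox_scsi", re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Enum\\SCSI", re.IGNORECASE)),
    ("anti_sandbox_cpu", re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", re.IGNORECASE)),
    # Outlook MAPI profile stores: per-Office-version path and the older
    # Windows Messaging Subsystem path.
    ("outlook_office_profiles",
     re.compile(r"^HKU\\<SID>\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.IGNORECASE)),
    ("outlook_wms_profiles",
     re.compile(r"^HKU\\<SID>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles",
                re.IGNORECASE)),
]


def normalize_key(key: str) -> str:
    """Map a kernel registry path to HKLM\\... or HKU\\<SID>\\... form."""
    if key.upper().startswith(MACHINE_PREFIX):
        return "HKLM\\" + key[len(MACHINE_PREFIX):]
    m = SID_RE.match(key)
    if m:
        return "HKU\\<SID>\\" + key[m.end():]
    return key


def classify(key: str):
    """Return the first matching category name, or None for uninteresting keys."""
    norm = normalize_key(key)
    for name, pattern in RULES:
        if pattern.match(norm):
            return name
    return None


def injection_chain(pid: int, wpm_events) -> list:
    """Walk WriteProcessMemory edges backwards from pid to the first writer."""
    writer_of = {target: writer for writer, _image, target in wpm_events}
    chain, seen = [pid], {pid}
    while chain[0] in writer_of and writer_of[chain[0]] not in seen:
        chain.insert(0, writer_of[chain[0]])
        seen.add(chain[0])
    return chain


def triage(reg_events, wpm_events) -> dict:
    """Per-PID categories plus the injection chain that led to the process."""
    by_pid = {}
    for _op, key, image, pid in reg_events:
        entry = by_pid.setdefault(pid, {"image": image, "categories": set()})
        cat = classify(key)
        if cat:
            entry["categories"].add(cat)
    for pid, entry in by_pid.items():
        entry["chain"] = injection_chain(pid, wpm_events)
        injected = len(entry["chain"]) > 1
        reads_outlook = any(c.startswith("outlook_") for c in entry["categories"])
        # A process that another process wrote into and that then reads mail
        # profiles is the stealer payload, not a legitimate COM surrogate.
        entry["credential_access_from_injected_process"] = injected and reads_outlook
    return by_pid


if __name__ == "__main__":
    for pid, entry in triage(REG_EVENTS, WPM_EVENTS).items():
        chain = " -> ".join(str(p) for p in entry["chain"])
        print(f"{entry['image']} ({pid}): {sorted(entry['categories'])}; chain {chain}; "
              f"flag={entry['credential_access_from_injected_process']}")
```

Run as-is, it reports cfgtbvh.exe (3532) with only the SCSI anti-sandbox category and no writer, and dllhost.exe (4760) with the CPU check plus both Outlook profile categories behind the chain 2780 -> 4156 -> 4760, so only the dllhost.exe entry raises the combined flag. Matching on the normalized path rather than the raw kernel path is what lets one rule cover every ControlSet number and every user SID.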
Processes
- C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe (PID 3532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe"
  Signatures:
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EC0A.exe (PID 4156)
  Command line: C:\Users\Admin\AppData\Local\Temp\EC0A.exe
  Signatures:
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
  Child process: C:\Windows\system32\dllhost.exe (PID 4760)
    Command line: "C:\Windows\system32\dllhost.exe"
    Signatures:
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      outlook_office_path
      outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Downloaded file (two identical entries, same hashes)
  Filesize: 332KB
  MD5: b0d324176fa2559bfeb2e8d6ce117d58
  SHA1: 8967469bcca172d5a15b9aeed141a3e970ba2abf
  SHA256: 39492cb6b44ab5111fc433cfb989e5dea977a23773660e2dede758746549454d
  SHA512: 9c3edbd5ed28ef054b70b2184fb659305cadb4150db04a9effb12774240e1a2b5c20c66e0b0fe3594a0890e3bc7573075d8f8850923d734b9eaa631c7836656c