Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/05/2023, 20:18
General
-
Target
068cc6785e0eccc6e37f1dd67ffcf6f0.bin.exe
-
Size
234KB
-
MD5
068cc6785e0eccc6e37f1dd67ffcf6f0
-
SHA1
fcfb12625183cad04ce2832f9c29908baa8039dc
-
SHA256
fc51e907d00e4bc82fda5bfec4b227e5ebf9c5ecce4acebaa24f17ecdfe5ebe8
-
SHA512
27dd069bd3871277e0527b1e9a12ad99986b7b3e9a0451c3109d64a8280eb1ff169c0e5964b7b0f6306237d6b161bfe5bde7773d6f3d42e5ba84cfba12921cf9
-
SSDEEP
3072:jPNKDILIsTh2BZxOq5APDiYbNL4pW95hbfp1I:d8sThaxOyAPLbNL42bfp1I
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\068cc6785e0eccc6e37f1dd67ffcf6f0.bin.exe"C:\Users\Admin\AppData\Local\Temp\068cc6785e0eccc6e37f1dd67ffcf6f0.bin.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
39.6MB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
44KB