Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
08/05/2023, 23:37
General
-
Target
49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe
-
Size
322KB
-
MD5
f9b1d55654308e893e49ec62c9ea5aa7
-
SHA1
dd8604a3ff8e6a7fb284cbb703143311b5072dd8
-
SHA256
49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9
-
SHA512
000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245
-
SSDEEP
3072:SPapJc+lYWQGGiZaSptQ5Xem0qGsF0doQZC66YrrMWUfN0c9tVtbCaS0GRPma:Si7OQvpS5XeNBLZC66SYRB99i
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe"C:\Users\Admin\AppData\Local\Temp\49fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\rceefarC:\Users\Admin\AppData\Roaming\rceefar1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
322KB
MD5f9b1d55654308e893e49ec62c9ea5aa7
SHA1dd8604a3ff8e6a7fb284cbb703143311b5072dd8
SHA25649fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9
SHA512000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245
-
Filesize
322KB
MD5f9b1d55654308e893e49ec62c9ea5aa7
SHA1dd8604a3ff8e6a7fb284cbb703143311b5072dd8
SHA25649fd772c6007383b249067c367f1250415c5e66f76002163ecba38fb4bc6c6f9
SHA512000bc79f49c6bea78d807a3adcb3da0366f1ae35c4e5929046e2b05f176d6eda70f7b88a23d51d0b7781b7d406d8eb9bb35c20ffb6d3b539046bb3fb12bda245
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
4.0MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
60KB