Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
16/05/2023, 18:00
General
-
Target
0b1780772e521630e77a1f6b32201bed228a9c97134c9f462d5ac8d6b08ccae4.exe
-
Size
313KB
-
MD5
4db73a32cecfa765907e892b7aea8345
-
SHA1
c420d45d39f21d01bfc71eafd0750fe3cc256a63
-
SHA256
0b1780772e521630e77a1f6b32201bed228a9c97134c9f462d5ac8d6b08ccae4
-
SHA512
0007ffba3eb76a2240da84b5b8138d939dd512a6ffb59f83dfce730c5dcf06635b408c5b20bfbd99d254530e0f8bd5deb6f60b4ef49e1b5b6f558e2d3f9fd9a1
-
SSDEEP
3072:iAXPGgaSaDNJOanCLg3Tcjke0m4gyRAY0+qryYIu+PKPSvNO644vKSgI5gPc3Pgc:3+Sa5MfLgjcwTYyRAYBqryXq4SZOc
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b1780772e521630e77a1f6b32201bed228a9c97134c9f462d5ac8d6b08ccae4.exe"C:\Users\Admin\AppData\Local\Temp\0b1780772e521630e77a1f6b32201bed228a9c97134c9f462d5ac8d6b08ccae4.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F23.exeC:\Users\Admin\AppData\Local\Temp\F23.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
4.5MB
MD5019cba45c206e0f3606dfb4382d054b1
SHA178b1f1139ef9784b7736a54958c57adf7758bcf3
SHA2565acc5d15323119465e4a0aa18ee7620b7a84428d708211e77b109c516324754f
SHA512789be0deee9ba04903ca7a30dd2ae70d060a2e3240fd9d96262dc62c31613206dc16048ed6628919ad67f9edb173ee3d339798cf07a3a4829dbec46c69760991
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
964KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
2.9MB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB