Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
30/06/2023, 14:08
General
-
Target
DaHostexeexeexe.exe
-
Size
299KB
-
MD5
dabf4bf05dadea76f0a7b346eee48844
-
SHA1
1ea751f2c11f8f57f80cdc30826e38a551761828
-
SHA256
4fce1d0099d746c09f6e7a8ae41882cbb95070ab24843b1516b8a74ce65d3701
-
SHA512
8dc5a9d442fd6b95ab3a1a682ad80451131da2e5f74cc741b4bd4badfbbb31f002098c79c62ef77c4677703aefc2a698e2f97becd94b1ac0d58cd71629b73f23
-
SSDEEP
3072:12zYpE8kiiX63a0mkBxKvQ5RN3vKdjSj0mRLRLh7EkHot:cMO8kWK0mkTKo5RpvUcp9Ew
Malware Config
Extracted
smokeloader
2022
http://suprememax.ga/
http://bloomberg.ga/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 16 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DaHostexeexeexe.exe"C:\Users\Admin\AppData\Local\Temp\DaHostexeexeexe.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\gvaedvdC:\Users\Admin\AppData\Roaming\gvaedvd1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
299KB
MD5dabf4bf05dadea76f0a7b346eee48844
SHA11ea751f2c11f8f57f80cdc30826e38a551761828
SHA2564fce1d0099d746c09f6e7a8ae41882cbb95070ab24843b1516b8a74ce65d3701
SHA5128dc5a9d442fd6b95ab3a1a682ad80451131da2e5f74cc741b4bd4badfbbb31f002098c79c62ef77c4677703aefc2a698e2f97becd94b1ac0d58cd71629b73f23
-
Filesize
299KB
MD5dabf4bf05dadea76f0a7b346eee48844
SHA11ea751f2c11f8f57f80cdc30826e38a551761828
SHA2564fce1d0099d746c09f6e7a8ae41882cbb95070ab24843b1516b8a74ce65d3701
SHA5128dc5a9d442fd6b95ab3a1a682ad80451131da2e5f74cc741b4bd4badfbbb31f002098c79c62ef77c4677703aefc2a698e2f97becd94b1ac0d58cd71629b73f23
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
512KB
-
Filesize
5.2MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
84KB
-
Filesize
5.2MB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB