Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

99c0cf1dd3...45.exe

windows7-x64

10

99c0cf1dd3...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2023, 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99c0cf1dd3e620333c751d7b28d85d76c239c7fafcdaa71aeda4dc9b76c77145.exe

  • Size

    30KB

  • MD5

    01097d203000288cc8ef629b9b830dd2

  • SHA1

    c6eec303a933ce067f5d8ac49c6efb21f61142e6

  • SHA256

    99c0cf1dd3e620333c751d7b28d85d76c239c7fafcdaa71aeda4dc9b76c77145

  • SHA512

    8fc00b2bd23606edeee5fd48b51f62245e491698c88461889c2fd79b60ab3e9bdb540beb4c34716d88d83806868619f5af6455742fe585959dbf26541e808afb

  • SSDEEP

    384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\99c0cf1dd3e620333c751d7b28d85d76c239c7fafcdaa71aeda4dc9b76c77145.exe
    "C:\Users\Admin\AppData\Local\Temp\99c0cf1dd3e620333c751d7b28d85d76c239c7fafcdaa71aeda4dc9b76c77145.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1912
  • C:\Users\Admin\AppData\Local\Temp\D28B.exe
    C:\Users\Admin\AppData\Local\Temp\D28B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\AZUAWK.CPL",
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AZUAWK.CPL",
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AZUAWK.CPL",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1144
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\AZUAWK.CPL",
            5⤵
            • Loads dropped DLL
            PID:972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AZUAWK.CPL
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D28B.exe
    Filesize

    1.5MB

    MD5

    985f48adeb0b295a4975f767303e2a09

    SHA1

    89709c33a4fb3683b4932bbd93f0857bfdd746e3

    SHA256

    1bbe3ed2b3cbc696f1ffdf45dd12b02f367ff165e5ffe12bb3efb82104817eea

    SHA512

    5e105ab03e00ec9b91d7efc65fdc786cc6be2d10f8f7d9d4caa3742c4fae6c6085dc789f2ccb3320c59bc31bbabf2f06161e43a18490b07c5095566746729832

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D28B.exe
    Filesize

    1.5MB

    MD5

    985f48adeb0b295a4975f767303e2a09

    SHA1

    89709c33a4fb3683b4932bbd93f0857bfdd746e3

    SHA256

    1bbe3ed2b3cbc696f1ffdf45dd12b02f367ff165e5ffe12bb3efb82104817eea

    SHA512

    5e105ab03e00ec9b91d7efc65fdc786cc6be2d10f8f7d9d4caa3742c4fae6c6085dc789f2ccb3320c59bc31bbabf2f06161e43a18490b07c5095566746729832

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\AZUAWK.cpl
    Filesize

    1.2MB

    MD5

    6678ff541ad68a47a8bbbe217ab739f8

    SHA1

    3a43e3a903f217b3dae55837877bfa53f6db0019

    SHA256

    f9e2d9fb4044a1025e27eaa3280db5cb042be491edbe29d3c86f543377f99d17

    SHA512

    b9541aa2a54383ba55ce7cce13434d8a82c4d77eda39e8144f903af0ff74a2d8f712ca2abe437b4094b18ec19c3f8a337a15c2fc12c0d14181f35b986f4c4db6

    Download Submit

  • memory/972-96-0x0000000002780000-0x0000000002878000-memory.dmp

    Filesize

    992KB

    Download

  • memory/972-100-0x0000000002880000-0x000000000295F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/972-97-0x0000000002880000-0x000000000295F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/972-101-0x0000000002880000-0x000000000295F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/972-90-0x00000000021B0000-0x00000000022E3000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/972-91-0x00000000021B0000-0x00000000022E3000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/972-92-0x00000000001F0000-0x00000000001F6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1204-54-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1912-53-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1912-55-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2700-74-0x0000000002440000-0x0000000002573000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2700-85-0x00000000026A0000-0x000000000277F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2700-84-0x00000000026A0000-0x000000000277F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2700-81-0x00000000026A0000-0x000000000277F000-memory.dmp

    Filesize

    892KB

    Download

  • memory/2700-80-0x0000000002020000-0x0000000002118000-memory.dmp

    Filesize

    992KB

    Download

  • memory/2700-76-0x0000000000180000-0x0000000000186000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2700-75-0x0000000002440000-0x0000000002573000-memory.dmp

    Filesize

    1.2MB

    Download