Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

RFQ# RE-2301707.xls

windows7-x64

10

RFQ# RE-2301707.xls

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2023, 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ# RE-2301707.xls

  • Size

    1.2MB

  • MD5

    b9b21e99991c542b6c2298548c004f28

  • SHA1

    09ab1bbc0baff1fee59e5409303297d9d2e80c47

  • SHA256

    ceeb7b4c98464f0429796c743d1c78e2d18c331c4e7c87448440726b7531e1d1

  • SHA512

    a9693452c08a496ec9063500d328d0772b45fc4b688557497593cda36cc291d760b70af3fce5b308d73ecc227f0ae0408365b3177e3185337624c2e226028713

  • SSDEEP

    24576:90nKZyUw6Vtln+Zykw6VINX0wI6XiHP5n2wyL/gGD1p3H:90U06Vtlok6V+X35iPdxe/gON

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cletonmy.com/

http://alpatrik.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 12 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ# RE-2301707.xls"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2592
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
      "C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe"
      2⤵
      • Checks QEMU agent file
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
        "C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe"
        3⤵
        • Checks QEMU agent file
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E821A7AE.emf
    Filesize

    1.4MB

    MD5

    a01b9617553432807b9b58025b338d97

    SHA1

    439bdcc450408b9735b2428c2d53d2e6977fa58c

    SHA256

    7a0426ed2e2349916969ff7087c0f76089fb8ce7f4627f3d11ccbc1aaefcedce

    SHA512

    312cc2563fa865d6a939fea85a520627c73ed9a95bafc98c89495f21d535dc658825be74b64f0f5c5815d1d234fc6e77a71779247e4973e39ba8dccec2f09bee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IBM_Linux.exe
    Filesize

    395KB

    MD5

    dede170df1b43a3d2e0095af1e16f7d5

    SHA1

    da3732c14024ea58bff773c7a2f5317c83041920

    SHA256

    30fecff47896754fe3c4fe3c748827d98f1ea1d5c0654bb229f7784e3521f148

    SHA512

    dd7816592feb25c2881760652ad03393f20856186091cb187107339ad74e682af348b3edaf0b792417b6ef4099e08060ed7aeff1d082ab36c73d3000bea3b15e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst9945.tmp\System.dll
    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

    Download Submit

  • memory/1180-95-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1972-96-0x0000000001470000-0x0000000006FBD000-memory.dmp

    Filesize

    91.3MB

    Download

  • memory/1972-92-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1972-99-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1972-90-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1972-87-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1972-88-0x0000000000400000-0x0000000001462000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1972-91-0x0000000001470000-0x0000000006FBD000-memory.dmp

    Filesize

    91.3MB

    Download

  • memory/1972-89-0x00000000773E0000-0x0000000077589000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2592-81-0x00000000737DD000-0x00000000737E8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2592-55-0x00000000737DD000-0x00000000737E8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2592-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-110-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2592-125-0x00000000737DD000-0x00000000737E8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3024-83-0x00000000775D0000-0x00000000776A6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3024-82-0x00000000773E0000-0x0000000077589000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3024-85-0x000000006CBE0000-0x000000006CBE6000-memory.dmp

    Filesize

    24KB

    Download