Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/09/2023, 17:32 UTC

General

  • Target

    file.exe

  • Size

    227KB

  • MD5

    7c5940c3eb79c3a97f4e98f1a8dac782

  • SHA1

    906603a5e1b79584844fffe441af49bde89f73ce

  • SHA256

    e7cf7131e4c2578bb51fe33d2b6670622233c651a86827a461aa7b081e19b99e

  • SHA512

    5debcb8dd3b8fd783a177625c0744f36fbaa86058b67b84a9ffb8e8c57a41e0f980a86ffcdca991b9d7d49b7b34a87e99b840c8fb5d2ffecb53b8d2ba718d9fb

  • SSDEEP

    3072:gEs7fZA+gkMbHfHWhv5zbSftq4SovLD8h1w:0fm+gz7fuVuY42h

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32 1 0xcc4f5fd4

rc4.i32 1 0x2a68f03e

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4956

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.177.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.177.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
  • flag-us
    DNS
    potunulit.org
    Remote address:
    8.8.8.8:53
    Request
    potunulit.org
    IN A
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hutnilior.net
    Remote address:
    8.8.8.8:53
    Request
    hutnilior.net
    IN A
    Response
    hutnilior.net
    IN A
    91.195.240.101
  • flag-de
    POST
    http://hutnilior.net/
    Remote address:
    91.195.240.101:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://lyteuiu.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 326
    Host: hutnilior.net
    Response
    HTTP/1.1 405 Not Allowed
    date: Sun, 17 Sep 2023 17:33:01 GMT
    content-type: text/html
    content-length: 154
    server: NginX
  • flag-us
    DNS
    bulimu55t.net
    Remote address:
    8.8.8.8:53
    Request
    bulimu55t.net
    IN A
    Response
    bulimu55t.net
    IN A
    91.195.240.101
  • flag-de
    POST
    http://bulimu55t.net/
    Remote address:
    91.195.240.101:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://glmcq.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 243
    Host: bulimu55t.net
    Response
    HTTP/1.1 405 Not Allowed
    date: Sun, 17 Sep 2023 17:33:01 GMT
    content-type: text/html
    content-length: 154
    server: NginX
  • flag-us
    DNS
    soryytlic4.net
    Remote address:
    8.8.8.8:53
    Request
    soryytlic4.net
    IN A
    Response
    soryytlic4.net
    IN A
    91.195.240.101
  • flag-de
    POST
    http://soryytlic4.net/
    Remote address:
    91.195.240.101:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://xdglc.com/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 167
    Host: soryytlic4.net
    Response
    HTTP/1.1 405 Not Allowed
    date: Sun, 17 Sep 2023 17:33:01 GMT
    content-type: text/html
    content-length: 154
    server: NginX
  • flag-us
    DNS
    novanosa5org.org
    Remote address:
    8.8.8.8:53
    Request
    novanosa5org.org
    IN A
    Response
    novanosa5org.org
    IN A
    72.26.218.86
  • flag-nl
    POST
    http://novanosa5org.org/
    Remote address:
    72.26.218.86:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://auebffhmlo.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 335
    Host: novanosa5org.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 17 Sep 2023 17:33:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=642434bca015c60f5bb215bf4492b868|154.61.71.13|1694971981|1694971981|0|1|0; path=/; domain=.novanosa5org.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=154.61.71.13; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    nuljjjnuli.org
    Remote address:
    8.8.8.8:53
    Request
    nuljjjnuli.org
    IN A
    Response
  • flag-us
    DNS
    tolilolihul.net
    Remote address:
    8.8.8.8:53
    Request
    tolilolihul.net
    IN A
    Response
  • flag-us
    DNS
    tolilolihul.net
    Remote address:
    8.8.8.8:53
    Request
    tolilolihul.net
    IN A
    Response
  • flag-us
    DNS
    tolilolihul.net
    Remote address:
    8.8.8.8:53
    Request
    tolilolihul.net
    IN A
    Response
  • flag-us
    DNS
    tolilolihul.net
    Remote address:
    8.8.8.8:53
    Request
    tolilolihul.net
    IN A
    Response
  • flag-us
    DNS
    101.240.195.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    101.240.195.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    86.218.26.72.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    86.218.26.72.in-addr.arpa
    IN PTR
    Response
    86.218.26.72.in-addr.arpa
    IN CNAME
    86.80/29.218.26.72.in-addr.arpa
    86.80/29.218.26.72.in-addr.arpa
    IN PTR
    svn.cumquat.nl
  • flag-us
    DNS
    somatoka51hub.net
    Remote address:
    8.8.8.8:53
    Request
    somatoka51hub.net
    IN A
    Response
    somatoka51hub.net
    IN A
    63.251.235.76
  • flag-us
    DNS
    somatoka51hub.net
    Remote address:
    8.8.8.8:53
    Request
    somatoka51hub.net
    IN A
    Response
  • flag-nl
    POST
    http://somatoka51hub.net/
    Remote address:
    63.251.235.76:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://nyyyv.org/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 317
    Host: somatoka51hub.net
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 17 Sep 2023 17:33:08 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=89651d6a0f25498d7ef4b158f055c640|154.61.71.13|1694971988|1694971988|0|1|0; path=/; domain=.somatoka51hub.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=154.61.71.13; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
  • flag-us
    DNS
    hujukui3.net
    Remote address:
    8.8.8.8:53
    Request
    hujukui3.net
    IN A
    Response
    hujukui3.net
    IN A
    35.205.61.67
  • flag-be
    POST
    http://hujukui3.net/
    Remote address:
    35.205.61.67:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://numfdtbbeo.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 273
    Host: hujukui3.net
  • flag-us
    DNS
    bukubuka1.net
    Remote address:
    8.8.8.8:53
    Request
    bukubuka1.net
    IN A
    Response
    bukubuka1.net
    IN A
    35.205.61.67
  • flag-us
    DNS
    bukubuka1.net
    Remote address:
    8.8.8.8:53
    Request
    bukubuka1.net
    IN A
    Response
    bukubuka1.net
    IN A
    35.205.61.67
  • flag-us
    DNS
    bukubuka1.net
    Remote address:
    8.8.8.8:53
    Request
    bukubuka1.net
    IN A
    Response
  • flag-us
    DNS
    76.235.251.63.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.235.251.63.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.61.205.35.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.61.205.35.in-addr.arpa
    IN PTR
    Response
    67.61.205.35.in-addr.arpa
    IN PTR
    67.61.205.35.bc.googleusercontent.com
  • flag-be
    POST
    http://bukubuka1.net/
    Remote address:
    35.205.61.67:80
    Request
    POST / HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://kbkqyvoa.net/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Length: 149
    Host: bukubuka1.net
  • flag-us
    DNS
    golilopaster.org
    Remote address:
    8.8.8.8:53
    Request
    golilopaster.org
    IN A
    Response
  • flag-us
    DNS
    golilopaster.org
    Remote address:
    8.8.8.8:53
    Request
    golilopaster.org
    IN A
    Response
  • flag-us
    DNS
    golilopaster.org
    Remote address:
    8.8.8.8:53
    Request
    golilopaster.org
    IN A
    Response
  • flag-us
    DNS
    golilopaster.org
    Remote address:
    8.8.8.8:53
    Request
    golilopaster.org
    IN A
    Response
  • flag-us
    DNS
    newzelannd66.org
    Remote address:
    8.8.8.8:53
    Request
    newzelannd66.org
    IN A
    Response
  • flag-us
    DNS
    newzelannd66.org
    Remote address:
    8.8.8.8:53
    Request
    newzelannd66.org
    IN A
    Response
    newzelannd66.org
    IN A
    35.205.61.67
  • flag-us
    DNS
    newzelannd66.org
    Remote address:
    8.8.8.8:53
    Request
    newzelannd66.org
    IN A
    Response
  • flag-us
    DNS
    newzelannd66.org
    Remote address:
    8.8.8.8:53
    Request
    newzelannd66.org
    IN A
    Response
  • flag-us
    DNS
    otriluyttn.org
    Remote address:
    8.8.8.8:53
    Request
    otriluyttn.org
    IN A
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    254.23.238.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    254.23.238.8.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 91.195.240.101:80
    http://hutnilior.net/
    http
    907 B
    528 B
    7
    6

    HTTP Request

    POST http://hutnilior.net/

    HTTP Response

    405
  • 91.195.240.101:80
    http://bulimu55t.net/
    http
    822 B
    528 B
    7
    6

    HTTP Request

    POST http://bulimu55t.net/

    HTTP Response

    405
  • 91.195.240.101:80
    http://soryytlic4.net/
    http
    747 B
    488 B
    7
    5

    HTTP Request

    POST http://soryytlic4.net/

    HTTP Response

    405
  • 72.26.218.86:80
    http://novanosa5org.org/
    http
    876 B
    668 B
    6
    6

    HTTP Request

    POST http://novanosa5org.org/

    HTTP Response

    200
  • 63.251.235.76:80
    http://somatoka51hub.net/
    http
    854 B
    669 B
    6
    6

    HTTP Request

    POST http://somatoka51hub.net/

    HTTP Response

    200
  • 35.205.61.67:80
    http://hujukui3.net/
    http
    810 B
    204 B
    6
    5

    HTTP Request

    POST http://hujukui3.net/
  • 35.205.61.67:80
    http://bukubuka1.net/
    http
    697 B
    84 B
    6
    2

    HTTP Request

    POST http://bukubuka1.net/
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    254.177.238.8.in-addr.arpa
    dns
    72 B
    126 B
    1
    1

    DNS Request

    254.177.238.8.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    potunulit.org
    dns
    295 B
    5

    DNS Request

    potunulit.org

    DNS Request

    potunulit.org

    DNS Request

    potunulit.org

    DNS Request

    potunulit.org

    DNS Request

    potunulit.org

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    hutnilior.net
    dns
    59 B
    75 B
    1
    1

    DNS Request

    hutnilior.net

    DNS Response

    91.195.240.101

  • 8.8.8.8:53
    bulimu55t.net
    dns
    59 B
    75 B
    1
    1

    DNS Request

    bulimu55t.net

    DNS Response

    91.195.240.101

  • 8.8.8.8:53
    soryytlic4.net
    dns
    60 B
    76 B
    1
    1

    DNS Request

    soryytlic4.net

    DNS Response

    91.195.240.101

  • 8.8.8.8:53
    novanosa5org.org
    dns
    62 B
    78 B
    1
    1

    DNS Request

    novanosa5org.org

    DNS Response

    72.26.218.86

  • 8.8.8.8:53
    nuljjjnuli.org
    dns
    60 B
    142 B
    1
    1

    DNS Request

    nuljjjnuli.org

  • 8.8.8.8:53
    tolilolihul.net
    dns
    244 B
    244 B
    4
    4

    DNS Request

    tolilolihul.net

    DNS Request

    tolilolihul.net

    DNS Request

    tolilolihul.net

    DNS Request

    tolilolihul.net

  • 8.8.8.8:53
    101.240.195.91.in-addr.arpa
    dns
    73 B
    157 B
    1
    1

    DNS Request

    101.240.195.91.in-addr.arpa

  • 8.8.8.8:53
    86.218.26.72.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    86.218.26.72.in-addr.arpa

  • 8.8.8.8:53
    somatoka51hub.net
    dns
    126 B
    142 B
    2
    2

    DNS Request

    somatoka51hub.net

    DNS Request

    somatoka51hub.net

    DNS Response

    63.251.235.76

  • 8.8.8.8:53
    hujukui3.net
    dns
    58 B
    74 B
    1
    1

    DNS Request

    hujukui3.net

    DNS Response

    35.205.61.67

  • 8.8.8.8:53
    bukubuka1.net
    dns
    177 B
    209 B
    3
    3

    DNS Request

    bukubuka1.net

    DNS Request

    bukubuka1.net

    DNS Request

    bukubuka1.net

    DNS Response

    35.205.61.67

    DNS Response

    35.205.61.67

  • 8.8.8.8:53
    76.235.251.63.in-addr.arpa
    dns
    72 B
    131 B
    1
    1

    DNS Request

    76.235.251.63.in-addr.arpa

  • 8.8.8.8:53
    67.61.205.35.in-addr.arpa
    dns
    71 B
    122 B
    1
    1

    DNS Request

    67.61.205.35.in-addr.arpa

  • 8.8.8.8:53
    golilopaster.org
    dns
    248 B
    248 B
    4
    4

    DNS Request

    golilopaster.org

    DNS Request

    golilopaster.org

    DNS Request

    golilopaster.org

    DNS Request

    golilopaster.org

  • 8.8.8.8:53
    newzelannd66.org
    dns
    248 B
    264 B
    4
    4

    DNS Request

    newzelannd66.org

    DNS Request

    newzelannd66.org

    DNS Request

    newzelannd66.org

    DNS Request

    newzelannd66.org

    DNS Response

    35.205.61.67

  • 8.8.8.8:53
    otriluyttn.org
    dns
    60 B
    142 B
    1
    1

    DNS Request

    otriluyttn.org

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    254.23.238.8.in-addr.arpa
    dns
    71 B
    125 B
    1
    1

    DNS Request

    254.23.238.8.in-addr.arpa

  • 8.8.8.8:53
    211.143.182.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    211.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3120-4-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

    Filesize

    88KB

  • memory/4956-1-0x0000000000930000-0x0000000000A30000-memory.dmp

    Filesize

    1024KB

  • memory/4956-2-0x0000000000400000-0x0000000000707000-memory.dmp

    Filesize

    3.0MB

  • memory/4956-3-0x00000000008B0000-0x00000000008B9000-memory.dmp

    Filesize

    36KB

  • memory/4956-5-0x0000000000400000-0x0000000000707000-memory.dmp

    Filesize

    3.0MB
