Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/09/2023, 17:32 UTC
Static task
- static1

Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7-20230831-en

Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v2004-20230915-en
General
- Target: file.exe
- Size: 227KB
- MD5: 7c5940c3eb79c3a97f4e98f1a8dac782
- SHA1: 906603a5e1b79584844fffe441af49bde89f73ce
- SHA256: e7cf7131e4c2578bb51fe33d2b6670622233c651a86827a461aa7b081e19b99e
- SHA512: 5debcb8dd3b8fd783a177625c0744f36fbaa86058b67b84a9ffb8e8c57a41e0f980a86ffcdca991b9d7d49b7b34a87e99b840c8fb5d2ffecb53b8d2ba718d9fb
- SSDEEP: 3072:gEs7fZA+gkMbHfHWhv5zbSftq4SovLD8h1w:0fm+gz7fuVuY42h
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2 URLs:
  - http://potunulit.org/
  - http://hutnilior.net/
  - http://bulimu55t.net/
  - http://soryytlic4.net/
  - http://novanosa5org.org/
  - http://nuljjjnuli.org/
  - http://tolilolihul.net/
  - http://somatoka51hub.net/
  - http://hujukui3.net/
  - http://bukubuka1.net/
  - http://golilopaster.org/
  - http://newzelannd66.org/
  - http://otriluyttn.org/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4956 | file.exe
  4956 | file.exe
  3120 | Process not Found (repeated for the remaining 62 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3120 | Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4956 | file.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Network
- Remote address: 8.8.8.8:53
  Request: 8.8.8.8.in-addr.arpa IN PTR
  Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- Remote address: 8.8.8.8:53
  Request: 17.160.190.20.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 9.228.82.20.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 254.177.238.8.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 55.36.223.20.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 41.110.16.96.in-addr.arpa IN PTR
  Response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
- Remote address: 8.8.8.8:53
  Request: 95.221.229.192.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: potunulit.org IN A (no response)
- Remote address: 8.8.8.8:53
  Request: potunulit.org IN A (no response)
- Remote address: 8.8.8.8:53
  Request: potunulit.org IN A (no response)
- Remote address: 8.8.8.8:53
  Request: potunulit.org IN A (no response)
- Remote address: 8.8.8.8:53
  Request: potunulit.org IN A (no response)
- Remote address: 8.8.8.8:53
  Request: 26.165.165.52.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 171.39.242.20.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: hutnilior.net IN A
  Response: hutnilior.net IN A 91.195.240.101
- Remote address: 91.195.240.101:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://lyteuiu.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 326
  Host: hutnilior.net
  Response:
  HTTP/1.1 405 Not Allowed
  content-type: text/html
  content-length: 154
  server: NginX
- Remote address: 8.8.8.8:53
  Request: bulimu55t.net IN A
  Response: bulimu55t.net IN A 91.195.240.101
- Remote address: 91.195.240.101:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://glmcq.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 243
  Host: bulimu55t.net
  Response:
  HTTP/1.1 405 Not Allowed
  content-type: text/html
  content-length: 154
  server: NginX
- Remote address: 8.8.8.8:53
  Request: soryytlic4.net IN A
  Response: soryytlic4.net IN A 91.195.240.101
- Remote address: 91.195.240.101:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://xdglc.com/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 167
  Host: soryytlic4.net
  Response:
  HTTP/1.1 405 Not Allowed
  content-type: text/html
  content-length: 154
  server: NginX
- Remote address: 8.8.8.8:53
  Request: novanosa5org.org IN A
  Response: novanosa5org.org IN A 72.26.218.86
- Remote address: 72.26.218.86:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://auebffhmlo.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 335
  Host: novanosa5org.org
  Response:
  HTTP/1.1 200 OK
  Date: Sun, 17 Sep 2023 17:33:01 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=642434bca015c60f5bb215bf4492b868|154.61.71.13|1694971981|1694971981|0|1|0; path=/; domain=.novanosa5org.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=154.61.71.13; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
- Remote address: 8.8.8.8:53
  Request: nuljjjnuli.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: tolilolihul.net IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: tolilolihul.net IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: tolilolihul.net IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: tolilolihul.net IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 101.240.195.91.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 86.218.26.72.in-addr.arpa IN PTR
  Response: 86.218.26.72.in-addr.arpa IN CNAME 86.80/29.218.26.72.in-addr.arpa
            86.80/29.218.26.72.in-addr.arpa IN PTR svncumquatnl
- Remote address: 8.8.8.8:53
  Request: somatoka51hub.net IN A
  Response: somatoka51hub.net IN A 63.251.235.76
- Remote address: 8.8.8.8:53
  Request: somatoka51hub.net IN A
  Response: (no records)
- Remote address: 63.251.235.76:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://nyyyv.org/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 317
  Host: somatoka51hub.net
  Response:
  HTTP/1.1 200 OK
  Date: Sun, 17 Sep 2023 17:33:08 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: btst=89651d6a0f25498d7ef4b158f055c640|154.61.71.13|1694971988|1694971988|0|1|0; path=/; domain=.somatoka51hub.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=154.61.71.13; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
- Remote address: 8.8.8.8:53
  Request: hujukui3.net IN A
  Response: hujukui3.net IN A 35.205.61.67
- Remote address: 35.205.61.67:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://numfdtbbeo.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 273
  Host: hujukui3.net
  Response: (none)
- Remote address: 8.8.8.8:53
  Request: bukubuka1.net IN A
  Response: bukubuka1.net IN A 35.205.61.67
- Remote address: 8.8.8.8:53
  Request: bukubuka1.net IN A
  Response: bukubuka1.net IN A 35.205.61.67
- Remote address: 8.8.8.8:53
  Request: bukubuka1.net IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 76.235.251.63.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 67.61.205.35.in-addr.arpa IN PTR
  Response: 67.61.205.35.in-addr.arpa IN PTR 67.61.205.35.bc.googleusercontent.com
- Remote address: 35.205.61.67:80
  Request:
  POST / HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://kbkqyvoa.net/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Length: 149
  Host: bukubuka1.net
  Response: (none)
- Remote address: 8.8.8.8:53
  Request: golilopaster.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: golilopaster.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: golilopaster.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: golilopaster.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: newzelannd66.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: newzelannd66.org IN A
  Response: newzelannd66.org IN A 35.205.61.67
- Remote address: 8.8.8.8:53
  Request: newzelannd66.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: newzelannd66.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: otriluyttn.org IN A
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 11.227.111.52.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 254.23.238.8.in-addr.arpa IN PTR
  Response: (no records)
- Remote address: 8.8.8.8:53
  Request: 211.143.182.52.in-addr.arpa IN PTR
  Response: (no records)
Sent | Received | Packets sent | Packets received | Events
907 B | 528 B | 7 | 6 | HTTP Request: POST http://hutnilior.net/ ; HTTP Response: 405
822 B | 528 B | 7 | 6 | HTTP Request: POST http://bulimu55t.net/ ; HTTP Response: 405
747 B | 488 B | 7 | 5 | HTTP Request: POST http://soryytlic4.net/ ; HTTP Response: 405
876 B | 668 B | 6 | 6 | HTTP Request: POST http://novanosa5org.org/ ; HTTP Response: 200
854 B | 669 B | 6 | 6 | HTTP Request: POST http://somatoka51hub.net/ ; HTTP Response: 200
810 B | 204 B | 6 | 5 | HTTP Request: POST http://hujukui3.net/ (no response)
697 B | 84 B | 6 | 2 | HTTP Request: POST http://bukubuka1.net/ (no response)
66 B | 90 B | 1 | 1 | DNS Request: 8.8.8.8.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS Request: 17.160.190.20.in-addr.arpa
70 B | 156 B | 1 | 1 | DNS Request: 9.228.82.20.in-addr.arpa
72 B | 126 B | 1 | 1 | DNS Request: 254.177.238.8.in-addr.arpa
71 B | 157 B | 1 | 1 | DNS Request: 55.36.223.20.in-addr.arpa
71 B | 135 B | 1 | 1 | DNS Request: 41.110.16.96.in-addr.arpa
73 B | 144 B | 1 | 1 | DNS Request: 95.221.229.192.in-addr.arpa
295 B | - | 5 | - | DNS Request: potunulit.org (x5, no response)
72 B | 146 B | 1 | 1 | DNS Request: 26.165.165.52.in-addr.arpa
72 B | 158 B | 1 | 1 | DNS Request: 171.39.242.20.in-addr.arpa
59 B | 75 B | 1 | 1 | DNS Request: hutnilior.net ; DNS Response: 91.195.240.101
59 B | 75 B | 1 | 1 | DNS Request: bulimu55t.net ; DNS Response: 91.195.240.101
60 B | 76 B | 1 | 1 | DNS Request: soryytlic4.net ; DNS Response: 91.195.240.101
62 B | 78 B | 1 | 1 | DNS Request: novanosa5org.org ; DNS Response: 72.26.218.86
60 B | 142 B | 1 | 1 | DNS Request: nuljjjnuli.org
244 B | 244 B | 4 | 4 | DNS Request: tolilolihul.net (x4)
73 B | 157 B | 1 | 1 | DNS Request: 101.240.195.91.in-addr.arpa
71 B | 122 B | 1 | 1 | DNS Request: 86.218.26.72.in-addr.arpa
126 B | 142 B | 2 | 2 | DNS Request: somatoka51hub.net (x2) ; DNS Response: 63.251.235.76
58 B | 74 B | 1 | 1 | DNS Request: hujukui3.net ; DNS Response: 35.205.61.67
177 B | 209 B | 3 | 3 | DNS Request: bukubuka1.net (x3) ; DNS Response: 35.205.61.67 (x2)
72 B | 131 B | 1 | 1 | DNS Request: 76.235.251.63.in-addr.arpa
71 B | 122 B | 1 | 1 | DNS Request: 67.61.205.35.in-addr.arpa
248 B | 248 B | 4 | 4 | DNS Request: golilopaster.org (x4)
248 B | 264 B | 4 | 4 | DNS Request: newzelannd66.org (x4) ; DNS Response: 35.205.61.67
60 B | 142 B | 1 | 1 | DNS Request: otriluyttn.org
72 B | 158 B | 1 | 1 | DNS Request: 11.227.111.52.in-addr.arpa
71 B | 125 B | 1 | 1 | DNS Request: 254.23.238.8.in-addr.arpa
73 B | 147 B | 1 | 1 | DNS Request: 211.143.182.52.in-addr.arpa