Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2023, 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  Resource: win10v2004-20230915-en
General
- Target: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
- Size: 277KB
- MD5: deb9302060c7ff8df9216a531ce7f447
- SHA1: dddf7bc6246bd26e222c630c090871ecb7fd1985
- SHA256: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
- SHA512: 3fd840fb7bdee69c3f9b05beb1986792560246307fb167e394d90bd9d5c24dff7cd63d21467a954221f34ed742fae1d6b0252811a6405df6ebc15a95031f7856
- SSDEEP: 3072:0af0kPlr7aoj/CQiVCynGWZ8GV0lMECipao9rkI4mKhW:jPPlr+RQiw2v8c0lMEbxrkIC
Malware Config
Extracted: smokeloader
  pub4
Extracted: smokeloader
  2022
  http://taibi.at/tmp/
  http://01stroy.ru/tmp/
  http://mal-net.com/tmp/
  http://gromograd.ru/tmp/
  http://kingpirate.ru/tmp/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 1216 | Process: Process not Found
- Executes dropped EXE (1 IoC)
  pid 2852 | Process: vrhehiw
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description    | ioc                                               | Process
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vrhehiw
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vrhehiw
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vrhehiw
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2964 | Process: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe (2 entries)
  pid 1216 | Process: Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1216 | Process: Process not Found
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2964 | Process: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  pid 2852 | Process: vrhehiw
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process     | procid_target
  PID 2656 wrote to memory of 2852 | 2656 | taskeng.exe | 31 (4 identical entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe"
  PID: 2964
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {11D1E78D-CB81-4AAC-B50C-8DCB9C9F6F44} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
  PID: 2656
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\vrhehiw
    Command line: C:\Users\Admin\AppData\Roaming\vrhehiw
    PID: 2852
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 277KB
  MD5: deb9302060c7ff8df9216a531ce7f447
  SHA1: dddf7bc6246bd26e222c630c090871ecb7fd1985
  SHA256: b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
  SHA512: 3fd840fb7bdee69c3f9b05beb1986792560246307fb167e394d90bd9d5c24dff7cd63d21467a954221f34ed742fae1d6b0252811a6405df6ebc15a95031f7856