Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
12/10/2023, 21:47
General
-
Target
b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe
-
Size
277KB
-
MD5
deb9302060c7ff8df9216a531ce7f447
-
SHA1
dddf7bc6246bd26e222c630c090871ecb7fd1985
-
SHA256
b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
-
SHA512
3fd840fb7bdee69c3f9b05beb1986792560246307fb167e394d90bd9d5c24dff7cd63d21467a954221f34ed742fae1d6b0252811a6405df6ebc15a95031f7856
-
SSDEEP
3072:0af0kPlr7aoj/CQiVCynGWZ8GV0lMECipao9rkI4mKhW:jPPlr+RQiw2v8c0lMEbxrkIC
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://taibi.at/tmp/
http://01stroy.ru/tmp/
http://mal-net.com/tmp/
http://gromograd.ru/tmp/
http://kingpirate.ru/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682exe_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {11D1E78D-CB81-4AAC-B50C-8DCB9C9F6F44} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vrhehiwC:\Users\Admin\AppData\Roaming\vrhehiw2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
277KB
MD5deb9302060c7ff8df9216a531ce7f447
SHA1dddf7bc6246bd26e222c630c090871ecb7fd1985
SHA256b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
SHA5123fd840fb7bdee69c3f9b05beb1986792560246307fb167e394d90bd9d5c24dff7cd63d21467a954221f34ed742fae1d6b0252811a6405df6ebc15a95031f7856
-
Filesize
277KB
MD5deb9302060c7ff8df9216a531ce7f447
SHA1dddf7bc6246bd26e222c630c090871ecb7fd1985
SHA256b2843f650b2dad5ef0013b57f06cd51763f62365cf2c8db59fc2cad126dad682
SHA5123fd840fb7bdee69c3f9b05beb1986792560246307fb167e394d90bd9d5c24dff7cd63d21467a954221f34ed742fae1d6b0252811a6405df6ebc15a95031f7856
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
1.3MB
-
Filesize
1024KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
3.1MB