Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
  • submitted
    12/10/2023, 06:02

General

  • Target

    file.exe

  • Size

    294KB

  • MD5

    0ad8d40baae0644d4e3d994c5a8405ac

  • SHA1

    ce9da8f3d3a618571e7c51e0dc42133e26ded313

  • SHA256

    bd1a7304c5cc386fb5b1291dc81a28c2fd6d9c6189fab48fffd31e1ddd18ddd1

  • SHA512

    e86d07ef2812cf26f2daf6b67dcff19ab05e516bddf2305507e94ca441af55e5e836e68d45602e33354c3fae88a27299f7f6a250c36fbec0d8e1f3fe4079b966

  • SSDEEP

    3072:peJCXZpXSivGjYTBxSrTRKTABujHdYoJWxg1NsyfkAhhigM+kiMg87dB:OCZtSdSxWTAJ0xgI8kShigUg8Z

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    195.85.115.195
  • Port:
    21
  • Username:
    TEST3
  • Password:
    159753

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://gudintas.at/tmp/

http://pik96.ru/tmp/

http://rosatiauto.com/tmp/

http://kingpirate.ru/tmp/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:504
  • C:\Users\Admin\AppData\Local\Temp\37D4.exe
    C:\Users\Admin\AppData\Local\Temp\37D4.exe
    • Executes dropped EXE
    • Loads dropped DLL
    PID:4196

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\37D4.exe

    Filesize

    129KB

    MD5

    6d57be58312131cb7672f3d72bf1b5a1

    SHA1

    3dec741a0e5b7271416ad09dbd35be896f07c939

    SHA256

    e000e93034aa809e36c2c270db09f90d9f68949645c3c6d3c7922ebec2b01f13

    SHA512

    6cb7236d81543a32baab42f60cd77c17eafdab11c014520e01a699f85ac74995466f9c3020ba449a4422cb9275665799b57a8b1d40d73aedaf3ef42045b307ce

  • C:\Users\Admin\AppData\Local\Temp\nssF161.tmp\InetLoad.dll

    Filesize

    18KB

    MD5

    994669c5737b25c26642c94180e92fa2

    SHA1

    d8a1836914a446b0e06881ce1be8631554adafde

    SHA256

    bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

    SHA512

    d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

  • C:\Users\Admin\AppData\Local\Temp\nssF161.tmp\ZipDLL.dll

    Filesize

    163KB

    MD5

    2dc35ddcabcb2b24919b9afae4ec3091

    SHA1

    9eeed33c3abc656353a7ebd1c66af38cccadd939

    SHA256

    6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

    SHA512

    0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

  • C:\Users\Admin\AppData\Roaming\Lib\xmlrpc\__init__.py

    Filesize

    39B

    MD5

    f8259102dfc36d919a899cdb8fde48ce

    SHA1

    4510c766809835dab814c25c2223009eb33e633a

    SHA256

    52069aeefb58dad898781d8bde183ffda18faae11f17ace8ce83368cab863fb1

    SHA512

    a77c8a67c95d49e353f903e3bd394e343c0dfa633dcffbfd7c1b34d5e1bdfb9a372ece71360812e44c5c5badfa0fc81387a6f65f96616d6307083c2b3bb0213f

  • memory/504-1-0x0000000000910000-0x0000000000A10000-memory.dmp

    Filesize

    1024KB

  • memory/504-2-0x00000000008C0000-0x00000000008C9000-memory.dmp

    Filesize

    36KB

  • memory/504-3-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/504-7-0x0000000000910000-0x0000000000A10000-memory.dmp

    Filesize

    1024KB

  • memory/504-8-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/504-13-0x00000000008C0000-0x00000000008C9000-memory.dmp

    Filesize

    36KB

  • memory/3200-4-0x00000000032C0000-0x00000000032D6000-memory.dmp

    Filesize

    88KB