Analysis
max time kernel: 145s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2023, 04:12
Static task: static1

Behavioral task: behavioral1
  Sample: 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe
  Resource: win7-20230831-en

Behavioral task: behavioral2
  Sample: 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe
  Resource: win10v2004-20230915-en
General
Target: 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe
Size: 301KB
MD5: 531a942a943d149dd615d07a566cd06b
SHA1: 3112979189a6922f0090731dd1660299a0416afb
SHA256: 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f
SHA512: 034b6db05a0805eacb26e18b6151fccf19496d9f7e48b23d235ee7fc3c30f9c9bb13fd4281f74c008d41da14b4e26a9efca674a1a5e74488733e16b83d058c3b
SSDEEP: 3072:KoF324VAoovHMp7WCC75csFtCDLpaD49uJbyeO8J:pGnoovH07h6cg8LpU49WI
Malware Config
Extracted: smokeloader, up4
Extracted: smokeloader, 2020
  http://host-file-file0.com/
  http://file-file-file1.com/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself (1 IoCs)
  pid | Process
  1192 | Process not Found

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2584 set thread context of 2732 | 2584 | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe | 29

Drops file in Windows directory (1 IoCs)
  description | ioc | Process
  File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | explorer.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe

Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows aggregated)
  pid | Process
  2732 | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe (2 entries)
  1192 | Process not Found (62 entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  1192 | Process not Found
  2476 | explorer.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  2732 | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe

Suspicious use of AdjustPrivilegeToken (16 IoCs; repeated rows aggregated)
  description | pid | Process
  Token: SeShutdownPrivilege | 2476 | explorer.exe (12 entries)
  Token: 33 | 2796 | AUDIODG.EXE (2 entries)
  Token: SeIncBasePriorityPrivilege | 2796 | AUDIODG.EXE (2 entries)

Suspicious use of FindShellTrayWindow (29 IoCs; repeated rows aggregated)
  pid | Process
  2476 | explorer.exe (29 entries)

Suspicious use of SendNotifyMessage (19 IoCs; repeated rows aggregated)
  pid | Process
  2476 | explorer.exe (19 entries)

Suspicious use of WriteProcessMemory (7 IoCs; repeated rows aggregated)
  description | pid | Process | procid_target
  PID 2584 wrote to memory of 2732 | 2584 | 8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe | 29 (7 entries)

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe (PID 2584)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe (PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8e6e4b930b79cb66ece296d8bacc0225db53b48f362508dcc5e335b254055a7f.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Windows\explorer.exe (PID 2476)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (PID 2796)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x50c
  - Suspicious use of AdjustPrivilegeToken