Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/11/2023, 03:43
Static task: static1
Behavioral task: behavioral1
  Sample: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
  Resource: win10v2004-20231025-en
General
Target: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
Size: 206KB
MD5: f9969ef3805249fe3fd6f6ffdb0723b8
SHA1: bb3c689bc0837515cb82739d0efb92441f7c31d7
SHA256: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0
SHA512: ffe3b8786baf1fd5de2b473871c12c44e4f2a8ea2859d556d674325f6e67b950aba7acae762d5efcab9d02bd89912ab4f66eea906335a76f47abca8d5f3cc91c
SSDEEP: 3072:oBTRRddkirFSMB6V8JURZFY0hj34h/wDtfDpmwA9AFnJNUc:WRRddDrFSMUeJURnv4O7O9
Malware Config
Extracted
  Family: smokeloader
  Botnet: pub4
Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://dpav.cc/tmp/
    http://lrproduct.ru/tmp/
    http://kggcp.com/tmp/
    http://talesofpirates.net/tmp/
    http://pirateking.online/tmp/
    http://piratia.pw/tmp/
    http://go-piratia.ru/tmp/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  pid 3188  Process: Process not Found
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Process: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Process: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Process: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
Modifies registry class (3 IoCs)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  Process: Process not Found
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  Process: Process not Found
  Key created  \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Process: Process not Found
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1768  Process: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe  (2 entries)
  pid 3188  Process: Process not Found  (remaining 62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3188  Process: Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1768  Process: 51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Token: SeShutdownPrivilege       pid 3188  Process: Process not Found  (11 entries)
  Token: SeCreatePagefilePrivilege  pid 3188  Process: Process not Found  (11 entries)
  Token: SeManageVolumePrivilege    pid 4108  Process: svchost.exe  (1 entry)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3188  Process: Process not Found  (2 entries)
Suspicious use of UnmapMainImage (1 IoC)
  pid 3188  Process: Process not Found
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe"
  PID: 1768
  Signatures:
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 1532
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 4108
  Signatures:
    Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 16KB
MD5: 2e85b9c9847734ae96b16ada37e1daec
SHA1: 5716193d5833a65348d68c1dd2b86be07f93ae8e
SHA256: 8942883e801ec84663876b946705cccdaeecc313908233a346848372c5ea0bf4
SHA512: 02a6a4b1b160bbd1409f010d163f5e6324145341dc5c43a476036cf106ed5242dfaa7ffdc34c5efe53e21579477a1c078110d237a2d3bccf0c48ef45eb2f7886