Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
02/11/2023, 03:43
General
-
Target
51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe
-
Size
206KB
-
MD5
f9969ef3805249fe3fd6f6ffdb0723b8
-
SHA1
bb3c689bc0837515cb82739d0efb92441f7c31d7
-
SHA256
51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0
-
SHA512
ffe3b8786baf1fd5de2b473871c12c44e4f2a8ea2859d556d674325f6e67b950aba7acae762d5efcab9d02bd89912ab4f66eea906335a76f47abca8d5f3cc91c
-
SSDEEP
3072:oBTRRddkirFSMB6V8JURZFY0hj34h/wDtfDpmwA9AFnJNUc:WRRddDrFSMUeJURnv4O7O9
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://dpav.cc/tmp/
http://lrproduct.ru/tmp/
http://kggcp.com/tmp/
http://talesofpirates.net/tmp/
http://pirateking.online/tmp/
http://piratia.pw/tmp/
http://go-piratia.ru/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe"C:\Users\Admin\AppData\Local\Temp\51690da60d1c2bfe20e0e865240193bc3d9e2dbc3e5727de8891976b01b83fa0.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD52e85b9c9847734ae96b16ada37e1daec
SHA15716193d5833a65348d68c1dd2b86be07f93ae8e
SHA2568942883e801ec84663876b946705cccdaeecc313908233a346848372c5ea0bf4
SHA51202a6a4b1b160bbd1409f010d163f5e6324145341dc5c43a476036cf106ed5242dfaa7ffdc34c5efe53e21579477a1c078110d237a2d3bccf0c48ef45eb2f7886
-
Filesize
1024KB
-
Filesize
44KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
44KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12KB
-
Filesize
64KB
-
Filesize
64KB