Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 24/11/2023, 07:09
- Static task static1
- Behavioral task behavioral1: sample file.exe, resource win7-20231025-en (the run this report covers)
- Behavioral task behavioral2: sample file.exe, resource win10v2004-20231020-en
General
- Target: file.exe
- Size: 251KB
- MD5: bedac42746c2b83bf0b4238c72271346
- SHA1: cc2ed883609ffafcaa77eb4738d1b7fbdf0a0ffa
- SHA256: 5628951705135b7582a7913c52cc3c547b50a6a9badc656351b8b7945b1d8d38
- SHA512: cb08cc09b1ecd5a8c226b566f404c80d2aa2c758747e0010681dd8798a5d5e3411290d2d14182871a66f3b3aa114369f6443b8e6d5819a06061c01c0b29d60c1
- SSDEEP: 3072:HKtk4b3BOGMPMbKRzsraTsFg6KdmxaNDllCVlINC5Ru557qAo:qOKROGMPMbKurPomWhMrLChV
Malware Config
Extracted
- Family: smokeloader
- Botnet: pub4
Extracted
- Family: smokeloader
- Version: 2022
- C2:
  http://dpav.cc/tmp/
  http://lrproduct.ru/tmp/
  http://kggcp.com/tmp/
  http://talesofpirates.net/tmp/
  http://pirateking.online/tmp/
  http://piratia.pw/tmp/
  http://go-piratia.ru/tmp/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid | Process
  1272 | Process not Found
- Executes dropped EXE (1 IoC)
  pid | Process
  2688 | darsfvd
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  The SCSI enumeration key lists the vendor and product strings of attached disks. Virtual disks presented by VMware, VirtualBox, QEMU and Hyper-V carry recognisable vendor/product strings, so malware reads this key to decide whether it is running in a sandbox or analysis VM. Both the original sample (file.exe) and the dropped copy (darsfvd) perform the check.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | darsfvd
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | darsfvd
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | darsfvd
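Added example, not part of the tria.ge report or of the sample's own code: a parser for the device instance IDs found under HKLM\SYSTEM\ControlSet001\Enum\SCSI, followed by the kind of vendor/product comparison a sandbox-aware loader makes. The key layout (class, Ven_, Prod_, optional Rev_, then the instance suffix) is the standard Windows form; the hypervisor marker list and the three device IDs are constructed assumptions, since the report only records that file.exe and darsfvd opened, enumerated and queried the key, not what they compared against. On a live host the key names would come from winreg; here the constructed IDs let it run offline.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are device instance IDs of
# the form <class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance>.
# Constructed samples: two virtual disks and one physical one (assumption:
# the vendor/product strings shown are what such hosts typically expose).
SAMPLE_SCSI_KEYS = [
    r"Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0\5&1ec51bf7&0&000000",
    r"Disk&Ven_VBOX&Prod_HARDDISK&Rev_1.0\4&2b7f5c3d&0&000000",
    r"Disk&Ven_Samsung&Prod_SSD_870_EVO\4&3a1c2e9f&0&000000",
]

# Substrings a sandbox-aware loader would treat as hypervisor evidence.
# Assumption: the report only records that the key was opened, enumerated
# and queried, not which strings the sample compares against.
HYPERVISOR_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN", "MSFT")


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str
    vendor: Optional[str]
    product: Optional[str]
    revision: Optional[str]
    instance: str


# <class>, then zero or more &Name_value fields, a backslash, then the instance id.
_KEY_RE = re.compile(r"^(?P<cls>[^&\\]+)(?P<fields>(?:&[A-Za-z]+_[^&\\]*)*)\\(?P<inst>.+)$")


def parse_scsi_key(key: str) -> ScsiDevice:
    """Split one Enum\\SCSI device instance ID into its named fields."""
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a SCSI device instance ID: {key!r}")
    fields = {}
    for item in m.group("fields").split("&")[1:]:
        name, _, value = item.partition("_")
        fields[name.lower()] = value
    return ScsiDevice(
        device_class=m.group("cls"),
        vendor=fields.get("ven"),
        product=fields.get("prod"),
        revision=fields.get("rev"),
        instance=m.group("inst"),
    )


def looks_virtualised(dev: ScsiDevice) -> bool:
    """The comparison step: does the vendor or product name a known hypervisor?"""
    haystack = f"{dev.vendor or ''}|{dev.product or ''}".upper()
    return any(marker in haystack for marker in HYPERVISOR_MARKERS)


def sandbox_evidence(keys: Iterable[str]) -> List[str]:
    """Return the device IDs that would make this check report a sandbox."""
    return [k for k in keys if looks_virtualised(parse_scsi_key(k))]


if __name__ == "__main__":
    for key in SAMPLE_SCSI_KEYS:
        dev = parse_scsi_key(key)
        print(f"{dev.vendor!s:10} {dev.product!s:16} virtual={looks_virtualised(dev)}")
```

A sandbox whose virtual disks still announce the hypervisor in Ven_/Prod_ fails this check before the loader does anything interesting; the usual countermeasure is to override the disk vendor and product identifiers in the hypervisor configuration so the key looks like physical hardware.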
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  2124 | file.exe | 2
  1272 | Process not Found | 62 (the sandbox could not resolve PID 1272 to an image name)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1272 | Process not Found
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2124 | file.exe
  2688 | darsfvd
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target | entries
  PID 2800 wrote to memory of 2688 | 2800 | taskeng.exe | 31 | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 2124)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe (PID 2800)
  command line: taskeng.exe {3E80BF12-44BD-4A41-8C0A-5B01C6687255} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\darsfvd (PID 2688, child of taskeng.exe)
    command line: C:\Users\Admin\AppData\Roaming\darsfvd
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
taskeng.exe is the Windows 7 scheduled-task host, so the dropped copy darsfvd was started by a scheduled task rather than directly by file.exe; the task registration itself is not among the signatures shown.
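Added example, not from tria.ge or from the sample: a small triage routine that rebuilds the process relationships from the Processes and WriteProcessMemory sections above and decides what each observation means. PIDs, images and the four 2800 -> 2688 writes are copied from the report; the event records are a constructed, simplified Sysmon-style shape, the svchost.exe entry in the scheduler-host set is an assumption added for Windows 8 and later, and the report itself does not say whether the writes were injection. The point it makes is the caveat a reader of this section needs: a parent writing into a child it has just created is what CreateProcess does to hand over start-up data, so that is downgraded, while a write into an unrelated process is the case worth escalating.

```python
import ntpath
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int  # 0 when the report does not state the parent
    image: str


# Constructed events mirroring the Processes and WriteProcessMemory sections
# of the report: PIDs, images and the four 2800 -> 2688 writes are from the
# page; the record shape is a simplified Sysmon-style one, not tria.ge's own.
PROCESS_CREATES = [
    ProcessCreate(2124, 0, r"C:\Users\Admin\AppData\Local\Temp\file.exe"),
    ProcessCreate(2800, 0, r"C:\Windows\system32\taskeng.exe"),
    ProcessCreate(2688, 2800, r"C:\Users\Admin\AppData\Roaming\darsfvd"),
]
MEMORY_WRITES: List[Tuple[int, int]] = [(2800, 2688)] * 4  # (source pid, target pid)

# taskeng.exe hosts scheduled tasks on Windows 7; on Windows 8 and later the
# Schedule service runs inside svchost.exe (assumption added for generality).
SCHEDULER_HOSTS = {"taskeng.exe", "svchost.exe"}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def user_writable_payload(image: str) -> bool:
    """True for a binary run from a user-writable drop location such as %APPDATA%."""
    return any(marker in image.lower() for marker in USER_WRITABLE)


def lacks_extension(image: str) -> bool:
    return not ntpath.splitext(basename(image))[1]


def triage(creates: List[ProcessCreate], writes: List[Tuple[int, int]]) -> List[str]:
    """Turn raw events into findings; parent-to-child writes are downgraded."""
    by_pid: Dict[int, ProcessCreate] = {p.pid: p for p in creates}
    findings: List[str] = []

    for p in creates:
        parent = by_pid.get(p.ppid)
        if parent and basename(parent.image) in SCHEDULER_HOSTS and user_writable_payload(p.image):
            note = " (no file extension)" if lacks_extension(p.image) else ""
            findings.append(
                f"scheduled task launched {p.image}{note} as pid {p.pid} "
                f"from {basename(parent.image)} pid {parent.pid}"
            )

    # The report repeats identical rows; collapse them into one finding with a count.
    for (src, dst), n in Counter(writes).items():
        s, d = by_pid.get(src), by_pid.get(dst)
        if not (s and d):
            continue
        if d.ppid == src:
            # CreateProcess writes start-up data (process parameters, environment)
            # into the new child, so a parent writing to its own child is expected.
            findings.append(
                f"{basename(s.image)} pid {src} wrote into its child pid {dst} "
                f"({basename(d.image)}) {n} times: expected at process start, not injection"
            )
        else:
            findings.append(
                f"possible injection: {basename(s.image)} pid {src} wrote into "
                f"unrelated pid {dst} ({basename(d.image)}) {n} times"
            )
    return findings


if __name__ == "__main__":
    for line in triage(PROCESS_CREATES, MEMORY_WRITES):
        print(line)
```

On the report's own data this yields one launch finding for darsfvd (a dropped binary with no extension, started by the task host) and one downgraded write finding. The activity this report attributes to PID 1272, a process the sandbox could not name and the one that deletes the original file, is where to look next rather than the taskeng.exe writes.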
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: bedac42746c2b83bf0b4238c72271346
  SHA1: cc2ed883609ffafcaa77eb4738d1b7fbdf0a0ffa
  SHA256: 5628951705135b7582a7913c52cc3c547b50a6a9badc656351b8b7945b1d8d38
  SHA512: cb08cc09b1ecd5a8c226b566f404c80d2aa2c758747e0010681dd8798a5d5e3411290d2d14182871a66f3b3aa114369f6443b8e6d5819a06061c01c0b29d60c1
- Filesize: 251KB, with the same MD5, SHA1, SHA256 and SHA512 as the entry above (the two downloadable files are byte-for-byte identical; the page does not name them)