Analysis
  max time kernel: 150s
  max time network: 52s
  platform: windows10-2004_x64
  resource: win10v2004-20231130-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/12/2023, 02:45
Behavioral task: behavioral1
  Sample: ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
  Resource: win10v2004-20231130-en
General
  Target: ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
  Size: 30KB
  MD5: 109c692ea197cabe6ab720f415ca866f
  SHA1: 0712a6095b3ade9e5ed763bdd5ad4d4ffa248d93
  SHA256: 4c60260f51e6cba1b0276210a1f38140d11ed66404f339a672f7814f6e08c66e
  SHA512: edb5550c9b160872f8d650cd015ec8d2a95d8119abda2a57b8a435a08f1d2bb0ed0d3898f5e709d6877be6fbcc39de1284c518e74c40c074409624818d08842b
  SSDEEP: 768:OAUqYpNSIoKpDd1KM02kQhx4hOtFceWzYqvz0bOS:HLo8LKtd1PBkQD4UtFceWnz
Malware Config
Extracted
  Family: smokeloader
  up3
Extracted
  Family: smokeloader
  2020
  C2:
    http://host-file-host6.com/
    http://host-host-file8.com/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  pid   Process
  3372  Process not Found
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2724  4428        WerFault.exe  48
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  The SCSI device entries under this key carry vendor and model strings (for example in FriendlyName and DeviceDesc values) that expose a hypervisor's emulated disk, so malware reads them to detect sandboxes and virtual machines before running its payload.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
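The SCSI check above, as an added example that is not the sample's code and not part of the tria.ge report: a Python emulation of what a RegEnumKey/RegQueryValue walk of Enum\SCSI finds on a VirtualBox guest versus a physical host, and the matching detection rule run over registry-access events shaped like the IoC rows in this table. The registry contents, the vendor-marker list, the trusted-directory list and all event records except the first are constructed assumptions; SmokeLoader's exact marker list is not on this page.

```python
"""Emulate the Enum\\SCSI sandbox check and detect processes that perform it.

Added example, not the sample's code or tria.ge output. Registry contents,
vendor markers and event records are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Constructed stand-in for HKLM\SYSTEM\ControlSet001\Enum\SCSI on a VirtualBox
# guest: one subkey per device instance, each with FriendlyName and DeviceDesc.
CONSTRUCTED_SCSI_VM: Dict[str, Dict[str, str]] = {
    r"Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000": {
        "FriendlyName": "VBOX HARDDISK",
        "DeviceDesc": "@disk.inf,%disk_devdesc%;Disk drive",
    },
    r"CdRom&Ven_VBOX&Prod_CD-ROM\4&1a2b3c4d&0&010000": {
        "FriendlyName": "VBOX CD-ROM",
        "DeviceDesc": "@cdrom.inf,%gencdrom_devdesc%;CD-ROM Drive",
    },
}

# Constructed stand-in for the same key on a physical host.
CONSTRUCTED_SCSI_PHYSICAL: Dict[str, Dict[str, str]] = {
    r"Disk&Ven_NVMe&Prod_Samsung_SSD_980\5&2f3e4d5c&0&000000": {
        "FriendlyName": "Samsung SSD 980 1TB",
        "DeviceDesc": "@disk.inf,%disk_devdesc%;Disk drive",
    },
}

# Substrings anti-analysis code commonly matches against SCSI device names.
# Assumed list for illustration; the sample's own list is not on the page.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "VMW")


def enumerate_scsi_strings(key: Dict[str, Dict[str, str]]) -> Iterable[str]:
    """Yield every string a subkey enumeration plus value query would return."""
    for instance_path, values in key.items():
        yield instance_path          # what "Key enumerated" sees
        yield from values.values()   # what "Key queried" sees


def find_vm_markers(key: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one 'MARKER in <string>' entry per case-insensitive hit."""
    hits: List[str] = []
    for text in enumerate_scsi_strings(key):
        upper = text.upper()
        hits.extend(f"{m} in {text!r}" for m in VM_MARKERS if m in upper)
    return hits


def looks_like_sandbox(key: Dict[str, Dict[str, str]]) -> bool:
    """The decision the malware takes: any marker present means 'analysed'."""
    return bool(find_vm_markers(key))


# Detection side: registry-access events in the shape of the IoC table
# (pid, image, operation, key). Only the first row comes from the report;
# the others are constructed.
PAYLOAD = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe")
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
CONSTRUCTED_EVENTS = [
    {"pid": 4428, "image": PAYLOAD, "op": "enumerated", "key": SCSI_KEY},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe", "op": "queried", "key": SCSI_KEY},
    {"pid": 4428, "image": PAYLOAD, "op": "opened",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 5120, "image": r"C:\Users\Admin\Downloads\tool.exe", "op": "queried",
     "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VBOX"},
]

# Assumed allow-list: system components legitimately read Enum\SCSI all the time.
TRUSTED_IMAGE_PREFIXES = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\",
                          "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")
SCSI_ENUM_MARKER = "\\ENUM\\SCSI"


def suspicious_scsi_readers(events) -> List[int]:
    """PIDs of processes outside trusted directories that touched Enum\\SCSI,
    in any ControlSet and at any depth below the key."""
    pids = set()
    for ev in events:
        if SCSI_ENUM_MARKER not in ev["key"].upper():
            continue
        if ev["image"].upper().startswith(TRUSTED_IMAGE_PREFIXES):
            continue
        pids.add(ev["pid"])
    return sorted(pids)


if __name__ == "__main__":
    print("VM guest flagged:", looks_like_sandbox(CONSTRUCTED_SCSI_VM), find_vm_markers(CONSTRUCTED_SCSI_VM))
    print("Physical host flagged:", looks_like_sandbox(CONSTRUCTED_SCSI_PHYSICAL))
    print("Suspicious Enum\\SCSI readers:", suspicious_scsi_readers(CONSTRUCTED_EVENTS))
```

The detection matches on the `\Enum\SCSI` path fragment rather than the exact key from the table so that reads through `CurrentControlSet` or of an individual device subkey are caught as well; the allow-list is the usual source of false negatives, so in production scope it by signer or hash rather than by path alone.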
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4428  ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe  (2 rows)
  3372  Process not Found  (62 identical rows collapsed)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4428  ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                    pid   Process
  Token: SeShutdownPrivilege      3372  Process not Found
  Token: SeCreatePagefilePrivilege  3372  Process not Found
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  3372  Process not Found  (3 identical rows collapsed)
Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  3372  Process not Found  (3 identical rows collapsed)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea755384c6e3558710e6bc8833d51e09aff904c76ecfa751895b9948feff726d_payload.exe"
   PID: 4428
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 364
      PID: 2724
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4428 -ip 4428
   PID: 3752