Analysis
- max time kernel: 113s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/12/2023, 06:04
Static task
- static1
Behavioral tasks
- behavioral1: sample 2b18e848913549f52ef1b3c99411ef5c.exe, resource win7-20231215-en
- behavioral2: sample 2b18e848913549f52ef1b3c99411ef5c.exe, resource win10v2004-20231222-en
The Analysis fields above and the Signatures and Processes sections below come from behavioral2, the Windows 10 run (platform windows10-2004_x64, resource win10v2004-20231222-en).
General
- Target: 2b18e848913549f52ef1b3c99411ef5c.exe
- Size: 177KB
- MD5: 2b18e848913549f52ef1b3c99411ef5c
- SHA1: deeae31755acdf4dac3c9badd383d0602eb7449f
- SHA256: faf49f9b1d785e077bd17c37eddec80c57d3ffc843a745e6854c9b7a6812b7e0
- SHA512: ec5550bedc4ce1daa1ea1c9bdd9c2d9a762db86a27ed79db0e82abd60fed4a8b8390d94ef683e6b4380e9967b91b867c863bd18bdeec355c6f059fcda6957592
- SSDEEP: 3072:D6abkbeQNnL8RkJ+W5wSRFHHwhZoWC9sI5/DuT61m:D6TblNnLmLUHwhZU9sI5/
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 3452, Process: Process not Found
  ("Process not Found" is the report's placeholder for PID 3452, for which the sandbox did not record an image name; the self-deletion, AdjustPrivilegeToken and UnmapMainImage IoCs below are all attributed to it.)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1772 set thread context of 2276 (pid 1772, Process 2b18e848913549f52ef1b3c99411ef5c.exe, procid_target 68)
- Program crash (1 IoC)
  pid 388, pid_target 2276, Process WerFault.exe, procid_target 68
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2b18e848913549f52ef1b3c99411ef5c.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2b18e848913549f52ef1b3c99411ef5c.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2b18e848913549f52ef1b3c99411ef5c.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2276, Process 2b18e848913549f52ef1b3c99411ef5c.exe (2 IoCs)
  pid 3452, Process not Found (62 IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2276, Process 2b18e848913549f52ef1b3c99411ef5c.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeShutdownPrivilege (pid 3452, Process not Found)
  Token: SeCreatePagefilePrivilege (pid 3452, Process not Found)
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3452, Process not Found
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1772 wrote to memory of 2276 (pid 1772, Process 2b18e848913549f52ef1b3c99411ef5c.exe, procid_target 68), recorded 6 times
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
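What the "Checks SCSI registry key(s)" signature usually corresponds to, as an added example that is not part of this report and not this sample's code: the subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are device-instance IDs of the form Disk&Ven_<vendor>&Prod_<product>, so a process that enumerates them can recognise a hypervisor from the vendor and product strings. The marker list and the constructed device IDs below are my assumptions; the report does not say which strings this sample compares against. On Windows the script reads the real key the sample touched; elsewhere it falls back to the constructed list.

```python
"""Emulate an Enum\\SCSI anti-VM check (added example, not the sample's code)."""
import sys

# Assumed hypervisor markers (common vendor/product strings); not taken from the report.
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtio", "virtual", "msft")

# Constructed device-instance IDs in the Enum\SCSI subkey format: one VMware disk,
# one physical SATA SSD, one VirtualBox CD-ROM.
SAMPLE_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
]


def parse_device_id(device_id):
    """Split 'Disk&Ven_VMware&Prod_Virtual_disk' into device class, vendor and product."""
    parts = device_id.split("&")
    info = {"class": parts[0], "vendor": "", "product": ""}
    for p in parts[1:]:
        if p.startswith("Ven_"):
            info["vendor"] = p[len("Ven_"):]
        elif p.startswith("Prod_"):
            info["product"] = p[len("Prod_"):]
    return info


def hypervisor_hits(device_ids):
    """Return the device IDs whose vendor/product strings match a hypervisor marker."""
    hits = []
    for dev in device_ids:
        info = parse_device_id(dev)
        haystack = (info["vendor"] + " " + info["product"]).lower()
        if any(marker in haystack for marker in HYPERVISOR_MARKERS):
            hits.append(dev)
    return hits


def enum_scsi_device_ids(control_set="ControlSet001"):
    """On Windows, enumerate the subkeys of the key this sample opened/queried/enumerated.
    Returns None on other platforms so callers can fall back to constructed data."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    path = r"SYSTEM\%s\Enum\SCSI" % control_set
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return ids


if __name__ == "__main__":
    ids = enum_scsi_device_ids() or SAMPLE_IDS
    for dev in ids:
        print(dev, "->", parse_device_id(dev))
    print("hypervisor markers found in:", hypervisor_hits(ids))
```

Running this on a bare-metal analysis box and on the sandbox VM side by side shows exactly which strings the check would see; renaming the virtual disk's vendor/product strings in the hypervisor configuration is the usual way to defeat this class of check.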
Processes
- C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe (PID 1772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe (PID 2276, child of 1772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\WerFault.exe (PID 388, child of 2276)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 328
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 660)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2276 -ip 2276
Read together with the signatures: PID 1772 starts a second copy of its own image as PID 2276, writes into that child's memory and sets its thread context, and it is the child that performs the SCSI registry check and process enumeration before crashing; both WerFault instances name PID 2276 (-p 2276) as the crashing process.
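A small triage helper, added here as an example and not part of the tria.ge report or the sample, that rebuilds the process tree and the WriteProcessMemory/SetThreadContext rows above (embedded as constructed Python data copied from this report) and flags the self-injection shape they form. The rule it applies (a process writes into and then sets the thread context of a child that runs the same image) is my own heuristic for process hollowing / RunPE-style injection, not something the report asserts; the WerFault correlation reads the -p <pid> argument to tie each crash reporter back to the injected child, which is useful when deciding whether a behavioural run reached its payload stage.

```python
"""Flag self-injection and correlate WerFault crashes from sandbox rows (added example)."""
import re
from collections import defaultdict

# Constructed from the Processes section of the report above.
PROCESSES = {
    1772: {"image": r"C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe",
           "parent": None,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe"'},
    2276: {"image": r"C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe",
           "parent": 1772,
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2b18e848913549f52ef1b3c99411ef5c.exe"'},
    388: {"image": r"C:\Windows\SysWOW64\WerFault.exe", "parent": 2276,
          "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 328"},
    660: {"image": r"C:\Windows\SysWOW64\WerFault.exe", "parent": None,
          "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2276 -ip 2276"},
}

# Constructed from the Signatures section: (api, source pid, target pid).
IOC_EVENTS = [("WriteProcessMemory", 1772, 2276)] * 6 + [("SetThreadContext", 1772, 2276)]

# "-p <pid>" as WerFault receives it; "-pss" and "-ip" must not match.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def find_self_injection(processes, events):
    """Return (parent, child) pairs where the parent both wrote into and set the
    thread context of a child it spawned that runs the parent's own image."""
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    findings = []
    for (src, dst), seen in apis.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue
        parent, child = processes.get(src), processes.get(dst)
        if (parent and child and child["parent"] == src
                and child["image"].lower() == parent["image"].lower()):
            findings.append((src, dst))
    return findings


def crashed_pids(processes):
    """Map each WerFault PID to the PID it is reporting a crash for."""
    out = {}
    for pid, info in processes.items():
        if info["image"].lower().endswith("\\werfault.exe"):
            match = WERFAULT_TARGET.search(info["cmdline"])
            if match:
                out[pid] = int(match.group(1))
    return out


def triage(processes, events):
    """One line per injection finding, with any crash reporters for the injected child."""
    lines = []
    crashes = crashed_pids(processes)
    for parent, child in find_self_injection(processes, events):
        line = "PID %d -> PID %d: self-injection into a child running the same image" % (parent, child)
        reporters = sorted(w for w, victim in crashes.items() if victim == child)
        if reporters:
            line += "; child later crashed (WerFault PIDs %s)" % reporters
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in triage(PROCESSES, IOC_EVENTS):
        print(line)
```

The same-image check is what separates this pattern from ordinary parent/child memory writes such as a debugger or installer; a stricter rule would also require the MapViewOfSection or UnmapMainImage IoCs in the child, which this report records for PID 2276 and PID 3452 respectively.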