Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3a658a682d...80.exe

windows7-x64

10

3a658a682d...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    48s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2024, 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a658a682d7961b370dde9b8e65aba80.exe

  • Size

    227KB

  • MD5

    3a658a682d7961b370dde9b8e65aba80

  • SHA1

    1c6dec6db75e49fe3bc0be4fec093d2ebc7b12d2

  • SHA256

    cd9dfd76dbfc11d9c6dd279b346cca489591b551bba392ade52486ee95918430

  • SHA512

    18d96158025e9c3ec10bcf12751361630c59751d8c5063560eb799fc683cd2b6ae1dba44f3c66ad25a398d8df8fd0682c90c7505d4851a48a723e137392f953e

  • SSDEEP

    3072:JG1se/J24L9letmyKn4whMtuuONm9r9opAS9uUHbnx7XkAs9DeBrmu:JG1se/JFIq3Mt0NmILThXkA

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a658a682d7961b370dde9b8e65aba80.exe
    "C:\Users\Admin\AppData\Local\Temp\3a658a682d7961b370dde9b8e65aba80.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1392
  • C:\Users\Admin\AppData\Local\Temp\C62C.exe
    C:\Users\Admin\AppData\Local\Temp\C62C.exe
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      2⤵
      • Executes dropped EXE
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\C62C.exe
    Filesize

    118KB

    MD5

    e1b9219d86be940d96e19e7dfa16f6ec

    SHA1

    6a2e62db439cf8167fc809b2fe276dbfec70be6d

    SHA256

    d4dca922c95da93a81548f7b51b883be2de4ad433e8196e0a81235835b303c04

    SHA512

    ec8b88903e3c1666410537e1315db3e5ad52e2e5a6b88cfe89d5a749e76ea5f877f23e8da225e1187d43ada70945a02a4102250f66e0df767b55fd2d2e01b762

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\C62C.exe
    Filesize

    199KB

    MD5

    9fb0f35f4ecc566e33d85f07ff80f609

    SHA1

    9b62188eb79e6a576b3e5fcdb1ffa141657a6e9f

    SHA256

    920baa22704343d335cc620ba69a5daf4471c0d197d021a5de87a2a42a16b094

    SHA512

    94cb3523ac109117e3c019b120c4b9015becf14eec6bcd61bee2f4d24190ed356cddc0624165703f2e20d75079ddd5a210e9f742317ea9e8422f02385bd506b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\C62C.exe
    Filesize

    374KB

    MD5

    c8f910f15f14a82a832159c731986701

    SHA1

    21bcafc26ccb59a1fc54439f4fbef065490de888

    SHA256

    8b00621b30875ecd15d63df82f30b0eb2dfbfc8227cacb89e4f8f9fbd775c729

    SHA512

    9321c11319b53abe18220bf5ddfa9245d26886fc3f6eaf1dd649e5fc49ad7a706b6aaf80359251bc1060095a4c35e18c03b3f1d161a92d5a1a4a6298a9ccffb8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
    Filesize

    930B

    MD5

    3711f9615bc18ecc850337a3cd471828

    SHA1

    edd296690a756bb873ab710e3efe3f5433c8311b

    SHA256

    496ad64f340d5e6d29b01a256f5d18961c4803acc6ecdd3e26599151c81866cf

    SHA512

    5a0abc0d08bb5ef2c947d9322ef7f96da87031a949090507dab0855d9c15a9dc5444b89a7d4e76d2b93010b8809d6c617c1df4b00c7e52bc2a1539ce054ffc5c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    Filesize

    288KB

    MD5

    ce284cb55e5cbdd0c9b4c9715af266d6

    SHA1

    fa01678cf7714c397a86f63c5a6e5577ce73c632

    SHA256

    f886e633841881d9d1c1828a832781462b90ff48f18e5ae9dd35dd94a61684eb

    SHA512

    7b486dcb0a38bb7ba29e24b35134ac70af4d7b0f73fe3adfa0a91ad0313377fba1e8011545c3c574c04824ed6172d51b7b9d03f15f8217838bff2e886e07da0f

    Download Submit

  • \Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    Filesize

    281KB

    MD5

    c75aaab60f42a5c0c18137d77b74721b

    SHA1

    8d22ed3d0ee4f4c81f0a5abbff5b9b1e8f8e5f72

    SHA256

    c725bf0d075d45e7bc4dbb4cfb3fb3e209137d7ca2e195476881c11bf85bab87

    SHA512

    8d6276e32e32da4979123c159af00ac8fed8c4219ce299d28e56bc4c8b2748e43a50b81d858881172735e2922336abba1c9d6610c305e87f15f852c70e0c2ba9

    Download Submit

  • \Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    Filesize

    244KB

    MD5

    c33820bad3851d585295906bff0884d7

    SHA1

    2be8499c83d1b7e6a1538f0966413ca1b349fb90

    SHA256

    d99ad530c0267a4218ad9f9da96f969d7b582546c47e9fbe9d838b616325cff7

    SHA512

    f0708cdd4a1c52218d07b65d03ea28e19b6821f26c2a86a47c2fdb1e8b1c8fa23002f8ed241b8e0661ada6a4b3e093a1ea757be72f5730c321eab9c99494e6c1

    Download Submit

  • \Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    Filesize

    448KB

    MD5

    c17b70128943186efca448246072f5df

    SHA1

    1d00ba8363c4b54ca4e55ef2b96abb7a2682b1fe

    SHA256

    d5bf1eba59ec37f47713bc7cb19fc2e7212b38822732d9e9a0ea1500c0b52764

    SHA512

    17d378c649b7335626a80d5b36f25106a84d8fdd2421e9d1be3a7ded35fd14d5561da2cc36f3a646a8d7c123345b5cb0603219fafad23e423cf14dd344b3ceba

    Download Submit

  • memory/1356-4-0x0000000002A70000-0x0000000002A86000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1392-3-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1392-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1392-5-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1392-2-0x0000000000220000-0x000000000022B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2496-41-0x0000000002C80000-0x0000000002D80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2496-38-0x0000000000400000-0x0000000002B72000-memory.dmp

    Filesize

    39.4MB

    Download

  • memory/2496-37-0x0000000002C80000-0x0000000002D80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2552-20-0x0000000002D20000-0x0000000002E20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2552-21-0x0000000000220000-0x00000000002B1000-memory.dmp

    Filesize

    580KB

    Download

  • memory/2552-33-0x0000000000400000-0x0000000002B72000-memory.dmp

    Filesize

    39.4MB

    Download

  • memory/2552-35-0x0000000000400000-0x0000000002B72000-memory.dmp

    Filesize

    39.4MB

    Download