Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2WikyfhIg3...9j.exe

windows7-x64

10

2WikyfhIg3...9j.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19/02/2024, 22:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2WikyfhIg3qcjejHn3mPOq9j.exe

  • Size

    4.6MB

  • MD5

    61d5c104ea3648f4020c15dfac7e41de

  • SHA1

    7197efa6c099fd47ea379578e5bdf9877d33b087

  • SHA256

    d699d09ddc2994787b49a164b33353a8e723a62c7a2709201c4a3398169f8edf

  • SHA512

    33386ae9326a298617c54bdc3084559f3b1a2e0ad72d33d773582befe7f5c4b875710dc2e93f9d10614add27bebd3b1ea6f9311b06b05f82eadb81c35df13a0a

  • SSDEEP

    98304:oV8ndGDi9ymvydJLC19UYeh62JPtG4n65Kj5OJPL2Pso:o+ndGapsLCaW4n65K1CPa

Score
10/10
lgoogloaderriseprosmokeloaderpub3backdoordownloaderevasionspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

smokeloader

Version

2022

C2

http://sjyey.com/tmp/index.php

http://babonwo.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • Detects LgoogLoader payload 2 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe
    "C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\Documents\GuardFox\naFT6AQizmOyifoJT8Usp082.exe
      "C:\Users\Admin\Documents\GuardFox\naFT6AQizmOyifoJT8Usp082.exe"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1700
    • C:\Users\Admin\Documents\GuardFox\9PpmP3Bu6vDE1bsDRzmBaBe4.exe
      "C:\Users\Admin\Documents\GuardFox\9PpmP3Bu6vDE1bsDRzmBaBe4.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Executes dropped EXE
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\GuardFox\9PpmP3Bu6vDE1bsDRzmBaBe4.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\SYSWOW64\calc.exe
        "C:\Windows\SYSWOW64\calc.exe"
        3⤵
          PID:2376
      • C:\Users\Admin\Documents\GuardFox\EWgP54QXnJBXasEmZqiw8Di7.exe
        "C:\Users\Admin\Documents\GuardFox\EWgP54QXnJBXasEmZqiw8Di7.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      a65e7f1710e3993af63b13323e693091

      SHA1

      5280fae7b4917412d22142c747ff9f0d21f375e0

      SHA256

      3ca9dad265968b6b7ce4370d9f550e892d5a9eb3490b82120ef15c0b7527a675

      SHA512

      0c1dc6dec35f2daae250301a390b7eadab0030c94bf98f40b36e28a765ea18f13c841ab3c369e5e93f82de3e38064592ed4c0457fcb3d593e1f66de58282f600

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      3f5d16ef8620c6b4202df8062d65df19

      SHA1

      b559dc2c849e3f3e706df5a6c928bcc0d970da4a

      SHA256

      723fad5ff2228fb6e12895b30f5f64ae07c0fcecbf062670ae3fc926a4d2a803

      SHA512

      bbaad2a17e76f6ba11d22ea6495169dc21db50f5c9c8c0ccde9e72b6fb4c447967dc4898ccf3b3f0183c1d0e5f478fe3e50ef4b0d4756f83d435133d55022aea

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      2fdbe064606a046d90948685ab514ac4

      SHA1

      631ba56ec0b2d6c4876b7befc28521bfea82200d

      SHA256

      358f4cf781e9c3c2ada5616c5cf7ad4f7c45eef28246b959fe834dbe2b1bd457

      SHA512

      4d91fa567b7cad8c0eb59961ae561a117017ce6d74b35c9474373fe1707b517ca73e328fb9cc4084c9ab184a5bb64944d8aa47314f85fb254e2546a52018fa22

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab3DAE.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar3DE0.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit

    • C:\Users\Admin\Documents\GuardFox\9PpmP3Bu6vDE1bsDRzmBaBe4.exe
      Filesize

      57KB

      MD5

      d01db1a22fa1650f21ee7b8aecd5e470

      SHA1

      cd7efd6796bc3265d9a46c4ab931dd260a802a5e

      SHA256

      de08f713d5ba090928a648dfbea989c87b60c5cc97b3725016d1a9c816ef3735

      SHA512

      fb537d7f17624e2729d8ee86bb1c1264408013b199a54d8e98476ae8310f125fefeb4f781ac4b78de73c75ff77aa6a58d69a3dae5fc1b0f78d9cf7110e0009b8

      Download Submit

    • C:\Users\Admin\Documents\GuardFox\EWgP54QXnJBXasEmZqiw8Di7.exe
      Filesize

      6.7MB

      MD5

      07e9dde33ec50fdddf4432a38b85e76f

      SHA1

      cba6a1592fad4627a87aa86a42418840e5863561

      SHA256

      8441cd2d39c8accf00cd4df692bf1e58c33904e30e6db60d02af6be09904263b

      SHA512

      c82e4e2dca1d14a5323841bcf543330a57232a4b19a3407ab875b3af2978d4e4438d66f86610d14bd61274bc120bf2ef6053c77ed37600b169e286541b84354b

      Download Submit

    • C:\Users\Admin\Documents\GuardFox\EWgP54QXnJBXasEmZqiw8Di7.exe
      Filesize

      4.6MB

      MD5

      0afca741f047f86a8832cc95fb567670

      SHA1

      f58f8d936f604a2d618a3e253cd584e59acc53dc

      SHA256

      023373372c930f07e59c4e9e1ac1a6b10ee48809b1aa44c1e07312416b7347f9

      SHA512

      0226226100f9873e6bbd40525a93f1568c2fce6b505ce62b53372b99a4d918e095c856b00f764c266c474279d2f145c5fa064c8c4e9e9f1ff1a5e20d761a8ec2

      Download Submit

    • C:\Users\Admin\Documents\GuardFox\EWgP54QXnJBXasEmZqiw8Di7.exe
      Filesize

      4.5MB

      MD5

      21518a6ca8c1cb4364f4c1e9abfd7fc4

      SHA1

      c38d37938e8111deb106de8b85114afacf3285e0

      SHA256

      61bdfed7616a3fb0c0f67df2a1c62da154af8036db325f9704451a4087575704

      SHA512

      5d346574ad85f7888b607335aefb6cbf27bfc7935a81313f82a3bee9a595baad677efa6ace809522224cc6f4023eddaff4657ab2648b088b070f9fd8c2dd41f0

      Download Submit

    • C:\Users\Admin\Documents\GuardFox\naFT6AQizmOyifoJT8Usp082.exe
      Filesize

      227KB

      MD5

      2ed2bc32020d935168d5be26e48ba06e

      SHA1

      e1f599b8518c16fe113a5cdee8925deacf91ecf0

      SHA256

      3757c57271c86fe5c2a6c0eacc3e5f1a0121d80b5a7f4c69c78e010594b6990c

      SHA512

      bf7069b75a2cb1e3a87c38927ddedf3d9beb30f85f0738bfec8e78ddda3644aeb2617bfb46d44ffe29ea38b0cb90a0423c649c3484ee1ceec0490d220df36327

      Download Submit

    • memory/1272-316-0x0000000002A60000-0x0000000002A76000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1700-317-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1700-295-0x00000000005F0000-0x00000000006F0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1700-297-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1700-296-0x0000000000230000-0x000000000023B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1752-324-0x0000000074CF0000-0x00000000753DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1752-320-0x0000000008670000-0x000000000876E000-memory.dmp

      Filesize

      1016KB

      Download

    • memory/1752-315-0x0000000004B50000-0x0000000004B90000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1752-309-0x0000000074CF0000-0x00000000753DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1752-306-0x0000000000630000-0x000000000064A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1752-301-0x00000000008E0000-0x00000000008F4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1996-307-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1996-314-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1996-312-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1996-313-0x0000000000170000-0x0000000000EF3000-memory.dmp

      Filesize

      13.5MB

      Download

    • memory/1996-310-0x0000000000080000-0x0000000000081000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1996-298-0x0000000000170000-0x0000000000EF3000-memory.dmp

      Filesize

      13.5MB

      Download

    • memory/2376-321-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2376-339-0x00000000000B0000-0x00000000000BD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2376-325-0x0000000000080000-0x0000000000089000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2376-326-0x00000000000B0000-0x00000000000BD000-memory.dmp

      Filesize

      52KB

      Download

    • memory/2376-323-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/2504-20-0x0000000077D90000-0x0000000077D92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-25-0x000007FEFDA90000-0x000007FEFDA92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-15-0x0000000077D80000-0x0000000077D82000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-5-0x0000000077D60000-0x0000000077D62000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-30-0x000007FEFDAA0000-0x000007FEFDAA2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-6-0x0000000077D70000-0x0000000077D72000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-10-0x0000000077D70000-0x0000000077D72000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-8-0x0000000077D70000-0x0000000077D72000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-28-0x000007FEFDAA0000-0x000007FEFDAA2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-3-0x0000000077D60000-0x0000000077D62000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-0-0x0000000077D60000-0x0000000077D62000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-11-0x0000000077D80000-0x0000000077D82000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-305-0x000000013F1B0000-0x000000013F9D2000-memory.dmp

      Filesize

      8.1MB

      Download

    • memory/2504-23-0x000007FEFDA90000-0x000007FEFDA92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-18-0x0000000077D90000-0x0000000077D92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-2-0x000000013F1B0000-0x000000013F9D2000-memory.dmp

      Filesize

      8.1MB

      Download

    • memory/2504-13-0x0000000077D80000-0x0000000077D82000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2504-16-0x0000000077D90000-0x0000000077D92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2840-330-0x000000006F970000-0x000000006FF1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-331-0x0000000002230000-0x0000000002270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-332-0x0000000002230000-0x0000000002270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-333-0x0000000002230000-0x0000000002270000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-334-0x000000006F970000-0x000000006FF1B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-329-0x000000006F970000-0x000000006FF1B000-memory.dmp

      Filesize

      5.7MB

      Download