Analysis
-
max time kernel
300s -
max time network
297s -
platform
windows10-1703_x64 -
resource
win10-20240214-en -
resource tags
arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system -
submitted
20/02/2024, 04:48
Static task
static1
Behavioral task
behavioral1
Sample
2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Resource
win10-20240214-en
General
-
Target
2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
-
Size
218KB
-
MD5
8e9c86c06b0e994e3b99716e2a5ffc76
-
SHA1
3d3e45bd3383761f23bbab220c316fae5871bae6
-
SHA256
2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5
-
SHA512
be768b80d8cf560907a183dce32435cd5363b193ffd03fafa31a264370a6edfd506ea71cbb0772b4ca2720c08a4e8c7d35c4c1d40d959f89b3135a0b7a2919d7
-
SSDEEP
3072:ubztenC6XwwUZ0usUt+7s3jHA9JldQi++1xw8Ye6L3o+7BaGLvSx5x0z5:DfXk0CYnl9xw8G3o0Bat0z
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
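The five C2 URLs above are the only ones extracted from this sample, so the first thing a practitioner wants is to hunt for them in egress logs. The block below is an added example, not code from tria.ge or from the SmokeLoader analysis; it matches normalised host and path against the extracted list, and additionally flags any other host that is contacted with the same `/tmp/index.php` path (a generalisation of the pattern shared by all five URLs, not something the report itself states). The log format and log lines are constructed for the example; `parse_line()` must be adapted to the real proxy format.

```python
"""Added example: hunt for the extracted SmokeLoader C2 URLs in proxy logs.

C2_URLS is copied from the extracted config on this page.  The log format
and the sample lines are constructed for the example and are not data from
the sandbox run; adapt parse_line() to your own proxy's format.
"""
from urllib.parse import urlsplit

# C2 URLs from the extracted config above.
C2_URLS = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]


def normalize(url):
    """Reduce a URL to (lower-case host, path), dropping scheme and query."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path


C2_SET = {normalize(u) for u in C2_URLS}

# Path shared by every C2 in this config; used for the weaker pattern match
# on hosts that are not in the list (assumption: the panel path is reused).
C2_PATH = "/tmp/index.php"

# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2024-02-20T04:49:12Z 10.0.0.5 POST http://sjyey.com/tmp/index.php 200
2024-02-20T04:49:13Z 10.0.0.5 GET http://www.example.com/index.php 200
2024-02-20T04:49:20Z 10.0.0.7 POST http://MTH.COM.UA/tmp/index.php?x=1 404
2024-02-20T04:49:31Z 10.0.0.9 POST http://unlisted.test/tmp/index.php 200
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def classify(url):
    """'exact' for a listed C2, 'pattern' for the shared path on another host,
    None when the URL matches neither."""
    host, path = normalize(url)
    if (host, path) in C2_SET:
        return "exact"
    if path == C2_PATH:
        return "pattern"
    return None


def hunt(log_text):
    """Return (client, url, verdict) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec["url"])
        if verdict:
            hits.append((rec["client"], rec["url"], verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in hunt(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {url}")
```

Host comparison is case-insensitive and the query string is ignored, so the upper-cased `MTH.COM.UA` line with `?x=1` still matches exactly; the HTTP status is deliberately not used, since a 404 from the panel still proves the beacon was sent. The `pattern` verdict is a lead to triage, not a confirmed C2.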
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
pid	Process
3316	Process not Found
-
Executes dropped EXE 1 IoCs
pid	Process
4240	bvgtvjd
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bvgtvjd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bvgtvjd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bvgtvjd
-
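Both the original sample and the dropped `bvgtvjd` open, query and enumerate `Enum\SCSI`. What the malware is after is the subkey names under that key: each attached SCSI device gets a key named like `Disk&Ven_<vendor>&Prod_<product>`, so a hypervisor's virtual disk controller leaks the vendor string straight into the registry. The block below is an added example that reproduces that check, not the sample's own code; the vendor/product marker list is an assumed one, the device keys are constructed for the example, and on a non-Windows host it falls back to the constructed keys instead of reading the registry.

```python
r"""Added example: the registry-based VM check flagged in the signature above.

HKLM\SYSTEM\ControlSet001\Enum\SCSI holds one subkey per SCSI device, named
"<class>&Ven_<vendor>&Prod_<product>".  Reading those names is enough to
spot a hypervisor's virtual disk.  VM_MARKERS is an assumed list of common
hypervisor strings; SAMPLE_* keys are constructed, not captured from the run.
"""
import re
import sys

# Assumed indicator list: substrings of vendor/product that identify a VM disk.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Constructed device keys as seen on a VirtualBox guest and on a physical host.
SAMPLE_VM_KEYS = [
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_VBOX&Prod_CD-ROM",
]
SAMPLE_HOST_KEYS = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD5",
]

_KEY_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>.*)$")


def parse_device_key(name):
    """Split 'Disk&Ven_VBOX&Prod_HARDDISK' into (class, vendor, product);
    None when the name does not follow the Enum\SCSI naming scheme."""
    m = _KEY_RE.match(name)
    if not m:
        return None
    return m.group("cls"), m.group("ven"), m.group("prod")


def find_vm_markers(device_keys):
    """Return the device keys whose vendor or product carries a VM marker."""
    hits = []
    for name in device_keys:
        parsed = parse_device_key(name)
        if parsed is None:
            continue
        _, ven, prod = parsed
        haystack = f"{ven} {prod}".lower()
        if any(marker in haystack for marker in VM_MARKERS):
            hits.append(name)
    return hits


def read_scsi_device_keys():
    """Enumerate the real Enum\SCSI subkeys on Windows; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:  # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            i += 1
    return names


if __name__ == "__main__":
    keys = read_scsi_device_keys() or SAMPLE_VM_KEYS
    print("VM markers found in:", find_vm_markers(keys))
```

For sandbox operators the useful direction is the inverse: if `find_vm_markers()` reports anything on your analysis VM, a sample using this check will see it too, so the vendor strings exposed by the hypervisor (not just the registry key) need to be renamed. Note the `virtual` marker also matches a mounted VHD on a physical host, so the check as malware uses it is noisy in both directions.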
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid	Process
2300	2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe (2 entries)
3316	Process not Found (62 entries)
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid	Process
2300	2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
4240	bvgtvjd
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description	pid	Process
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2247fbe7501c8dd4621c03b2d80df6e66933136aaa06afe0dda086ba3a6f1ce5.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2300
-
C:\Users\Admin\AppData\Roaming\bvgtvjd
Command line: C:\Users\Admin\AppData\Roaming\bvgtvjd
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4240
Network
MITRE ATT&CK Enterprise v15