Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d4bd84ab6a...78.exe

windows10-2004-x64

10

Resubmissions

19/03/2024, 10:46

240319-mvcmcsah4t 10

18/03/2024, 12:09

240318-pbenqagc97 10

17/03/2024, 13:27

240317-qqh55afc93 10

17/03/2024, 02:17

240317-cqtd7scf2x 10

Analysis

  • max time kernel
    66s
  • max time network
    70s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 10:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe

  • Size

    209KB

  • MD5

    2cb4d9235c8edfaeeedf9258177cec57

  • SHA1

    401520c963a302e4df292c032416febec06e5666

  • SHA256

    d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278

  • SHA512

    5d1059c1618e8cf1645a7775da743b02ef387d249c6b263e20ade68362ee06e43548293c1bb224719014618458b6bb6b00c7664fbea97b2414976ce980a8d950

  • SSDEEP

    3072:M4GZjvkqp4C/Khv97mrvw1F0Dz1yL9w1RBeg8+/yGYV:nGlvkqp4RSTwQwkRBeA

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe
    "C:\Users\Admin\AppData\Local\Temp\d4bd84ab6a80420dd229e9607fb50c088667fdd38e2d8bf7a583269effa68278.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5100
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3876
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffed2e69758,0x7ffed2e69768,0x7ffed2e69778
      2⤵
        PID:1552
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:2
        2⤵
          PID:3780
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:8
          2⤵
            PID:1612
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:8
            2⤵
              PID:4408
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:1
              2⤵
                PID:996
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:1
                2⤵
                  PID:2796
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4188 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:1
                  2⤵
                    PID:3844
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:8
                    2⤵
                      PID:3952
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:8
                      2⤵
                        PID:3640
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4140 --field-trial-handle=1760,i,12532792639342473703,1234061620840526890,131072 /prefetch:8
                        2⤵
                          PID:2292
                      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                        1⤵
                          PID:4860
                        • C:\Windows\system32\taskmgr.exe
                          "C:\Windows\system32\taskmgr.exe" /4
                          1⤵
                          • Checks SCSI registry key(s)
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1068

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
                          Filesize

                          64KB

                          MD5

                          d2fb266b97caff2086bf0fa74eddb6b2

                          SHA1

                          2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

                          SHA256

                          b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

                          SHA512

                          c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

                          Download Submit

                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
                          Filesize

                          4B

                          MD5

                          f49655f856acb8884cc0ace29216f511

                          SHA1

                          cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

                          SHA256

                          7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

                          SHA512

                          599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

                          Download Submit

                        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
                          Filesize

                          944B

                          MD5

                          6bd369f7c74a28194c991ed1404da30f

                          SHA1

                          0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

                          SHA256

                          878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

                          SHA512

                          8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                          Filesize

                          371B

                          MD5

                          de03e12ed26b954c5d71bbeeed852bf6

                          SHA1

                          e43ec7ebd156c2c7b50f44e0c631fa2b978c582d

                          SHA256

                          a9ba8b9cc59a9113d9ef0e7b60cbab721be7059a5c633f0f31b0db164dbe910d

                          SHA512

                          d8d13551eeb38aa01672a26758b5c9cac9290824e871b48e95507bddc5d781c103a188aa90f9281072d7e18d0c1d54b8947f0a76202f5e20cb2f929933ad9536

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          6KB

                          MD5

                          52887fa184f10338884de2547be1f010

                          SHA1

                          4b90e115679fb031623185cb2453de10d636ddb1

                          SHA256

                          b099f202d0eb11400bbf66dbff2a7a15ce99e7f75fec56169260eb54908ac9ea

                          SHA512

                          03c79ceb90d56ba2c2abb3f161246084ccb15a9be45207584cfa7f5c0e0406797879cee880f2d2d84734c8b388dc2a01a46542c0b1be48bb9f38c79cf2216ef6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                          Filesize

                          15KB

                          MD5

                          f76d951b03147f9ad965e8bcbdf23958

                          SHA1

                          ce798116662a6173461b813f289b8a353a17361c

                          SHA256

                          f388d0b90211fb1e026e9d682d569e50c00d1e791f7b00b08d10c412cb199992

                          SHA512

                          78dbfd72c0874bcf2f8471043d0ceeda8f0726b165bbb78c2d3e07e4a6ad07f82f068338fef7a568a909b2429f2cb84cbef53054e96c2a91bc3acfe3480b9964

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          258KB

                          MD5

                          081073a0a2bce445578007f857a7fe4e

                          SHA1

                          54a36dd74a0a809daf1d0b47eca530c38d683c95

                          SHA256

                          e97981eeac991cc4458d1918d3698dfcd8756e30cab8762f7a8eb556196277c8

                          SHA512

                          883c007571d427856c78216f3a988028afdce2db5fdf992ed814a635596fe1391e20e795a5bfe60793cf02608dae09dfacc2ec7b96f9dc7aacf0c53fbb1d8652

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
                          Filesize

                          2B

                          MD5

                          99914b932bd37a50b983c5e7c90ae93b

                          SHA1

                          bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                          SHA256

                          44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                          SHA512

                          27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                          Download Submit

                        • memory/1068-53-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-43-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-54-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-52-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-50-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-51-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-55-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-44-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1068-45-0x000001AA76800000-0x000001AA76801000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3408-4-0x0000000002300000-0x0000000002316000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/3876-15-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-14-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-20-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-25-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-24-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-13-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-23-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-22-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-19-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/3876-21-0x0000015D60CA0000-0x0000015D60CA1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5100-1-0x0000000000620000-0x0000000000720000-memory.dmp

                          Filesize

                          1024KB

                          Download

                        • memory/5100-5-0x0000000000400000-0x0000000000473000-memory.dmp

                          Filesize

                          460KB

                          Download

                        • memory/5100-8-0x00000000005E0000-0x00000000005EB000-memory.dmp

                          Filesize

                          44KB

                          Download

                        • memory/5100-3-0x0000000000400000-0x0000000000473000-memory.dmp

                          Filesize

                          460KB

                          Download

                        • memory/5100-2-0x00000000005E0000-0x00000000005EB000-memory.dmp

                          Filesize

                          44KB

                          Download