Analysis
  max time kernel:  151s
  max time network: 149s
  platform:         windows11-21h2_x64
  resource:         win11-20240221-en
  resource tags:    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:        26/03/2024, 22:08
Static task
  static1
Behavioral task
  behavioral1
    Sample:   c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    Resource: win10v2004-20240226-en
Behavioral task
  behavioral2
    Sample:   c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    Resource: win11-20240221-en
General
  Target: c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
  Size:   310KB
  MD5:    dbb56492a396cdf8bdcb2f9cdabb7c0f
  SHA1:   af8b1578f4b99f56acbdf129ac212a2b860cb134
  SHA256: c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589
  SHA512: c33edfde4f75a3667a7b27bbe0f023ba4d2255d2a8ea5918cb9291af2d49f39ace965eaca50981bec45d3fbc9ec437b41f3d18631adc34b576a05919093dd560
  SSDEEP: 3072:sx7/kXDb/S+1C+SUoIiXUd4fnMm68HMK4zNUQ7mrhsb4LNeIIeuTTSz+dcFjTmc:s1eCrUd4L0NUQytsb4Lbu3Y+dcFjT
Malware Config
  Extracted
    Family:  smokeloader
    Botnet:  pub1
  Extracted
    Family:  smokeloader
    Version: 2022
    C2:      http://trad-einmyus.com/index.php
             http://tradein-myus.com/index.php
             http://trade-inmyus.com/index.php
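The three C2 URLs above are the part of this report most analysts act on first. The following is an added example (not tria.ge code and not code recovered from the sample) that turns them into host/path indicators and sweeps web-proxy log lines for contact. The URLs are copied from the Malware Config; the log format and the five log lines are constructed here to exercise the matcher, including a lookalike host that must not match.

```python
"""Match the SmokeLoader C2 URLs from this report against web-proxy log lines.

Added example for this report, not tria.ge code and not the sample's code.
The three URLs are copied from the Malware Config above; the proxy log lines
and their format are constructed here purely to exercise the matcher.
"""
import re
from urllib.parse import urlsplit

C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
]

# Constructed proxy log, one request per line: "<epoch> <client> <method> <url> <status>".
# Line 1 tests host case-folding, line 4 a known host with a different path,
# line 5 a lookalike host that must NOT match (suffix match, not equality).
SAMPLE_PROXY_LOG = """\
1711490000.123 10.0.0.15 POST http://TRAD-EINMYUS.COM/index.php 200
1711490001.456 10.0.0.15 GET http://www.example.com/ 200
1711490002.789 10.0.0.22 POST http://tradein-myus.com/index.php 404
1711490003.000 10.0.0.22 GET http://trade-inmyus.com/ 200
1711490004.000 10.0.0.31 GET http://trade-inmyus.com.evil.test/index.php 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def c2_indicators(urls=C2_URLS):
    """Map lowercase C2 host -> set of C2 paths, so host and path are checked separately."""
    hosts = {}
    for u in urls:
        parts = urlsplit(u)
        hosts.setdefault(parts.hostname.lower(), set()).add(parts.path)
    return hosts


def find_c2_hits(log_text, urls=C2_URLS):
    """Return (client, host, method, status, exact) for each request to a C2 host.

    `exact` is True when the path is also one the config lists (here /index.php);
    a host-only hit is still reported because the same host may serve other paths.
    Hosts are compared for equality, so "trade-inmyus.com.evil.test" is not a hit.
    """
    iocs = c2_indicators(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host in iocs:
            hits.append((m["client"], host, m["method"], int(m["status"]), parts.path in iocs[host]))
    return hits


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print(hit)
```

Host-only matches are kept deliberately: the config pins /index.php, but a client that reached the same domain on any path has resolved and connected to the C2 infrastructure and deserves the same triage. Parse the URL with urlsplit rather than substring-matching the raw log line, otherwise the lookalike on line 5 would be a false positive.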
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Downloads MZ/PE file
  Deletes itself (1 IoC)
    pid   Process
    3268  Process not Found
  Executes dropped EXE (1 IoC)
    pid   Process
    892   dahfesw
  Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    description     ioc                                               Process
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dahfesw
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dahfesw
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dahfesw
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   count  Process
    2728  2      c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    3268  62     Process not Found
  Suspicious behavior: MapViewOfSection (2 IoCs)
    pid   Process
    2728  c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    892   dahfesw
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                       pid   Process
    Token: SeShutdownPrivilege        3268  Process not Found
    Token: SeCreatePagefilePrivilege  3268  Process not Found
  Suspicious use of UnmapMainImage (1 IoC)
    pid   Process
    3268  Process not Found
  Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process            procid_target
    PID 3268 wrote to memory of 2988  3268  Process not Found  81
    PID 3268 wrote to memory of 2988  3268  Process not Found  81
    PID 2988 wrote to memory of 1712  2988  cmd.exe            83
    PID 2988 wrote to memory of 1712  2988  cmd.exe            83
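The "Checks SCSI registry key(s)" signature above fires because both the sample and the dropped dahfesw open, enumerate and query HKLM\SYSTEM\ControlSet001\Enum\SCSI. The following is an added illustration of what such a check keys on; it is not code recovered from the sample and not tria.ge code. The registry path is the one in the signature; the virtualisation marker strings and the two constructed device-name lists are assumptions chosen to make the logic concrete. The live enumeration only works on Windows and returns nothing elsewhere, so the classification is shown on the constructed lists.

```python
"""Sketch of the SCSI-enumeration sandbox check that this report flags.

Added illustration, not code recovered from the sample. The registry path is
the one in the signature above; the marker strings and the two constructed
device lists are assumptions chosen to show what the check keys on.
"""
import sys

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings that typically appear in the device-instance names of virtual
# disks and optical drives (assumed list; extend it for your own hypervisors).
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN", "RED HAT")


def enumerate_scsi_devices():
    """Return the subkey names under HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.

    Only Windows has this hive; elsewhere return [] so the rest stays testable.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # raised once the index runs past the last subkey
                break
            index += 1
    return names


def vm_indicators(device_names):
    """Return the device-instance names that contain a virtualisation marker."""
    return [name for name in device_names if any(m in name.upper() for m in VM_MARKERS)]


def looks_like_sandbox(device_names):
    """True when any SCSI device name points at a hypervisor-provided disk."""
    return bool(vm_indicators(device_names))


# Constructed examples of what the enumeration returns on a VMware guest and on
# bare metal; real names follow the "<Class>&Ven_<vendor>&Prod_<product>" form.
CONSTRUCTED_VMWARE = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
CONSTRUCTED_BARE_METAL = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    live = enumerate_scsi_devices() or CONSTRUCTED_VMWARE
    print("sandbox-like" if looks_like_sandbox(live) else "no VM marker", vm_indicators(live))
```

The same list is useful on the defensive side: run it inside your own analysis VM and, if it returns hits, expect samples like this one to behave differently there than on a victim host. Sandbox operators typically counter by exposing disks whose vendor and product strings do not name the hypervisor.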
Processes
  C:\Users\Admin\AppData\Local\Temp\c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe"
    PID: 2728
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA43.bat" "
    PID: 2988
    - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe
        command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        PID: 1712
  C:\Users\Admin\AppData\Roaming\dahfesw
    command line: C:\Users\Admin\AppData\Roaming\dahfesw
    PID: 892
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
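The WriteProcessMemory rows and the process list together let you recover who launched the batch file that writes HKEY_CURRENT_USER\Software\clicker\key. The following is an added example (not tria.ge code) that parses the four "wrote to memory of" rows and the command lines copied from this report, rebuilds the parent/child links, and walks back from the reg.exe write to its origin. Reading a parent's write into a freshly created child as evidence that the parent created it is the analyst's assumption, stated here and in the code. PID 3268 has no creation record in the Processes section, which is why the report only ever shows it as "Process not Found".

```python
"""Rebuild parent/child links from the report's "wrote to memory of" rows and
walk back from the reg.exe persistence write to its origin.

Added example, not tria.ge code. The four WriteProcessMemory rows and the
command lines are copied from this report; reading a parent's write into a
freshly created child as evidence of process creation is the analyst's
assumption. PID 3268 has no creation record in the Processes section, so it
only ever appears as "Process not Found".
"""
import re

WPM_ROWS = """\
PID 3268 wrote to memory of 2988 3268 Process not Found 81
PID 3268 wrote to memory of 2988 3268 Process not Found 81
PID 2988 wrote to memory of 1712 2988 cmd.exe 83
PID 2988 wrote to memory of 1712 2988 cmd.exe 83
"""

# Command lines from the Processes section, keyed by PID (3268 has none).
CMDLINES = {
    2728: r'"C:\Users\Admin\AppData\Local\Temp\c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589.exe"',
    2988: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DA43.bat" "',
    1712: r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    892: r'C:\Users\Admin\AppData\Roaming\dahfesw',
}

# Row layout: "PID <src> wrote to memory of <dst> <src again> <src name> <target index>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?) (\d+)$")

# A reg add against the current user's hive, with or without surrounding quotes.
HKCU_REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?(HK(?:EY_CURRENT_USER|CU)\\[^"\s]*)', re.IGNORECASE)


def parse_wpm(rows):
    """Return (parents, names): child pid -> parent pid, and pid -> process name."""
    parents, names = {}, {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, name, _target_index = m.groups()
        parents[int(dst)] = int(src)  # duplicate rows collapse naturally
        names[int(src)] = name
    return parents, names


def ancestry(pid, parents):
    """Chain of pids from the topmost known ancestor down to `pid`."""
    chain = [pid]
    while chain[-1] in parents:
        parent = parents[chain[-1]]
        if parent in chain:  # malformed input could loop; never spin forever
            break
        chain.append(parent)
    return chain[::-1]


def describe(chain, cmdlines, names):
    """Human-readable chain: command line where known, else the report's process name."""
    return [cmdlines.get(p) or names.get(p, "pid %d (unknown)" % p) for p in chain]


def find_hkcu_persistence(cmdlines, parents):
    """(pid, registry key, ancestry) for every reg add that writes under HKCU."""
    hits = []
    for pid, cmd in cmdlines.items():
        m = HKCU_REG_ADD_RE.search(cmd)
        if m:
            hits.append((pid, m.group(1), ancestry(pid, parents)))
    return hits


if __name__ == "__main__":
    parents, names = parse_wpm(WPM_ROWS)
    for pid, key, chain in find_hkcu_persistence(CMDLINES, parents):
        print("reg add to", key, "by pid", pid)
        for step in describe(chain, CMDLINES, names):
            print("   ", step)
```

The recovered chain is Process not Found (3268) -> cmd.exe running DA43.bat (2988) -> reg.exe (1712). Neither the sample (2728) nor dahfesw (892) appears in the WriteProcessMemory rows, so the report alone does not tie them to 3268; that link has to come from the injection-related signatures, not from this table.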
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 77B
    MD5:    55cc761bf3429324e5a0095cab002113
    SHA1:   2cc1ef4542a4e92d4158ab3978425d517fafd16d
    SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
    SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
  Filesize: 310KB (same hashes as the submitted sample)
    MD5:    dbb56492a396cdf8bdcb2f9cdabb7c0f
    SHA1:   af8b1578f4b99f56acbdf129ac212a2b860cb134
    SHA256: c42f13321ee181c267897c3247a66bfba3398d7ea2723aee7cc530649feba589
    SHA512: c33edfde4f75a3667a7b27bbe0f023ba4d2255d2a8ea5918cb9291af2d49f39ace965eaca50981bec45d3fbc9ec437b41f3d18631adc34b576a05919093dd560