Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2022, 01:39
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
  - Resource: win10v2004-20220812-en
General
- Target: 0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
- Size: 206KB
- MD5: 1ae24c73d964d9c3b1e98ebcce80187f
- SHA1: ace5b854c401eb86ce72915af9353455dcf0ac1f
- SHA256: 0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431
- SHA512: d55afcb7ca251c8d9009e6d93e0144646d18842769384f82f74a8e52679a043a49828e1afdbebee572cf8f1d428f17ef824e5a0a1c338dab339e24bd55f5e0a8
- SSDEEP: 3072:M86QifjOahZzGwSJcRDP0wnOo87zEZVsLok1aX2CGKK3jlI/V5xp:i991GwBnOo87z8ask1IlGKdN
Malware Config
Signatures
-
Detects Smokeloader packer (6 IoCs)
resource                                                                      yara_rule
behavioral1/memory/5016-133-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/3088-135-0x00000000048B0000-0x00000000048B9000-memory.dmp  family_smokeloader
behavioral1/memory/5016-136-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/5016-137-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/1980-144-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/1980-145-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE (2 IoCs)
pid   Process
3228  asscfuc
1980  asscfuc
-
Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process                                                               procid_target
PID 3088 set thread context of 5016  3088  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe  82
PID 3228 set thread context of 1980  3228  asscfuc                                                               92
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  asscfuc
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  asscfuc
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  asscfuc
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
-
Modifies registry class (2 IoCs)
description  ioc                                                                                                              Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                 Process not Found
Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Process not Found
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
5016  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
5016  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
376   Process not Found  (the same entry repeated 62 times)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  Process
376  Process not Found
-
Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
5016  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
1980  asscfuc
-
Suspicious use of AdjustPrivilegeToken (34 IoCs)
description                       pid  Process
Token: SeShutdownPrivilege        376  Process not Found  (17 entries, alternating with the entry below)
Token: SeCreatePagefilePrivilege  376  Process not Found  (17 entries)
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid  Process
376  Process not Found
376  Process not Found
-
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                                               procid_target
PID 3088 wrote to memory of 5016  3088  0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe  82  (6 identical entries)
PID 3228 wrote to memory of 1980  3228  asscfuc                                                               92  (6 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3088
  - C:\Users\Admin\AppData\Local\Temp\0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe (child of PID 3088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 5016
- C:\Users\Admin\AppData\Roaming\asscfuc
  Command line: C:\Users\Admin\AppData\Roaming\asscfuc
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3228
  - C:\Users\Admin\AppData\Roaming\asscfuc (child of PID 3228)
    Command line: C:\Users\Admin\AppData\Roaming\asscfuc
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 1980
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 206KB
MD5: 1ae24c73d964d9c3b1e98ebcce80187f
SHA1: ace5b854c401eb86ce72915af9353455dcf0ac1f
SHA256: 0be73f991e0ac54df68f61597038ccd931a06603211dd2dbc665fb62a239a431
SHA512: d55afcb7ca251c8d9009e6d93e0144646d18842769384f82f74a8e52679a043a49828e1afdbebee572cf8f1d428f17ef824e5a0a1c338dab339e24bd55f5e0a8