Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/09/2022, 13:35
Static task: static1
Behavioral task: behavioral1
Sample: 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
Resource: win10v2004-20220812-en
General
- Target: 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
- Size: 249KB
- MD5: c5106b7a22b1720d708b2409cf694915
- SHA1: 2bd7a7fad4dedc2228146a22e01458be6ad57673
- SHA256: 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3
- SHA512: 83a3eb96191ff9aafedc4466dd91fa5b7c8b420c320a980feb808b3c39a859d0484123094380b84e663029e9ec27515682715491575fd4c37b2ca51c2282611a
- SSDEEP: 6144:BRbDKHNwLI7DyWIZ2qc6PMLzIwP0M1Qa:nSHGLI7DyWy2qcDzsB
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
resource -> yara_rule
- behavioral1/memory/3560-133-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader
- behavioral1/memory/1512-135-0x00000000001C0000-0x00000000001C9000-memory.dmp -> family_smokeloader
- behavioral1/memory/3560-136-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader
- behavioral1/memory/3560-137-0x0000000000400000-0x0000000000409000-memory.dmp -> family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3D065F79-B6B0-4FCB-A49C-F7616F051ED9}.catalogItem | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{6AFAD9EC-2807-481D-8617-DC1E6542120D}.catalogItem | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
- PID 1512 set thread context of 3560 | 1512 | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe | 75
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
The SCSI device enumeration under HKLM\SYSTEM\...\Enum\SCSI exposes disk vendor and product strings (for example a VMware, VirtualBox or QEMU virtual disk), so malware reads it to detect virtualised sandbox environments before unpacking.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 3560 | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe (2 records)
- 3004 | Process not Found (62 records)
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
- 3560 | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
- 3004 | Process not Found (3 records)
Suspicious use of SendNotifyMessage (3 IoCs)
pid | Process
- 3004 | Process not Found (3 records)
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
- PID 1512 wrote to memory of 3560 | 1512 | 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe | 75 (6 identical records)
Processes
- C:\Users\Admin\AppData\Local\Temp\8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe (PID 1512)
  command line: "C:\Users\Admin\AppData\Local\Temp\8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe (PID 3560, child of 1512)
    command line: "C:\Users\Admin\AppData\Local\Temp\8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Windows\System32\svchost.exe (PID 3264)
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
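The WriteProcessMemory and SetThreadContext records together with the process tree above are what make the injection chain readable: the sample writes into a child process that runs its own image and then redirects one of its threads, and the child is the process that goes on to enumerate the SCSI key and other processes. The following script, an added example and not tria.ge code, takes IoC records in the layout this report prints (the record strings and process list are constructed from the report above, and the record grammars and the list of anti-VM key fragments are assumptions) and derives both findings from them.

```python
"""Reconstruct the injection chain and sandbox-fingerprinting checks from
tria.ge-style behavioural IoC records.  Added example, not tria.ge code."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed input: (pid, parent pid or None, image) from the process tree
# in the report above.
PROCESSES = [
    (1512, None, SAMPLE),
    (3560, 1512, SAMPLE),
    (3264, None, SVCHOST),
]

# Constructed input: IoC records copied from the report above, one per line,
# plus one "File created" record to show that unrelated records are ignored.
IOC_RECORDS = r"""
PID 1512 set thread context of 3560 1512 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe 75
PID 1512 wrote to memory of 3560 1512 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe 75
PID 1512 wrote to memory of 3560 1512 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe 75
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8c22b81f04cbfff5369e880af816b0e759b18d00d609d28e53247bd5a48f78c3.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3D065F79-B6B0-4FCB-A49C-F7616F051ED9}.catalogItem svchost.exe
"""

# Assumed record grammars (simplified from the report's own layout).
INJECT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
REG_RE = re.compile(r"^Key (opened|queried|enumerated) (\\REGISTRY\\\S+) \S+$")

# Assumption: device-enumeration keys whose vendor/product strings reveal a
# hypervisor (e.g. "Ven_VMware", "VBOX") and are therefore read by anti-VM checks.
ANTI_VM_KEY_FRAGMENTS = (r"\Enum\SCSI", r"\Enum\IDE")


def analyse(records: str, processes):
    """Return {'injections': [...], 'anti_vm': [...]} derived from the records."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in processes}
    apis = defaultdict(set)      # (source pid, target pid) -> APIs observed
    reg_ops = defaultdict(set)   # registry key -> operations observed

    for line in records.strip().splitlines():
        m = INJECT_RE.match(line)
        if m:
            src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
            apis[(src, dst)].add("SetThreadContext" if verb.startswith("set") else "WriteProcessMemory")
            continue
        m = REG_RE.match(line)
        if m:
            reg_ops[m.group(2)].add(m.group(1))

    injections = []
    for (src, dst), seen in sorted(apis.items()):
        # Writing into another process and then redirecting one of its threads
        # is the process-hollowing / thread-hijack pattern; a child that runs
        # the same image as its parent is the classic self-hollowing variant.
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            ppid, dst_image = by_pid.get(dst, (None, None))
            _, src_image = by_pid.get(src, (None, None))
            injections.append({
                "source": src,
                "target": dst,
                "apis": sorted(seen),
                "child_same_image": ppid == src and dst_image == src_image,
            })

    anti_vm = []
    for key, ops in sorted(reg_ops.items()):
        # Opening the key alone is common; querying or enumerating device
        # entries is what exposes the vendor strings an anti-VM check needs.
        if any(frag.upper() in key.upper() for frag in ANTI_VM_KEY_FRAGMENTS) and ops & {"queried", "enumerated"}:
            anti_vm.append({"key": key, "ops": sorted(ops)})

    return {"injections": injections, "anti_vm": anti_vm}


if __name__ == "__main__":
    for kind, items in analyse(IOC_RECORDS, PROCESSES).items():
        for item in items:
            print(kind, item)
```

Run on the records above, the script reports one injection from PID 1512 into its same-image child 3560 and one anti-VM registry enumeration of the SCSI key; a record set with a write but no SetThreadContext yields no injection finding, which is the distinction between plain memory writes and the hollowing pattern the signatures flag.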