Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17/09/2022, 13:29
General
-
Target
eb6e244c66a5598aab05cdc653a5781faa499773294f2016bb5c13f9bfc7c782.exe
-
Size
290KB
-
MD5
e81b64e167a82274326035abfcca58dd
-
SHA1
074f8417cdba35a0d3d51ca1fddc69939b4dcc2c
-
SHA256
eb6e244c66a5598aab05cdc653a5781faa499773294f2016bb5c13f9bfc7c782
-
SHA512
f0a6b4a4b90aa59c5ba1ec592ed44e04859de5c56bccc62dec689fec4284ca4500cb207e447fbf7d161ae4d0ad4d2e6d0759b7cc7c0a7331fc4e28fccfe6f94c
-
SSDEEP
6144:LqOLtzdutR5v6AfkJyCdZwEkk0hXnigabwVfs:LqOJzdEoJyCd2Fti
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb6e244c66a5598aab05cdc653a5781faa499773294f2016bb5c13f9bfc7c782.exe"C:\Users\Admin\AppData\Local\Temp\eb6e244c66a5598aab05cdc653a5781faa499773294f2016bb5c13f9bfc7c782.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EB20.exeC:\Users\Admin\AppData\Local\Temp\EB20.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\13F6.exeC:\Users\Admin\AppData\Local\Temp\13F6.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1E77.exeC:\Users\Admin\AppData\Local\Temp\1E77.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "Get-WmiObject Win32_PortConnector"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
509KB
MD563dda87c7869028ef80b5038c9627191
SHA186f15cdac475317fc3a796792b78f74ccb61e1e9
SHA256855c9907076eff340498370dcab67b5a229da93168a99ae33672e0031f15b329
SHA512bfcc8b314eba95e85d89a0dbf0f77e9b4bbea079b511003ec2d0515e2f2c2b4f85112b5a5d3c30c79d8bcc408c6fb1e05fa99a3d5280b9f1259eaf8179511b36
-
Filesize
509KB
MD563dda87c7869028ef80b5038c9627191
SHA186f15cdac475317fc3a796792b78f74ccb61e1e9
SHA256855c9907076eff340498370dcab67b5a229da93168a99ae33672e0031f15b329
SHA512bfcc8b314eba95e85d89a0dbf0f77e9b4bbea079b511003ec2d0515e2f2c2b4f85112b5a5d3c30c79d8bcc408c6fb1e05fa99a3d5280b9f1259eaf8179511b36
-
Filesize
5.1MB
MD588a97d011f511b0f820d784520797f5d
SHA1f627b180eb1beae6f9f8320d2fd015523967ca7a
SHA256c243ce72605b11f0136f74d54ece5cad4c9d5a099a52798fca637a5fe0e31549
SHA5123069bed92afd9cd30d63b7d7427f4f0a35a371bba3a22068a102ff6f1d42c35f0b5343eeba64f2d2136fb2d1d6e5323ec299b876e52f033b983ad853fe36849f
-
Filesize
5.1MB
MD588a97d011f511b0f820d784520797f5d
SHA1f627b180eb1beae6f9f8320d2fd015523967ca7a
SHA256c243ce72605b11f0136f74d54ece5cad4c9d5a099a52798fca637a5fe0e31549
SHA5123069bed92afd9cd30d63b7d7427f4f0a35a371bba3a22068a102ff6f1d42c35f0b5343eeba64f2d2136fb2d1d6e5323ec299b876e52f033b983ad853fe36849f
-
Filesize
358KB
MD5184a9b3b2ce488d7a11741898fcb236c
SHA112c9c6d786bc342dd1e7361ace1aed079c0fb393
SHA256a7b8f421b8cdb00be57e58a963443c872272387a1f7c405809f5bb32597c6345
SHA51224797456784434ea984d2b604a2e97e6eb9ed087f1ffee86a992ae93c35dae7868edee00130abf0c60ff20c153e1b32bf292ed0ef7360f0572ce85f2fad608ed
-
Filesize
358KB
MD5184a9b3b2ce488d7a11741898fcb236c
SHA112c9c6d786bc342dd1e7361ace1aed079c0fb393
SHA256a7b8f421b8cdb00be57e58a963443c872272387a1f7c405809f5bb32597c6345
SHA51224797456784434ea984d2b604a2e97e6eb9ed087f1ffee86a992ae93c35dae7868edee00130abf0c60ff20c153e1b32bf292ed0ef7360f0572ce85f2fad608ed
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
18.5MB
-
Filesize
18.5MB
-
Filesize
18.5MB
-
Filesize
312KB
-
Filesize
312KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB