Analysis
- max time kernel: 174s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2022, 17:51
Static task: static1
Behavioral task: behavioral1
- Sample: 6a7dce505e0b3c2986f1b895c401c1f4.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 6a7dce505e0b3c2986f1b895c401c1f4.exe
- Resource: win10v2004-20220812-en
General
- Target: 6a7dce505e0b3c2986f1b895c401c1f4.exe
- Size: 300KB
- MD5: 6a7dce505e0b3c2986f1b895c401c1f4
- SHA1: bf2b8f824b1d3e790d9ee17f6f91fbec1720dfbc
- SHA256: 1bc77d71c5c8030ff0a59f02a18cbe036682f100490106bd78b6fe4a470076e1
- SHA512: a2651e12f90ddefee1230ba7c2b454912d973654ab3ac64fd92ef7923f9b59e971af20fafb33498658a8f357c37ace37716801c16c58b1f49e8408ea559e387a
- SSDEEP: 6144:3S8scbJ3k4mIFrTJaHRBXb3J1eigavwVf:3WcBk4FHJaHPb51T
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral2/memory/1688-133-0x00000000006A0000-0x00000000006A9000-memory.dmp
  yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid 4992: 4963.exe
  pid 3936: 4CA0.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the device instance names under this key carry the disk vendor and product strings, which on a virtual machine name the hypervisor.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6a7dce505e0b3c2986f1b895c401c1f4.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6a7dce505e0b3c2986f1b895c401c1f4.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6a7dce505e0b3c2986f1b895c401c1f4.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1688: 6a7dce505e0b3c2986f1b895c401c1f4.exe (2 entries)
  pid 2204: Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2204: Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1688: 6a7dce505e0b3c2986f1b895c401c1f4.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2204 (Process not Found) wrote to memory of PID 4992 (procid_target 90): 3 entries
  PID 2204 (Process not Found) wrote to memory of PID 3936 (procid_target 91): 3 entries
  PID 2204 is not one of the processes in the tree below; both dropped executables are written into by a process the sandbox could not resolve, not by the sample's own PID 1688.
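The SCSI check flagged under "Checks SCSI registry key(s)" above, as an added example that is not tria.ge's code or the sample's: it performs the same open, query and enumerate sequence on HKLM\SYSTEM\ControlSet001\Enum\SCSI so an analyst can see whether a sandbox VM leaks a hypervisor vendor string through the key the report names, and it runs offline against constructed subkey names. The marker list, the constructed subkey names and the function names are assumptions made for this example.

```python
"""Added example (not tria.ge's or the sample's code).

Reproduces the sandbox check the report flags: open
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI, query the subkey count, enumerate the
subkeys (the three operations logged as "Key opened", "Key queried" and
"Key enumerated"), and look for hypervisor vendor strings in the
device-instance names. Run it on an analysis VM to see what the sample saw.
"""
import sys

# Substrings that hypervisors commonly expose in SCSI device instance IDs.
# Assumption: a typical list for illustration, not exhaustive.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN")

# Constructed subkey names in the shape Windows uses under Enum\SCSI
# (Class&Ven_<vendor>&Prod_<product>); not taken from the report.
CONSTRUCTED_VM_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
CONSTRUCTED_PHYSICAL_KEYS = [
    "Disk&Ven_&Prod_Samsung_SSD_870",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def vm_markers(subkeys):
    """Return the subkey names that contain a hypervisor marker (case-insensitive)."""
    hits = []
    for name in subkeys:
        upper = name.upper()
        if any(marker in upper for marker in VM_MARKERS):
            hits.append(name)
    return hits


def looks_like_vm(subkeys):
    """True if any SCSI device instance carries a hypervisor marker."""
    return bool(vm_markers(subkeys))


def read_scsi_enum(control_set="ControlSet001"):
    """Enumerate the real key on Windows, in the same order the sample did.

    Raises ImportError off Windows and OSError if the key cannot be opened.
    """
    import winreg  # Windows-only module; imported here so the rest runs anywhere

    path = r"SYSTEM\%s\Enum\SCSI" % control_set
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:   # "Key opened"
        subkey_count = winreg.QueryInfoKey(key)[0]                  # "Key queried"
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))                # "Key enumerated"
    return names


if __name__ == "__main__":
    if sys.platform == "win32":
        keys = read_scsi_enum()
        source = "live registry"
    else:
        keys = CONSTRUCTED_VM_KEYS + CONSTRUCTED_PHYSICAL_KEYS
        source = "constructed sample"
    print("SCSI subkeys (%s): %d" % (source, len(keys)))
    for hit in vm_markers(keys):
        print("  hypervisor marker:", hit)
    print("sandbox-visible:", looks_like_vm(keys))
```

If `looks_like_vm` is true on your analysis VM, the sample had the same signal available to it; this example covers only the key the report names, and the same vendor strings can also surface through other device enumeration keys, so clearing Enum\SCSI alone is not a complete fix.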
Processes
- C:\Users\Admin\AppData\Local\Temp\6a7dce505e0b3c2986f1b895c401c1f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6a7dce505e0b3c2986f1b895c401c1f4.exe"
  Depth: 1
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1688
- C:\Users\Admin\AppData\Local\Temp\4963.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4963.exe
  Depth: 1
  - Executes dropped EXE
  PID: 4992
- C:\Users\Admin\AppData\Local\Temp\4CA0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4CA0.exe
  Depth: 1
  - Executes dropped EXE
  PID: 3936
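Detection logic for the pattern in the process tree above, as an added example that is not tria.ge's code: it flags executables launched from the user's Temp directory under four-hex-digit names, as 4963.exe and 4CA0.exe were, and raises the severity when a cross-process memory write into that process is seen, as the report records from PID 2204. The event records are constructed to mirror the report's PIDs plus two controls; their field names are an assumed schema for this example, not a real EDR format.

```python
"""Added example (not tria.ge's code): detection over process telemetry.

Two traits come from the report: payloads run from %TEMP% under
four-hex-digit names (4963.exe, 4CA0.exe), and WriteProcessMemory into each
of them from a PID the sandbox could not resolve (2204, "Process not Found").
The event schema below is an assumption made for this example.
"""
import re
from collections import defaultdict

# Basename of exactly four hex digits plus .exe, directly under the user's
# Temp directory. Case-insensitive, so 4963.exe and 4CA0.exe both match.
TEMP_HEX_EXE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-F]{4}\.exe$", re.IGNORECASE)

# Constructed events mirroring the report's PIDs, plus two controls:
# setup.exe (Temp, but not the naming pattern) and BEEF.exe (pattern, no writer).
# source_image None stands for a writer the telemetry could not name.
EVENTS = [
    {"type": "process_create", "pid": 1688,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6a7dce505e0b3c2986f1b895c401c1f4.exe"},
    {"type": "process_create", "pid": 4992,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4963.exe"},
    {"type": "process_create", "pid": 3936,
     "image": r"C:\Users\Admin\AppData\Local\Temp\4CA0.exe"},
    {"type": "process_create", "pid": 5120,
     "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"type": "process_create", "pid": 7001,
     "image": r"C:\Users\Admin\AppData\Local\Temp\BEEF.exe"},
    {"type": "memory_write", "source_pid": 2204, "source_image": None, "target_pid": 4992},
    {"type": "memory_write", "source_pid": 2204, "source_image": None, "target_pid": 3936},
]


def temp_hex_exe_launches(events):
    """Map pid -> image for process creations matching the Temp naming pattern."""
    return {e["pid"]: e["image"] for e in events
            if e["type"] == "process_create" and TEMP_HEX_EXE.search(e["image"])}


def memory_writers(events):
    """Map target pid -> list of (source pid, source image) that wrote into it."""
    writers = defaultdict(list)
    for e in events:
        if e["type"] == "memory_write":
            writers[e["target_pid"]].append((e["source_pid"], e["source_image"]))
    return writers


def findings(events):
    """Return one finding per suspicious launch, sorted by pid.

    severity: "high" when another process wrote into the new process (the
    report's WriteProcessMemory rows), "medium" on the name pattern alone,
    which legitimate installers can also produce.
    unresolved_writer: a writer whose image the telemetry could not name,
    the analogue of the report's "Process not Found".
    """
    launches = temp_hex_exe_launches(events)
    writers = memory_writers(events)
    out = []
    for pid in sorted(launches):
        srcs = writers.get(pid, [])
        out.append({
            "pid": pid,
            "image": launches[pid],
            "written_by": sorted({src for src, _ in srcs}),
            "unresolved_writer": any(img is None for _, img in srcs),
            "severity": "high" if srcs else "medium",
        })
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print("%-6s pid %-5d %-55s written_by=%s unresolved=%s" % (
            f["severity"], f["pid"], f["image"], f["written_by"], f["unresolved_writer"]))
```

The name heuristic alone stays at medium because short hex-named installers do occur; the memory write from a process the telemetry cannot name is what separates this report's two payloads from the BEEF.exe control, and in a real pipeline that unresolved writer is the process to pull a memory dump from.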
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 766KB (listed twice in the report)
  MD5: 4442123bc9e93e314f0eb444adf258f0
  SHA1: ff0c60ef09499662a3607d8887ae21d4232446d3
  SHA256: adfcc3d526381c7c2fe99e2db561fa91de1591188aea020b08a90e6733209f05
  SHA512: 7c5af88cfea196e7f4203b4c6a0379e58ae323ef4e879831258fabffba3fefce1363d57d9f075119779becebb3444528fd74e9fc8788774468c1af044f9f5dcb
- Filesize: 703KB (listed twice in the report)
  MD5: 1ae1cabb5d6d98e32e779f1e866cd553
  SHA1: 566d2e85d6466ce6b2568ca4db484362a5f8ba54
  SHA256: 208ab84f20b1cb00245df65d3a8873fa14f75a567053777c8413e3e10c335ca2
  SHA512: fb1c825fa51750a737c35b24badd1f2919c4e2e9317d84d86e8029fc76f77898e6d6ab8af2851abbdd7de741c78c71889dec5928b0cfb79eb68b5f1bf0f3d7ba