Analysis
- max time kernel: 153s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 11:42
Static task: static1
Behavioral task: behavioral1
Sample: b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
Resource: win10v2004-20220812-en
General
- Target: b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
- Size: 287KB
- MD5: 6dae8999963fbee8549ba06190964a1e
- SHA1: 03cbe60b26179b014202389d99811d5d9c56bf32
- SHA256: b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d
- SHA512: d1a8f9d91d808a6965cdc3ecf8f333a7f465b5ecd3f3c7e58313d541692bf653e742e26e180a32bde096129ddd2c02e037a97af7c6fa0104821905e411eb2669
- SSDEEP: 6144:bUBv2rLXTSKcy3/oAgT02tB7GD5UZvbQr:bUBynEy3gAs0IGqMr
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/5008-133-0x0000000002D90000-0x0000000002D99000-memory.dmp
  yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  5008 | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
  5008 | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
  2644 | Process not Found (all remaining entries are identical to this row)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  2644 | Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  5008 | b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b049ca620ce8b9411ca6d7e05a5b1aa6420fb1381c32b36c121135f2ca3abb4d.exe"
  PID: 5008
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection