Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23/11/2022, 21:04
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
General
-
Target
file.exe
-
Size
186KB
-
MD5
212889c268e37fdf0052b3ec0e6dd6fe
-
SHA1
78037cf5caa71fb7ab0f9fa44b22dc988cfab2c0
-
SHA256
438aa9cc91d13dfa86644426b8f90be7f3302bbdbb70fcd71b3ede8c5ff9e464
-
SHA512
549c9adc2d0346162854d34aeea5d55490e071e64705c8549f8e41a18af75502bbf913afb095240380e748fe67a906c82115948f924f0aa33e1b9f1899d878b4
-
SSDEEP
3072:WkfRIWEJ/Fk2wLE4k3Vxj5RttJFtDQ5KMoupWGERWM:XfKwLE4iXbJFDhVGEg
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/4344-134-0x0000000002380000-0x0000000002389000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 63 100 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 216 F349.exe -
Loads dropped DLL 1 IoCs
pid Process 100 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 100 set thread context of 3716 100 rundll32.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 752 216 WerFault.exe 87 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found -
Modifies registry class 8 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4344 file.exe 4344 file.exe 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found 3076 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3076 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4344 file.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found Token: SeDebugPrivilege 100 rundll32.exe Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found Token: SeShutdownPrivilege 3076 Process not Found Token: SeCreatePagefilePrivilege 3076 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3716 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3076 Process not Found 3076 Process not Found -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3076 wrote to memory of 216 3076 Process not Found 87 PID 3076 wrote to memory of 216 3076 Process not Found 87 PID 3076 wrote to memory of 216 3076 Process not Found 87 PID 216 wrote to memory of 100 216 F349.exe 88 PID 216 wrote to memory of 100 216 F349.exe 88 PID 216 wrote to memory of 100 216 F349.exe 88 PID 100 wrote to memory of 3716 100 rundll32.exe 92 PID 100 wrote to memory of 3716 100 rundll32.exe 92 PID 100 wrote to memory of 3716 100 rundll32.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4344
-
C:\Users\Admin\AppData\Local\Temp\F349.exeC:\Users\Admin\AppData\Local\Temp\F349.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:100 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141773⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3716
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 5362⤵
- Program crash
PID:752
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 216 -ip 2161⤵PID:5072
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD550dc29462e6fa8a11f318d807bf8e576
SHA1f451955773ef0c5a2381aeb0dccfbc9d3ee85c7e
SHA2563aad58d46fbe80b58a6d7eb22f1049c7c900a9764c36d3b10708dd8d536b6862
SHA5120aa13299262046781208158e5b046e1df155e198927d2bb9fad5358e8255fc50dfc906c98f42c9d057c8078a1af91e088cab5e4920ea4b7478ccce19d7178a70
-
Filesize
1.0MB
MD550dc29462e6fa8a11f318d807bf8e576
SHA1f451955773ef0c5a2381aeb0dccfbc9d3ee85c7e
SHA2563aad58d46fbe80b58a6d7eb22f1049c7c900a9764c36d3b10708dd8d536b6862
SHA5120aa13299262046781208158e5b046e1df155e198927d2bb9fad5358e8255fc50dfc906c98f42c9d057c8078a1af91e088cab5e4920ea4b7478ccce19d7178a70
-
Filesize
774KB
MD5d5e88f35e214f2dff51a7d494316bac2
SHA16306dfa71c4e32dede210631cf90732693c0afcf
SHA256f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4
SHA512ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d
-
Filesize
774KB
MD5d5e88f35e214f2dff51a7d494316bac2
SHA16306dfa71c4e32dede210631cf90732693c0afcf
SHA256f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4
SHA512ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d