Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
27/11/2022, 20:59
General
-
Target
a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe
-
Size
167KB
-
MD5
f1d96c5821eb465ded1b71741495160b
-
SHA1
2fd76d480926bbf64e5d735eecece6e8cb321b8d
-
SHA256
a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630
-
SHA512
b8881c880ab85392937265123285ba72111f9269b8b20a54546d84a20f00c710ef6e488b577dde46e4e4dfa2348a469610c999fb500b5f07fbce6f9d37fe5899
-
SSDEEP
3072:uyq1JTIDugFXJS5rCQGXTqmGxQHAHmBVUdaJnXTSnj2:mtwRFXTqVeAsVUEJG2
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe"C:\Users\Admin\AppData\Local\Temp\a9a9844f37ba6c20d2fba0f1b4fd5c7e1acd06f75b10d8a88ca72567430b1630.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\68AD.exeC:\Users\Admin\AppData\Local\Temp\68AD.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Weheooup.dll,start2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 4922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1820 -ip 18201⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5ae7a6e5474e6f83bd69291c89b322171
SHA1345fd599a443ac15d89df887121b602e40a375b5
SHA256bb263c2c0927449caf1a7a7fcb7d9665bc876d02977d9d8fec7665009e6e63e8
SHA5122154547451edd66a0b4adad43db0c909ed934ebf1ae14a667650184ae0bba55d00bb454759685b1ccc2c3fb5b04293e81c068e947c1998055b0bff720bc2c30e
-
Filesize
3.6MB
MD5ae7a6e5474e6f83bd69291c89b322171
SHA1345fd599a443ac15d89df887121b602e40a375b5
SHA256bb263c2c0927449caf1a7a7fcb7d9665bc876d02977d9d8fec7665009e6e63e8
SHA5122154547451edd66a0b4adad43db0c909ed934ebf1ae14a667650184ae0bba55d00bb454759685b1ccc2c3fb5b04293e81c068e947c1998055b0bff720bc2c30e
-
Filesize
4.2MB
MD5aac25d16eeab705a9de4cc269646de91
SHA1565213e9f1bbcd04541588e670cc8a98225bc3a3
SHA2569c3707a5255ad32654b34ae6c3a42a85a794b29d3a01cf4b42512198beb40978
SHA5122bc76b040bd1a542eddf7641370e2090a2148262e1c53cea5ae6544ad5eeafa2c3bf1bc8c9684ca339237f5913c35984496427f18f1451278bd9a3a2c452a159
-
Filesize
4.2MB
MD5aac25d16eeab705a9de4cc269646de91
SHA1565213e9f1bbcd04541588e670cc8a98225bc3a3
SHA2569c3707a5255ad32654b34ae6c3a42a85a794b29d3a01cf4b42512198beb40978
SHA5122bc76b040bd1a542eddf7641370e2090a2148262e1c53cea5ae6544ad5eeafa2c3bf1bc8c9684ca339237f5913c35984496427f18f1451278bd9a3a2c452a159
-
Filesize
4.2MB
MD5aac25d16eeab705a9de4cc269646de91
SHA1565213e9f1bbcd04541588e670cc8a98225bc3a3
SHA2569c3707a5255ad32654b34ae6c3a42a85a794b29d3a01cf4b42512198beb40978
SHA5122bc76b040bd1a542eddf7641370e2090a2148262e1c53cea5ae6544ad5eeafa2c3bf1bc8c9684ca339237f5913c35984496427f18f1451278bd9a3a2c452a159
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
3.5MB
-
Filesize
4.9MB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
36KB