Analysis
- max time kernel: 155s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2022, 08:56
Static task: static1
Behavioral task: behavioral1
- Sample: 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe
- Resource: win10v2004-20220812-en
General
- Target: 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe
- Size: 320KB
- MD5: bd9972da3a086cef4434f306b52dc371
- SHA1: 884ffea6090546877f9f1d3e209a781c3b2c8a19
- SHA256: 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069
- SHA512: e38055dbe65077dd0f28548a146e2e42e7aa0a085a45c4ff1acac9f20340bfe21d97a054393928c44d5aac0526e5733ef1a3728f2a9a27ac411e516f13f0e9bd
- SSDEEP: 6144:VNbLBjy4JXLLZfNYT400y63Mjv9ZiM4VqFF:VNJjy8vZfNYb0y63ivnjSqFF
Malware Config
Signatures
- Detects Smokeloader packer (4 IoCs)
  resource: yara_rule
  | memory dump | rule |
  | behavioral1/memory/4924-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader |
  | behavioral1/memory/4748-135-0x0000000000030000-0x0000000000039000-memory.dmp | family_smokeloader |
  | behavioral1/memory/4924-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader |
  | behavioral1/memory/4924-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader |
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext (1 IoC)
  | description | pid | Process | procid_target |
  | PID 4748 set thread context of 4924 | 4748 | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe | 80 |
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  | description | ioc | Process |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
  | Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
  | Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  | pid | Process |
  | 4924 | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
  | 4924 | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
  | 2980 | Process not Found (same entry repeated for all remaining IoCs) |
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  | pid | Process |
  | 2980 | Process not Found |
- Suspicious behavior: MapViewOfSection (1 IoC)
  | pid | Process |
  | 4924 | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe |
- Suspicious use of WriteProcessMemory (6 IoCs)
  | description | pid | Process | procid_target |
  | PID 4748 wrote to memory of 4924 | 4748 | 25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe | 80 |
  (the same row is recorded 6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe"
  PID: 4748
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe (child of PID 4748)
    command line: "C:\Users\Admin\AppData\Local\Temp\25efa3640c9ec3c4429740429b6bcdfc17a299bfa6f34880c1813ad289651069.exe"
    PID: 4924
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection