Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

a28ede8afe...a8.exe

windows7-x64

10

a28ede8afe...a8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/12/2022, 14:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe

  • Size

    30KB

  • MD5

    e7c7dd1609c0ae7d9948db9f5cecb2ab

  • SHA1

    f7d951dee4dd309a299f583afbab259d11221a28

  • SHA256

    a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8

  • SHA512

    5aa6b52c049ddb96b491e8f9c1657bf992df0cfc7075859e4d91eda3e027d64265ca753b96737717546d7b65c41c4f6a1f9938faa8b0372cf8ec7725e60ce2fd

  • SSDEEP

    768:S172poBiLfK2Ss/2q2P66B9QeytQZAERS:O2mBibK4/2PB9Qr2S

Score
10/10
smokeloaderbackdoorcollectiontrojan

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe
    "C:\Users\Admin\AppData\Local\Temp\a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5108
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:4292
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:740
    • C:\Users\Admin\AppData\Roaming\ejwcset
      C:\Users\Admin\AppData\Roaming\ejwcset
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2464

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\ejwcset
      Filesize

      30KB

      MD5

      e7c7dd1609c0ae7d9948db9f5cecb2ab

      SHA1

      f7d951dee4dd309a299f583afbab259d11221a28

      SHA256

      a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8

      SHA512

      5aa6b52c049ddb96b491e8f9c1657bf992df0cfc7075859e4d91eda3e027d64265ca753b96737717546d7b65c41c4f6a1f9938faa8b0372cf8ec7725e60ce2fd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ejwcset
      Filesize

      30KB

      MD5

      e7c7dd1609c0ae7d9948db9f5cecb2ab

      SHA1

      f7d951dee4dd309a299f583afbab259d11221a28

      SHA256

      a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8

      SHA512

      5aa6b52c049ddb96b491e8f9c1657bf992df0cfc7075859e4d91eda3e027d64265ca753b96737717546d7b65c41c4f6a1f9938faa8b0372cf8ec7725e60ce2fd

      Download Submit

    • memory/740-136-0x00000000008E0000-0x00000000008EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2464-142-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2464-143-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4292-137-0x0000000001200000-0x0000000001275000-memory.dmp

      Filesize

      468KB

      Download

    • memory/4292-138-0x0000000000F80000-0x0000000000FEB000-memory.dmp

      Filesize

      428KB

      Download

    • memory/4292-139-0x0000000000F80000-0x0000000000FEB000-memory.dmp

      Filesize

      428KB

      Download

    • memory/5108-132-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download

    • memory/5108-133-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

      Download