Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21/12/2022, 01:03
Static task
static1
General
-
Target
2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe
-
Size
220KB
-
MD5
1b3296feebd7acbb95209850fe0240a0
-
SHA1
f9c3aa88204b11032c5befab17ea3af0ba4b5ec4
-
SHA256
2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e
-
SHA512
0e79d43822842362a3203a8e39f96736da787fe38aa1907ab885f5c362d6cdb828cba8f3274ffdb042eacf020af671e0c5fd61e74e7d42de576d59e195233ecc
-
SSDEEP
3072:cELVLUN1156byKcxTvjjpkSLcjYCxMsehlV7b/99RONHCDml:55LUNkbEvXpkSLc0gMseh7F9yCa
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/2220-133-0x00000000001F0000-0x00000000001F9000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process 59 112 rundll32.exe 63 112 rundll32.exe 111 112 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1176 E10E.exe -
Loads dropped DLL 1 IoCs
pid Process 112 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 112 set thread context of 4100 112 rundll32.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3852 1176 WerFault.exe 86 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe -
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found -
Modifies registry class 30 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000095558d10100054656d7000003a0009000400efbe0c551999955590102e000000000000000000000000000000000000000000000000000dc92101540065006d007000000014000000 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 700 Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2220 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe 2220 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found 700 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 700 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2220 2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
description pid Process Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found Token: SeShutdownPrivilege 700 Process not Found Token: SeCreatePagefilePrivilege 700 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4100 rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 700 Process not Found 700 Process not Found -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 700 wrote to memory of 1176 700 Process not Found 86 PID 700 wrote to memory of 1176 700 Process not Found 86 PID 700 wrote to memory of 1176 700 Process not Found 86 PID 1176 wrote to memory of 112 1176 E10E.exe 87 PID 1176 wrote to memory of 112 1176 E10E.exe 87 PID 1176 wrote to memory of 112 1176 E10E.exe 87 PID 112 wrote to memory of 4100 112 rundll32.exe 91 PID 112 wrote to memory of 4100 112 rundll32.exe 91 PID 112 wrote to memory of 4100 112 rundll32.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe"C:\Users\Admin\AppData\Local\Temp\2eef0e11d2a80a59af4884cf4596936f64ffe04385c81d691f642f6a5f12518e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220
-
C:\Users\Admin\AppData\Local\Temp\E10E.exeC:\Users\Admin\AppData\Local\Temp\E10E.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141443⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4100
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 5282⤵
- Program crash
PID:3852
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1176 -ip 11761⤵PID:564
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3488
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD57e9ce657b646e0ecff706bf6680061f0
SHA18f576b573c55ba4b3a36b495e9ab0361270b0fd7
SHA256f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9
SHA512360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d
-
Filesize
1.1MB
MD57e9ce657b646e0ecff706bf6680061f0
SHA18f576b573c55ba4b3a36b495e9ab0361270b0fd7
SHA256f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9
SHA512360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d
-
Filesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
Filesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26