Analysis
  Max time kernel: 150s
  Max time network: 145s
  Platform: windows10-2004_x64
  Resource: win10v2004-20221111-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 21/12/2022, 03:39
Static task: static1
Behavioral task: behavioral1
  Sample: 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  Resource: win10v2004-20221111-en
General
  Target: 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  Size: 220KB
  MD5: 8486895317ca2a41ee3dfe5aa4791e19
  SHA1: c2faa783b03a1624732fb8ea0b0057604831d8ef
  SHA256: 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5
  SHA512: b927d832a9b40993dec1289d5b0be8922e77d96adcee74c573a18dc103f2f6cd05498a154022cdba27c94f255d12e38b5661366bbd47f875568d24784f1e0fb5
  SSDEEP: 3072:c44rLKd115rUWBdK3g5hpIGXYuERe/+V7b/73LNHCDml:d2LKd6WdKmIGXrP/mLpCa
Malware Config
Signatures

- Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/4800-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4856-135-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader
  behavioral1/memory/4800-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4800-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4856 set thread context of 4800 | 4856 | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe | 81

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4800 | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  4800 | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  764 | Process not Found (every remaining entry in this list is this same row)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  764 | Process not Found

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4800 | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4856 wrote to memory of 4800 | 4856 | 8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe | 81
  (the same row is listed six times in the report)
Processes

C:\Users\Admin\AppData\Local\Temp\8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe"
  PID: 4856
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  └─ C:\Users\Admin\AppData\Local\Temp\8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\8d02a0c4a8b69f5521878aaa6b75ec810e230e75748efb74eb8067dc60d273d5.exe"
       PID: 4800
       - Checks SCSI registry key(s)
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection