Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21/12/2022, 12:28
General
-
Target
71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0.exe
-
Size
227KB
-
MD5
a9f127a12daffee261db244461d88d4d
-
SHA1
87c3daaeb52d3752cfe2490f2bd50fa4aa662c18
-
SHA256
71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0
-
SHA512
d841a8164fed58f455ee035ff88bd42414af7ca1865b9e72ab79601b91d9f9752786020eeaea543dce9048431dd0270dc6ec146121a28f66f163a08b5e7ee522
-
SSDEEP
6144:5GtLRU8PORjhRzo53oTqW85sbqkfeRu4:ItKKgjno53cb68
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of FindShellTrayWindow 10 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0.exe"C:\Users\Admin\AppData\Local\Temp\71fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\EB6E.exeC:\Users\Admin\AppData\Local\Temp\EB6E.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp",Ritwuoaoyiy2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 189163⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 5282⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3928 -ip 39281⤵
-
C:\Users\Admin\AppData\Local\Temp\3D68.exeC:\Users\Admin\AppData\Local\Temp\3D68.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3D68.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 19922⤵
- Program crash
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5016 -ip 50161⤵
-
C:\Users\Admin\AppData\Roaming\dsvjbcwC:\Users\Admin\AppData\Roaming\dsvjbcw1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
345KB
MD589337ce7760628d22c0852a4e8a4ec3c
SHA1f8a3de35622cef7badd7b7d8eed15d1efe533c03
SHA256f4903708e3119ee5614cdff2071f645a3e1be93826b7e45f7302854c1e925ced
SHA51210d8e9a5537c63ebda34f4966ea814c6996d1b2af5ea09131c570ab185e51e605e667f3e98614616661657864a3699facba9931040e77847e420446f622b2a08
-
Filesize
345KB
MD589337ce7760628d22c0852a4e8a4ec3c
SHA1f8a3de35622cef7badd7b7d8eed15d1efe533c03
SHA256f4903708e3119ee5614cdff2071f645a3e1be93826b7e45f7302854c1e925ced
SHA51210d8e9a5537c63ebda34f4966ea814c6996d1b2af5ea09131c570ab185e51e605e667f3e98614616661657864a3699facba9931040e77847e420446f622b2a08
-
Filesize
1.1MB
MD54d222d2ee00721bdf84d257393121cc8
SHA1f70941425a42c8234e6abee56bee71b6b9446cf3
SHA256bbe6ffbc1d76127fbc55dcaac50f78602d49037157253c772da036878b5a597d
SHA512d704eb36d4ebf6989e3b2b617f28ad473a444682d27e92177d0cc4843031e0ecd32a3948f6b48e211c31ca9020cb3725c3ff994a460fda72667eb91bf557ead7
-
Filesize
1.1MB
MD54d222d2ee00721bdf84d257393121cc8
SHA1f70941425a42c8234e6abee56bee71b6b9446cf3
SHA256bbe6ffbc1d76127fbc55dcaac50f78602d49037157253c772da036878b5a597d
SHA512d704eb36d4ebf6989e3b2b617f28ad473a444682d27e92177d0cc4843031e0ecd32a3948f6b48e211c31ca9020cb3725c3ff994a460fda72667eb91bf557ead7
-
Filesize
814KB
MD5f93876956e6e2f754c8be97ac269729d
SHA1bf0eb05f31b4177e5e2fdeb203698d5018c8ee12
SHA256226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a
SHA512c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb
-
Filesize
814KB
MD5f93876956e6e2f754c8be97ac269729d
SHA1bf0eb05f31b4177e5e2fdeb203698d5018c8ee12
SHA256226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a
SHA512c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb
-
Filesize
227KB
MD5a9f127a12daffee261db244461d88d4d
SHA187c3daaeb52d3752cfe2490f2bd50fa4aa662c18
SHA25671fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0
SHA512d841a8164fed58f455ee035ff88bd42414af7ca1865b9e72ab79601b91d9f9752786020eeaea543dce9048431dd0270dc6ec146121a28f66f163a08b5e7ee522
-
Filesize
227KB
MD5a9f127a12daffee261db244461d88d4d
SHA187c3daaeb52d3752cfe2490f2bd50fa4aa662c18
SHA25671fa869efa924ab2112f97f4eeaee7062bddd34811ea29a8bb406047f08f9fc0
SHA512d841a8164fed58f455ee035ff88bd42414af7ca1865b9e72ab79601b91d9f9752786020eeaea543dce9048431dd0270dc6ec146121a28f66f163a08b5e7ee522
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
36KB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.6MB
-
Filesize
2.7MB
-
Filesize
388KB
-
Filesize
388KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
944KB
-
Filesize
184KB
-
Filesize
584KB
-
Filesize
184KB
-
Filesize
508KB
-
Filesize
184KB
-
Filesize
508KB
-
Filesize
508KB
-
Filesize
332KB