Analysis
max time kernel: 150s
max time network: 101s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01/01/2023, 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
Resource: win10-20220812-en
General
Target: 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
Size: 238KB
MD5: c40fa573a4c8d8be4789ff752c2fa86a
SHA1: 02578b4dfb0cfeadb2db77f0c2805a4155b39b3f
SHA256: 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52
SHA512: bb00aca6d0049debd61ab14e331f26e963ac9a5e7964413b9e0a05a841ef70af64636cf9228707dc21b225c582cb4849effee9c33033206be5077713c16cec71
SSDEEP: 3072:zXOit41LmHYBJa5GHtbK0kp1SKuNda1L8Zx4kb7WkETM2nvQGW7iSWt:rPiL1JnbJKodAbkATV4b7i
Malware Config
Signatures
-
Detects Smokeloader packer (2 IoCs)
resource | yara_rule
behavioral1/memory/2760-145-0x00000000004F0000-0x00000000004F9000-memory.dmp | family_smokeloader
behavioral1/memory/2760-157-0x00000000004F0000-0x00000000004F9000-memory.dmp | family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
pid | Process
2264 | 26F1.exe
-
Deletes itself (1 IoC)
pid | Process
2820 | Process not Found
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2760 | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
2760 | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
2820 | Process not Found (this row is repeated for all remaining IoCs)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2820 | Process not Found
-
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2760 | 66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2264 | 26F1.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2264 | 26F1.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
2264 | 26F1.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2820 wrote to memory of 2264 | 2820 | Process not Found | 66
PID 2820 wrote to memory of 2264 | 2820 | Process not Found | 66
PID 2820 wrote to memory of 2264 | 2820 | Process not Found | 66
Processes
-
C:\Users\Admin\AppData\Local\Temp\66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\66a0d0f33e178ec233bc7661f36d4ab9e74cb56449fc2f459156909bf7bb7a52.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 2760
-
C:\Users\Admin\AppData\Local\Temp\26F1.exe
Command line: C:\Users\Admin\AppData\Local\Temp\26F1.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2264
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1.4MB
MD5: 86ccf28f3accb4eb7b6e2852cc39593d
SHA1: f31f4fc3a3c3396b61626fa8891c162bfba212a8
SHA256: 4c61833e2f49634448a66566ef75b7ed04a3d83725d0a39594e35a366e5e4c66
SHA512: 8e5d4663e4ca5ea509a05c8e176d39dfeb4f46bed6a78fff3cfb3c98aef1fc69dfb4ee2176ec1e4e9a40def78460b8e42ec47403a9b7c51bbe51b6c8ab13b984