Analysis
- max time kernel: 150s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/01/2023, 02:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
- Resource: win10v2004-20220901-en
General
- Target: 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
- Size: 362KB
- MD5: 50d0b50252602b684eedb2ef77a518ae
- SHA1: 89f0c274f06718fd01676664b9d310c97dcf743e
- SHA256: 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378
- SHA512: 9813e471c24fed8cd57a39deb5cb6170035727ce90c1eacd89e93f3c82b2578643aef8ddbdfce2f0bf6a595de300ba9428455e5f6502835da2ad922b21bdb301
- SSDEEP: 6144:lrL//aMSvSBVC4xd5uxA6s9NoxupmLe7LjT:lrLaM0E6s9NoxupmLe
Malware Config
Signatures
- Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1636-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4908-135-0x00000000030B0000-0x00000000030B9000-memory.dmp | family_smokeloader
  behavioral1/memory/1636-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/1636-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4908 set thread context of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1636 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
  1636 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
  3024 | Process not Found
  (the remaining entries of this 64-IoC list are identical "3024 | Process not Found" rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  3024 | Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  1636 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
  PID 4908 wrote to memory of 1636 | 4908 | 7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe"
  PID: 4908
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe (depth 2, child of PID 4908)
    command line: "C:\Users\Admin\AppData\Local\Temp\7c18cbae951f6a358e0938f7f597c01aeeef75438349a1c0b262b0968a1fc378.exe"
    PID: 1636
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection