Analysis

max time kernel:   150s
max time network:  148s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         05/01/2023, 18:14

Static task:      static1
Behavioral task:  behavioral1
Sample:           8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
Resource:         win10v2004-20220812-en
General

Target:  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
Size:    213KB
MD5:     c6aac2239f973d8e45ebb942f8df96c6
SHA1:    1cd936198cc1ce102a48bf4eb642c6a742959dd9
SHA256:  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e
SHA512:  8d3718f3063bdb1591abf9bcd6451cd1ba76b9f41cd9ab2a183a5caff4c1c57e2b9c3b068e93ff1e3a7d7cb12ca627a74b5251e82e32ea979583f93772a7f2f0
SSDEEP:  3072:JxaXhNuoLPLqTJrTXLX8SP5TvBlrCv7mAcwYehGPFU:L6FTLqTpLX8GPrI7RcpeqF
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
resource                                                                  yara_rule
behavioral1/memory/2112-133-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/4992-135-0x0000000002E30000-0x0000000002E39000-memory.dmp  family_smokeloader
behavioral1/memory/2112-136-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/2112-137-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process                                                                   procid_target
PID 4992 set thread context of 2112   4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2112  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
2112  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
380   Process not Found   (this row is repeated for the remaining 62 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
380   Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
2112  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                     pid   Process                                                                   procid_target
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
PID 4992 wrote to memory of 2112  4992  8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe  80
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe"
   PID: 4992
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of PID 4992) C:\Users\Admin\AppData\Local\Temp\8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\8c03948c4d2825a3808f74a5d0b32de637f290b8e8a557386771414d9f256b5e.exe"
      PID: 2112
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection