Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2023, 06:53
Static task: static1
Behavioral task: behavioral1
Sample: 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe
Resource: win10v2004-20221111-en
General
Target: 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe
Size: 282KB
MD5: d22826ce95df9e8f60a95f349500afc9
SHA1: 4f06c5415f7bfacdd199ea4ec225dc59a782b0b4
SHA256: 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a
SHA512: 3fa87f7c06a21ec1a46e77b15c74369692f396653bdfa52a7c1859617602d978c47873dc2a34303f6f83ed88c8213c2dccb7bb7bf503be11cb9a456f46f3b83b
SSDEEP: 6144:NTKRLE+TDOKietwUV6F6XcV3vuZzxEmXCgyG:NTKR4+TDOKFwUV6F6kmZznS
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/4748-133-0x0000000002180000-0x0000000002189000-memory.dmp, yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (3 IoCs)
flow 27, pid 1032, rundll32.exe
flow 28, pid 1032, rundll32.exe
flow 66, pid 1032, rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid 2088, CAB7.exe

Loads dropped DLL (1 IoC)
pid 1032, rundll32.exe

Suspicious use of SetThreadContext (1 IoC)
PID 1032 set thread context of 4988: pid 1032, rundll32.exe, procid_target 94

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid 2564, pid_target 2088, WerFault.exe, procid_target 89

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe)

Checks processor information in registry (2 TTPs, 24 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (rundll32.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (rundll32.exe)
Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (rundll32.exe)
Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (rundll32.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status (rundll32.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier (rundll32.exe)
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found -
Modifies registry class 30 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Process not Found Set value 
(data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002d56bb3e100054656d7000003a0009000400efbe6b557d6c2d56c23e2e0000000000000000000000000000000000000000000000000067466900540065006d007000000014000000 Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found -
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid 2616, Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 4748, 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe
pid 4748, 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe
pid 2616, Process not Found (this row is repeated 62 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2616, Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid 4748, 5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe

Suspicious use of AdjustPrivilegeToken (18 IoCs)
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found
Token: SeShutdownPrivilege, pid 2616, Process not Found
Token: SeCreatePagefilePrivilege, pid 2616, Process not Found

Suspicious use of FindShellTrayWindow (1 IoC)
pid 4988, rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid 2616, Process not Found
pid 2616, Process not Found

Suspicious use of WriteProcessMemory (9 IoCs)
PID 2616 wrote to memory of 2088: pid 2616, Process not Found, procid_target 89
PID 2616 wrote to memory of 2088: pid 2616, Process not Found, procid_target 89
PID 2616 wrote to memory of 2088: pid 2616, Process not Found, procid_target 89
PID 2088 wrote to memory of 1032: pid 2088, CAB7.exe, procid_target 91
PID 2088 wrote to memory of 1032: pid 2088, CAB7.exe, procid_target 91
PID 2088 wrote to memory of 1032: pid 2088, CAB7.exe, procid_target 91
PID 1032 wrote to memory of 4988: pid 1032, rundll32.exe, procid_target 94
PID 1032 wrote to memory of 4988: pid 1032, rundll32.exe, procid_target 94
PID 1032 wrote to memory of 4988: pid 1032, rundll32.exe, procid_target 94
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d6f9643c46654b623b5a6b17bc9a4fa8033e7e6f20e8e539c595c6cc97c794a.exe"
  PID: 4748
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\CAB7.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CAB7.exe
  PID: 2088
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Rruwtqrefy.tmp",Uuhpdwiyer
      PID: 1032
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17179
          PID: 4988
          - Modifies registry class
          - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 532
      PID: 2564
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2088 -ip 2088
  PID: 3436

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3136
Downloads

Filesize: 1.1MB
MD5: 63daad7360dd6885fad4ade1cbb89c60
SHA1: 7e726442b90526b6ab518e6ec65f3c27e405bda5
SHA256: b49d29722055d11c8411e35bea7871d5c3fb0faf60650354900d1f346afbdc06
SHA512: e1c5cb5a6c4240e04ac682d913fb1898f8200dc6d8f8ce1dfa50d663d49d0e5ac9790dc70d010832d4d80bbdf700cea46903097ee1ad56d2177b751deae68a58

Filesize: 805KB
MD5: 44d724c9ad9ae3149d4997852eea3e96
SHA1: dcd92e1b704b3f25ba455e079004c5a5aaf903f9
SHA256: c5cd7d52ba95127c18556a2ddca64e4ef80a2945e6579545c0067abdab3a0ad0
SHA512: 791c3b62685a475799a991b2f0f9535781c888d48d1dd47b5b2cd407ff46e15231247f07ceb63c012bd923bf88fffaecf29030186e3d569b9886048881012e44