Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/01/2023, 09:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
- Resource: win10v2004-20221111-en
General
- Target: 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
- Size: 259KB
- MD5: 7ef58ea7ca5efcc101ff220729517ad4
- SHA1: 5380a22d4e472d672a18a769cf74587d78e7a3b6
- SHA256: 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480
- SHA512: 96857a173d9410c4b0338133077049f02b5156d2d5e71905bd6e428cd4446187fe3865965770d341fc968f607c89ee7fe687df569bdb3d3f6e827bdfcf9ece88
- SSDEEP: 3072:fXmQMwbWsel5xks26WbniBvW1krx6Aapb8pBI8jwWRjoV:PcLsei6fwRNpgpRjFE
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral1/memory/3448-133-0x00000000048E0000-0x00000000048E9000-memory.dmp | family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow | pid | Process
25 | 1356 | rundll32.exe
26 | 1356 | rundll32.exe
77 | 1356 | rundll32.exe
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid | Process
2100 | CA69.exe
Loads dropped DLL 1 IoCs
pid | Process
1356 | rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1356 set thread context of 4468 | 1356 | rundll32.exe | 92
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour; in this run no encryption or file-modification signatures fired, and the same sample reads the SCSI and processor registry keys that Triage attributes to sandbox detection, so for this loader the drive enumeration is better read as environment fingerprinting than as evidence of ransomware.
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1620 | 2100 | WerFault.exe | 81
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
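The SCSI and processor signatures above are about environment fingerprinting, not about the registry for its own sake: a loader reads Enum\SCSI and CentralProcessor\0 to decide whether it is inside a hypervisor or a stripped-down sandbox before it unpacks anything. The Python below is an added example, not code from this report, from Triage or from SmokeLoader; it reimplements that heuristic over a plain data structure so it runs anywhere, not only on Windows. The marker list and the two registry snapshots are constructed assumptions; the report does not reveal which strings this sample actually compares against.

```python
from dataclasses import dataclass

# Hypervisor vendor strings commonly found in SCSI device IDs (subkeys of
# \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI) and in ProcessorNameString
# under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0.
# This list is the example's own assumption, not something read from the sample.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL")


@dataclass
class RegistrySnapshot:
    """The slice of the registry the sample reads, as plain data."""
    scsi_device_ids: list   # subkey names under Enum\SCSI
    cpu_subkeys: list       # subkey names under CentralProcessor ("0", "1", ...)
    cpu0_values: dict       # values under CentralProcessor\0


def _first_marker(text):
    """First VM marker contained in text (case-insensitive), or None."""
    upper = text.upper()
    return next((m for m in VM_MARKERS if m in upper), None)


def scsi_markers(snap):
    """(device_id, marker) for every SCSI device whose ID names a hypervisor."""
    hits = []
    for dev in snap.scsi_device_ids:
        marker = _first_marker(dev)
        if marker:
            hits.append((dev, marker))
    return hits


def cpu_findings(snap):
    """Reasons derived from CentralProcessor: VM-branded CPU name, too few cores."""
    reasons = []
    marker = _first_marker(str(snap.cpu0_values.get("ProcessorNameString", "")))
    if marker:
        reasons.append(f"ProcessorNameString mentions {marker}")
    # Enumerating CentralProcessor (as the report shows) yields one subkey per
    # logical processor; single-core guests are a classic sandbox tell.
    if len(snap.cpu_subkeys) < 2:
        reasons.append(f"only {len(snap.cpu_subkeys)} logical processor(s) enumerated")
    return reasons


def looks_like_sandbox(snap):
    """Verdict a fingerprinting loader would reach from these two keys alone."""
    scsi, cpu = scsi_markers(snap), cpu_findings(snap)
    return {"sandbox": bool(scsi or cpu), "scsi": scsi, "cpu": cpu}


# Constructed snapshot: a default VirtualBox guest with two vCPUs.
VM_GUEST = RegistrySnapshot(
    scsi_device_ids=["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"],
    cpu_subkeys=["0", "1"],
    cpu0_values={"ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz", "~MHz": 3000},
)

# Constructed snapshot: what a hardened analysis image (or a real laptop) exposes.
HARDENED = RegistrySnapshot(
    scsi_device_ids=["Disk&Ven_Samsung&Prod_SSD_870_EVO"],
    cpu_subkeys=["0", "1", "2", "3"],
    cpu0_values={"ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz", "~MHz": 3000},
)

if __name__ == "__main__":
    for name, snap in (("vm_guest", VM_GUEST), ("hardened", HARDENED)):
        print(name, looks_like_sandbox(snap))
```

The useful reading for whoever runs the sandbox is the inverse of the check: whatever the sample sees in these keys is exactly what a hardened image must not expose, so analysis VMs should present non-hypervisor SCSI vendor strings and at least two logical processors under CentralProcessor, or the loader exits before the stage that produced the CA69.exe drop in this report.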
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Process not Found Set value (data) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Process not Found -
Modifies registry class 30 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | rundll32.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000002e56a254100054656d7000003a0009000400efbe6b557d6c2e56a7542e000000000000000000000000000000000000000000000000005945f000540065006d007000000014000000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | Process not Found
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2584 | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3448 | 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe (2 entries)
2584 | Process not Found (62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2584 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
3448 | 9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2584 | Process not Found (9 entries)
Token: SeCreatePagefilePrivilege | 2584 | Process not Found (9 entries)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
4468 | rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2584 | Process not Found (2 entries)
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2584 wrote to memory of 2100 | 2584 | Process not Found | 81 (3 entries)
PID 2100 wrote to memory of 1356 | 2100 | CA69.exe | 83 (3 entries)
PID 1356 wrote to memory of 4468 | 1356 | rundll32.exe | 92 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe (PID 3448)
  command line: "C:\Users\Admin\AppData\Local\Temp\9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\CA69.exe (PID 2100)
  command line: C:\Users\Admin\AppData\Local\Temp\CA69.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1356)
    command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Rruwtqrefy.tmp",Uuhpdwiyer
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (PID 4468)
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17179
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\WerFault.exe (PID 1620)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 532
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1476)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2100 -ip 2100
- C:\Windows\System32\rundll32.exe (PID 2876)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
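Read together with the process list, the WriteProcessMemory and SetThreadContext rows give the hand-off chain of this run: a process the sandbox never names (PID 2584, shown only as Process not Found) writes into and starts CA69.exe; CA69.exe writes into the 32-bit rundll32.exe that loads Rruwtqrefy.tmp; that rundll32.exe writes into a second rundll32.exe (shell32.dll,#61) and then resets its thread context. The Python below is an added example, not code from this report or from Triage, that parses rows in the report's flattened layout, collapses the repeated entries, and flags the one pair where memory writes and SetThreadContext coincide. The IoC rows and the PID-to-image table are transcribed from this report; the row format and the ranking rule are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input, transcribed from this report's "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" rows. Each row is
# "PID <src> wrote to memory of <dst> <src> <image> <task id>", i.e. Triage's
# description / pid / Process / procid_target columns run together.
IOC_LINES = """\
PID 2584 wrote to memory of 2100 2584 Process not Found 81
PID 2584 wrote to memory of 2100 2584 Process not Found 81
PID 2584 wrote to memory of 2100 2584 Process not Found 81
PID 2100 wrote to memory of 1356 2100 CA69.exe 83
PID 2100 wrote to memory of 1356 2100 CA69.exe 83
PID 2100 wrote to memory of 1356 2100 CA69.exe 83
PID 1356 wrote to memory of 4468 1356 rundll32.exe 92
PID 1356 wrote to memory of 4468 1356 rundll32.exe 92
PID 1356 wrote to memory of 4468 1356 rundll32.exe 92
PID 1356 set thread context of 4468 1356 rundll32.exe 92
""".splitlines()

# PID -> (image name, command line) from the report's process list. PID 2584
# never gets a name in the report, so it stays "Process not Found" here too.
PROCESSES = {
    2584: ("Process not Found", ""),
    3448: ("9dca3e3498bd37d51f9d81cdcb80d10af93b908d9e09f4f248fe09e7ebb89480.exe", ""),
    2100: ("CA69.exe", r"C:\Users\Admin\AppData\Local\Temp\CA69.exe"),
    1356: ("rundll32.exe", r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Rruwtqrefy.tmp",Uuhpdwiyer'),
    4468: ("rundll32.exe", r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 17179'),
}

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")


def parse_edges(lines):
    """Collapse the repeated rows into one record per (src, dst) PID pair."""
    edges = defaultdict(lambda: {"writes": 0, "set_context": False})
    for line in lines:
        if m := WRITE_RE.match(line):
            edges[(int(m[1]), int(m[2]))]["writes"] += 1
        elif m := CTX_RE.match(line):
            edges[(int(m[1]), int(m[2]))]["set_context"] = True
    return dict(edges)


def injection_pairs(edges):
    """Pairs where the writer also reset the target's thread context: the
    create / write / SetThreadContext sequence behind process hollowing."""
    return sorted(pair for pair, rec in edges.items() if rec["writes"] and rec["set_context"])


def write_chain(edges, root):
    """Follow write edges from root and return the ordered PID path (first branch)."""
    path, seen = [root], {root}
    while True:
        nxt = sorted(dst for src, dst in edges if src == path[-1] and dst not in seen)
        if not nxt:
            return path
        seen.add(nxt[0])
        path.append(nxt[0])


def describe(path, processes):
    """Render a PID path as 'pid:image -> pid:image'."""
    return " -> ".join(f"{pid}:{processes.get(pid, ('?', ''))[0]}" for pid in path)


if __name__ == "__main__":
    edges = parse_edges(IOC_LINES)
    print(describe(write_chain(edges, 2584), PROCESSES))
    for src, dst in injection_pairs(edges):
        print(f"injection candidate: {src} {PROCESSES[src][0]} -> {dst} {PROCESSES[dst][1]}")
```

A parent writing into a child it has just created shows up under this signature for ordinary process launches as well, so the example only promotes a pair to an injection candidate when SetThreadContext targets the same child; on this report that is rundll32.exe 1356 into rundll32.exe 4468, which is why the second rundll32.exe, nominally running shell32.dll ordinal 61, is the process whose behaviour (FindShellTrayWindow, shellbag writes) should be attributed to the loader rather than to shell32.dll.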
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB (listed twice in the report)
  MD5: 6ad8a5ecc9359b8825b1a7d53fe497d6
  SHA1: e379532ec20dcecf5c3ab180f19d6aa0aac36278
  SHA256: edbacf685ef533534452a92453e861ceece56dadfcc539a38206534098bc7f53
  SHA512: c38c47369f9a20c071ac75f82d4e4f0a8ae38fccb740af08bafd6ee10206eb5124918b111fb4292346f7766d7365d9a66a319a0929830d88cdea6d8dbff5ea39
- Filesize: 805KB (listed twice in the report)
  MD5: 44d724c9ad9ae3149d4997852eea3e96
  SHA1: dcd92e1b704b3f25ba455e079004c5a5aaf903f9
  SHA256: c5cd7d52ba95127c18556a2ddca64e4ef80a2945e6579545c0067abdab3a0ad0
  SHA512: 791c3b62685a475799a991b2f0f9535781c888d48d1dd47b5b2cd407ff46e15231247f07ceb63c012bd923bf88fffaecf29030186e3d569b9886048881012e44