Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/02/2023, 14:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
- Resource: win10v2004-20221111-en
General
- Target: 01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
- Size: 193KB
- MD5: 84153d8aeef201672c88c9c51b3f09a4
- SHA1: 4fe0c6c8ccaf711fcc1dcd21cf12e6a8b9669217
- SHA256: 01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16
- SHA512: a3c2758618f60c532a7af2a13e836e82abd81e0353431ad089dfa8d61dbb6f83dacd94117188ceb6edcce55b4f75c2b7f5d9090b77a4b60c784350b0b5d5d326
- SSDEEP: 3072:fwVw1tCqoZxL2XujwamWY6IR5whqqOnAyFsXs3rCBWQsdHOR1ieytACekCB:fwVDLuuMamX0hPiAyCXsb+WQsdH7jY
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource                                                                       yara_rule
  behavioral1/memory/4572-133-0x00000000021D0000-0x00000000021D9000-memory.dmp   family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                               Process
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  4572   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
  4572   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
  2420   Process not Found (every remaining entry, 62 of the 64, is this same row)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  2420   Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid    Process
  4572   01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01133b1ba174ac50eb0abfb99e167bcd23f5339670c52a715611c50f6d893b16.exe"
  PID: 4572
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection