Analysis
  max time kernel: 152s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 10/02/2023, 08:14
Static task: static1
Behavioral task: behavioral1
  Sample: 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  Resource: win10v2004-20221111-en
General
  Target: 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  Size: 347KB
  MD5: 09895122822d629f2c5f9165f11297b0
  SHA1: 745da9bfaad4cfdcc89bbf8523388b39b5064e1e
  SHA256: 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3
  SHA512: 8327e7766135e35ec78981a1c98fd663964e241fb2567d980db1b213045d42e792729784af492765f8c2f8914c3fcd7201661b2dfad8d32fa3dea9c287124067
  SSDEEP: 3072:3/0RJccQi5P7ZT644knlMBBBkAIEQwryXj9nf6NeNpUUM:PUFP7F6pknlUeAIEdcpnfWeN
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/4172-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/1808-135-0x00000000008F0000-0x00000000008F9000-memory.dmp | family_smokeloader
  behavioral1/memory/4172-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4172-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1808 set thread context of 4172 | 1808 | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe | 79

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4172 | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  4172 | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe
  1192 | Process not Found
  (every remaining row of the 64 reads "1192 | Process not Found")

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1192 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4172 | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1808 wrote to memory of 4172 | 1808 | 08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe | 79
  (this row appears 6 times in the report, once per write)
Processes

1. C:\Users\Admin\AppData\Local\Temp\08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe (PID 1808)
   command line: "C:\Users\Admin\AppData\Local\Temp\08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe (PID 4172, child of PID 1808)
      command line: "C:\Users\Admin\AppData\Local\Temp\08c0f78ca25f7fffb45222d3ddaebb4fcb0dfb9be46580e177f4dbb0470663c3.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection