Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/02/2023, 22:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe
- Resource: win10v2004-20220812-en
General
- Target: 576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe
- Size: 183KB
- MD5: 53661d56d99c7e1a8ae0c86bdf8eb78c
- SHA1: 1e4952466cb30248d711692e65901ba9acfa3c0b
- SHA256: 576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0
- SHA512: 920f4ac6f8d4f9b5ad939f8a77e5fbe2bcfc1a226c1d05235eee4f1c9e2f3a93516d09a1068d46355525b44e87eb48533eb82142d42f4f6aeacc922ee591fe94
- SSDEEP: 3072:yKrcvVIirtxks71krnyDgtHzMbtQvF/gFJhbRvzZcp:y+cNDpxkspyysTMbevFIFbRr
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/5004-133-0x0000000002290000-0x0000000002299000-memory.dmp
  yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (1 IoC)
  flow 99, pid 1156, process rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 4860, process D43D.exe
- Loads dropped DLL (2 IoCs)
  pid 1156, process rundll32.exe
  pid 1156, process rundll32.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1156 set thread context of 4304; pid 1156, process rundll32.exe, procid_target 92
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 3796, pid_target 4860, process WerFault.exe, procid_target 88
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe)
- Checks processor information in registry (2 TTPs, 20 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All 20 entries below were performed by rundll32.exe.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet
  Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- [signature heading missing on the page] (4 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar (Process not Found)
- Modifies registry class (30 IoCs)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000004d5685bc100054656d7000003a0009000400efbe0c55ec984d568cbc2e00000000000000000000000000000000000000000000000000b19d0400540065006d007000000014000000 (Process not Found)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (rundll32.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (Process not Found)
  Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (rundll32.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (Process not Found)
  Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (Process not Found)
  Set value (data): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff (Process not Found)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" (Process not Found)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 512 (Process not Found)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 5004 (576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe), 2 entries
  pid 512 (Process not Found), 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 512 (Process not Found)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 5004 (576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe)
- Suspicious use of AdjustPrivilegeToken (18 IoCs)
  Token: SeShutdownPrivilege, pid 512 (Process not Found), 9 entries
  Token: SeCreatePagefilePrivilege, pid 512 (Process not Found), 9 entries
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 4304 (rundll32.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 512 (Process not Found), 2 entries
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 512 wrote to memory of 4860; pid 512, Process not Found, procid_target 88 (3 entries)
  PID 4860 wrote to memory of 1156; pid 4860, process D43D.exe, procid_target 89 (3 entries)
  PID 1156 wrote to memory of 4304; pid 1156, process rundll32.exe, procid_target 92 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\576bac0735d3bd499705c86cffc66b24d76342e34867174fe608f3048ba4fdd0.exe"
  PID: 5004
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\D43D.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D43D.exe
  PID: 4860
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ruifriwreh.dll,start
    PID: 1156
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14149
      PID: 4304
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 480
    PID: 3796
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4860 -ip 4860
  PID: 3908
- C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5000
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB (listed 2 times in the report)
  MD5: 95663b67541988d99c075702b6f90129
  SHA1: 0866235b8ceb25d6f0357f373ee4564c40a2bcdf
  SHA256: 24f9d55467f37985384eac5dd39f9e2dbe34e40ec8467510b1e3b53498b91de6
  SHA512: 46855ef0b1b4fb6f143316fde69b3ca36638c6c05553a7126db8840c34d109734bb0cb0291e370027653ff93a24c8237ebcdc73f0f1afe0065919ea42e4f6bfc
- Filesize: 4.3MB (listed 3 times in the report)
  MD5: e1a77cb3c1b5dcb71e99032c59000072
  SHA1: e18ea808060aa62a64fcc5cb3ee4e92d56c7b11a
  SHA256: 8f86a1866b6aefa78db64bcd4344b8e33a8300d8e044ed962acade37abc8c8bf
  SHA512: cf3264309641602f7434438f4cda8ee933b60a8aeac453c4e3e1fa2eb5ecc939ba78a9505b4f96630ed13889286875d5e54160eda441a5988cf0d834933d42aa