Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/02/2023, 22:58 UTC
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20221111-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20221111-en)
General
- Target: file.exe
- Size: 182KB
- MD5: 80f9ccb2188e8fe8d8add22f4a2214d9
- SHA1: 994922fcf284ccd4f6bce9da29d0b501be590cad
- SHA256: d001876dc21a9d8c5d116d1dd29d87c8de4654afb74a2dfbc361a99cd4c855ab
- SHA512: e3b902000c80452a22900718c37432f72e3a8d844422f86ebe46702c5a10d5e7d8f7724b97a5223d10371ca279a763b5db35764afca67e86ba4427f2b43f2c09
- SSDEEP: 3072:DK7w/AyWmDpxYsmntNlUpi+wW6AWuqoC9H1TpHyud5bK1E:DGwYyp1xYssHUEbW6GqoO1Vfd5bV
Malware Config
Signatures

- Detects Smokeloader packer (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/360-133-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
  behavioral2/memory/2264-135-0x00000000007F0000-0x00000000007F9000-memory.dmp  family_smokeloader
  behavioral2/memory/360-136-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
  behavioral2/memory/360-137-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
  behavioral2/memory/3788-144-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral2/memory/3788-145-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Executes dropped EXE (2 IoCs)
  pid   Process
  3360  vgjejjw
  3788  vgjejjw

- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process   procid_target
  PID 2264 set thread context of 360   2264  file.exe  83
  PID 3360 set thread context of 3788  3360  vgjejjw   86

- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vgjejjw
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vgjejjw
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vgjejjw

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  360   file.exe
  360   file.exe
  2164  Process not Found (all remaining rows are identical to this one)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2164  Process not Found

- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  360   file.exe
  3788  vgjejjw

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        2164  Process not Found
  Token: SeCreatePagefilePrivilege  2164  Process not Found

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process   procid_target
  PID 2264 wrote to memory of 360    2264  file.exe  83   (6 identical rows)
  PID 3360 wrote to memory of 3788   3360  vgjejjw   86   (6 identical rows)
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2264
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    PID: 360
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

- C:\Users\Admin\AppData\Roaming\vgjejjw
  Command line: C:\Users\Admin\AppData\Roaming\vgjejjw
  PID: 3360
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Roaming\vgjejjw
    Command line: C:\Users\Admin\AppData\Roaming\vgjejjw
    PID: 3788
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network

DNS flows (all to remote address 8.8.8.8:53):
  Request                           Type  Response         Sent   Received  Packets (out/in)
  15.89.54.20.in-addr.arpa          PTR   (none)           70 B   156 B     1/1
  host-file-host6.com               A     185.246.221.63   65 B   81 B      1/1
  103.169.127.40.in-addr.arpa       PTR   (none)           73 B   147 B     1/1
  host-host-file8.com (4 requests)  A     (none)           260 B  260 B     4/4

Other flows (endpoint columns not preserved in extraction; byte and packet counts only):
  260 B, 5 packets (5 flows)
  322 B, 7 packets (4 flows)
  46 B sent / 40 B received, 1/1 packets (3 flows)
  92 B sent / 111 B received, 2/2 packets (1 flow)
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 182KB
  MD5: 80f9ccb2188e8fe8d8add22f4a2214d9
  SHA1: 994922fcf284ccd4f6bce9da29d0b501be590cad
  SHA256: d001876dc21a9d8c5d116d1dd29d87c8de4654afb74a2dfbc361a99cd4c855ab
  SHA512: e3b902000c80452a22900718c37432f72e3a8d844422f86ebe46702c5a10d5e7d8f7724b97a5223d10371ca279a763b5db35764afca67e86ba4427f2b43f2c09