Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
27/09/2021, 06:15
Static task
static1
Behavioral task
behavioral1
Sample
c3f20c9b1318e18c27bf77039ce49157.exe
Resource
win7-en-20210920
arkeichinese_generic_botnetraccoonredlinesmokeloadertofseexmrig5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4a72c96f6762e4258a13dee8bc0dd14557df18467b2f2e53f9e27f901d453d8f6fbafe1b4d5266bb7blissc524886d28411e80660e573d1de51f17556d70f6karmabackdoorbotnetdiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
c3f20c9b1318e18c27bf77039ce49157.exe
Resource
win10-en-20210920
windows10_x64
0 signatures
0 seconds
General
-
Target
c3f20c9b1318e18c27bf77039ce49157.exe
-
Size
135KB
-
MD5
c3f20c9b1318e18c27bf77039ce49157
-
SHA1
ee544248e7b8bb6703812b40b698e3cf8f6a9268
-
SHA256
9b047c007e428da0cc6a5c01b143ac1f299133ae7509e88923c430f7ee8b3f27
-
SHA512
9fe84246083c9d2ae5467e396a406a3dffa0fc438599a2f5cf822966d6b15f992c3db4b53b714e6312ea1a06271a35f6d1b70e6a8798272b636b1d6034f928f4
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
pid Process 2972 Process not Found -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1832 set thread context of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3f20c9b1318e18c27bf77039ce49157.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3f20c9b1318e18c27bf77039ce49157.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3f20c9b1318e18c27bf77039ce49157.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1516 c3f20c9b1318e18c27bf77039ce49157.exe 1516 c3f20c9b1318e18c27bf77039ce49157.exe 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found 2972 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2972 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1516 c3f20c9b1318e18c27bf77039ce49157.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70 PID 1832 wrote to memory of 1516 1832 c3f20c9b1318e18c27bf77039ce49157.exe 70
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3f20c9b1318e18c27bf77039ce49157.exe"C:\Users\Admin\AppData\Local\Temp\c3f20c9b1318e18c27bf77039ce49157.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\c3f20c9b1318e18c27bf77039ce49157.exe"C:\Users\Admin\AppData\Local\Temp\c3f20c9b1318e18c27bf77039ce49157.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1516
-