Analysis

max time kernel: 150s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2022, 07:31
Static task
static1

Behavioral task
behavioral1
Sample: c3b0bf7d0c11b5b2cf88a5a05879c649.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: c3b0bf7d0c11b5b2cf88a5a05879c649.exe
Resource: win10v2004-20220901-en
General

Target: c3b0bf7d0c11b5b2cf88a5a05879c649.exe
Size: 146KB
MD5: c3b0bf7d0c11b5b2cf88a5a05879c649
SHA1: 063791ec150bdc93c5af7768cc0deabec1aafebc
SHA256: 53e91aa8e47dc26f0289b1800aa76bafe0b8274e99585d91e2da679d8353d6a3
SHA512: f0bd7f97b1c1be55da42a8c5eb644330806c7021765c78ae0780374ce02432334d3379b1198d0590a1ea2fd3bc43fcc0c713a06a9a5d3be9fc5d4fe4e8ab6416
SSDEEP: 1536:aJ2AD/fxK+FT+BN2++t4Bj8BkzCTl8XYiDraPCMu1iP+oo3r0ov1piQOuwluhOi:aJ2ADBlb++GB/2Tl8kCfXRZ4uhO
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/1808-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3b0bf7d0c11b5b2cf88a5a05879c649.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3b0bf7d0c11b5b2cf88a5a05879c649.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3b0bf7d0c11b5b2cf88a5a05879c649.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1808 | c3b0bf7d0c11b5b2cf88a5a05879c649.exe (2 entries)
1216 | Process not Found (the remaining 62 entries, repeated verbatim in the report)

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1808 | c3b0bf7d0c11b5b2cf88a5a05879c649.exe