Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25/10/2022, 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: 19663abcbb5a271e0893a5f9a009a1dd.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 19663abcbb5a271e0893a5f9a009a1dd.exe
  Resource: win10v2004-20220812-en
General
Target: 19663abcbb5a271e0893a5f9a009a1dd.exe
Size: 230KB
MD5: 19663abcbb5a271e0893a5f9a009a1dd
SHA1: 17159ee4eecfd627b3e9ce3ddabd09be32d7b79f
SHA256: 8445e9539c776b7538e2a9a665f5a1506df9ec5bbd1bf3a8a88cc6e572afda64
SHA512: 00c324c766d8cfc7d7dc0f0dd88385da1099175d85970c0b82ed716e16d9c4904cf7e44aeff73603853980b7c92c93e152165a6fa27aaaa11335548ee0f98869
SSDEEP: 3072:+XV1DLeQ4WgY5tPxxNU+FwxVRdSnEcsHYb7HMnmh/DMl:GbDLeRWgczFnfqc7Yl
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1280-56-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  19663abcbb5a271e0893a5f9a009a1dd.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  19663abcbb5a271e0893a5f9a009a1dd.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  19663abcbb5a271e0893a5f9a009a1dd.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1280  19663abcbb5a271e0893a5f9a009a1dd.exe
  1280  19663abcbb5a271e0893a5f9a009a1dd.exe
  1372  Process not Found   (this row is repeated for all remaining entries)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1280  19663abcbb5a271e0893a5f9a009a1dd.exe