Analysis
- max time kernel: 150s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27/11/2022, 22:45
Static task: static1
Behavioral task: behavioral1
- Sample: 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe
- Resource: win10v2004-20221111-en
General
- Target: 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe
- Size: 167KB
- MD5: 69780ca3e35643f69b0e2d6a4cde8130
- SHA1: 15a3ed86e6dabf55bf2df41bf37b7dcac8611104
- SHA256: 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1
- SHA512: 5f68a3e3ccbb64073f64c5ca2664faa964d0ef12d7f9482b4153a394c30ea1faade4caadf0254920718d47aaa783274f9b3f919f698745869d970abb150c68e0
- SSDEEP: 3072:OtBdw5VsGu2CERRS5hKJBdCcssg6cHuRvHF:i4CG8ERxBdCeg6cO
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1060-56-0x0000000000220000-0x0000000000229000-memory.dmp | family_smokeloader |

SmokeLoader: modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 1060 | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
| 1060 | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
| 1284 | Process not Found (this row is repeated 62 times in the original listing) |
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

| pid | Process |
| --- | --- |
| 1284 | Process not Found |

Suspicious behavior: MapViewOfSection (1 IoC)

| pid | Process |
| --- | --- |
| 1060 | 04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\04d85ed0df5a4e1ecb16d8dfa296d5aaa9654b2a39730cb265d0cf684311ecb1.exe"
  PID: 1060
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection