Analysis
- max time kernel: 150s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06/12/2022, 02:12
Static task
- static1
Behavioral task
- behavioral1: sample fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe, resource win7-20220812-en
Behavioral task
- behavioral2: sample fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe, resource win10v2004-20220901-en
General
- Target: fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
- Size: 273KB
- MD5: 09e920d56233fd77bed9d60ebce218c9
- SHA1: 6b55be6b3220c1740ef71825264f165069bda2c0
- SHA256: fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1
- SHA512: 58f1877996b893e0831a9a92d2a497c4fe156a9eda2f651282201f72d7c2761bed30cc876db5d55e359e927dd14038eb675e9a415c32f5c42e89017865d48580
- SSDEEP: 6144:Amp8hFuzquZsEhZMcMqeBhAqIDcF0JVS:AmpUFuzqkhZMcnoSDcF0JVS
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1752-56-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader
  The rule matched a memory dump taken from PID 1752 (the 0x9000-byte region at 0x220000), not the file on disk: the family pattern only becomes visible once the packed payload has been unpacked in memory.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the subkeys under Enum\SCSI are named after the vendor and product strings of the attached disks, so a hypervisor's virtual disk identifies the machine as a VM.
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
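The check behind the SCSI signature, as an added example rather than code from the sample, the report or tria.ge: open the same key the sample touched, enumerate its subkeys, and look for hypervisor vendor strings in the device IDs. The marker list and the device IDs used as sample input are assumptions and constructed data, not values from the report.

```python
r"""Added example (not from the report, the sample or tria.ge): the anti-sandbox
check that the 'Checks SCSI registry key(s)' signature describes.

Subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI are named after the vendor and
product strings of attached disks, so a virtual disk is visible by name.
VM_MARKERS and the SAMPLE_* device IDs below are assumptions/constructed data.
"""
import re
import sys

# Key the sample opened, queried and enumerated (relative to HKEY_LOCAL_MACHINE).
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Assumed vendor/product substrings typical of virtual disks; extend as needed.
VM_MARKERS = ("vmware", "vbox", "virtual", "qemu", "xen", "msft")

_MARKER_RE = re.compile("|".join(re.escape(m) for m in VM_MARKERS), re.IGNORECASE)


def vm_indicators(device_ids):
    """Return the device IDs that contain a virtualisation marker (case-insensitive)."""
    return [dev for dev in device_ids if _MARKER_RE.search(dev)]


def enumerate_scsi_devices():
    r"""Collect Enum\SCSI subkey names via winreg on Windows; [] elsewhere.

    Mirrors the three events in the report: the key is opened, its metadata is
    queried (subkey count), then the subkeys are enumerated one by one.
    """
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(subkey_count)]


def looks_like_sandbox(device_ids=None):
    """True when any SCSI device ID carries a VM marker."""
    if device_ids is None:
        device_ids = enumerate_scsi_devices()
    return bool(vm_indicators(device_ids))


# Constructed device IDs in the Enum\SCSI naming style (not taken from the report).
SAMPLE_VM = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
SAMPLE_BARE_METAL = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    for label, ids in (("constructed VM", SAMPLE_VM), ("constructed bare metal", SAMPLE_BARE_METAL)):
        print(f"{label}: {vm_indicators(ids)}")
    print("this host looks like a sandbox:", looks_like_sandbox())
```

Running it on the analysis VM itself shows what the sample would have seen; a sandbox that wants to pass this check has to present disk identifiers without hypervisor vendor strings, not merely block access to the key, because a failed open of a key every real Windows install has is itself a tell.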
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1752 | fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe (2 entries)
  1212 | Process not Found (all remaining entries)
  "Process not Found" means the sandbox had no record of PID 1212 as a process it launched or saw being created, i.e. it was already running before the sample started. Taken together with the MapViewOfSection event on PID 1752 below, this is the pattern expected when the sample maps a section into an existing process and continues from there; the report itself does not name that process.
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1752 | fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
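Two checks a practitioner wants before relying on this report, as an added helper that is not part of tria.ge or the report: confirm that a local copy of the sample really is the file described in the General section (all four digests, not just MD5), and decode the memory-dump name from the SmokeLoader YARA hit into PID and address range. The hash values are copied from the report; the dump-name layout `<pid>-<seq>-<start>-<end>-memory.dmp` is inferred from that one resource string and is an assumption, not documented tria.ge behaviour.

```python
r"""Added helper (not from the report or tria.ge): verify a local sample against
the report's hashes and decode the YARA-hit memory dump name.

REPORT_HASHES are copied from the General section. The dump-name layout
<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the single resource
string in the report and is an assumption.
"""
import hashlib
import re
import sys

REPORT_HASHES = {
    "md5": "09e920d56233fd77bed9d60ebce218c9",
    "sha1": "6b55be6b3220c1740ef71825264f165069bda2c0",
    "sha256": "fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1",
    "sha512": "58f1877996b893e0831a9a92d2a497c4fe156a9eda2f651282201f72d7c2761bed30cc876db5d55e359e927dd14038eb675e9a415c32f5c42e89017865d48580",
}

# Resource string of the family_smokeloader hit, as printed in the report.
SMOKELOADER_HIT = "behavioral1/memory/1752-56-0x0000000000220000-0x0000000000229000-memory.dmp"


def digests(data):
    """Compute every digest the report lists over raw file bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def mismatches(data, expected=REPORT_HASHES):
    """Return, sorted, the algorithms whose digest of `data` differs from `expected`."""
    got = digests(data)
    return sorted(algo for algo, value in expected.items() if got[algo] != value.lower())


_DUMP_RE = re.compile(
    r"(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)-memory\.dmp"
)


def parse_dump_name(resource):
    """Split a memory-dump resource name into task, pid, seq, start, end, size (assumed layout)."""
    match = _DUMP_RE.fullmatch(resource)
    if match is None:
        raise ValueError(f"unrecognised dump name: {resource}")
    start, end = int(match["start"], 16), int(match["end"], 16)
    return {
        "task": match["task"],
        "pid": int(match["pid"]),
        "seq": int(match["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


if __name__ == "__main__":
    region = parse_dump_name(SMOKELOADER_HIT)
    print(f"family_smokeloader hit in {region['task']}: pid {region['pid']}, "
          f"{region['start']:#x}-{region['end']:#x} ({region['size']} bytes)")
    if len(sys.argv) > 1:  # optional: path to a local copy of the sample
        with open(sys.argv[1], "rb") as fh:
            bad = mismatches(fh.read())
        print("hash check:", "same sample as the report" if not bad else f"MISMATCH on {bad}")
```

Run it with the path of the local file as the only argument; a mismatch on any algorithm means the file is not the one this report describes, regardless of the name it carries.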
Processes
- C:\Users\Admin\AppData\Local\Temp\fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fc4d449e540c2adc6d3a7cfb175f72ca776cc38461d5c282db12fbe117f40cf1.exe"
  PID: 1752
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection