Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2023, 05:43
Static task: static1
Behavioral task: behavioral1
Sample: f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Resource: win10v2004-20220812-en
General
Target: f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Size: 285KB
MD5: cbd62ba3193d542e9b824acf51b9981d
SHA1: cc3a26c55c1f153508215b07c96ebd9653a304e5
SHA256: f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0
SHA512: e2757ff50050e570d284662b4a38dccc71deb53a8dc91d28d640c3cc6811dd45f8128785656dbbfdc35be457373ee0ef6536a9c3ec4364daf5d6d8cef945a228
SSDEEP: 3072:WhquUUgg2O5qnNoNYeFh3Gmf0BP/BIFptqabn6p/IhcfcrEjUs:sqs2NnaCmFGC08LtqC4whtDs
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/852-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
852 | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
852 | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
1212 | Process not Found (this row is repeated for the remaining 62 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1212 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
852 | f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe
command line: "C:\Users\Admin\AppData\Local\Temp\f3d6ae3f3e6f54bf4b9e34b7a39f3123dd69b87f4e0462dd4e8304791f2ac1f0.exe"
PID: 852
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection