Analysis
max time kernel: 205s
max time network: 210s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 23:09
Static task: static1
Behavioral task: behavioral1
  Sample: 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
  Resource: win10v2004-20221111-en
General
Target: 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
Size: 140KB
MD5: 03ad175f6ba14fd44f890d617ff4a263
SHA1: 4a3b9b5b685cefcb05aa633ee7c2aa85b01bb914
SHA256: 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5
SHA512: c78355c06ad1c6fd381e2300198aa1f68822fb08ee435aa674e2aa2bf48710e6ad8fd4e402b45518d7d1700435a24a8aa13c69c801e7cb7121b6d01577488870
SSDEEP: 3072:FbsubuLuwgRkWwuXdzDwWX0fTIZOaA481GkQr+drjOBgqEqh:FPuTWwuXdzDwWX0fTIZOaAYkQrGrjOBq
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bdkoor.exe

Executes dropped EXE (1 IoC)
pid | Process
4728 | bdkoor.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
Adds Run key to start application (2 TTPs, 53 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | bdkoor.exe
Set value (str), 52 entries | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdkoor = "C:\\Users\\Admin\\bdkoor.exe <switch>" | bdkoor.exe
The 52 Set value (str) entries are all written by bdkoor.exe to the same Run value and differ only in the single-letter switch (<switch> above) appended to the command line. In the order recorded (the Key created entry falls between the first and second write) the switches are:
/K /F /a /G /u /x /n /P /m /U /B /V /h /L /b /s /e /j /D /v /R /T /E /Z /N /w /I /Y /c /X /i /C /f /t /Q /A /k /d /p /z /r /S /O /y /o /q /H /g /M /l /J /W
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4728 | bdkoor.exe (all 64 IoCs are this same pid/process pair)

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4364 | 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
4728 | bdkoor.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4364 wrote to memory of 4728 | 4364 | 0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe | 82
(the same entry is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0045a01a972803b6709bd1d276e8aa000d9870ae90cae0ef66c2f138b9e8bcc5.exe"
   PID: 4364
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\bdkoor.exe (child of PID 4364)
      Command line: "C:\Users\Admin\bdkoor.exe"
      PID: 4728
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 140KB
MD5: 438d6ca035f4fd327a41ddb70a526c2f
SHA1: a4cfb20dcbd012b6402d96fba0e8e82ba7ddd706
SHA256: e947e3671baccc65875fb12f5612c08f057cc5938dd2d650f78649ffa14552f4
SHA512: 8ebc11c8373c5dbb53e10193299484f455fd3fa448a5f7a616f5efca5da85880394ae93fcf94bcdcc57f60382bb1f241c630ba8a658084c02bcc180000804570