Analysis
- max time kernel: 119s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09/05/2024, 12:38
Behavioral tasks
task           sample                      resource
behavioral1    BH2002/BH2002.exe           win7-20240221-en
behavioral2    BH2002/BH2002.exe           win10v2004-20240508-en
behavioral3    BH2002/BH2Game/BH2.exe      win7-20240419-en
behavioral4    BH2002/BH2Game/BH2.exe      win10v2004-20240508-en
behavioral5    BH2002/PlayGame.exe         win7-20240508-en
behavioral6    BH2002/PlayGame.exe         win10v2004-20240508-en
behavioral7    BH2002/RegSetup.exe         win7-20231129-en
behavioral8    BH2002/RegSetup.exe         win10v2004-20240426-en
behavioral9    BH2002/bh2.exe              win7-20240221-en
behavioral10   BH2002/bh2.exe              win10v2004-20240508-en
behavioral11   安装程序.exe                win7-20240221-en
behavioral12   安装程序.exe                win10v2004-20240426-en
General
- Target: BH2002/BH2002.exe
- Size: 28KB
- MD5: d0d456759ea4ac29c4e0f6765c4736b7
- SHA1: 182f9650c34006185c6a459e188cf931c952d420
- SHA256: b4a061f6ccd0b45be67a8725c3e0c33beaeeb4a6a685ac96cba8947330bec94a
- SHA512: 701505608bf5585e2811f6efb92aaa1319b5fedbfaaf29280bc0875059765895213acf6aa25677bb1bb400570763145bef95fcd216193ab93a3d48295d72ede9
- SSDEEP: 384:e+evThZNl951Aml8XdM4yyXQJ8mVh+jMoXF7FJtKD:errhjlH1IyaQxVh+jMoXF
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid  Process
  5     640  rundll32.exe
  7     640  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (3 IoCs)
  description      ioc                                                                                                                              Process
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX                    rundll32.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\OOBGameInstalled = "1"   rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\Local Settings\Software\Microsoft\Windows\GameUX\ServiceLocation    rundll32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2584  BH2.EWS
  2584  BH2.EWS
  2584  BH2.EWS
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process     procid_target
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 640    1300  BH2002.exe  28
  PID 1300 wrote to memory of 2584   1300  BH2002.exe  31
  PID 1300 wrote to memory of 2584   1300  BH2002.exe  31
  PID 1300 wrote to memory of 2584   1300  BH2002.exe  31
  PID 1300 wrote to memory of 2584   1300  BH2002.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe"
  PID: 1300
  signatures: Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {09671ded-a376-46f4-b248-9763ed9bfd76};C:\Users\Admin\AppData\Local\Temp\BH2002\BH2002.exe;1300
    PID: 640
    signatures: Blocklisted process makes network request; Modifies registry class
  - C:\Users\Admin\AppData\Local\Temp\BH2002\BH2.EWS
    command line: intro
    PID: 2584
    signatures: Suspicious use of SetWindowsHookEx