Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
3Static
static
3BpmSyncVmd...IR.dll
windows11-21h2-x64
3BpmSyncVmd...15.dll
windows11-21h2-x64
3BpmSyncVmd...ry.exe
windows11-21h2-x64
3BpmSyncVmd...32.dll
windows11-21h2-x64
3BpmSyncVmd...it.dll
windows11-21h2-x64
3BpmSyncVmd...cp.dll
windows11-21h2-x64
3BpmSyncVmd...or.exe
windows11-21h2-x64
3Analysis
-
max time kernel
1478s -
max time network
1497s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
13/10/2024, 01:13
Static task
static1
Behavioral task
behavioral1
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Adobe AIR.dll
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/AdobeCP15.dll
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/WebKit.dll
Resource
win11-20241007-en
Behavioral task
behavioral6
Sample
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/adobecp.dll
Resource
win11-20240802-en
Behavioral task
behavioral7
Sample
BpmSyncVmdGenerator/BpmSyncVmdGenerator.exe
Resource
win11-20241007-en
General
-
Target
BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Adobe AIR.dll
-
Size
20.8MB
-
MD5
451b05096ee1344126c4e772a6ddfe42
-
SHA1
91439e1e8b845a350f9c633c4627c98ddd497896
-
SHA256
45fd91cad8fd8f3f4e2bb310a584a18165289f364f2d4f363139d9d8d08962a8
-
SHA512
ae0ede59af1c0aa51d0ad6c9aa868d8278979f93bb3d418c56dcf793bd7d16e9f028939db079798b1839480ab31defe0b52b5bc1190dbaa665c64a01eb9ae965
-
SSDEEP
393216:++AYKm5gsDbTwpz+5LGhJObj/yuw+bwi3Qk6/AVSwm2:++N5gaiGvbv
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3484 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2168 wrote to memory of 3484 2168 rundll32.exe 77 PID 2168 wrote to memory of 3484 2168 rundll32.exe 77 PID 2168 wrote to memory of 3484 2168 rundll32.exe 77
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\BpmSyncVmdGenerator\Adobe AIR\Versions\1.0\Adobe AIR.dll",#11⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\BpmSyncVmdGenerator\Adobe AIR\Versions\1.0\Adobe AIR.dll",#12⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3484
-