Analysis
max time kernel: 1400s
max time network: 1162s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/10/2024, 01:13
Tasks
static1 (static task)
behavioral1: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Adobe AIR.dll (resource: win11-20241007-en)
behavioral2: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/AdobeCP15.dll (resource: win11-20241007-en)
behavioral3: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/CaptiveAppEntry.exe (resource: win11-20241007-en)
behavioral4: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/NPSWF32.dll (resource: win11-20241007-en)
behavioral5: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/WebKit.dll (resource: win11-20241007-en)
behavioral6: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/adobecp.dll (resource: win11-20240802-en)
behavioral7: BpmSyncVmdGenerator/BpmSyncVmdGenerator.exe (resource: win11-20241007-en)
General
Target: BpmSyncVmdGenerator/Adobe AIR/Versions/1.0/Resources/WebKit.dll
Size: 4.7MB
MD5: 9be245cb88d870bf95e235d4689eea71
SHA1: 7e1d194b9611b1e18b577047e0d344158e0d088b
SHA256: 1941fbba02d913ee83184957a7a280076c98cf15606eba2d8209d6fd5c642c5a
SHA512: 6d138be8ed72e2c903ae43d8dd1e6f7dc7d3f1079d9fe0436d1a264aff93caecd137a6b3b94f247d4e7a4d873eba58952011ff7d811bd6aea718683efd1f2a1f
SSDEEP: 98304:tWptcD1H3fCv0WUzxpBJCYidfYXd2c2GiNskfHBTJ:tvm8xpoSXdhsNskfX
Malware Config
Signatures
Program crash (1 IoC)
pid: 2856, pid_target: 3604, Process: WerFault.exe, procid_target: 81

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 3048 wrote to memory of 3604, pid: 3048, Process: rundll32.exe, procid_target: 81
description: PID 3048 wrote to memory of 3604, pid: 3048, Process: rundll32.exe, procid_target: 81
description: PID 3048 wrote to memory of 3604, pid: 3048, Process: rundll32.exe, procid_target: 81
Processes
C:\Windows\system32\rundll32.exe (PID 3048)
  command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\BpmSyncVmdGenerator\Adobe AIR\Versions\1.0\Resources\WebKit.dll",#1
  signature: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3604)
      command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\BpmSyncVmdGenerator\Adobe AIR\Versions\1.0\Resources\WebKit.dll",#1
      signature: System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe (PID 2856)
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 536
          signature: Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1588)
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604