Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2024, 23:23

General

  • Target

    808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe

  • Size

    634KB

  • MD5

    026ecb902b5b7f30506e32414daf1720

  • SHA1

    daae8c4583aac745d2246e88d3673770d3cf061c

  • SHA256

    808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacf

  • SHA512

    0e55a5c8e81516825e2f71a9b7219ca06ddfd52cca5ab9b3e53b31b9fdf21d223ed118a9ba65722872b6de249d04e346966a9234867de2cd5ba4d85dea12851d

  • SSDEEP

    12288:PFUNDayA1X0y8ET2RUzcRg8EoVK4HJlA+X8qdwS/GaHTZfn/ZR:PFOayA1KEDzCg8EmTJlFXfTZfP

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe
    "C:\Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfN.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • \??\c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe 
      c:\users\admin\appdata\local\temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe
        C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\172720fd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1080
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2536
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:304
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:872
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1924
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:25 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2488
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:26 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1112
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0I0VVMWQ\k2[1].rar

      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

    • C:\Users\Admin\AppData\Local\Temp\172720fd.bat

      Filesize

      187B

      MD5

      c4eb35e731a5ad716a17761cc1d30997

      SHA1

      5d265803fe221cb8fce3f44d1aa23b4c80fc9bd8

      SHA256

      4d74032223894b279ae6d6c8bd033c461b3d7167f3a002f03015d9247a941f12

      SHA512

      477d57a14e822dbbf7627f622f53114178eebfde96ccdca8c6194909b761b8ab4bd99c69ad5dcc3554195a3c24a9de1ed76af6fc3b60d99243d8cf7a79a5e314

    • C:\Users\Admin\AppData\Local\Temp\XhmNEB.exe

      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      116b0e933e94cd66308a3b935a380385

      SHA1

      1504d4c93151d7c4df39080b2f587aa7fb70d394

      SHA256

      42a5a1b50e92054a13477fd52789b3329b131760c80d04f686c3511a7fa3bffb

      SHA512

      d793309aab7a9078bb70c163600388d8717a31b8d79ec6f2a284e9150be4a4ad06c8e68f27bf31964813bc1f8f936c35b664c4149964e18c2dea8344c17d52b0

    • \Users\Admin\AppData\Local\Temp\808d2f83c7b699aa3fd06c208c44d9decaba701b000d40f7d8aa8ade1395bacfn.exe 

      Filesize

      499KB

      MD5

      fe1c73a64fff4bdf575f4a9118ebcfd6

      SHA1

      964a991f99d9131dbcee088dcfd520996fff2aef

      SHA256

      f19b8229adf7dfa9524eb1649acf7686482c4a0cf066de218d2569689a9a802f

      SHA512

      2f0f40541a4f039b1e3143d4ada19cba72f3586a9f98aa94a61765f7a0c20ca773904e3e089bb0fd2997f4be3fb0cd2af2929ec79d0535e19d72be8f696e978d

    • \Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      cf83fbea38390db07d284e1ac29176b4

      SHA1

      3c1fe39f8f1ddb2d28e9e1928bd5c2758a3254a2

      SHA256

      4e7f8c1c0a55c1dfe6e29bce4f110e89cc8c0174bc84144577c02f18a77b50de

      SHA512

      7de5089689f943a24fa5720ab63636c53a0e2d421995a9b9d99f2f5201705eb5ceff4872f8e113a739a319c229207dae9a231b4a7a39a4c61c9f2e67d77c553e

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      8afc4dcfc9443520f3dea034ee228dd6

      SHA1

      670a33cf306e8aa317ff977a13f99415d29254a2

      SHA256

      2254c13ec3a40c428b562a906c301180095d3840c10fd079dc2fc12ef9081071

      SHA512

      f0dce724430a854f3feaf8e9b21e4db9535eff0bdcc3f970d9d2ecfb2744ad9ac0560748491fb83353232751547a8a0226db3d0565699a47fc922d608a346a2f

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      2bca9731bf7de56aaa47329026df9d5e

      SHA1

      cb98bf980874d896deace337d42dc97f913197d8

      SHA256

      baa2c5346ce8ed0213492190bd7c16aea73ec7c18e62c1d96a898b6676665d5f

      SHA512

      b8d854b33d3d62330e9703a894a38a889fb4dc7cf462ebccf756cceae70873395935db39276d65ebb23047902d2ee11565f5fdad2c1aaf579f367cd11e1ace68

    • memory/304-64-0x0000000001B70000-0x0000000001B8F000-memory.dmp

      Filesize

      124KB

    • memory/304-78-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/872-106-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1924-75-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/1924-77-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2536-53-0x0000000000300000-0x000000000031F000-memory.dmp

      Filesize

      124KB

    • memory/2536-105-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2628-79-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2748-32-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

      Filesize

      36KB

    • memory/2748-33-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

      Filesize

      36KB

    • memory/2748-36-0x00000000010E0000-0x0000000001165000-memory.dmp

      Filesize

      532KB

    • memory/2748-18-0x00000000010E0000-0x0000000001165000-memory.dmp

      Filesize

      532KB

    • memory/2792-35-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

      Filesize

      36KB

    • memory/2792-103-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

      Filesize

      36KB

    • memory/3032-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/3032-80-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/3032-12-0x0000000002730000-0x00000000027B5000-memory.dmp

      Filesize

      532KB

    • memory/3032-13-0x0000000002730000-0x00000000027B5000-memory.dmp

      Filesize

      532KB

    • memory/3032-19-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB