Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/01/2025, 19:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
General
-
Target
734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe
-
Size
80KB
-
MD5
3e0b5d63a01ca7c6e327331bf7526d70
-
SHA1
ea6f02a39d22e96a66695c745436d941d7541c41
-
SHA256
734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1
-
SHA512
655c404f5a144e8d7f62355a4080f544aa07f087e994415f7c147694ecdd64c0adeffa501cbefa18ae815057df9cf392ca4f7c5384a8470b4ec27f4ce3690edd
-
SSDEEP
1536:RfnLq01weW5yX3jFxv49Nu4GhQcGGCq2iW7z:Y3ysTGhQHGCH
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/2108-14-0x0000000000060000-0x0000000000069000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral1/files/0x000700000001211a-9.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2108 fhlqFW.exe -
Loads dropped DLL 2 IoCs
pid Process 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe fhlqFW.exe File opened for modification C:\Program Files\Windows Mail\wab.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE fhlqFW.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe fhlqFW.exe File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\chrome_installer.exe fhlqFW.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe fhlqFW.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe fhlqFW.exe File opened for modification C:\Program Files\Windows Defender\MSASCui.exe fhlqFW.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe fhlqFW.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe fhlqFW.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe fhlqFW.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe fhlqFW.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe fhlqFW.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe fhlqFW.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE fhlqFW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\misc.exe fhlqFW.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fhlqFW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2108 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe 31 PID 2532 wrote to memory of 2108 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe 31 PID 2532 wrote to memory of 2108 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe 31 PID 2532 wrote to memory of 2108 2532 734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe 31 PID 2108 wrote to memory of 1148 2108 fhlqFW.exe 35 PID 2108 wrote to memory of 1148 2108 fhlqFW.exe 35 PID 2108 wrote to memory of 1148 2108 fhlqFW.exe 35 PID 2108 wrote to memory of 1148 2108 fhlqFW.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe"C:\Users\Admin\AppData\Local\Temp\734218ba8f1507bab801818afb9047c8477e51ae41ae32d4abf407d96e777de1N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\fhlqFW.exeC:\Users\Admin\AppData\Local\Temp\fhlqFW.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\45643d4f.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:1148
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5d787c3fea37c8565caf4c6c7e345fc10
SHA1bda116ef287d6e895dc5f96eb6b911b77762cb23
SHA256ce09c98ff8d2f421eb432156b78062c83cf1119181df97fcf3e8658b9946c8f0
SHA512fff2f66504e3bdf088a82bd98c807871f0944af0234992dbf9ad3bf879c04c0eef8e77798122c8c5fc99548b100901328b4aca5fd0ec94eacd18620648811faf
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e