Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/01/2025, 02:52 UTC

General

  • Target

    2025-01-21_f482f8628d2c6228ad5d2b1cdc089b6f_icedid_smoke-loader_wapomi.exe

  • Size

    561KB

  • MD5

    f482f8628d2c6228ad5d2b1cdc089b6f

  • SHA1

    6e2d73ded040010ea239b892efc4164c9f92362a

  • SHA256

    b5f77605f3372b9bd1ca3b696c82b1c099fa3c7866dd392f9c4e5ed48dd5e5c8

  • SHA512

    abd042ddcd28922dbb4929d654458d9b8bf6b8743a76c834a1d155dc910092cea2befb6ee37e73d723da4ff2b1ba096d11b6d52138df4ba2b0c6e71a9598d69d

  • SSDEEP

    12288:knsIcbXp6mxTx1H4yhMbBgOMU5ouiDaFSwNZi+s4fw:knscoyyhMbBgOrhiJSTfw

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is a backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-21_f482f8628d2c6228ad5d2b1cdc089b6f_icedid_smoke-loader_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-21_f482f8628d2c6228ad5d2b1cdc089b6f_icedid_smoke-loader_wapomi.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Admin\AppData\Local\Temp\wlomFx.exe
      C:\Users\Admin\AppData\Local\Temp\wlomFx.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1e7f691b.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:448

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    wlomFx.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    DNS
    ddos.dnsnb8.net
    wlomFx.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    DNS
    ddos.dnsnb8.net
    wlomFx.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 44.221.84.105:799
    ddos.dnsnb8.net
    wlomFx.exe
    260 B
    5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    wlomFx.exe
    260 B
    5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    wlomFx.exe
    260 B
    5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    wlomFx.exe
    260 B
    5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    wlomFx.exe
    260 B
    5
  • 13.69.239.73:443
  • 104.78.173.167:80
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    wlomFx.exe
    183 B
    231 B
    3
    3

    DNS Request

    ddos.dnsnb8.net

    DNS Request

    ddos.dnsnb8.net

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

    DNS Response

    44.221.84.105

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    181.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    181.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1e7f691b.bat

    Filesize

    187B

    MD5

    eabee75d2d6a5d473cf1c12e3c8b164f

    SHA1

    f99e8f378c14b4aac1e218473bda0d3edd567405

    SHA256

    9dead35b35b956b507e9c75917886c54f00baa3901dcb949b4824d63de3f345c

    SHA512

    7027efb6b819cae8d110c11dacb2bad883db8178e1d8db63a07b6c8601b6fbe1ddd66c283afc809ac153f22b5277aab39067b831fdfa85fd51561b937b1fd3db

  • C:\Users\Admin\AppData\Local\Temp\wlomFx.exe

    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

  • memory/3104-4-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

    Filesize

    36KB

  • memory/3104-8-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

    Filesize

    36KB

  • memory/5024-0-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

  • memory/5024-7-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB
