Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    03/02/2025, 03:33

General

  • Target

    2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe

  • Size

    24KB

  • MD5

    fe92ccb3a6f9d06f24cadd44211525d2

  • SHA1

    a392460b01e5a41bf26ac70261a55a82308d2d92

  • SHA256

    e13c94e813fd3da26f23f6029e6b46d607a0a465fc4f898f4893e927e7a8b205

  • SHA512

    fe45e6410730d20fb44bdd3719f300c77d2378c8c04c1289f8b001c3c75b42ebd0b04ff0c863d13d45a7067df78dc37f6a53bb47dd7a26bfcec7ddde507877c7

  • SSDEEP

    384:vVMEEDYM3MVAgrgBScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9Pffr:vGE4YM32A4H8QGPL4vzZq2o9W7GsxBbz

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 2 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
      C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1285060a.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1285060a.bat

    Filesize

    185B

    MD5

    397844dde6acd2b811c266806f2a2dab

    SHA1

    f227279a995714dc624a80e69c3f1068568db4a3

    SHA256

    28d5a30f36ec0faa3f402d57264272a1ad20411cf99ec81238698b9d6f8ead2f

    SHA512

    598eb6c11a07394db66db0ef34ede4d9b056a9786b4890ccad0c1656e0404ae11b88f37e74c447eb71804e3206aeea0fee5f66fc52dac8b6c07052d682b79b88

  • \Users\Admin\AppData\Local\Temp\IvxcQ.exe

    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/2404-0-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2404-3-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB

  • memory/2404-10-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3068-12-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB

  • memory/3068-15-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB