Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2025, 03:33
Static task
static1
Behavioral task
behavioral1
Sample
2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
Resource
win7-20240708-en
General
Target: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
Size: 24KB
MD5: fe92ccb3a6f9d06f24cadd44211525d2
SHA1: a392460b01e5a41bf26ac70261a55a82308d2d92
SHA256: e13c94e813fd3da26f23f6029e6b46d607a0a465fc4f898f4893e927e7a8b205
SHA512: fe45e6410730d20fb44bdd3719f300c77d2378c8c04c1289f8b001c3c75b42ebd0b04ff0c863d13d45a7067df78dc37f6a53bb47dd7a26bfcec7ddde507877c7
SSDEEP: 384:vVMEEDYM3MVAgrgBScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9Pffr:vGE4YM32A4H8QGPL4vzZq2o9W7GsxBbz
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
- Bdaejec family
- Detects Bdaejec Backdoor. 2 IoCs
  Bdaejec is a backdoor written in C++.
  - resource: behavioral1/memory/3068-12-0x0000000000B50000-0x0000000000B59000-memory.dmp, yara_rule: family_bdaejec_backdoor
  - resource: behavioral1/memory/3068-15-0x0000000000B50000-0x0000000000B59000-memory.dmp, yara_rule: family_bdaejec_backdoor
- resource: behavioral1/files/0x00080000000120fb-2.dat, yara_rule: aspack_v212_v242
Executes dropped EXE 1 IoCs
  - pid 3068: IvxcQ.exe
Loads dropped DLL 2 IoCs
  - pid 2404: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
  - pid 2404: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
Drops file in Program Files directory 64 IoCs
  File opened for modification by IvxcQ.exe:
  - C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  - C:\Program Files\Java\jre7\bin\javaws.exe
  - C:\Program Files\Java\jre7\bin\policytool.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
  - C:\Program Files\Google\Chrome\Application\chrome.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  - C:\Program Files\Java\jre7\bin\unpack200.exe
  - C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  - C:\Program Files\7-Zip\Uninstall.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
  - C:\Program Files\Windows Sidebar\sidebar.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
  - C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  - C:\Program Files\Windows Defender\MSASCui.exe
  - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  - C:\Program Files\Java\jre7\bin\javacpl.exe
  - C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
  - C:\Program Files\Mozilla Firefox\private_browsing.exe
  - C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
  - C:\Program Files\Java\jre7\bin\orbd.exe
  - C:\Program Files\Microsoft Games\Hearts\Hearts.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
  - C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
  - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
  - C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  - C:\Program Files\Java\jre7\bin\javaw.exe
  - C:\Program Files\Java\jre7\bin\rmiregistry.exe
  - C:\Program Files\Mozilla Firefox\plugin-container.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
  - C:\Program Files\VideoLAN\VLC\vlc.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
  - C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
  - C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
  - C:\Program Files\Mozilla Firefox\pingsender.exe
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe
  - C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
  - C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
  - C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
  - C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  - C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by IvxcQ.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
Suspicious use of WriteProcessMemory 8 IoCs
  - PID 2404 wrote to memory of 3068 (process: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe, procid_target: 30)
  - PID 2404 wrote to memory of 3068 (process: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe, procid_target: 30)
  - PID 2404 wrote to memory of 3068 (process: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe, procid_target: 30)
  - PID 2404 wrote to memory of 3068 (process: 2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe, procid_target: 30)
  - PID 3068 wrote to memory of 2312 (process: IvxcQ.exe, procid_target: 33)
  - PID 3068 wrote to memory of 2312 (process: IvxcQ.exe, procid_target: 33)
  - PID 3068 wrote to memory of 2312 (process: IvxcQ.exe, procid_target: 33)
  - PID 3068 wrote to memory of 2312 (process: IvxcQ.exe, procid_target: 33)
Processes
- C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe"
  PID: 2404
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
    PID: 3068
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\1285060a.bat" "
      PID: 2312
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 185B
  MD5: 397844dde6acd2b811c266806f2a2dab
  SHA1: f227279a995714dc624a80e69c3f1068568db4a3
  SHA256: 28d5a30f36ec0faa3f402d57264272a1ad20411cf99ec81238698b9d6f8ead2f
  SHA512: 598eb6c11a07394db66db0ef34ede4d9b056a9786b4890ccad0c1656e0404ae11b88f37e74c447eb71804e3206aeea0fee5f66fc52dac8b6c07052d682b79b88
- Filesize: 15KB
  MD5: f7d21de5c4e81341eccd280c11ddcc9a
  SHA1: d4e9ef10d7685d491583c6fa93ae5d9105d815bd
  SHA256: 4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
  SHA512: e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3