Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2025, 03:33 UTC

General

  • Target

    2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe

  • Size

    24KB

  • MD5

    fe92ccb3a6f9d06f24cadd44211525d2

  • SHA1

    a392460b01e5a41bf26ac70261a55a82308d2d92

  • SHA256

    e13c94e813fd3da26f23f6029e6b46d607a0a465fc4f898f4893e927e7a8b205

  • SHA512

    fe45e6410730d20fb44bdd3719f300c77d2378c8c04c1289f8b001c3c75b42ebd0b04ff0c863d13d45a7067df78dc37f6a53bb47dd7a26bfcec7ddde507877c7

  • SSDEEP

    384:vVMEEDYM3MVAgrgBScXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9Pffr:vGE4YM32A4H8QGPL4vzZq2o9W7GsxBbz

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 2 IoCs

    Bdaejec is a backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-03_fe92ccb3a6f9d06f24cadd44211525d2_smoke-loader_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
      C:\Users\Admin\AppData\Local\Temp\IvxcQ.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1285060a.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    IvxcQ.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • 44.221.84.105:799
    ddos.dnsnb8.net
    IvxcQ.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    IvxcQ.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    IvxcQ.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    IvxcQ.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    IvxcQ.exe
    152 B
    3
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    IvxcQ.exe
    61 B
    77 B
    1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1285060a.bat

    Filesize

    185B

    MD5

    397844dde6acd2b811c266806f2a2dab

    SHA1

    f227279a995714dc624a80e69c3f1068568db4a3

    SHA256

    28d5a30f36ec0faa3f402d57264272a1ad20411cf99ec81238698b9d6f8ead2f

    SHA512

    598eb6c11a07394db66db0ef34ede4d9b056a9786b4890ccad0c1656e0404ae11b88f37e74c447eb71804e3206aeea0fee5f66fc52dac8b6c07052d682b79b88

  • \Users\Admin\AppData\Local\Temp\IvxcQ.exe

    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/2404-0-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/2404-3-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB

  • memory/2404-10-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/3068-12-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB

  • memory/3068-15-0x0000000000B50000-0x0000000000B59000-memory.dmp

    Filesize

    36KB
