28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5

General

Target

931fdd551975cf30ae02f85a90c5ee22.exe
Size

215KB
MD5

931fdd551975cf30ae02f85a90c5ee22
SHA1

d0330b0199af3e6c06534fee5cbf9d5e88966bc1
SHA256

28af95bea8456409bdb09856b0f46304eff9801c3c841b1362ca7a794d7628a5
SHA512

68b29d615d97e0be26d799390ba526b5959a805006f1294238073b980266e73b86b5f9a90948bd5170023b80b5d0141baa4784eb1a71b2036a7e36fdf8b71f32

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

bdalGDAA.exebdalGDAA.exebdalGDAA.exebdalGDAA.exe

pid process

1580 bdalGDAA.exe
620 bdalGDAA.exe
1968 bdalGDAA.exe
1584 bdalGDAA.exe
Loads dropped DLL 2 IoCs

Processes:

931fdd551975cf30ae02f85a90c5ee22.exe

pid process

1632 931fdd551975cf30ae02f85a90c5ee22.exe
1632 931fdd551975cf30ae02f85a90c5ee22.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1208 schtasks.exe

pid	process
1580	bdalGDAA.exe
620	bdalGDAA.exe
1968	bdalGDAA.exe
1584	bdalGDAA.exe

pid	process
1632	931fdd551975cf30ae02f85a90c5ee22.exe
1632	931fdd551975cf30ae02f85a90c5ee22.exe

pid	process
1208	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

931fdd551975cf30ae02f85a90c5ee22.execmd.exetaskeng.exe

description	pid	process	target process
PID 1632 wrote to memory of 1580	1632	931fdd551975cf30ae02f85a90c5ee22.exe	bdalGDAA.exe
PID 1632 wrote to memory of 1580	1632	931fdd551975cf30ae02f85a90c5ee22.exe	bdalGDAA.exe
PID 1632 wrote to memory of 1580	1632	931fdd551975cf30ae02f85a90c5ee22.exe	bdalGDAA.exe
PID 1632 wrote to memory of 1580	1632	931fdd551975cf30ae02f85a90c5ee22.exe	bdalGDAA.exe
PID 1632 wrote to memory of 1740	1632	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 1632 wrote to memory of 1740	1632	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 1632 wrote to memory of 1740	1632	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 1632 wrote to memory of 1740	1632	931fdd551975cf30ae02f85a90c5ee22.exe	cmd.exe
PID 1740 wrote to memory of 1208	1740	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1208	1740	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1208	1740	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1208	1740	cmd.exe	schtasks.exe
PID 548 wrote to memory of 620	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 620	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 620	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 620	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1968	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1968	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1968	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1968	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1584	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1584	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1584	548	taskeng.exe	bdalGDAA.exe
PID 548 wrote to memory of 1584	548	taskeng.exe	bdalGDAA.exe

C:\Users\Admin\AppData\Local\Temp\931fdd551975cf30ae02f85a90c5ee22.exe
"C:\Users\Admin\AppData\Local\Temp\931fdd551975cf30ae02f85a90c5ee22.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
"C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe"
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /F /sc minute /mo 1 /tn "\WindowsAppPool\AppPool" /tr "C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe"
3⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\taskeng.exe
taskeng.exe {00727168-A724-4494-888A-669FA25954FC} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
2⤵
- Executes dropped EXE
PID:620

C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
2⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
\Users\Admin\AppData\Local\Temp\bdalGDAA.exe
MD5
8b377bd11678351f77f18969a195dab4

SHA1
95f04cb44182840f36002e91aabfd25ffa03b45f

SHA256
59b2349a342acd43b45f8627da9efde914a6ace21ac9c711cb2e62eda115154f

SHA512
47a66ca9821a9ac6d893be3c6dbcda370ee7931873d0f50edc7b41f75037f9cf4db3e0158ffb127a97349d378da0bcce4cb5f0b02254d940c75d2b9b93feac83

Download Submit
memory/620-13-0x0000000000000000-mapping.dmp

Download
memory/620-16-0x00000000007A0000-0x00000000007B1000-memory.dmp

Filesize
68KB

Download
memory/684-2-0x000007FEF6100000-0x000007FEF637A000-memory.dmp

Filesize
2.5MB

Download
memory/1208-11-0x0000000000000000-mapping.dmp

Download
memory/1580-15-0x0000000000980000-0x0000000000991000-memory.dmp

Filesize
68KB

Download
memory/1580-8-0x0000000000000000-mapping.dmp

Download
memory/1584-20-0x0000000000000000-mapping.dmp

Download
memory/1632-0-0x00000000005AB000-0x00000000005AC000-memory.dmp

Filesize
4KB

Download
memory/1632-1-0x0000000001F10000-0x0000000001F21000-memory.dmp

Filesize
68KB

Download
memory/1740-10-0x0000000000000000-mapping.dmp

Download
memory/1968-17-0x0000000000000000-mapping.dmp

Download
memory/1968-19-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads