dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2

General

Target

dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe
Size

136KB
MD5

c89ddcd7fbed1483463ae1d9d1931fa7
SHA1

26a7f9060de3a4dea3511b496578a08d47da7216
SHA256

dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2
SHA512

c002e438531bb9c821a5bbbb91d41419f3bbc5dbb11c4d8fd450a3b777b881adba1f283c6f61be42963508abee67ef17afc0759aa199d106696b88f6a43be4a5
SSDEEP

3072:IEH+GiEs2SMylNOjyFbxJW5eqwUY9SUTGrf4NUDZCdPVv:IsehzRFtI8IU1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

bdbr.exe

pid process

1132 bdbr.exe

pid	process
1132	bdbr.exe

Loads dropped DLL 3 IoCs

Processes:

dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exebdbr.exe

pid	process
2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe
2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe
1132	bdbr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe

description	pid	process	target process
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe
PID 2028 wrote to memory of 1132	2028	dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe	bdbr.exe

C:\Users\Admin\AppData\Local\Temp\dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe
"C:\Users\Admin\AppData\Local\Temp\dd589fa393e95bbc830026fdc08dbbf707553f74475b7760d099cb603a3952c2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe

Filesize
182KB

MD5
29542ad500f4380b5009144336508a39

SHA1
47cf785cc331477cc77d62b5ed2be9c90f71c0aa

SHA256
556d47bd921e84f64a31afe241e86961c3aa1c4f51be54b78824720fae34562f

SHA512
6ab53369934879f7508cb81f289edbf686db7ea84d84f4465762fcc3243a2f90cbda14d03b8844c957243d2625a96aa1454b9ac4ea9fcb7e2b803d4f099e2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe

Filesize
182KB

MD5
29542ad500f4380b5009144336508a39

SHA1
47cf785cc331477cc77d62b5ed2be9c90f71c0aa

SHA256
556d47bd921e84f64a31afe241e86961c3aa1c4f51be54b78824720fae34562f

SHA512
6ab53369934879f7508cb81f289edbf686db7ea84d84f4465762fcc3243a2f90cbda14d03b8844c957243d2625a96aa1454b9ac4ea9fcb7e2b803d4f099e2521

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe

Filesize
182KB

MD5
29542ad500f4380b5009144336508a39

SHA1
47cf785cc331477cc77d62b5ed2be9c90f71c0aa

SHA256
556d47bd921e84f64a31afe241e86961c3aa1c4f51be54b78824720fae34562f

SHA512
6ab53369934879f7508cb81f289edbf686db7ea84d84f4465762fcc3243a2f90cbda14d03b8844c957243d2625a96aa1454b9ac4ea9fcb7e2b803d4f099e2521

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe

Filesize
182KB

MD5
29542ad500f4380b5009144336508a39

SHA1
47cf785cc331477cc77d62b5ed2be9c90f71c0aa

SHA256
556d47bd921e84f64a31afe241e86961c3aa1c4f51be54b78824720fae34562f

SHA512
6ab53369934879f7508cb81f289edbf686db7ea84d84f4465762fcc3243a2f90cbda14d03b8844c957243d2625a96aa1454b9ac4ea9fcb7e2b803d4f099e2521

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\bdbr.exe

Filesize
182KB

MD5
29542ad500f4380b5009144336508a39

SHA1
47cf785cc331477cc77d62b5ed2be9c90f71c0aa

SHA256
556d47bd921e84f64a31afe241e86961c3aa1c4f51be54b78824720fae34562f

SHA512
6ab53369934879f7508cb81f289edbf686db7ea84d84f4465762fcc3243a2f90cbda14d03b8844c957243d2625a96aa1454b9ac4ea9fcb7e2b803d4f099e2521

Download Submit
memory/1132-57-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads