eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
10s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/BaldiTrojan-x64.exe
Size

4.2MB
MD5

e2c4c4dd8c6a357eca164955a8fe040c
SHA1

f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256

f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
SHA512

389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
SSDEEP

98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Baldi.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation Baldi.exe
Executes dropped EXE 2 IoCs

Processes:

Baldi.exeDisableUAC.exe

pid process

3812 Baldi.exe
2024 DisableUAC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Baldi.exe

pid	process
3812	Baldi.exe
2024	DisableUAC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GG.exe = "C:\\Baldi\\Baldi.exe"	Baldi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Baldi\\lol.png"	Baldi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3680 taskkill.exe

pid	process
3680	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

Baldi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\desktop	Baldi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\TileWallpaper = "0"	Baldi.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shutdown.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	3536	shutdown.exe
Token: SeRemoteShutdownPrivilege	3536	shutdown.exe
Token: SeDebugPrivilege	3680	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2056 LogonUI.exe

pid	process
2056	LogonUI.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

BaldiTrojan-x64.execmd.exeDisableUAC.execmd.exeBaldi.exe

description	pid	process	target process
PID 3348 wrote to memory of 1116	3348	BaldiTrojan-x64.exe	cmd.exe
PID 3348 wrote to memory of 1116	3348	BaldiTrojan-x64.exe	cmd.exe
PID 3348 wrote to memory of 1116	3348	BaldiTrojan-x64.exe	cmd.exe
PID 1116 wrote to memory of 3812	1116	cmd.exe	Baldi.exe
PID 1116 wrote to memory of 3812	1116	cmd.exe	Baldi.exe
PID 1116 wrote to memory of 3812	1116	cmd.exe	Baldi.exe
PID 1116 wrote to memory of 2024	1116	cmd.exe	DisableUAC.exe
PID 1116 wrote to memory of 2024	1116	cmd.exe	DisableUAC.exe
PID 2024 wrote to memory of 3292	2024	DisableUAC.exe	cmd.exe
PID 2024 wrote to memory of 3292	2024	DisableUAC.exe	cmd.exe
PID 3292 wrote to memory of 4292	3292	cmd.exe	reg.exe
PID 3292 wrote to memory of 4292	3292	cmd.exe	reg.exe
PID 3292 wrote to memory of 3536	3292	cmd.exe	shutdown.exe
PID 3292 wrote to memory of 3536	3292	cmd.exe	shutdown.exe
PID 3812 wrote to memory of 3680	3812	Baldi.exe	taskkill.exe
PID 3812 wrote to memory of 3680	3812	Baldi.exe	taskkill.exe
PID 3812 wrote to memory of 3680	3812	Baldi.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Baldi\Baldi.exe
    C:\Baldi\Baldi.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- - C:\Baldi\DisableUAC.exe
    C:\Baldi\DisableUAC.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F90.tmp\F91.bat C:\Baldi\DisableUAC.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:4292
    - - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39f5055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\CleanZUpdater.bat

Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F90.tmp\F91.bat

Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
memory/3812-149-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/3812-150-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads