eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
14s
max time network
55s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/BaldiTrojan-x32.exe
Size

4.2MB
MD5

0aeaafa78906f0977c4af8963bcd84c2
SHA1

59a4a0e73d646349c4dde83ceb996e20167cfcc0
SHA256

822023abab19f62e0b5243390df4639cb7697dac75a323682f7478db477dee24
SHA512

82ac5b2e225c30ee4f2197562b77ca1ec1b5c5cd438bf819d3b91adb9cca6421943afdf43b4748a3f9a321c30a274d145e248ac9da5bf76799440612ec13419d
SSDEEP

98304:fKgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQMU0qay9jT:uzk0mtyTqj6W4SGYSQcqD9P

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Baldi.exeDisableUAC.exe

pid process

1008 Baldi.exe
1576 DisableUAC.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeBaldi.exeDisableUAC.exe

pid process

1564 cmd.exe
1564 cmd.exe
1008 Baldi.exe
1008 Baldi.exe
1576 DisableUAC.exe
1576 DisableUAC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
1008	Baldi.exe
1576	DisableUAC.exe

pid	process
1564	cmd.exe
1564	cmd.exe
1008	Baldi.exe
1008	Baldi.exe
1576	DisableUAC.exe
1576	DisableUAC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\GG.exe = "C:\\Baldi\\Baldi.exe"	Baldi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\Baldi\\lol.png"	Baldi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1396 taskkill.exe

pid	process
1396	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\TileWallpaper = "0"	Baldi.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\desktop	Baldi.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shutdown.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	1696	shutdown.exe
Token: SeRemoteShutdownPrivilege	1696	shutdown.exe
Token: SeDebugPrivilege	1396	taskkill.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

BaldiTrojan-x32.execmd.exeDisableUAC.execmd.exeBaldi.exe

description	pid	process	target process
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1304 wrote to memory of 1564	1304	BaldiTrojan-x32.exe	cmd.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1008	1564	cmd.exe	Baldi.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1564 wrote to memory of 1576	1564	cmd.exe	DisableUAC.exe
PID 1576 wrote to memory of 1552	1576	DisableUAC.exe	cmd.exe
PID 1576 wrote to memory of 1552	1576	DisableUAC.exe	cmd.exe
PID 1576 wrote to memory of 1552	1576	DisableUAC.exe	cmd.exe
PID 1576 wrote to memory of 1552	1576	DisableUAC.exe	cmd.exe
PID 1552 wrote to memory of 1644	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1644	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1644	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1696	1552	cmd.exe	shutdown.exe
PID 1552 wrote to memory of 1696	1552	cmd.exe	shutdown.exe
PID 1552 wrote to memory of 1696	1552	cmd.exe	shutdown.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe
PID 1008 wrote to memory of 1396	1008	Baldi.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x32.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c CleanZUpdater.bat
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Baldi\Baldi.exe
    C:\Baldi\Baldi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1396
- - C:\Baldi\DisableUAC.exe
    C:\Baldi\DisableUAC.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1814.tmp\1824.bat C:\Baldi\DisableUAC.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:1644
    - - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\CleanZUpdater.bat

Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\CleanZUpdater.bat

Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
C:\Baldi\lol.png

Filesize
148KB

MD5
41c46f443e8ee13bfaa86399eb6ee3f8

SHA1
e1de323885e86321591d6b31c3354fe2f7236510

SHA256
88135e8ced1ddd25e2d92fbc5ab19b5c251cd8fdb8303cf4026ec644a989a8ab

SHA512
e638200b40a19fe282dd7f1ba38558bd02d81f7dd10765e0207e2b2f77b9840848c8a9982092d02e76dea76c12b3ef6db5c9f8ee896b8aeea475f9118d32ac18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1814.tmp\1824.bat

Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
memory/824-83-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1008-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1008-82-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/1808-84-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads