eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
9s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/BaldiTrojan-x32.exe
Size

4.2MB
MD5

0aeaafa78906f0977c4af8963bcd84c2
SHA1

59a4a0e73d646349c4dde83ceb996e20167cfcc0
SHA256

822023abab19f62e0b5243390df4639cb7697dac75a323682f7478db477dee24
SHA512

82ac5b2e225c30ee4f2197562b77ca1ec1b5c5cd438bf819d3b91adb9cca6421943afdf43b4748a3f9a321c30a274d145e248ac9da5bf76799440612ec13419d
SSDEEP

98304:fKgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQMU0qay9jT:uzk0mtyTqj6W4SGYSQcqD9P

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Baldi.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation Baldi.exe
Executes dropped EXE 2 IoCs

Processes:

Baldi.exeDisableUAC.exe

pid process

3776 Baldi.exe
3208 DisableUAC.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Baldi.exe

pid	process
3776	Baldi.exe
3208	DisableUAC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GG.exe = "C:\\Baldi\\Baldi.exe"	Baldi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Baldi\\lol.png"	Baldi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3404 taskkill.exe

pid	process
3404	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\TileWallpaper = "0"	Baldi.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\desktop	Baldi.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

shutdown.exetaskkill.exe

description pid process

Token: SeShutdownPrivilege 228 shutdown.exe
Token: SeRemoteShutdownPrivilege 228 shutdown.exe
Token: SeDebugPrivilege 3404 taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1652 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	228	shutdown.exe
Token: SeRemoteShutdownPrivilege	228	shutdown.exe
Token: SeDebugPrivilege	3404	taskkill.exe

pid	process
1652	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

BaldiTrojan-x32.execmd.exeDisableUAC.execmd.exeBaldi.exe

description	pid	process	target process
PID 1296 wrote to memory of 5104	1296	BaldiTrojan-x32.exe	cmd.exe
PID 1296 wrote to memory of 5104	1296	BaldiTrojan-x32.exe	cmd.exe
PID 1296 wrote to memory of 5104	1296	BaldiTrojan-x32.exe	cmd.exe
PID 5104 wrote to memory of 3776	5104	cmd.exe	Baldi.exe
PID 5104 wrote to memory of 3776	5104	cmd.exe	Baldi.exe
PID 5104 wrote to memory of 3776	5104	cmd.exe	Baldi.exe
PID 5104 wrote to memory of 3208	5104	cmd.exe	DisableUAC.exe
PID 5104 wrote to memory of 3208	5104	cmd.exe	DisableUAC.exe
PID 5104 wrote to memory of 3208	5104	cmd.exe	DisableUAC.exe
PID 3208 wrote to memory of 1000	3208	DisableUAC.exe	cmd.exe
PID 3208 wrote to memory of 1000	3208	DisableUAC.exe	cmd.exe
PID 1000 wrote to memory of 248	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 248	1000	cmd.exe	reg.exe
PID 1000 wrote to memory of 228	1000	cmd.exe	shutdown.exe
PID 1000 wrote to memory of 228	1000	cmd.exe	shutdown.exe
PID 3776 wrote to memory of 3404	3776	Baldi.exe	taskkill.exe
PID 3776 wrote to memory of 3404	3776	Baldi.exe	taskkill.exe
PID 3776 wrote to memory of 3404	3776	Baldi.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x32.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Baldi\Baldi.exe
    C:\Baldi\Baldi.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\Baldi\DisableUAC.exe
    C:\Baldi\DisableUAC.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\16E3.tmp\16E4.bat C:\Baldi\DisableUAC.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        
        PID:248
    - - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39db855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Baldi\Baldi.exe

Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\CleanZUpdater.bat

Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
C:\Baldi\DisableUAC.exe

Filesize
71KB

MD5
6efbafb622199eabc427a101d601aa8a

SHA1
099cd80eb158feb9c833bf70a37de99c1fbae5e1

SHA256
bfb2eb05fbdb0181040e6d741789e586fca09a48e18224e313c4bdc3a7918ca6

SHA512
fee1ace6c3ca254c558381032966957a28bb64b7111551a168bd659dae03dd74786dc029946503dc66e11c339cc790f8b97f92d9de846251358323bd41758dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\16E3.tmp\16E4.bat

Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
memory/3776-149-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/3776-150-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads