eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

Analysis

max time kernel
32s
max time network
90s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-05-2023 19:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

trojan-leaks-main/BaldiTrojan-x64.exe
Size

4.2MB
MD5

e2c4c4dd8c6a357eca164955a8fe040c
SHA1

f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256

f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
SHA512

389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
SSDEEP

98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Baldi.exeDisableUAC.exe

pid process

580 Baldi.exe
756 DisableUAC.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeBaldi.exe

pid process

2040 cmd.exe
2040 cmd.exe
580 Baldi.exe
580 Baldi.exe
1872

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
580	Baldi.exe
756	DisableUAC.exe

pid	process
2040	cmd.exe
2040	cmd.exe
580	Baldi.exe
580	Baldi.exe
1872

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\GG.exe = "C:\\Baldi\\Baldi.exe"	Baldi.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Baldi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\Wallpaper = "C:\\Baldi\\lol.png"	Baldi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1484 taskkill.exe

pid	process
1484	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

Baldi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\desktop	Baldi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\Desktop\TileWallpaper = "0"	Baldi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shutdown.exe

description pid process

Token: SeShutdownPrivilege 1772 shutdown.exe
Token: SeRemoteShutdownPrivilege 1772 shutdown.exe

description	pid	process
Token: SeShutdownPrivilege	1772	shutdown.exe
Token: SeRemoteShutdownPrivilege	1772	shutdown.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

BaldiTrojan-x64.execmd.exeDisableUAC.execmd.exeBaldi.exe

description	pid	process	target process
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 912 wrote to memory of 2040	912	BaldiTrojan-x64.exe	cmd.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 580	2040	cmd.exe	Baldi.exe
PID 2040 wrote to memory of 756	2040	cmd.exe	DisableUAC.exe
PID 2040 wrote to memory of 756	2040	cmd.exe	DisableUAC.exe
PID 2040 wrote to memory of 756	2040	cmd.exe	DisableUAC.exe
PID 2040 wrote to memory of 756	2040	cmd.exe	DisableUAC.exe
PID 756 wrote to memory of 1868	756	DisableUAC.exe	cmd.exe
PID 756 wrote to memory of 1868	756	DisableUAC.exe	cmd.exe
PID 756 wrote to memory of 1868	756	DisableUAC.exe	cmd.exe
PID 1868 wrote to memory of 1768	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1768	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1768	1868	cmd.exe	reg.exe
PID 1868 wrote to memory of 1772	1868	cmd.exe	shutdown.exe
PID 1868 wrote to memory of 1772	1868	cmd.exe	shutdown.exe
PID 1868 wrote to memory of 1772	1868	cmd.exe	shutdown.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe
PID 580 wrote to memory of 1484	580	Baldi.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\BaldiTrojan-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c CleanZUpdater.bat
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
4⤵
- Kills process with taskkill
PID:1484

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38DD.tmp\38ED.bat C:\Baldi\DisableUAC.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- UAC bypass
PID:1768

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
C:\Baldi\CleanZUpdater.bat
Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\CleanZUpdater.bat
Filesize
66B

MD5
b54e64a1f0b58d09cf57d983d7ba7361

SHA1
d6c36454390be4eea41512bd39a9c68d77f614bf

SHA256
2683d451ab3423e25bcbeca902e6b586d0d9e8689c9c1bb6dca47bfae547a7d7

SHA512
583a6b07d584a433a78c8a948807caf5d1bfa0a1b8ef6dcf5a7f67db38e03baf875cabdc91f974276295c01485b78c11002b4cf10f08346ab92c2375479beb0a

Download Submit
C:\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
C:\Baldi\lol.png
Filesize
148KB

MD5
41c46f443e8ee13bfaa86399eb6ee3f8

SHA1
e1de323885e86321591d6b31c3354fe2f7236510

SHA256
88135e8ced1ddd25e2d92fbc5ab19b5c251cd8fdb8303cf4026ec644a989a8ab

SHA512
e638200b40a19fe282dd7f1ba38558bd02d81f7dd10765e0207e2b2f77b9840848c8a9982092d02e76dea76c12b3ef6db5c9f8ee896b8aeea475f9118d32ac18

Download Submit
C:\Users\Admin\AppData\Local\Temp\38DD.tmp\38ED.bat
Filesize
186B

MD5
a708b066fda65f8d7f94a2cbd4919b0f

SHA1
5c723e4f1ba46b5cb6813b5db490dd63748cb07c

SHA256
754d5b111ec7225c4d643142ddf0dfaab585f12b2f69bcca088abbd0d23a5a79

SHA512
75b7a6401ebfb2aa9194ff3ef48f8c23044342ddb2f2b9b33020b6ec7592dd2a1b0546ef7387641fb17cccd7f726fe665386c471f01b4e715d7e9b713baa1bc5

Download Submit
\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\Baldi.exe
Filesize
12.4MB

MD5
515bc425daa9558e4a12a917e7dfc701

SHA1
bef7a2a3f78189922be2b1f59b9e2636c6a8156e

SHA256
fd27fb8b14a5fa99bba87560510030a5ab9df47e4f7584cb4d0e31c04e11808b

SHA512
41b2b95aea7ed7bc039f64146581ba695af8a441cfb7cba989d2204fe47f8de974334c224a085f30fbc3fc51455986a73c3bdb90952f1e7bc9b6c8074432dbdc

Download Submit
\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
\Baldi\DisableUAC.exe
Filesize
104KB

MD5
9ad923e0b582d7520dbd655c36c1cdd5

SHA1
189c9b2c40f0a84af365e0bb8b88e97243560cc3

SHA256
f5add589da4bfb1492531306d12e84ef27bfcb0c31ff51fed710215765ac95f4

SHA512
ea73a7e5262fd148bc8b5d7d5a7c20a1c6683defb7c2ea48cdc22595420307b18ca20ecaf1135ad24131d2ab6ce1346e3abf78abed0e2728878c0f993509fb0c

Download Submit
memory/580-79-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/580-82-0x0000000000400000-0x0000000001080000-memory.dmp

Filesize
12.5MB

Download
memory/888-83-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1700-81-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads