Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29/02/2024, 06:42
General
-
Target
Backdoor.Win32.Padodor.exe
-
Size
89KB
-
MD5
deb1ef2a5ba79cb49d1a07adb9e94ffb
-
SHA1
d6a010cbcd62c3bda825d728eb246012788cef82
-
SHA256
bdc75545b6bc5dd48e053e64aee6f6adc1c1120f10b0e1751a9cf10ba0dbc9bc
-
SHA512
e53aa33a3b94958d31f4d63ac1d8408a81269b9b446e4baf5e82a0587ee352c95d666a7fabdf5662ff73588b7a24a803822e7fb8897192b28374ee3c642000e8
-
SSDEEP
1536:UmwtjU4YQkUsiiXnXoRh3lwMpyUF3MaxRhRQyD68a+VMKKTRVGFtUhQfR1WRaROu:DwtA4YQXsFXo/3lwGyUF3MOhejr4MKym
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Padodor.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Nggqoj32.exeC:\Windows\system32\Nggqoj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Njfmke32.exeC:\Windows\system32\Njfmke32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ndkahnhh.exeC:\Windows\system32\Ndkahnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ogjmdigk.exeC:\Windows\system32\Ogjmdigk.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Okeieh32.exeC:\Windows\system32\Okeieh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Oboaabga.exeC:\Windows\system32\Oboaabga.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ocqnij32.exeC:\Windows\system32\Ocqnij32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Okhfjh32.exeC:\Windows\system32\Okhfjh32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ojjffddl.exeC:\Windows\system32\Ojjffddl.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Oqdoboli.exeC:\Windows\system32\Oqdoboli.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Occkojkm.exeC:\Windows\system32\Occkojkm.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Okjbpglo.exeC:\Windows\system32\Okjbpglo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\Ojmcld32.exeC:\Windows\system32\Ojmcld32.exe1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Obdkma32.exeC:\Windows\system32\Obdkma32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Oqgkhnjf.exeC:\Windows\system32\Oqgkhnjf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\Odbgim32.exeC:\Windows\system32\Odbgim32.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ocegdjij.exeC:\Windows\system32\Ocegdjij.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ogaceh32.exeC:\Windows\system32\Ogaceh32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\Okloegjl.exeC:\Windows\system32\Okloegjl.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ojopad32.exeC:\Windows\system32\Ojopad32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\Onklabip.exeC:\Windows\system32\Onklabip.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Obfhba32.exeC:\Windows\system32\Obfhba32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Oqihnn32.exeC:\Windows\system32\Oqihnn32.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ogcpjhoq.exeC:\Windows\system32\Ogcpjhoq.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Onmhgb32.exeC:\Windows\system32\Onmhgb32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Pcjapi32.exeC:\Windows\system32\Pcjapi32.exe6⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pkaiqf32.exeC:\Windows\system32\Pkaiqf32.exe7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pbkamqmd.exeC:\Windows\system32\Pbkamqmd.exe8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Peimil32.exeC:\Windows\system32\Peimil32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pclneicb.exeC:\Windows\system32\Pclneicb.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Pnbbbabh.exeC:\Windows\system32\Pnbbbabh.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pqpnombl.exeC:\Windows\system32\Pqpnombl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pkfblfab.exeC:\Windows\system32\Pkfblfab.exe13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pbpjhp32.exeC:\Windows\system32\Pbpjhp32.exe14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pgmcqggf.exeC:\Windows\system32\Pgmcqggf.exe15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pjkombfj.exeC:\Windows\system32\Pjkombfj.exe16⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Paegjl32.exeC:\Windows\system32\Paegjl32.exe17⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pjmlbbdg.exeC:\Windows\system32\Pjmlbbdg.exe18⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pnihcq32.exeC:\Windows\system32\Pnihcq32.exe19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pagdol32.exeC:\Windows\system32\Pagdol32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Qcepkg32.exeC:\Windows\system32\Qcepkg32.exe21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qkmhlekj.exeC:\Windows\system32\Qkmhlekj.exe22⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qbgqio32.exeC:\Windows\system32\Qbgqio32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qeemej32.exeC:\Windows\system32\Qeemej32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Qgciaf32.exeC:\Windows\system32\Qgciaf32.exe25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Qnnanphk.exeC:\Windows\system32\Qnnanphk.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Acjjfggb.exeC:\Windows\system32\Acjjfggb.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Alabgd32.exeC:\Windows\system32\Alabgd32.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aanjpk32.exeC:\Windows\system32\Aanjpk32.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Acmflf32.exeC:\Windows\system32\Acmflf32.exe30⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Ajfoiqll.exeC:\Windows\system32\Ajfoiqll.exe31⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Anbkio32.exeC:\Windows\system32\Anbkio32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Abngjnmo.exeC:\Windows\system32\Abngjnmo.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aaqgek32.exeC:\Windows\system32\Aaqgek32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Acocaf32.exeC:\Windows\system32\Acocaf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Alfkbc32.exeC:\Windows\system32\Alfkbc32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Abpcon32.exeC:\Windows\system32\Abpcon32.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Alhhhcal.exeC:\Windows\system32\Alhhhcal.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ajkhdp32.exeC:\Windows\system32\Ajkhdp32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Angddopp.exeC:\Windows\system32\Angddopp.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aaepqjpd.exeC:\Windows\system32\Aaepqjpd.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ahoimd32.exeC:\Windows\system32\Ahoimd32.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Aniajnnn.exeC:\Windows\system32\Aniajnnn.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Bahmfj32.exeC:\Windows\system32\Bahmfj32.exe44⤵
-
C:\Windows\SysWOW64\Bjpaooda.exeC:\Windows\system32\Bjpaooda.exe45⤵
-
C:\Windows\SysWOW64\Bnlnon32.exeC:\Windows\system32\Bnlnon32.exe46⤵
-
C:\Windows\SysWOW64\Bajjli32.exeC:\Windows\system32\Bajjli32.exe47⤵
-
C:\Windows\SysWOW64\Beeflhdh.exeC:\Windows\system32\Beeflhdh.exe48⤵
-
C:\Windows\SysWOW64\Bbifelba.exeC:\Windows\system32\Bbifelba.exe49⤵
-
C:\Windows\SysWOW64\Balfaiil.exeC:\Windows\system32\Balfaiil.exe50⤵
-
C:\Windows\SysWOW64\Bhfonc32.exeC:\Windows\system32\Bhfonc32.exe51⤵
-
C:\Windows\SysWOW64\Bopgjmhe.exeC:\Windows\system32\Bopgjmhe.exe52⤵
-
C:\Windows\SysWOW64\Bblckl32.exeC:\Windows\system32\Bblckl32.exe53⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bejogg32.exeC:\Windows\system32\Bejogg32.exe54⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Bhikcb32.exeC:\Windows\system32\Bhikcb32.exe55⤵
-
C:\Windows\SysWOW64\Bjghpn32.exeC:\Windows\system32\Bjghpn32.exe56⤵
-
C:\Windows\SysWOW64\Bbnpqk32.exeC:\Windows\system32\Bbnpqk32.exe57⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cbqlfkmi.exeC:\Windows\system32\Cbqlfkmi.exe58⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ceoibflm.exeC:\Windows\system32\Ceoibflm.exe59⤵
-
C:\Windows\SysWOW64\Chmeobkq.exeC:\Windows\system32\Chmeobkq.exe60⤵
-
C:\Windows\SysWOW64\Cddecc32.exeC:\Windows\system32\Cddecc32.exe61⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Clkndpag.exeC:\Windows\system32\Clkndpag.exe62⤵
-
C:\Windows\SysWOW64\Cojjqlpk.exeC:\Windows\system32\Cojjqlpk.exe63⤵
-
C:\Windows\SysWOW64\Cahfmgoo.exeC:\Windows\system32\Cahfmgoo.exe64⤵
-
C:\Windows\SysWOW64\Cdfbibnb.exeC:\Windows\system32\Cdfbibnb.exe65⤵
-
C:\Windows\SysWOW64\Chbnia32.exeC:\Windows\system32\Chbnia32.exe66⤵
-
C:\Windows\SysWOW64\Cajcbgml.exeC:\Windows\system32\Cajcbgml.exe67⤵
-
C:\Windows\SysWOW64\Chdkoa32.exeC:\Windows\system32\Chdkoa32.exe68⤵
-
C:\Windows\SysWOW64\Ckcgkldl.exeC:\Windows\system32\Ckcgkldl.exe69⤵
-
C:\Windows\SysWOW64\Cbjoljdo.exeC:\Windows\system32\Cbjoljdo.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Chghdqbf.exeC:\Windows\system32\Chghdqbf.exe71⤵
-
C:\Windows\SysWOW64\Clbceo32.exeC:\Windows\system32\Clbceo32.exe72⤵
-
C:\Windows\SysWOW64\Ckedalaj.exeC:\Windows\system32\Ckedalaj.exe73⤵
-
C:\Windows\SysWOW64\Dbllbibl.exeC:\Windows\system32\Dbllbibl.exe74⤵
-
C:\Windows\SysWOW64\Ddmhja32.exeC:\Windows\system32\Ddmhja32.exe75⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Docmgjhp.exeC:\Windows\system32\Docmgjhp.exe76⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ddpeoafg.exeC:\Windows\system32\Ddpeoafg.exe77⤵
-
C:\Windows\SysWOW64\Doeiljfn.exeC:\Windows\system32\Doeiljfn.exe78⤵
-
C:\Windows\SysWOW64\Ddbbeade.exeC:\Windows\system32\Ddbbeade.exe79⤵
-
C:\Windows\SysWOW64\Dkljak32.exeC:\Windows\system32\Dkljak32.exe80⤵
-
C:\Windows\SysWOW64\Dddojq32.exeC:\Windows\system32\Dddojq32.exe81⤵
-
C:\Windows\SysWOW64\Dhpjkojk.exeC:\Windows\system32\Dhpjkojk.exe82⤵
-
C:\Windows\SysWOW64\Dceohhja.exeC:\Windows\system32\Dceohhja.exe83⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ddgkpp32.exeC:\Windows\system32\Ddgkpp32.exe84⤵
-
C:\Windows\SysWOW64\Dhbgqohi.exeC:\Windows\system32\Dhbgqohi.exe85⤵
-
C:\Windows\SysWOW64\Eolpmi32.exeC:\Windows\system32\Eolpmi32.exe86⤵
-
C:\Windows\SysWOW64\Eaklidoi.exeC:\Windows\system32\Eaklidoi.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Edihepnm.exeC:\Windows\system32\Edihepnm.exe88⤵
-
C:\Windows\SysWOW64\Ehedfo32.exeC:\Windows\system32\Ehedfo32.exe89⤵
-
C:\Windows\SysWOW64\Ekcpbj32.exeC:\Windows\system32\Ekcpbj32.exe90⤵
-
C:\Windows\SysWOW64\Eoolbinc.exeC:\Windows\system32\Eoolbinc.exe91⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Ehgqln32.exeC:\Windows\system32\Ehgqln32.exe92⤵
-
C:\Windows\SysWOW64\Ekemhj32.exeC:\Windows\system32\Ekemhj32.exe93⤵
-
C:\Windows\SysWOW64\Ecmeig32.exeC:\Windows\system32\Ecmeig32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Eekaebcm.exeC:\Windows\system32\Eekaebcm.exe95⤵
-
C:\Windows\SysWOW64\Ehimanbq.exeC:\Windows\system32\Ehimanbq.exe96⤵
-
C:\Windows\SysWOW64\Ekhjmiad.exeC:\Windows\system32\Ekhjmiad.exe97⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eocenh32.exeC:\Windows\system32\Eocenh32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Ecoangbg.exeC:\Windows\system32\Ecoangbg.exe99⤵
-
C:\Windows\SysWOW64\Eemnjbaj.exeC:\Windows\system32\Eemnjbaj.exe100⤵
-
C:\Windows\SysWOW64\Ehljfnpn.exeC:\Windows\system32\Ehljfnpn.exe101⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Eofbch32.exeC:\Windows\system32\Eofbch32.exe102⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Eadopc32.exeC:\Windows\system32\Eadopc32.exe103⤵
-
C:\Windows\SysWOW64\Edbklofb.exeC:\Windows\system32\Edbklofb.exe104⤵
-
C:\Windows\SysWOW64\Fohoigfh.exeC:\Windows\system32\Fohoigfh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fcckif32.exeC:\Windows\system32\Fcckif32.exe106⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Fafkecel.exeC:\Windows\system32\Fafkecel.exe107⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Fhqcam32.exeC:\Windows\system32\Fhqcam32.exe108⤵
-
C:\Windows\SysWOW64\Fkopnh32.exeC:\Windows\system32\Fkopnh32.exe109⤵
-
C:\Windows\SysWOW64\Fhcpgmjf.exeC:\Windows\system32\Fhcpgmjf.exe110⤵
-
C:\Windows\SysWOW64\Fomhdg32.exeC:\Windows\system32\Fomhdg32.exe111⤵
-
C:\Windows\SysWOW64\Fchddejl.exeC:\Windows\system32\Fchddejl.exe112⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Ffgqqaip.exeC:\Windows\system32\Ffgqqaip.exe113⤵
-
C:\Windows\SysWOW64\Fhemmlhc.exeC:\Windows\system32\Fhemmlhc.exe114⤵
-
C:\Windows\SysWOW64\Fkciihgg.exeC:\Windows\system32\Fkciihgg.exe115⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Fbnafb32.exeC:\Windows\system32\Fbnafb32.exe116⤵
-
C:\Windows\SysWOW64\Fdlnbm32.exeC:\Windows\system32\Fdlnbm32.exe117⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Fkffog32.exeC:\Windows\system32\Fkffog32.exe118⤵
-
C:\Windows\SysWOW64\Foabofnn.exeC:\Windows\system32\Foabofnn.exe119⤵
-
C:\Windows\SysWOW64\Fbpnkama.exeC:\Windows\system32\Fbpnkama.exe120⤵
-
C:\Windows\SysWOW64\Ffkjlp32.exeC:\Windows\system32\Ffkjlp32.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-