Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/04/2024, 04:14
Static task
- static1
Behavioral task behavioral1
- Sample: e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
- Resource: win10v2004-20240226-en
The signatures and process tree below come from the behavioral1 run (platform windows7_x64, resource win7-20240215-en); the PIDs, user SID and paths refer to that run.
General
- Target: e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
- Size: 224KB
- MD5: 57e3a3a300f99ad87076de6975a04261
- SHA1: f707f6cb91142fc61c729eba75c5902a20b50414
- SHA256: e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275
- SHA512: 92cda2e4d183d11ec2ebdfd07e8cf8dbc94f64dbb88ed27f7f45be494c442c8be0592e53095f63b2f82aaee621b20622288551ec82d59424d033ae1951537c29
- SSDEEP: 3072:9k6kvZjWnE5b68qaAF/OVLj4UbaxxmLQTi2//9U33T+NVzo:91kBmdaAF4RFSs
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
ShowSuperHidden = 0 is the Explorer setting "Hide protected operating system files": with it at 0, files carrying the hidden+system attributes are not shown, which is why a dropper that marks its own copy hidden+system writes it. Both the sample and the dropped baomai.exe set it.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | baomai.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
-
Executes dropped EXE (1 IoC)
pid | process
2008 | baomai.exe
-
Loads dropped DLL (2 IoCs)
pid | process
1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
-
Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 writes are "Set value (str)" on the same value, \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\baomai, with data "C:\\Users\\Admin\\baomai.exe /<switch>". The switch cycles through every letter /a to /z: the sample itself (PID 1512) wrote /r once and baomai.exe (PID 2008) wrote the other 26. The persistence artifact is therefore a single HKCU Run entry named baomai pointing at C:\Users\Admin\baomai.exe, with whichever switch the last write left in place. In the order the report lists them:
switch | process
/q | baomai.exe
/k | baomai.exe
/c | baomai.exe
/x | baomai.exe
/d | baomai.exe
/z | baomai.exe
/r | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
/l | baomai.exe
/a | baomai.exe
/r | baomai.exe
/j | baomai.exe
/m | baomai.exe
/g | baomai.exe
/b | baomai.exe
/i | baomai.exe
/w | baomai.exe
/o | baomai.exe
/u | baomai.exe
/s | baomai.exe
/f | baomai.exe
/y | baomai.exe
/n | baomai.exe
/p | baomai.exe
/v | baomai.exe
/t | baomai.exe
/h | baomai.exe
/e | baomai.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe | 1
2008 | baomai.exe | 63
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process
1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe
2008 | baomai.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
The four entries are identical: the sample (PID 1512) wrote into the memory of its child baomai.exe (PID 2008) four times.
description | pid | process | procid_target
PID 1512 wrote to memory of 2008 | 1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe | 28
PID 1512 wrote to memory of 2008 | 1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe | 28
PID 1512 wrote to memory of 2008 | 1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe | 28
PID 1512 wrote to memory of 2008 | 1512 | e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe (PID 1512), command line "C:\Users\Admin\AppData\Local\Temp\e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\baomai.exe (PID 2008), command line "C:\Users\Admin\baomai.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
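The three behaviors above (the Run-key churn, the ShowSuperHidden write and the WriteProcessMemory calls into the child) are easier to reason about once the raw events are collapsed into a few findings. The script below is an added example, not the sandbox's own code: EVENTS is constructed from the registry writes, dropped executable and WriteProcessMemory entries shown on this page (the event record layout is my own), and the three heuristics are generic triage rules, not the sandbox's signature logic. The Run-key rule deliberately ignores the argument switch so that the 27 writes are reported as one persistence entry.

```python
"""Triage helper: collapse the registry and process events from the report
above into a short list of findings. Added example, not sandbox code; EVENTS
is constructed from the values shown on this page and the record layout is an
assumption of this example."""
from __future__ import annotations

import re
from collections import Counter, defaultdict

SAMPLE = "e24966ceb01b0b84fa06ff1d701c0a633c1a7805d6822ac537aafc7dbe1d7275.exe"
DROPPED = "baomai.exe"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-2248906074-2862704502-246302768-1000"
RUN_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
EXPLORER_ADV = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"

# The 27 Run-key writes in the order the report lists them. The seventh (/r)
# came from the sample itself (PID 1512); all others from baomai.exe (PID 2008).
SWITCH_ORDER = "qkcxdzrlarjmgbiwousfynpvthe"

EVENTS = (
    [{"op": "regset", "key": USER_HIVE + EXPLORER_ADV + "ShowSuperHidden",
      "data": 0, "process": proc, "pid": pid}
     for proc, pid in ((DROPPED, 2008), (SAMPLE, 1512))]
    + [{"op": "regset", "key": USER_HIVE + RUN_KEY + "baomai",
        "data": f"C:\\Users\\Admin\\baomai.exe /{sw}",
        "process": SAMPLE if i == 6 else DROPPED,
        "pid": 1512 if i == 6 else 2008}
       for i, sw in enumerate(SWITCH_ORDER)]
    + [{"op": "exec", "pid": 2008, "process": DROPPED, "parent": 1512}]
    + [{"op": "wpm", "src": 1512, "dst": 2008}] * 4
)


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run-key command line into (image path, arguments); handles a
    quoted image path as well as the unquoted form seen in this report."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    image, _, args = cmd.partition(" ")
    return image, args.strip()


def in_profile_root(image: str) -> bool:
    """True for an executable sitting directly under C:\\Users\\<name>\\, a
    location legitimate installers almost never use for autostart entries."""
    return re.fullmatch(r"[a-z]:\\users\\[^\\]+\\[^\\]+\.exe", image.lower()) is not None


def run_key_entries(events) -> dict:
    """Group Run-key writes by the image they point to, ignoring the argument,
    so a value rewritten 27 times with a different switch is one foothold."""
    entries = defaultdict(lambda: {"writes": 0, "switches": set(), "writers": set()})
    for ev in events:
        if ev["op"] != "regset" or RUN_KEY not in ev["key"]:
            continue
        image, args = split_command(ev["data"])
        entry = entries[image.lower()]
        entry["writes"] += 1
        entry["switches"].add(args)
        entry["writers"].add(ev["process"])
    return dict(entries)


def explorer_tampering(events) -> list:
    """Processes that set ShowSuperHidden to 0, i.e. make Explorer hide files
    carrying the hidden+system attributes again."""
    return sorted({ev["process"] for ev in events
                   if ev["op"] == "regset"
                   and ev["key"].endswith(EXPLORER_ADV + "ShowSuperHidden")
                   and ev["data"] == 0})


def injection_pairs(events) -> Counter:
    """(writer pid, target pid) -> number of WriteProcessMemory calls."""
    return Counter((ev["src"], ev["dst"]) for ev in events if ev["op"] == "wpm")


def findings(events) -> list:
    """One line per finding: user-profile Run entries, Explorer tampering,
    cross-process memory writes."""
    out = []
    for image, e in run_key_entries(events).items():
        if in_profile_root(image):
            out.append(f"Run-key persistence -> {image}: {e['writes']} writes, "
                       f"{len(e['switches'])} distinct switches, by {sorted(e['writers'])}")
    procs = explorer_tampering(events)
    if procs:
        out.append(f"ShowSuperHidden set to 0 (protected OS files hidden) by {procs}")
    for (src, dst), n in injection_pairs(events).items():
        out.append(f"PID {src} wrote to memory of PID {dst} ({n} calls)")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

Run as-is it prints three findings: one persistence entry for c:\users\admin\baomai.exe (27 writes, 26 distinct switches, written by both processes), the ShowSuperHidden write by both processes, and four memory writes from PID 1512 into PID 2008. On a real host the same functions can be fed parsed Sysmon event ID 13 (registry value set) and ID 10 (process access) records instead of the constructed EVENTS list.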
-
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224KB
- MD5: ef06fe7103e8ca7ab92dd8b0fcc3722f
- SHA1: 530bcb5377efcf0878d8feba28cc916070de8c24
- SHA256: a01556e077e3506c8c3d0127533fe453432b4783d1e12c15efdbd8d9b92cea26
- SHA512: f5f828fdcf3dfa7d44d0e762c6914bc245818e85996efcaa0c4732a476c5cd2f8809e9013561be3f16712740d14426c90f82f9f0f4b687205a58f6f0a0328eff
This artifact has the same size as the submitted sample (224KB) but different hashes, so it is not a byte-for-byte copy of the sample. The report does not name the file here; confirm the dropped-file path before treating these hashes as those of C:\Users\Admin\baomai.exe.