Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 12:41
Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1    ASYCFILT.dll   win7-20240903-en
behavioral2    ASYCFILT.dll   win10v2004-20240802-en
behavioral3    AUTORUN.exe    win7-20240729-en
behavioral4    AUTORUN.exe    win10v2004-20240802-en
behavioral5    BYDS.exe       win7-20240903-en
behavioral6    BYDS.exe       win10v2004-20240802-en
behavioral7    COMCAT.dll     win7-20240903-en
behavioral8    COMCAT.dll     win10v2004-20240802-en
behavioral9    DAO350.dll     win7-20240729-en
behavioral10   DAO350.dll     win10v2004-20240802-en
behavioral11   DBGRDCHS.dll   win7-20240903-en
behavioral12   DBGRDCHS.dll   win10v2004-20240910-en
behavioral13   DBGRID32.dll   win7-20240903-en
behavioral14   DBGRID32.dll   win10v2004-20240802-en
behavioral15   MCI32.dll      win7-20240708-en
behavioral16   MCI32.dll      win10v2004-20240802-en
behavioral17   MCICHS.dll     win7-20240903-en
behavioral18   MCICHS.dll     win10v2004-20240802-en
behavioral19   MSCC2CHS.dll   win7-20240729-en
behavioral20   MSCC2CHS.dll   win10v2004-20240802-en
behavioral21   MSCMCCHS.dll   win7-20240903-en
behavioral22   MSCMCCHS.dll   win10v2004-20240802-en
behavioral23   MSCOMCT2.dll   win7-20240903-en
behavioral24   MSCOMCT2.dll   win10v2004-20240802-en
behavioral25   MSCOMCTL.dll   win7-20240708-en
behavioral26   MSCOMCTL.dll   win10v2004-20240910-en
behavioral27   MSJET35.dll    win7-20240903-en
behavioral28   MSJET35.dll    win10v2004-20240802-en
behavioral29   MSJINT35.dll   win7-20240903-en
behavioral30   MSJINT35.dll   win10v2004-20240802-en
behavioral31   MSJTER35.dll   win7-20240704-en
behavioral32   MSJTER35.dll   win10v2004-20240802-en
General

Target: BYDS.exe
Size: 228KB
MD5: 4fc5fb20abd408edf5d67269742d4bc6
SHA1: 9790e25f0411ee48fb47115f3480171a473894a7
SHA256: 2e3d9852004b31b7f859314dc85e516a10882f7dbcc29d9adfcdc211f69b7a2f
SHA512: 2416487f4488cade3aaa96a58842535764960bf36280527ecc872a7c1b966de66c03b8deb2397d78ceac2b8e7f4ed150f59394f42560e0285b959d02e49f5462
SSDEEP: 3072:uepfnUGWR95FYrXm9Fk3eRqkQNrYO7mDnuWr9Sds:sT5QuOYOQnuWr9Sd
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: BYDS.exe
File opened (read-only): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Process: BYDS.exe
File opened for modification: \??\PhysicalDrive0
Drops file in System32 directory (2 IoCs)
Process: BYDS.exe
File created: C:\Windows\SysWOW64\osln.dll
File created: C:\Windows\SysWOW64\ospk.dll
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process: BYDS.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Modifies registry class (64 IoCs)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Process: BYDS.exe (PID 1236)
Token: SeSystemtimePrivilege (8 occurrences)

Suspicious use of FindShellTrayWindow (5 IoCs)
Process: BYDS.exe (PID 1236), 5 occurrences

Suspicious use of SendNotifyMessage (5 IoCs)
Process: BYDS.exe (PID 1236), 5 occurrences

Suspicious use of SetWindowsHookEx (2 IoCs)
Process: BYDS.exe (PID 1236), 2 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\BYDS.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\BYDS.exe"
PID: 1236
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx