Overview

overview

10

Static

static

3

17ce57ab9f...cN.exe

windows7-x64

10

17ce57ab9f...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2024, 01:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cN.exe

  • Size

    445KB

  • MD5

    33b394a638dde9affb689b973c332c10

  • SHA1

    407ad1519ebbbda772711f924c2c5fa3b1cfd17e

  • SHA256

    17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419c

  • SHA512

    ddacc9438788c4a39bda979b2979295b30aabc90085871d0c5c755abef85f3b7a59081d205e2cc5e766750cc14c5f7bfbfe12536b473d57d1d4e1accc0ea2df1

  • SSDEEP

    3072:urAebkSuIgrIgp2XUJGCHwxn08peEoVgVs6L2cEJNQ7LzVCLVtjtVK:tIgrIgulMXVgb6NezkJvQ

Score
10/10
bdaejecramnitaspackv2backdoorbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cN.exe
    "C:\Users\Admin\AppData\Local\Temp\17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cNmgr.exe
      C:\Users\Admin\AppData\Local\Temp\17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cNmgr.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 180
        3⤵
        • Program crash
        PID:2708
    • C:\Users\Admin\AppData\Local\Temp\nUUAXg.exe
      C:\Users\Admin\AppData\Local\Temp\nUUAXg.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\20fb6887.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1792
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 168
      2⤵
      • Program crash
      PID:3056

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WUBCGJ0A\k2[1].rar
          Filesize

          4B

          MD5

          d3b07384d113edec49eaa6238ad5ff00

          SHA1

          f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

          SHA256

          b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

          SHA512

          0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\20fb6887.bat
          Filesize

          187B

          MD5

          217b5d79241b009a8260845d515d7cd3

          SHA1

          dad84559a0b89fe6c8e62f077062bda838593d02

          SHA256

          1d8ae1ab933c11cfe267bbda08b83293151f6357ba62248a624bac069fbac59c

          SHA512

          a35472f62a28060c50105c585a58c87fe36afe67a93d039ff18070729f5aa33d393a74887cfec7b8e6cfe9aab48fb38ccf04efeee1c8c3a69848dd081c43b67f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\736061AD.exe
          Filesize

          4B

          MD5

          20879c987e2f9a916e578386d499f629

          SHA1

          c7b33ddcc42361fdb847036fc07e880b81935d5d

          SHA256

          9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

          SHA512

          bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nUUAXg.exe
          Filesize

          15KB

          MD5

          56b2c3810dba2e939a8bb9fa36d3cf96

          SHA1

          99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

          SHA256

          4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

          SHA512

          27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\17ce57ab9ff4cbad82e635233b0e96d8603409cd046e85b604da20c066ec419cNmgr.exe
          Filesize

          354KB

          MD5

          a8245f71e4e4aff10e574300abd2bcc2

          SHA1

          7ea3ae53a0697e526c6bc877b103b390af042d7a

          SHA256

          7bf945e4d87567106bfe8980b4fe1e6482578ab91fa9d82426c804ae5c3f2546

          SHA512

          8c32f1f55c0475ce06ddbd3db80d529addb401089bd61491641d2e2c0c36020eabc5a947735388ae7a90514c543cb29450afa13b1e3f90387e432b62d4628978

          Download Submit

        • \Users\Admin\AppData\Local\Temp\~TME08F.tmp
          Filesize

          1.2MB

          MD5

          d124f55b9393c976963407dff51ffa79

          SHA1

          2c7bbedd79791bfb866898c85b504186db610b5d

          SHA256

          ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

          SHA512

          278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

          Download Submit

        • \Users\Admin\AppData\Local\Temp\~TME10D.tmp
          Filesize

          1.1MB

          MD5

          9b98d47916ead4f69ef51b56b0c2323c

          SHA1

          290a80b4ded0efc0fd00816f373fcea81a521330

          SHA256

          96e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b

          SHA512

          68b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94

          Download Submit

        • memory/1984-12-0x0000000000240000-0x0000000000249000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1984-11-0x00000000002E0000-0x000000000033C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/1984-0-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1984-33-0x0000000000400000-0x0000000000474000-memory.dmp

          Filesize

          464KB

          Download

        • memory/1984-34-0x00000000002E0000-0x000000000033C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/1984-17-0x00000000002E0000-0x000000000033C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/1984-19-0x0000000000240000-0x0000000000249000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2492-74-0x00000000009C0000-0x00000000009C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2532-29-0x0000000000400000-0x000000000045C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/2532-21-0x0000000000400000-0x000000000045C000-memory.dmp

          Filesize

          368KB

          Download