bdaejec | dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
Size

1.4MB
MD5

0ec7425d2a0ff149d89db3e0347debe3
SHA1

80d229945b6267b85528e1d2c29615c66a5e04fa
SHA256

dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78
SHA512

4dfa00e8690ab894c5b806810296399032ad5e65f764632fc2ad4aeda72c5d91140701117084e80fc4c95d13fcde79d8c09e71b770c751ab71e89def9cebd76f
SSDEEP

24576:3NBIc0OQms+rYW6eRrRBKkuKgt10f+3ggrTmCmclq14:AViYW6+1ck/gte+QMmCmclqO

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/2708-77-0x00000000000D0000-0x00000000000D9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001870c-43.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
2560	Autopatch.exe
2708	xJX.exe

Loads dropped DLL 12 IoCs

pid	Process
2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
2560	Autopatch.exe
2560	Autopatch.exe
2560	Autopatch.exe
2560	Autopatch.exe
2560	Autopatch.exe
2708	xJX.exe
2708	xJX.exe
2708	xJX.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	xJX.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	xJX.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	xJX.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	xJX.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	xJX.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	xJX.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	xJX.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	xJX.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	xJX.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	xJX.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C650E966-B14F-4E38-8E3C-8BE886B090A9}\chrome_installer.exe	xJX.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	xJX.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	xJX.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	xJX.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	xJX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autopatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xJX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000098900e2cb7cc4d99872da6c25f39fe7f01a4483c7ee8fbacb4fb8e682d46fe7a000000000e80000000020000200000001971591a7edebbd9c7faeccbc808b931c3d4d6fbf61f32d4c7ddeea1ce889f7520000000d99bf464fbc20e1dda4bbc7218cb6757bac0973bf562925d161aa567f5e52f4640000000d662cd2e27af7c7b18d5bc2554552b6b324b126b3ba0a3b49689fa37afc5f6a6a29b6f0fa6111bb6a39dd30f2edb09443b9dfd45c8c405d51c1be927c9f55bc6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000a61130d37a14d8545ee6704ebcf61e92e04121865e931908ca693282a0f786ef000000000e800000000200002000000073551e25faa4a8b102613a9d241f6ad36703377a5965e370e6bd13728f9ec39190000000dad3d37640ae18fd00af1eee01cbf6f33f091203e312df94bd023cb7ef540a018eba27d188a687d55c5aa04d1366f6f4834a7e4ae910e5a4436dfaf91e2123903803d4f21a1f6bafb4f4065e049679ef757c958d2ae9b10e7acf4b3e42718949dd6cc52b0491054353ed5d1b7a4a04d679be341c2fc2ce63ae156bb218160ca6d99bba9425da1f7f298a12e74c267f22400000006d9a96ca597f9053ed12a8d4a674f940d75bdd2b00ffdf89cc9f605b47934e2bec8a840c0cd31fabd81f4ab610db49af16c31046df5156eacbe8a1dcf37620c1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435862661"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{914FEB01-915B-11EF-808B-E61828AB23DD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8066da656825db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1804	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2560	Autopatch.exe
2560	Autopatch.exe
1804	iexplore.exe
1804	iexplore.exe
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE
2632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2276 wrote to memory of 2560	2276	dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe	28
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 2708	2560	Autopatch.exe	29
PID 2560 wrote to memory of 1804	2560	Autopatch.exe	33
PID 2560 wrote to memory of 1804	2560	Autopatch.exe	33
PID 2560 wrote to memory of 1804	2560	Autopatch.exe	33
PID 2560 wrote to memory of 1804	2560	Autopatch.exe	33
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 1804 wrote to memory of 2632	1804	iexplore.exe	34
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35
PID 2708 wrote to memory of 1076	2708	xJX.exe	35

C:\Users\Admin\AppData\Local\Temp\dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe
"C:\Users\Admin\AppData\Local\Temp\dbddbf3b43a5d9cbfc20359ef87a295045a2ba9306ed0c62c018073e91f60d78.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\Autopatch.exe
  "C:\Users\Admin\AppData\Local\Temp\Autopatch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\xJX.exe
    C:\Users\Admin\AppData\Local\Temp\xJX.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\5da03402.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1076
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://universal-eo.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b57e8a5c9cfb7f0d91a4eaaf1c8a90c

SHA1
d1f2a7be14d2b7c3addc4d03eb31d98767350b46

SHA256
234157e8ed31e9c7b3333644f977ba06b648c2e859354d1b2b2efcfaab725a68

SHA512
d36ad2b333657af4c0f5c2732173dcf18e9e4cdbf9514848bf466555fa1576431e81b59fda1792f8f4effe725c50b7ba3abe3f402fc72dd8213cd506fd65762a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8935855e49a9b72dfe9bc1df6f7c7d8f

SHA1
bad5f582e946151eec3a56533b41a65afa7b62c2

SHA256
a829682040ec58b38a6565483c8e90fbb3f3d8477dd4579d7e372f59a6d2937b

SHA512
5963e00a8e5e425729755804505bfeb6238c11e0fca6b78f8b537374e3f2e500330e886ead8a1d11d23670a38889edd64daf6518621bed95ca4ee88d93ef043a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
424c121f05df41e03a7ca083ff140e7a

SHA1
4d5a7b8c08357688b01b30ad7a0af05b08c414a8

SHA256
0b4a9a91e626be5ac0225df24aec7ba4cb096630300eb160798163981aec7347

SHA512
a688ffd4ee8233c388c50ab52b77a21a4eb217595e318e5a458782e3a39d2e31026b1caf894fed528dfadcf188d4ff1c1541d923f27a9809f9fa6c0da4bab25a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1bc4aeaf2b84222e35557a4c2606912

SHA1
75e0782f70ef51f907948273844044d7fc472818

SHA256
c2def8c4d3ef5b5b9fc8433b4e8c9084427e9ab33fcfd02773d21ff9f1e28741

SHA512
d3c099e327aa5d03d7ac087811bb1c145bff8a5c33b5376bf07a51a828fb3eea3dc8b2c8b73ff2670e69f12a8d4985632237ed8f1720e9f53e669a42043d7419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f055b3aeb4e8e4211088717ccb9666d

SHA1
0641ba79d636d916abee09359e6d82770c4a3ab1

SHA256
b69328d5afee737b3b37ab59d79d6a36e9b8ac67c19be80eed917ceea5569508

SHA512
00789985e05d14a7e6ad7c74d66b05104b3b9d124ff537a5183caa35806a2e0b565445655dac0ecbe7d513fe7fa8dc8d373506a0ebed52638a5e7895293826de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
511851f2ea5a69f16a3e668c088dfa2c

SHA1
3d58a0ec780b313748027a468027fb932c3e5757

SHA256
d0e18cabd70181a04dad45d8d9cd4db544839d2112ad0088eca8bffc02da11ee

SHA512
d8609f466032a3a8aee3373e10d4bf7d854891dc49698ce23a6c1426118f34675b84ed02aa9bf2efe22d4861f6d32b20bdc41997719c57e3b3cf1a6012e2a88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef321ad193a8c3b979208e5e9f01966

SHA1
7d66c645b34491304c5fe647ac278be69f53994c

SHA256
93e7e25d320aac0201e5650da814579d75673aff2258a8eb5c53acc672ee45ad

SHA512
3c98f8f6c37cf9f0b5740206777c7a05292cecf4b4c7a5ca4ac519f93d85b76c31e29b4e92b2ff92d59cd47dcab20eec92e2b3b94093298243e8e8bcc5c9d2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab2106519efe7ef3a16fced876e45eeb

SHA1
cc2825f617d5c78da1b7d676d6b0444da781d2cf

SHA256
fa5a7c00b8c1b1bd18193ae49011d7c8099e7fe7e057dd8cb19028009ba9a61e

SHA512
b2b013f6270f39fccbe07b7a4560ae23c9d42034eb401f7978fe4bb0287006a514d79d761dec90a0a43da70eb0d8d26b5010d3432f0bd037cf83e19b846ca3d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ead2bb0830dbe3546830426dada1a474

SHA1
9d27601db6a7e7db2166d0d9a94c9bb6dbc15b5c

SHA256
540b3bc36c568295438796d1ce8f575664acedf60c5ca8efbb81f73a3e58c6f2

SHA512
f2cb5ad703369023f250d1c3e79710c6e804f0e45273e77cc2ad94e53858b4d879c3b3c37582e6ba68945529a507668ffcbf27718f0b5ed9eecbdc5bb0c2ff66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03aa3f46ffd4d57ff8d6459d6dd23eee

SHA1
8cd6d2bb1491d33650c49dceaa2519b46d3c485b

SHA256
c83208897a9b024b75bbe8444927190fa76669eb569661eb73038b552232097a

SHA512
0093b1f3351153790ab3fdc90404d25384fce7813b934bd0a15bb2c44f6df7524727b7e24be626c037dfc064935009eb3a4f2c530e4801e829ba21d3e74d9fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f74301700b0d93c97c5df2e1586607d5

SHA1
c159f40e0aad96b878dab9cf01afc2dbe102c0c4

SHA256
21fd6d79345b686ac03fbe77974f078f3e73675e3bb653d8f51b0c7a13cb8830

SHA512
1c82e8d8e8e8a37706cbec237d816e3c796e9dd26e2d8862672df81ba69c5a76665ab663c0a96df895b6dd34123aa5d987cfa2cd04ca2a0826a2bf14aae99e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15516707375f34b3160f9293f8b1eabc

SHA1
cce830c1d51405b40e6026533d028b1e9d609535

SHA256
8f1e78d37635f70399129848996cd5a307c9afed7331a46fe787f357d05deb73

SHA512
54d921baa4c6e91d7916748ffb84277d3fa0ba1010b8659a73bdac36ef5122efa079007a609ef24aa271a403c0cd82147362180f71d94d8f9a27f8cd29828ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecb244517021bf24bc46cc3a28274b53

SHA1
3c0b496c3323c68f5c0ed005bd2b76d6b3a82e8b

SHA256
a11232a116b41ed795aca9a5355f43ff806e6d2558ccb9e66f949e2632d371fe

SHA512
86c916374c403abaa7f67677595dcba255ce278989fed96283ca950f58d78c82c648a47076312276f9d36ff43dd95e2a03da217fd002fdd6e0ecffbb33211192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dc3647d53cf9fc27153d926e92f78b5

SHA1
3f0d9e0b45fa261e5957a5c7d3445e968ed03ea7

SHA256
3c75597040b3b77fc478d10129f1abe4f06819be4f3416b1581b0c1eeeb778ca

SHA512
166905a60513fe2e32f640e955831f5554f2e077e5186372a75d9b3a75f68ba0724c902c4af54cb6c7c3a305e19173cd7666b3d5cf21966ecedcd328d08f43e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e687e4dbd4a8f158a9f04c11cdaa7171

SHA1
7afb3c4b4c652977a25b30b849489a341a39685c

SHA256
158f99745789131cf59134ec3a5f2143b854069163ea6965886a66c1218a9de5

SHA512
f0bb2c57350e4dcc243be9c221268a0cf7b5cad2b7c8b87339d9bac343e4dd014c36d59f93a7f0e09ef92d474ff3110406f2ec81cc188f8ee7ec43fc0983c2e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aee212fbaa2e7bec95c032b0591cdba4

SHA1
7739fc60c5bd259279df4b7d1eb6d851413c81d2

SHA256
86b052f492ee549805e246e474316f45c14725fde8af9dfaa5cd284aec542af4

SHA512
a8cc0e182a78d2b3881ec8aa7b6cb96d673f6863e7c9815640029d7a8d919cc903de9e7ccf8df32bdaea530cb702a0ab23f590055b7b3c6af38c6862d724891a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a51c435074cc484a2b6eea2dec92f2da

SHA1
52a6b90bfe70370388914e0a2ca89504be6d3ae9

SHA256
559e42864182a48b052cef305838517ad609209d0d9fe9e74c6ac40ae0a8d205

SHA512
6a76ebfed03145adeba36d6903e7907ae82a4cd3a2a409c16c2346a101189f7e2533e68ebf3f894c61c6ac9051a43300f771bc94aac55f113d0a909830269738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63b543706e6e3e23a76d77707c99a9e8

SHA1
b64a9d6c1d0b478c4e6dc38c7e377e66ddc97790

SHA256
575392a6d68f67b2c1e861ce66f6ad82746c9180b7ce07b04992aefce85308b1

SHA512
264115c51a7b84f2a894d8c71b9d0e50201ebe8cb6017ec7a312da51f3ec398538a4f8385aa5320975720611fba44acd56ede11ec54dbcd54ef0b60ddec97394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
342ffeba2c63bd696a7ec296d5f38fc8

SHA1
e1476bf00738641672efe42dcccdea2e6535705c

SHA256
e11945ba529cc4f8e8babb802926ec3a4bff7acf5abc492a141a3d949c9a90bd

SHA512
9bc898f6096f2872b0d9d9cfbaf7d3f2f83e88f495b8a0b7d1b6907d0164d4c3ad805549c23f3790dec0b9204c793a72f242f2c2d539ca93958f8328759091e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5da03402.bat

Filesize
181B

MD5
d1ed5e5aadea87823f66bc5b0c17f8d8

SHA1
0b0dda5c96a82059d7937f6123917f73ec50eab2

SHA256
2fa49c37b76a0525b0bfb0062313af9dc906b22244f4f206d6e96f3cb2b7c3dd

SHA512
d2306152ce1b9175af7f52cd1ff8a28601437dfc493fe193c96f5f85a98decb06c4d6243f93556f8209f74957b5b894241fd34514924aeda69516c514723345c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoPatch.exe

Filesize
300KB

MD5
408e41d45388acb3738c3835eaf22c4c

SHA1
3690d22dd9b81421597edc15deb49a31526d068f

SHA256
593f678aa71743d0d916efa39de9a15ab433089cad3dd117dfb32d455fba3d6d

SHA512
5e8bfd82e7bde251be33a2f47fe91eb6ee612b64712f8477c3ae094df669229aef9bc5b512aeda5e70e7d42bb3bf383253dbb5eadb20c489d6aa63b3bbe1b887

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoPatch\SocketConfig.ini

Filesize
305B

MD5
01e1951ce818d30a9adddf5e45f03cfd

SHA1
cabde24499cacedb8ff7550594a33af27c6f6b58

SHA256
64c55e6463bbc2749fb3a90dae13cde53bbee051986abfd2a24952ab5438887b

SHA512
c07795604e759c6c09442fd0a6725d4764604a2559bea57b79094d004cd871024a89581bb3cca182c2297e6aebcd987e5ba2aeb20dcd234a207c3f480684e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoPatch\Update.log

Filesize
2KB

MD5
cd61ca85044ea843240a2884bcf22b93

SHA1
b83b474116e72a725663680aa504afa6c6eee7d1

SHA256
57613ccec51a5d1305848054940fc50a3edba857cf681f0fb09eab143c8958bb

SHA512
c0d52d1c861c7f0d2cfd0f5e0b6eea9ede9893d92186a470f5164d6bc4d788f90272c2ebe5146c9a478516e796908dba632d6cd161d6c8d75fc8138aab9204fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoPatch\config.ini

Filesize
1KB

MD5
325a3fe9191c18e85653de016928f26a

SHA1
8db59795dfa79d07baf89289c72ee777d799ee26

SHA256
8440e1ec82043b66430a5b7aade340ff7570aef3ee6d8b2c05394d824dc79903

SHA512
bedf4af818cb70c8349be13167d02b1d3120bb9796bb96b2a757484dd5c9dc6e82352543761c7010b3a941a85e77ed8dd8a2a7ab8e36da55f728c1d980ea6594

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE457.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\version.dat

Filesize
4B

MD5
fba9d88164f3e2d9109ee770223212a0

SHA1
a5b1d7e217aa227d5b2b8a84920780cf637960e2

SHA256
b281bc2c616cb3c3a097215fdc9397ae87e6e06b156cc34e656be7a1a9ce8839

SHA512
59963bfd1fef9ea453959517c8755d00cfa0d7c57f112404f3ca9def63986c149d9aabb28ccb225b5a3470e42a170141558d6d6b87ff104931c754fad0d5c933

Download Submit
\Users\Admin\AppData\Local\Temp\xJX.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/2276-35-0x0000000003650000-0x000000000369F000-memory.dmp

Filesize
316KB

Download
memory/2276-25-0x0000000003650000-0x000000000369F000-memory.dmp

Filesize
316KB

Download
memory/2276-56-0x0000000003650000-0x000000000369F000-memory.dmp

Filesize
316KB

Download
memory/2560-65-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-81-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2560-37-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2560-49-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2560-44-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2560-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2708-77-0x00000000000D0000-0x00000000000D9000-memory.dmp

Filesize
36KB

Download
memory/2708-58-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2708-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download