Analysis
-
max time kernel
150s -
max time network
108s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
18-11-2024 21:47
General
-
Target
a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe
-
Size
355KB
-
MD5
d80e625211db0a05bb8346f1fc2551f9
-
SHA1
2eab153918e144c22eb00d2f47e8757f21b39211
-
SHA256
a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f
-
SHA512
69261b12ffa2568f20752dab17cc48fe97598f4f640eba4d0dd54b0ab44ff6be529a97eadc1ef23d8758fd70d53c54fa9a764b9f4de86465e4004dffafd461cd
-
SSDEEP
6144:JnYGYzfdtj1alRL2ERw4UAJrx2A41E7vc7YI6Na2UX:JnYGYj/j428rx2ApvcUPbU
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Extracted
C:\Users\Admin\Documents\!HELP_SOS.hta
http://'+s.bp
http://'+s.bp+s.txp+tx
Signatures
-
Bdaejec
Bdaejec is a backdoor written in C++.
-
Bdaejec family
-
Detects Bdaejec Backdoor. 2 IoCs
Bdaejec is backdoor written in C++.
-
Contacts a large (7700) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Deletes itself 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 19 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry class 14 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe"C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zvweqmo.exeC:\Users\Admin\AppData\Local\Temp\zvweqmo.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\277b4efe.bat" "3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe"C:\Users\Admin\AppData\Local\Temp\a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f.exe" g2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zvweqmo.exeC:\Users\Admin\AppData\Local\Temp\zvweqmo.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7fc44a1e.bat" "4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe"C:\Users\Admin\AppData\Roaming\Rj3fNWF3.exe" g3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zvweqmo.exeC:\Users\Admin\AppData\Local\Temp\zvweqmo.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\04605a1f.bat" "5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\vssadmin.exe"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet3⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\!HELP_SOS.hta"3⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1.vbs"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f252888.vbs"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5c81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD5d3b07384d113edec49eaa6238ad5ff00
SHA1f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA5120cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
189B
MD5b824343e15b7decc3d81a66fd6d5e5e5
SHA16d7c2e80503bb7bc9b2bd418fad9206fbe37611b
SHA256ceebe0e30409659c1b24110bc6f57ba4da6bbd6c67529229c45d2d55aa899b31
SHA51200a9af601ce1caa87532e3011a9d6da13011cd066930073fd157e1dd2efdd17ee2fbe9e4f120d3ff036b28d1eafd46f4abd95f99cfc11dbd0875f9d8cbb6ccf9
-
Filesize
4B
MD520879c987e2f9a916e578386d499f629
SHA1c7b33ddcc42361fdb847036fc07e880b81935d5d
SHA2569f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
SHA512bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
-
Filesize
189B
MD57e2ad1135823fc7f2ebcc5d8d2dd40ef
SHA1ba6cf2e23dfe8914d19064edd01ad6c74126ec34
SHA256cf4b4b8a3e720e73c79cdb6625e9c50d4196de509c69aac96e499b7634696373
SHA5128a41a417b0ee8c83e6558f404018f3723c239c4a8c7b1757499f79463011d9e338d03d2ce34e3b71baf236eae1e7113a9c19afa17424caac474e324b9b4f4b5d
-
Filesize
189B
MD557d9612a64cc8ccb893d5e4fcab2d9a9
SHA1f7defaf4e575cf3d7b2e95e27888bd825040e204
SHA2560a1698bf2dbab981a9567f1904356b93ea82072f7ddff24f893ffdf1effcb6a6
SHA512034fac89efd3ad2efced896a46844d62b5880a5706d00e3ae9a25df6145c862e1688ab58ec3a18dfe4a24307f9ce7eed7a40d1d5d1432f8a25918d6ca714f005
-
Filesize
3KB
MD537219fd2d09abee4189a1ae33de93e2d
SHA15e4cc26e169b6bd16843bcc86806556dac372c57
SHA2562a0d2418a2504ad14960dcff54f0892339eeed53e359585c9b04a29c4e6e4274
SHA512626b89eb5b132ac43a6fb2d5dcc1c62349a6a48045a486835aa51c17348b0c4849cf5d56b4b56359c7bab5bdccaa04adf659f7486de84f9c14d86032272e5069
-
Filesize
610B
MD5b7fa110b58fd4baad65a54c13289bbf1
SHA1b069553ff25022e1c8329d80649ea6b81daff492
SHA2563f0aaea937d81a3148c47c4a40d5e26133d65bff5b5aba532064a9465f4db2c4
SHA51291c8f3253ecb49e8f9b09f9856b9de4419bc28d1d3b7d5ed74fae5c9bca56da4ba795a3fe7f7a4b04ba4452af6f568ade473de0d5cc12528914fef28807b7122
-
Filesize
15KB
MD5f7d21de5c4e81341eccd280c11ddcc9a
SHA1d4e9ef10d7685d491583c6fa93ae5d9105d815bd
SHA2564485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794
SHA512e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3
-
Filesize
355KB
MD5d80e625211db0a05bb8346f1fc2551f9
SHA12eab153918e144c22eb00d2f47e8757f21b39211
SHA256a05806f9060f1f2de61cec62599ef7558dc0b8e4b0a62cc71a1d8e762d91ee1f
SHA51269261b12ffa2568f20752dab17cc48fe97598f4f640eba4d0dd54b0ab44ff6be529a97eadc1ef23d8758fd70d53c54fa9a764b9f4de86465e4004dffafd461cd
-
Filesize
72B
MD5564e0e966cf37c86ee808339589a7a40
SHA1888ca98f9497fb6c499ff92863a901bc2705fcdf
SHA2561638146320ebb9897e55d507e44b201bb87eacec8632c9b4c544112832676de1
SHA512f2c3a88385680b28548b7e6d8629ba1ae7d408d24f6cd4761b0cfef6d23afc46d749ddce23feeb6f118974e04df680079a5b68b3a91d6a2a5d75fd97f49e45cd
-
Filesize
99KB
MD5a8cfe14e62ab27e2c2706ba48278b38f
SHA1e49497f83c969ca718f90b5c87f0d6a845124fcf
SHA256c54923cf6cb45c6f0721fb83e2fd87e44c9c5d0ad10aa99de1e1966cdc1245b1
SHA512a685fe7aba89abe138ff0c8cbca2074d4e10d84b27ddf7d4aec87162e4b0361bf5597312a9e123b13fcc9b7eb73cd6dfdb5927435d5aac1dbe6628f6c074f5b6
-
Filesize
2.8MB
MD5095092f4e746810c5829038d48afd55a
SHA1246eb3d41194dddc826049bbafeb6fc522ec044a
SHA2562f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA5127f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400
-
Filesize
843KB
MD55bacfd51d926774c8dd8028bec9b4374
SHA182bfd05e61d9b2c5849c5dfc35e9bf533c52ec57
SHA256fd8a8fcf5c1d869864145fbbed7c2dabadd368e4e5b755821ffc4812c0eacf9f
SHA5125c2a6552501bd73041d8210c68b9a00f960448a6423a183d6b99b7ab40016c916a27f12f7f959b180de4227471a23b19bd977059e0065e987b8012928e042d44
-
Filesize
654KB
MD51fd347ee17287e9c9532c46a49c4abc4
SHA1ad5d9599030bfbcc828c4321fffd7b9066369393
SHA256912373af6f3c176b7e0a71c986d6288f76f5be80de7c9a580b110690271e9237
SHA5129e52622077e805fcff2c6fe510524bf9ca7246da9ef42843041e82ced28b59163a2729335139df9e2d2a4c748ed56471bb053f337655a77d2d0976370f07acf4
-
Filesize
966KB
MD53740507a1dc4ff4cb5c6e52652c10c20
SHA1b2c8a0a736fe81c101f4ab4cd6be8099c3f902b3
SHA2566a72cc8649a63b017844c4c1f3885a250d1a982ffe5f1e58b6f1432fe9198e62
SHA512d5299859a6121c6ae5813be61648ca1f005970ebe34a8217d05b570ffbd4651f64ad7b3a7bf5129e708e07b36e097333f754b213e73d5fe9246347afd8fa3c22
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
376KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
64KB
-
Filesize
376KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
376KB
-
Filesize
36KB