Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28-11-2024 03:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
General
-
Target
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe
-
Size
36KB
-
MD5
c205558b705dbf77c766e78d25e57e60
-
SHA1
80358a4a30c0a4786b9764160e1e20ad624c795c
-
SHA256
83904ffe5a5c3e8b3af0c98d7a81ac9ac78f9140e55e9944b22a4c7436d672be
-
SHA512
b796e11783466c0f3e603e1a2ab93a9d0764fae89d374ac74ef004cad79cbf3b6a074dd2ba6d038240c761519db0f6cb0c4e88d30afc00f225f7c235e3eeae10
-
SSDEEP
768:Y4BZwegjJmxWJQpk84Ul+3xOXB27QGPL4vzZq2o9W7GsxBbPr:Y4BZ2Jm/kWmOXB28GCq2iW7z
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
Processes:
resource yara_rule behavioral2/memory/2352-8-0x0000000000DB0000-0x0000000000DB9000-memory.dmp family_bdaejec_backdoor -
Processes:
resource yara_rule behavioral2/files/0x000b000000023b5e-3.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ySZeVE.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation ySZeVE.exe -
Executes dropped EXE 1 IoCs
Processes:
ySZeVE.exepid Process 2352 ySZeVE.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ySZeVE.exedescription ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe ySZeVE.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe ySZeVE.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe ySZeVE.exe File opened for modification C:\Program Files\7-Zip\7zG.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{F123CA10-B28F-434D-9884-6C3679B73C43}\chrome_installer.exe ySZeVE.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe ySZeVE.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe ySZeVE.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe ySZeVE.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe ySZeVE.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe ySZeVE.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe ySZeVE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exe2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exeySZeVE.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ySZeVE.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exeySZeVE.exedescription pid Process procid_target PID 3204 wrote to memory of 2352 3204 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 84 PID 3204 wrote to memory of 2352 3204 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 84 PID 3204 wrote to memory of 2352 3204 2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe 84 PID 2352 wrote to memory of 4496 2352 ySZeVE.exe 102 PID 2352 wrote to memory of 4496 2352 ySZeVE.exe 102 PID 2352 wrote to memory of 4496 2352 ySZeVE.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-28_c205558b705dbf77c766e78d25e57e60_smoke-loader_wapomi.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\ySZeVE.exeC:\Users\Admin\AppData\Local\Temp\ySZeVE.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\72c90b8c.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:4496
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5c0ba0d2a3b205a6370e8da4a971fe72a
SHA1fb55b803cf056758272277b546fa176b1dcc52a2
SHA25691c7b6a9e77736f21531b7b62216af6193839de759e2b0fb13cafaf6711d65ef
SHA512c6051b66311487ff5626b5f4472084884d57ee9578adaf22c6a2a58a5f2333daa5446d22d7b588c33c61bfeea76ae343c2f488386196af4dea6880fd2618a267
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e