Analysis

max time kernel: 80s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2024 05:14

Static task: static1
Behavioral task: behavioral1
Sample: 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
Resource: win7-20240708-en
General

Target: 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
Size: 72KB
MD5: 8091c892cd2045a5fa4c85ccf229ba34
SHA1: b907ff0750d28a568348c693b295a3a01ef7043e
SHA256: 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68
SHA512: 90d2bf96265ceaaa5381fddf247457980837b972972c7cd46fb3414f02ab764e4608887f83978331369f10fa0bad7b0112a3250ad853de3a746a9c4c5c08cb53
SSDEEP: 768:Qdwz0k23YXEL5kYcDjf19W6q0GEiMywPoTVIgsQGPL4vzZq2o9W7GsxBbPru:7e6HfDWs3oTVPvGCq2iW7za
Malware Config

Extracted
Family: bdaejec
Domain: ddos.dnsnb8.net
Signatures

Bdaejec family

Detects Bdaejec Backdoor (1 IoC)
Bdaejec is a backdoor written in C++.
resource: behavioral1/memory/2184-29-0x0000000000E50000-0x0000000000E59000-memory.dmp
yara_rule: family_bdaejec_backdoor

ASPack v2.12-2.42 packer (yara rule aspack_v212_v242, 1 IoC)
resource: behavioral1/files/0x000b00000001225f-2.dat
yara_rule: aspack_v212_v242

Executes dropped EXE (1 IoC)
pid 2184  qJgbivN.exe

Loads dropped DLL (2 IoCs)
pid 2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
pid 2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
Drops file in Program Files directory (64 IoCs)
All 64 records have description "File opened for modification" and process qJgbivN.exe; the target paths are:
C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
C:\Program Files\Java\jre7\bin\jabswitch.exe
C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe
C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe
C:\Program Files\Mozilla Firefox\maintenanceservice.exe
C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\Program Files\Windows Photo Viewer\ImagingDevices.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
C:\Program Files\Java\jre7\bin\kinit.exe
C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE
C:\Program Files\Windows Journal\Journal.exe
C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
Every one of the 64 targets is an executable (.exe) under Program Files or Program Files (x86), spread across unrelated products (Office, Java, Chrome, Firefox, Adobe Reader, 7-Zip, Windows Defender, the bundled games); a single process opening that many third-party executables for modification within seconds is the behaviour to alert on, independent of the family label.
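One way to turn this signature into a detection rule, as an added example that is not part of the sandbox report: parse the flattened "File opened for modification <path> <process>" records, keep only executables under Program Files, and alert on a process whose targets span several unrelated vendor directories. The twelve qJgbivN.exe records are copied from the list above; the updater called setup.exe and its four records are hypothetical and exist only to show why the vendor-spread criterion matters (an installer touches many files, but inside one vendor directory).

```python
"""Score sandbox 'File opened for modification' records for mass executable tampering.

Added example, not the sandbox's own code. Idea: a process that modifies many
executables across several unrelated vendor directories under Program Files is
behaving like a file infector or mass-tamper tool; a legitimate installer or
updater also touches many files, but almost always within one vendor directory.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

PREFIX = "File opened for modification "
PROGRAM_FILES = {"program files", "program files (x86)"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}

# Constructed sample: twelve of the 64 qJgbivN.exe records from the report, plus
# four hypothetical records from an updater "setup.exe" that exists only here.
SAMPLE_RECORDS = r"""
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE qJgbivN.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe qJgbivN.exe
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe qJgbivN.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe qJgbivN.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe qJgbivN.exe
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe qJgbivN.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe qJgbivN.exe
File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe qJgbivN.exe
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe qJgbivN.exe
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe qJgbivN.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE qJgbivN.exe
File opened for modification C:\Program Files\Windows Journal\Journal.exe qJgbivN.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe setup.exe
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe setup.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe setup.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\manifest.json setup.exe
"""


def parse_records(text):
    """Return (path, process) pairs; the process name is the last token, the path may contain spaces."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        path, _, process = line[len(PREFIX):].rpartition(" ")
        if path and process:
            records.append((path, process))
    return records


def vendor_dir(path):
    r"""Vendor directory directly under Program Files, or None for any other location.

    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE -> 'Microsoft Office'
    """
    parts = PureWindowsPath(path).parts
    if len(parts) < 4 or parts[1].lower() not in PROGRAM_FILES:
        return None
    return parts[2]


def score(records, min_files=10, min_vendors=3):
    """Per process: distinct executables touched, distinct vendor dirs, and the alert verdict."""
    files = defaultdict(set)
    vendors = defaultdict(set)
    for path, process in records:
        if PureWindowsPath(path).suffix.lower() not in EXEC_SUFFIXES:
            continue  # config, manifests and data files are not the signal here
        vendor = vendor_dir(path)
        if vendor is None:
            continue  # writes outside Program Files are scored elsewhere
        files[process].add(path.lower())
        vendors[process].add(vendor.lower())
    return {
        process: {
            "files": len(files[process]),
            "vendors": len(vendors[process]),
            "alert": len(files[process]) >= min_files and len(vendors[process]) >= min_vendors,
        }
        for process in files
    }


if __name__ == "__main__":
    for process, result in score(parse_records(SAMPLE_RECORDS)).items():
        verdict = "ALERT" if result["alert"] else "ok"
        print(f"{process:12} files={result['files']:2} vendors={result['vendors']:2} {verdict}")
```

The thresholds are deliberately parameters: on the full 64-record list qJgbivN.exe scores far above any sensible setting, while the hypothetical updater stays quiet even with min_files lowered to 3 because all its targets sit under one vendor directory.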
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  qJgbivN.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description / pid / Process / procid_target:
PID 2756 wrote to memory of 2184  2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe  31
PID 2756 wrote to memory of 2184  2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe  31
PID 2756 wrote to memory of 2184  2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe  31
PID 2756 wrote to memory of 2184  2756  05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe  31
PID 2184 wrote to memory of 2820  2184  qJgbivN.exe  32
PID 2184 wrote to memory of 2820  2184  qJgbivN.exe  32
PID 2184 wrote to memory of 2820  2184  qJgbivN.exe  32
PID 2184 wrote to memory of 2820  2184  qJgbivN.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe"
  PID: 2756
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\qJgbivN.exe  (child of PID 2756)
    command line: C:\Users\Admin\AppData\Local\Temp\qJgbivN.exe
    PID: 2184
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (child of PID 2184)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\33b21f92.bat" "
      PID: 2820
      - System Location Discovery: System Language Discovery
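Reconstructing that lineage from the flattened records, as an added example that is not the sandbox's own code: the parser below reads the eight "PID A wrote to memory of B" records and the YARA memory-dump resource path from the signatures above, collapses the repeated calls into a per-edge count, attaches the memory hit to the PID it was dumped from, and renders the tree. The record layout and the meaning of the trailing procid_target column (the sandbox's own index for the target process, not a PID) are taken from the report; the name of the leaf PID 2820 comes from the Processes section because cmd.exe never appears as a writer.

```python
"""Rebuild process lineage from flattened sandbox WriteProcessMemory and YARA memory-hit records.

Added example, not the sandbox's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"; the last
# integer is the sandbox's internal index of the target process, not a PID.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
# "behavioral1/memory/<pid>-<dump#>-0x<start>-0x<end>-memory.dmp <rule>"
MEM_RE = re.compile(
    r"^behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)

# Names for PIDs that never act as a writer, taken from the report's Processes section.
PROCESS_NAMES = {2820: "cmd.exe"}

# Constructed sample: the report's eight WriteProcessMemory IoCs and its one memory YARA hit.
SAMPLE = """
PID 2756 wrote to memory of 2184 2756 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe 31
PID 2756 wrote to memory of 2184 2756 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe 31
PID 2756 wrote to memory of 2184 2756 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe 31
PID 2756 wrote to memory of 2184 2756 05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe 31
PID 2184 wrote to memory of 2820 2184 qJgbivN.exe 32
PID 2184 wrote to memory of 2820 2184 qJgbivN.exe 32
PID 2184 wrote to memory of 2820 2184 qJgbivN.exe 32
PID 2184 wrote to memory of 2820 2184 qJgbivN.exe 32
behavioral1/memory/2184-29-0x0000000000E50000-0x0000000000E59000-memory.dmp family_bdaejec_backdoor
"""


@dataclass(frozen=True)
class MemHit:
    pid: int
    dump_index: int
    start: int
    end: int
    rule: str

    @property
    def size(self):
        return self.end - self.start


def parse(text):
    """Return (edges, writes, names, hits); edges maps child PID -> parent PID."""
    edges, names, hits = {}, dict(PROCESS_NAMES), []
    writes = defaultdict(int)  # (writer, target) -> number of WriteProcessMemory calls
    for raw in text.splitlines():
        line = raw.strip()
        m = WPM_RE.match(line)
        if m:
            src, dst, name = int(m[1]), int(m[2]), m[3]
            names[src] = name
            writes[(src, dst)] += 1
            if edges.setdefault(dst, src) != src:
                # A second, unrelated writer into the same PID is cross-process
                # injection, not parent/child setup: surface it instead of guessing.
                raise ValueError(f"PID {dst} written by both {edges[dst]} and {src}")
            continue
        m = MEM_RE.match(line)
        if m:
            hits.append(MemHit(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16), m[5]))
    return edges, dict(writes), names, hits


def chain_to_root(edges, pid):
    """Ancestry from the root down to pid, e.g. [2756, 2184, 2820]."""
    chain = [pid]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]])
    return chain[::-1]


def render(edges, writes, names, hits):
    """Indented tree, one line per process, with call counts and YARA hits attached."""
    children = defaultdict(list)
    for child, parent in edges.items():
        children[parent].append(child)
    hits_by_pid = defaultdict(list)
    for hit in hits:
        hits_by_pid[hit.pid].append(hit)
    lines = []

    def walk(pid, depth):
        label = f"{names.get(pid, '?')} ({pid})"
        if pid in edges:
            label += f"  <- {writes[(edges[pid], pid)]} WriteProcessMemory call(s) from {edges[pid]}"
        for hit in hits_by_pid[pid]:
            label += f"  [yara {hit.rule} @ 0x{hit.start:X}-0x{hit.end:X}, {hit.size} bytes]"
        lines.append("  " * depth + label)
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(set(edges.values()) - set(edges)):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*parse(SAMPLE))))
```

The edges recovered from the write records coincide exactly with the parent/child links in the Processes section, so every write here is a parent writing into a child it had just created, which is consistent with process creation itself rather than with injection into an unrelated process. The case worth chasing is a writer that is not the target's parent, and parse() refuses to silently overwrite an existing parent when it sees one. The YARA hit lands on qJgbivN.exe (PID 2184), in a 0x9000-byte region, which is where the family rule matched in memory.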
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 189B
MD5: 0015a20d59e066d160165143a189cd9a
SHA1: 075586f9117c55af847e86632cd06d7694bcaf75
SHA256: 24f36d169e66837f3e3addd5e2d952b899ad7d623b7065257102030a7705919c
SHA512: 18a34f969f345cfde8fb960c4e6ea76b86bc9c7c7aadedc0862404103ce639475a1a4d36f1995a3dd4ceaf06e2134642c858ae104f6cafa5e0c042b572c0967f

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e