Analysis

  • max time kernel
    80s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2024 05:14

General

  • Target

    05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe

  • Size

    72KB

  • MD5

    8091c892cd2045a5fa4c85ccf229ba34

  • SHA1

    b907ff0750d28a568348c693b295a3a01ef7043e

  • SHA256

    05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68

  • SHA512

    90d2bf96265ceaaa5381fddf247457980837b972972c7cd46fb3414f02ab764e4608887f83978331369f10fa0bad7b0112a3250ad853de3a746a9c4c5c08cb53

  • SSDEEP

    768:Qdwz0k23YXEL5kYcDjf19W6q0GEiMywPoTVIgsQGPL4vzZq2o9W7GsxBbPru:7e6HfDWs3oTVPvGCq2iW7za

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe
    "C:\Users\Admin\AppData\Local\Temp\05c30daba17211b85a8ea0c9c4f08ba62645d62bde3df0852709be2bb82c4c68.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\qJgbivN.exe
      C:\Users\Admin\AppData\Local\Temp\qJgbivN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\33b21f92.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\33b21f92.bat

    Filesize

    189B

    MD5

    0015a20d59e066d160165143a189cd9a

    SHA1

    075586f9117c55af847e86632cd06d7694bcaf75

    SHA256

    24f36d169e66837f3e3addd5e2d952b899ad7d623b7065257102030a7705919c

    SHA512

    18a34f969f345cfde8fb960c4e6ea76b86bc9c7c7aadedc0862404103ce639475a1a4d36f1995a3dd4ceaf06e2134642c858ae104f6cafa5e0c042b572c0967f

  • \Users\Admin\AppData\Local\Temp\qJgbivN.exe

    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

  • memory/2184-11-0x0000000000E50000-0x0000000000E59000-memory.dmp

    Filesize

    36KB

  • memory/2184-29-0x0000000000E50000-0x0000000000E59000-memory.dmp

    Filesize

    36KB

  • memory/2756-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2756-9-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/2756-4-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/2756-31-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2756-32-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/2756-33-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB