Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2024 09:39
Behavioral task: behavioral1
Sample: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe
Resource: win7-20240903-en
General

Target: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe
Size: 14.6MB
MD5: 3563c402b8590bbedab9202ff48b38a7
SHA1: 3942f2d5555134798eb16d9befc69403db0edf1b
SHA256: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945
SHA512: d9658907abb6d11d62c4e85b4e73dac03ce1588fb3395a150a6cc940c11b97d3b30bd7255b30c53ad68f6a6dd0e8219c3d32efd91db0dad48a49dc444e4a2c0a
SSDEEP: 393216:/JFmS2iB12kzyl4cyC4tjwdUPev3ZGRsYI2yc:/mS2iD2949+TvpGRO2F
Malware Config

Extracted
  family: bdaejec
  ddos.dnsnb8.net
Signatures

- Bdaejec family

- Blackmoon family

- Detect Blackmoon payload (2 IoCs)
  resource: behavioral2/memory/2908-28-0x0000000000400000-0x0000000002672000-memory.dmp, yara_rule: family_blackmoon
  resource: behavioral2/memory/2908-57-0x0000000000400000-0x0000000002672000-memory.dmp, yara_rule: family_blackmoon

- Detects Bdaejec Backdoor (2 IoCs)
  Bdaejec is a backdoor written in C++.
  resource: behavioral2/memory/4172-6-0x0000000000810000-0x0000000000819000-memory.dmp, yara_rule: family_bdaejec_backdoor
  resource: behavioral2/memory/4172-54-0x0000000000810000-0x0000000000819000-memory.dmp, yara_rule: family_bdaejec_backdoor

- Yara match: aspack_v212_v242 (1 IoC)
  resource: behavioral2/files/0x000c000000023b25-2.dat, yara_rule: aspack_v212_v242

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation, Process: SimFLr.exe

- Executes dropped EXE (1 IoC)
  PID 4172, Process: SimFLr.exe

- Loads dropped DLL (1 IoC)
  PID 2908, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe

- Yara match: vmprotect (3 IoCs)
  resource: behavioral2/memory/2908-5-0x0000000000400000-0x0000000002672000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/2908-28-0x0000000000400000-0x0000000002672000-memory.dmp, yara_rule: vmprotect
  resource: behavioral2/memory/2908-57-0x0000000000400000-0x0000000002672000-memory.dmp, yara_rule: vmprotect
- Drops file in Program Files directory (64 IoCs)
  Files opened for modification under C:\Program Files and C:\Program Files (x86), Process: SimFLr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  PID 1952, target PID 2908, Process: WerFault.exe, procid_target 82

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: SimFLr.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: cmd.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 2908, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe
  PID 2908, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2908 wrote to memory of 4172, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe, procid_target 83
  PID 2908 wrote to memory of 4172, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe, procid_target 83
  PID 2908 wrote to memory of 4172, Process: 9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe, procid_target 83
  PID 4172 wrote to memory of 4104, Process: SimFLr.exe, procid_target 84
  PID 4172 wrote to memory of 4104, Process: SimFLr.exe, procid_target 84
  PID 4172 wrote to memory of 4104, Process: SimFLr.exe, procid_target 84
Processes

C:\Users\Admin\AppData\Local\Temp\9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9eaaa416014aa90bb49ee345b2be29497bc6163345f2caafca9b675f530d7945.exe"
  PID: 2908
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SimFLr.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SimFLr.exe
    PID: 4172
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7a2b1b39.bat" "
      PID: 4104
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1316
    PID: 1952
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2908 -ip 2908
  PID: 4768
Network
MITRE ATT&CK Enterprise v15
Downloads