Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 02:33
General
-
Target
2024-12-26_83125ab9dfa745107a71601710d2fbfa_smoke-loader_wapomi.exe
-
Size
193KB
-
MD5
83125ab9dfa745107a71601710d2fbfa
-
SHA1
15e9191aa572f1478f6d4ba4bfbf78c323eb3a5e
-
SHA256
3720e64a9c7bfd4d158e16924336ae553beb78313657a45d5477142b0693c017
-
SHA512
dbf678d9a76f85b7fffa57baf21f94757889737ea8f073ee7407622d0d23d231345975e2bcd29730676c43cdc335a8d7e2b567731cb324fc448d08a6119bc989
-
SSDEEP
6144:F8ToK31I1qZQxU4ouUnnk4LNaj8co7Ns:FHKlYqZQxUiSnkO6I7
Malware Config
Extracted
bdaejec
ddos.dnsnb8.net
Signatures
-
Bdaejec
Bdaejec is a backdoor written in C++.
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
-
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-26_83125ab9dfa745107a71601710d2fbfa_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-26_83125ab9dfa745107a71601710d2fbfa_smoke-loader_wapomi.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hvRVDMP.exeC:\Users\Admin\AppData\Local\Temp\hvRVDMP.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5e7e4ef5.bat" "3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
189B
MD57be98bb47d4950ae58839bc3dd49b00a
SHA1245d0f1d6b12c3503337c808b9fb8cb5486bb4c8
SHA25625a5c0972011944d0264be6e26ba5a132039758a85712e4515d7538f6fc34d02
SHA512e9f8f33a837398bfee4f77bfb8facef184bb7d5c25b7a0d88f1f1109094b50b084445d7cd6177ab0ba7d7d6e1430437e6a301c11131e4b441b839d43357b10b6
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
36KB
-
Filesize
36KB