Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-01-2025 15:34

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe
  Resource: win7-20240729-en
General
- Target: eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe
- Size: 385KB
- MD5: 27d0b2030e8eea5c5d49a2f26c974b30
- SHA1: 779b6b082a3921020bee88484df218470b1ce00e
- SHA256: eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4
- SHA512: 21a7aa9571d7726055a47bdb1f7c450499822c6cf6d69e955dd7f6bbdfbb24090af6560a970c6d9470f015f54f88d435c6f3c1b593107ee262cb6a4064e54dc5
- SSDEEP: 3072:5yWaZWKJGr4oLiDO4xpSZOhnzOPq/m7mSgAQyVg07dzynsbj0rkKTy/ISahGCH:5yM14oL0Jp8WnzOi/zSc7azynLkDQSd
Malware Config
Extracted
- Family: bdaejec
- Network indicator: ddos.dnsnb8.net
Signatures
- Bdaejec family
- Detects Bdaejec Backdoor. 2 IoCs
  Bdaejec is a backdoor written in C++.
  resource | yara_rule
  behavioral2/memory/2016-6-0x0000000000DE0000-0x0000000000DE9000-memory.dmp | family_bdaejec_backdoor
  behavioral2/memory/2016-11-0x0000000000DE0000-0x0000000000DE9000-memory.dmp | family_bdaejec_backdoor
  Both hits are on the same 0x9000-byte region of PID 2016 (the dropped VdHbAG.exe), dumped twice; the family match is on the unpacked code in memory, not on the file on disk.
- Packer rule hit on the dropped file (ASPack 2.12 to 2.42)
  resource | yara_rule
  behavioral2/files/0x000c000000023b4c-2.dat | aspack_v212_v242
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | VdHbAG.exe
Executes dropped EXE 1 IoCs
pid | Process
2016 | VdHbAG.exe
Drops file in Program Files directory 64 IoCs
All 64 entries have description "File opened for modification" and Process VdHbAG.exe; the ioc column (the file opened) is:
- C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe
- C:\Program Files\Google\Chrome\Application\chrome.exe
- C:\Program Files\Java\jre-1.8\bin\kinit.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe
- C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
- C:\Program Files\Java\jdk-1.8\bin\policytool.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
- C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe
- C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE
- C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe
- C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe
- C:\Program Files\Java\jre-1.8\bin\ktab.exe
- C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
- C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
- C:\Program Files\Mozilla Firefox\uninstall\helper.exe
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe
- C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE
- C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
- C:\Program Files\Java\jdk-1.8\bin\servertool.exe
- C:\Program Files\7-Zip\7zG.exe
- C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
- C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe
- C:\Program Files\7-Zip\Uninstall.exe
- C:\Program Files\Java\jdk-1.8\bin\klist.exe
- C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
- C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
- C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
- C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
- C:\Program Files\Microsoft Office\root\Office16\msoasb.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
- C:\Program Files\Mozilla Firefox\private_browsing.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
- C:\Program Files\Java\jdk-1.8\bin\schemagen.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe
- C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
- C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe
- C:\Program Files\Java\jdk-1.8\bin\ktab.exe
- C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe
- C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
- C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe
- C:\Program Files\Java\jdk-1.8\bin\keytool.exe
- C:\Program Files\Windows Mail\wab.exe
- C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
- C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe
- C:\Program Files\Java\jdk-1.8\bin\kinit.exe
- C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE
- C:\Program Files\Java\jre-1.8\bin\java-rmi.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Every target is an existing third-party or Windows executable, opened for write rather than created; on a live host, the Authenticode signature of each of these files should be re-verified before any of them is trusted or executed again.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VdHbAG.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4456 wrote to memory of 2016 | 4456 | eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe | 83
PID 4456 wrote to memory of 2016 | 4456 | eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe | 83
PID 4456 wrote to memory of 2016 | 4456 | eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe | 83
PID 2016 wrote to memory of 2712 | 2016 | VdHbAG.exe | 84
PID 2016 wrote to memory of 2712 | 2016 | VdHbAG.exe | 84
PID 2016 wrote to memory of 2712 | 2016 | VdHbAG.exe | 84
Processes
- C:\Users\Admin\AppData\Local\Temp\eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe"
  PID: 4456
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VdHbAG.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\VdHbAG.exe
    PID: 2016
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0916467e.bat" "
      PID: 2712
      - System Location Discovery: System Language Discovery
The command line names C:\Windows\system32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe: WOW64 file system redirection rewrote the path, which confirms VdHbAG.exe is a 32-bit process on this x64 guest. The batch file 0916467e.bat is referenced only by this command line; its content is not shown on the page.
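The signature rows above are tables flattened onto single lines. The following Python is an added example, not part of the report and not the sandbox vendor's code, that parses an excerpt of those rows and turns them into hunt-ready structures: the repeated WriteProcessMemory rows collapsed into a writer/target process tree, the Program Files executables opened for modification grouped by writing process, and the two locale registry reads. The row grammar is inferred from how the rows render on this page, and REPORT_ROWS is a constructed excerpt (three of the 64 drop rows, the two registry reads, and the six memory-write rows).

```python
"""Structure the flattened IoC rows of this sandbox report into hunt data.

Added example: not part of the report, not the sandbox vendor's code.
The row grammar is inferred from how the rows render on the page, and
REPORT_ROWS is a constructed excerpt of those rows.
"""
import re
from collections import defaultdict

SAMPLE_IMAGE = "eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe"

# Constructed excerpt, copied from the rows on this page.
REPORT_ROWS = r"""
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe VdHbAG.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe VdHbAG.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe VdHbAG.exe
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation VdHbAG.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
PID 4456 wrote to memory of 2016 4456 eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe 83
PID 4456 wrote to memory of 2016 4456 eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe 83
PID 4456 wrote to memory of 2016 4456 eedadfe1ed4b504c1acd956331b936d353e8bbf01a9c3072722551e6432427c4N.exe 83
PID 2016 wrote to memory of 2712 2016 VdHbAG.exe 84
PID 2016 wrote to memory of 2712 2016 VdHbAG.exe 84
PID 2016 wrote to memory of 2712 2016 VdHbAG.exe 84
"""

# Row grammars (assumed from the page): the last whitespace-free token is always
# the acting process, so paths and registry keys may contain spaces.
FILE_RE = re.compile(r"^File opened for modification (?P<path>.+) (?P<proc>\S+)$")
REG_RE = re.compile(r"^Key (?P<op>opened|value queried) (?P<key>.+) (?P<proc>\S+)$")
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_rows(text):
    """Split rows into file drops, registry accesses and cross-process writes."""
    parsed = {"drops": [], "registry": [], "writes": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            parsed["drops"].append((m["path"], m["proc"]))
        elif m := REG_RE.match(line):
            parsed["registry"].append((m["op"], m["key"], m["proc"]))
        elif m := WPM_RE.match(line):
            parsed["writes"].append((int(m["src"]), int(m["dst"]), m["proc"]))
        else:
            raise ValueError(f"unrecognised row: {line!r}")
    return parsed


def process_tree(parsed):
    """Collapse repeated write rows: writer pid -> (writer image, sorted target pids)."""
    tree = {}
    for src, dst, proc in parsed["writes"]:
        _, targets = tree.setdefault(src, (proc, set()))
        targets.add(dst)
    return {pid: (image, sorted(targets)) for pid, (image, targets) in tree.items()}


PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def modified_program_files(parsed):
    """Executables under Program Files opened for modification, deduplicated per writer."""
    by_proc = defaultdict(set)
    for path, proc in parsed["drops"]:
        low = path.lower()
        if low.startswith(PROGRAM_FILES) and low.endswith(".exe"):
            by_proc[proc].add(path)
    return {proc: sorted(paths) for proc, paths in by_proc.items()}


LOCALE_KEYS = ("\\control panel\\international\\geo\\nation", "\\control\\nls\\language")


def locale_reads(parsed):
    """Registry reads that reveal the host's country or language (geofence tell)."""
    return [(proc, key) for _, key, proc in parsed["registry"] if key.lower().endswith(LOCALE_KEYS)]


def hunt_summary(text):
    parsed = parse_rows(text)
    return {
        "process_tree": process_tree(parsed),
        "modified_program_files": modified_program_files(parsed),
        "locale_reads": locale_reads(parsed),
    }


if __name__ == "__main__":
    summary = hunt_summary(REPORT_ROWS)
    for pid, (image, targets) in summary["process_tree"].items():
        print(f"{image} (pid {pid}) wrote into pid(s) {targets}")
    for proc, paths in summary["modified_program_files"].items():
        print(f"{proc} opened {len(paths)} Program Files executables for modification")
    for proc, key in summary["locale_reads"]:
        print(f"{proc} read {key}")
```

One caveat when reading the tree this produces: a parent writing into a child it has just created is what CreateProcess does routinely, and the three identical rows per parent/child pair here match that pattern, so on their own they are weak evidence of injection. The stronger signals on this page are the family YARA hit on VdHbAG.exe's memory and the bulk opening of existing executables for modification, which is what the `modified_program_files` list is meant to feed into a host-side signature check.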
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 187B
  MD5: 9e9fa08f20eaaec3fcbfa1c0f3727e18
  SHA1: 64b766f3670c5f538f095440d5f6ac3429c3d1dc
  SHA256: adb97e3e8673767549a0ebb9ce81b70275141ae57bbfd66e99aef7717573e210
  SHA512: 992c4f1ffe23c467ecfeec8af19a53ae28d17acdd7e57322c566b02e0bdc403820b9a935c0002f2ef8642455ee96e020058ddd76c85342c4dcc97cfea5a90266
- Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e