Analysis

Max time kernel: 106s
Max time network: 107s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-01-2025 03:43
Static task: static1
Behavioral task: behavioral1
Sample: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe
Resource: win7-20240903-en
General

Target: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe
Size: 640KB
MD5: 5ed2a3125ba2aff42060ba2f94aa0b8b
SHA1: 46cbf7f4dfbce1a505d7c722594bbc241f2c219e
SHA256: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5
SHA512: 7f4f0024087f89d0f10d8111ae4a91d277e0fde8151eb531152e013a0c0b7355b7ca5cfb6b2d248ef1c670fec8d6c4ad3ecee74f0cd21ff45cb49d19fa216654
SSDEEP: 12288:hJUvxKcxpJ6HL3D0jwiZcaKqqnfrjSZYqWP8Eq7tbgVv09smaMQ:U3xQDdiZcaKZYkq7tbg9X
Malware Config

Extracted:
  Family: bdaejec
  ddos.dnsnb8.net
Signatures

Bdaejec family

Detects Bdaejec Backdoor (1 IoC)
Bdaejec is a backdoor written in C++.
  resource: behavioral2/memory/1800-8-0x0000000000EC0000-0x0000000000EC9000-memory.dmp  yara_rule: family_bdaejec_backdoor
  resource: behavioral2/files/0x0009000000023c59-5.dat  yara_rule: aspack_v212_v242

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  Process: oUe.exe

Executes dropped EXE (1 IoC)
  PID 1800  Process: oUe.exe

Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\INF\setupapi.dev.log  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: oUe.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process: cmd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1404  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe
  PID 1404  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1404 wrote to memory of 1800  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe  procid_target: 83
  PID 1404 wrote to memory of 1800  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe  procid_target: 83
  PID 1404 wrote to memory of 1800  Process: 6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe  procid_target: 83
  PID 1800 wrote to memory of 3096  Process: oUe.exe  procid_target: 101
  PID 1800 wrote to memory of 3096  Process: oUe.exe  procid_target: 101
  PID 1800 wrote to memory of 3096  Process: oUe.exe  procid_target: 101
Processes

1. C:\Users\Admin\AppData\Local\Temp\6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cd6bcc4434c3b07b3ef598cb2bffed628ce64f7570b6f0d0c2ba5a84f3d23f5.exe"
   PID: 1404
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\oUe.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\oUe.exe
      PID: 1800
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\78464f29.bat" "
         PID: 3096
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 181B
MD5: 05a800b338e84a7f0b12fc4109f364d9
SHA1: 68bb613751bca423e3ec1b6e9dcbf9944315ee62
SHA256: d03df34d37dd95ff02e0ff6e0ab43b58b90bfa62f6246af804b4452604e3eeee
SHA512: 92c7250783a3625a67c1593417d34eccfc68b1918725fd135e589c515473cd1999bf42eb6455957dad5fe3fa8bb69589f9126be7ba835319648ab75c82b0a969

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e