Analysis
-
max time kernel
133s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-01-2025 02:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe
-
Size
190KB
-
MD5
feee936997197db0e4595247039460e2
-
SHA1
3f99e182ed63a4163beb0140259c5ac4b4dfd754
-
SHA256
47abfed8127c52887adfd69f5dc64c1222d3d33e80e2c953a422c2980b711768
-
SHA512
0b877d34ff11d2d567bfc4c28f16d5d39cd546c199f517766444f12dfc017534cbe79c4b1ffd8b556ba5c888446007d4aceddda07515fdca760471509e4edcf5
-
SSDEEP
3072:BFrRQ09DLEm/BTrgDjN7EnjEL00VVQLnVdY89STQR6NPnThVVqheWOGCH:7rRQ09DLEm/B43CjYQL/9AWoWn
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral2/memory/4120-8-0x0000000000C30000-0x0000000000C39000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral2/files/0x000d000000023b33-3.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation cAWMSk.exe -
Executes dropped EXE 1 IoCs
pid Process 4120 cAWMSk.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe cAWMSk.exe File opened for modification C:\Program Files\Windows Mail\wabmig.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe cAWMSk.exe File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe cAWMSk.exe File opened for modification C:\Program Files\Windows Mail\wab.exe cAWMSk.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe cAWMSk.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe cAWMSk.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe cAWMSk.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe cAWMSk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe cAWMSk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe cAWMSk.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe cAWMSk.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe cAWMSk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe cAWMSk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE cAWMSk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe cAWMSk.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe cAWMSk.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe cAWMSk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cAWMSk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1068 wrote to memory of 4120 1068 2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe 85 PID 1068 wrote to memory of 4120 1068 2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe 85 PID 1068 wrote to memory of 4120 1068 2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe 85 PID 4120 wrote to memory of 3216 4120 cAWMSk.exe 95 PID 4120 wrote to memory of 3216 4120 cAWMSk.exe 95 PID 4120 wrote to memory of 3216 4120 cAWMSk.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-07_feee936997197db0e4595247039460e2_bkransomware_wapomi.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\cAWMSk.exeC:\Users\Admin\AppData\Local\Temp\cAWMSk.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\086d38ac.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:3216
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5c45abaa20ca916cd808a9db9de79f46a
SHA1a62a9b632ca58c12b3447b5a21d9ddeeb2d9af13
SHA256b4f68f9b16fc3290f72a8b4a259bd38dfa320e2a6dfdc1fa5a46d2651f43aa3c
SHA51220a46ea0a32a65d5f56a145ab6409a53278f978bd20c84f05f6ef2b96360c0a2a2f4cc9714ee75fcfb9c6e6cbf60ee74b606089985a86fff1cc292b9a3f50eb4
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e