bdaejec | eb15944ffc429eedfedaae8f6bf4f72ad0a77756ee45cd3e29d1e300d9b5a47e

Analysis

max time kernel
106s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Size

1.6MB
MD5

24b6cb4a4e74e31d75456cc3d43444da
SHA1

682f244e75e459b5a483157b43138cb5b0379c33
SHA256

eb15944ffc429eedfedaae8f6bf4f72ad0a77756ee45cd3e29d1e300d9b5a47e
SHA512

b21d78466f2967c8f0a37b32173b8ab1c57d142d4e0d2a38073c749633dfdc99469a6263eccc4d08a70c9ed3180e9eb953479acf9ab0353565c38d0237226d28
SSDEEP

49152:XE4XbjEKOh3SbiwJjn7gu5LUvdW9apuLvht/cionurM0EIMa1:Xrj834iwJjn7gu5LmMapuNiiMurM0

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral2/memory/1600-11-0x0000000000BF0000-0x0000000000BF9000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023c9d-3.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	LaPUbseA.exe

Executes dropped EXE 1 IoCs

pid	Process
1600	LaPUbseA.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1D4B5551-822C-42C0-B673-53AB80587853}\chrome_installer.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	LaPUbseA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	LaPUbseA.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	LaPUbseA.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem1.PNF	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
File created	C:\Windows\inf\oem2.PNF	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
File created	C:\Windows\inf\oem0.PNF	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LaPUbseA.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1600	2432	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe	84
PID 2432 wrote to memory of 1600	2432	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe	84
PID 2432 wrote to memory of 1600	2432	2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe	84
PID 1600 wrote to memory of 1712	1600	LaPUbseA.exe	101
PID 1600 wrote to memory of 1712	1600	LaPUbseA.exe	101
PID 1600 wrote to memory of 1712	1600	LaPUbseA.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-07_24b6cb4a4e74e31d75456cc3d43444da_mafia_wapomi.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe
  C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1f9b510f.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1f9b510f.bat

Filesize
191B

MD5
8cd209922c6850357bc1ebacc8b26feb

SHA1
491ce49dd61ad891ed6d18f9a1a940ac6759bc71

SHA256
f496c38855c3cc58e062447938abb4965028ff6387e6a1af10cd4a04e591dc02

SHA512
974203f07cfc8218dd57baecb3ccb43862df315007d2e9ece078e19bd8bf54174cbc9178309c2504bf0e9b23361ceffe7d91170ae5ce86a6fb4a745c51ccfdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\LaPUbseA.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/1600-4-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/1600-11-0x0000000000BF0000-0x0000000000BF9000-memory.dmp

Filesize
36KB

Download
memory/2432-0-0x0000000000390000-0x000000000053B000-memory.dmp

Filesize
1.7MB

Download
memory/2432-10-0x0000000000390000-0x000000000053B000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads