Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-01-2025 06:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
General
-
Target
bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe
-
Size
96KB
-
MD5
ce104d074340dd089df7027b04edac00
-
SHA1
3df55cb6c62d0bd17264ed780da355c270b7fe21
-
SHA256
bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1
-
SHA512
cfe1c7643d7ebabda241286e334ae4a8ccea3e23c46f02dae6f23c4b518a652971a569bf77ebb95e88fc00d7871f0f205274eadb1bb93a14df5e91499f6375a7
-
SSDEEP
1536:MqPjvlpp/06w6Px9+3cu9V+gKf8GCq2iW7z:MqPL1/7w6ZAs+VBKkGCH
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral1/memory/2164-26-0x0000000000EF0000-0x0000000000EF9000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral1/files/0x00080000000120f9-2.dat aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2164 mhW.exe -
Loads dropped DLL 2 IoCs
pid Process 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe mhW.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe mhW.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE mhW.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe mhW.exe File opened for modification C:\Program Files\Windows Defender\MpCmdRun.exe mhW.exe File opened for modification C:\Program Files\Windows Journal\Journal.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE mhW.exe File opened for modification C:\Program Files\7-Zip\7z.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe mhW.exe File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe mhW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe mhW.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe mhW.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe mhW.exe File opened for modification C:\Program Files\Windows Mail\wabmig.exe mhW.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe mhW.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe mhW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe mhW.exe File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe mhW.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe mhW.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe mhW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE mhW.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE mhW.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\klist.exe mhW.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe mhW.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe mhW.exe File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe mhW.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\chrome_installer.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe mhW.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe mhW.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe mhW.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe mhW.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe mhW.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mhW.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2164 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe 30 PID 2644 wrote to memory of 2164 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe 30 PID 2644 wrote to memory of 2164 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe 30 PID 2644 wrote to memory of 2164 2644 bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe 30 PID 2164 wrote to memory of 1704 2164 mhW.exe 31 PID 2164 wrote to memory of 1704 2164 mhW.exe 31 PID 2164 wrote to memory of 1704 2164 mhW.exe 31 PID 2164 wrote to memory of 1704 2164 mhW.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe"C:\Users\Admin\AppData\Local\Temp\bdc39bd177902f25904a6438c353c34f5b34d06d2a6796e80bc9d173cf1b52d1N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\mhW.exeC:\Users\Admin\AppData\Local\Temp\mhW.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\09ae48a4.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:1704
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
181B
MD5c666ea57aa7bb4926072466871a7513e
SHA16370e455f8c2620e7e00b9002ed82eface409b69
SHA2565839cd4dd6780da9da33f52468b76e5e8760bbc7c081e293623db43e2b86c2cb
SHA51274b6a74f4b1bd5fb4995146158b4e2331d0ff80d7c80e755b318a4bf9ae538335b439907407d3f22be883c6947a8888920406a1a4fd056dc65f86f6e8362ebb4
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e