Analysis

  • max time kernel
    82s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2025 14:43

General

  • Target

    PUBGM Bp (1).rar

  • Size

    26.4MB

  • MD5

    5f4136d2bf8eb7a6f8efd36c7c82550f

  • SHA1

    d0b8c5e3dee41720b77374ffd40ca0bf59d78c5c

  • SHA256

    9a060c3a9aa0640fdb24d491255d96d1d82d8d5e1d2dc02aa12fcd427294017f

  • SHA512

    38f20d5200dba5fad17956feba31cf309776137b65603ee5548394ec9821458848f4f17fe6ccfbbcc2761da538fcd85134e517b776a46a1c88f5709cbe2ec700

  • SSDEEP

    393216:tET/VwQVNl3s04rygE/e9L7XvqHvtLxwWX2X/hkA+izXBWIedCd3YFfsEu8wvcfj:2Td13VUGWpDGvaA5vu8wv9/kEigjvw

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is a backdoor written in C++.

  • Downloads MZ/PE file 1 IoCs
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PUBGM Bp (1).rar"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1344
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:748
    • C:\Users\Admin\Desktop\Encrypted\Divine Bp.vmp_protected.exe
      "C:\Users\Admin\Desktop\Encrypted\Divine Bp.vmp_protected.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del C:\MyHackKey.lic
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4760
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:468
      • C:\Users\Admin\Desktop\Encrypted\Divine Bp.vmp_protected.exe
        "Divine Bp.vmp_protected.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del C:\MyHackKey.lic
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3536
    • C:\Users\Admin\Desktop\Encrypted\Hile\WN Hax.exe
      "C:\Users\Admin\Desktop\Encrypted\Hile\WN Hax.exe"
      1⤵
      • Downloads MZ/PE file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Local\Temp\rHhGks.exe
        C:\Users\Admin\AppData\Local\Temp\rHhGks.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3ba260a2.bat" "
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5064
      • C:\Users\Admin\Desktop\Encrypted\Hile\daemon.exe
        C:\Users\Admin\Desktop\Encrypted\Hile\daemon.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1008

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\k2[1].rar

      Filesize

      4B

      MD5

      d3b07384d113edec49eaa6238ad5ff00

      SHA1

      f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

      SHA256

      b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

      SHA512

      0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

    • C:\Users\Admin\AppData\Local\Temp\117C749C.exe

      Filesize

      4B

      MD5

      20879c987e2f9a916e578386d499f629

      SHA1

      c7b33ddcc42361fdb847036fc07e880b81935d5d

      SHA256

      9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

      SHA512

      bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

    • C:\Users\Admin\AppData\Local\Temp\3ba260a2.bat

      Filesize

      187B

      MD5

      2df0c858e0c6147ee88adfc6ffd8f233

      SHA1

      4ca19f6aa048f9f9d1151cb382b8adb85ae5e867

      SHA256

      287c9509b8ee128db503e206d2e1787009fd01771bc9c127d80f5744aab08440

      SHA512

      1baa74df720864e927dc63a5b1129361bd8d951d941636da0113ce6a828d41610459d4d467c6bf09e1787f5f74bd3e94d7a4073182e9a5ecbaa8005d6872027f

    • C:\Users\Admin\AppData\Local\Temp\rHhGks.exe

      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

    • C:\Users\Admin\Desktop\Encrypted\Divine Bp.vmp_protected.exe

      Filesize

      6.8MB

      MD5

      23dda8d58fb0d43272013081dea75898

      SHA1

      46331207f7e3126a7a7c7746ec1801e82b544fec

      SHA256

      4b8ad200e572ff370d141d5c12281f1a9a2a619954285d4105956f15c8e9ff9a

      SHA512

      807fdbb3bc547a675bbdf31489b02fed194a1a8b9b2699d888c418c33a53163e894e809a410db8b3015750eb4a07fa22b76a7cbd930aedc746dd835946bc409f

    • C:\Users\Admin\Desktop\Encrypted\Hile\FFont.ttf

      Filesize

      22.2MB

      MD5

      91f4475d007aa64dd9a0e79927f3d095

      SHA1

      22304b8546d594e3f184623645639093667de2bd

      SHA256

      fe50313c37c2eca0bbf8cc3565b5ef32314753889afbe44cb275d65c3b58f0df

      SHA512

      d3d95caf0355ed2c2142bb86afb11bc4a87d1873ffb340a4265f43c8ceb1f7ab8469a08e7d63a9f5a973d062aefe2d3a8a40343939de5287a3f844870f871115

    • C:\Users\Admin\Desktop\Encrypted\Hile\WN Hax.exe

      Filesize

      939KB

      MD5

      80c69c90ce57c23dadf2ab2da24caa6d

      SHA1

      cceaafd6701ccebffff973e4dad7a49036c4e092

      SHA256

      f2ebcd883d6f2fb734914c036a986bbc33b59b1c06c234569cb60a98607b0a1c

      SHA512

      37ec28909e55052be08935a43028b65308433b848952b071feb638b0bbb459bf5a4812ebda650f6586c6d0b1048d0666cb893153b9d2c80b7cab83690543427d

    • C:\Users\Admin\Desktop\Encrypted\Hile\daemon.exe

      Filesize

      378KB

      MD5

      207827e053174afbfa7bff685d03dd5a

      SHA1

      d7f25603519deaa8a240b6b8599200889c0939f7

      SHA256

      7a943c6fb763e210f1ed4dac2a5ca1670635a603d24ed348968c242ec9ba0942

      SHA512

      5d6018b6ffd1177b641bb782f7844ddde18e71524ec86d80613f9b8f103883370f48f8369fe052c9327592aa85ef5cc73a619eab74d6f9a619ef628290387396

    • C:\Users\Admin\Desktop\Encrypted\Hile\tw_w32.dll

      Filesize

      2.9MB

      MD5

      54f40bfed252cc6d42e98c54d5d3ff49

      SHA1

      1bd9a0bed5d6d5f68ca3f701d63300d02cb8d7e1

      SHA256

      1f90fc5e3fc1ba1b9a266e950b3cbe2ae21d5c4391f0a13cac331e14955d4854

      SHA512

      6210e219b0274f982cd88722386ea4ae06fdf882d1c6591cb2b4d077864b8ae1e87dfec8ddf029fd071c5ad3b3c93413374a5e3ec7c447af1445aad302fb92de

    • C:\Users\Admin\Desktop\Encrypted\adb.exe

      Filesize

      816KB

      MD5

      5d8eef4e23c00dafcf5fdc21427716be

      SHA1

      919de2e5b4b6b24c1cc28683e8a398ccfbbd010c

      SHA256

      ccf58f3707c44c8800226ff1c199225c5a98e4294c86f1bd3318c2cd54344abd

      SHA512

      a142360017396cec3f4dcd497faa6749edb779e0ae37998b27d84dc4718d6b9dfbb5d6b62f0344f55a0427d615e18555a4246eb3401cb5e39d16f8a679102b04

    • memory/1008-98-0x0000000000F70000-0x0000000000FD5000-memory.dmp

      Filesize

      404KB

    • memory/1008-75-0x0000000000F70000-0x0000000000FD5000-memory.dmp

      Filesize

      404KB

    • memory/3404-34-0x00000000003B0000-0x0000000001071000-memory.dmp

      Filesize

      12.8MB

    • memory/3404-27-0x00000000011D0000-0x00000000011D1000-memory.dmp

      Filesize

      4KB

    • memory/3404-26-0x0000000000633000-0x00000000009A9000-memory.dmp

      Filesize

      3.5MB

    • memory/3404-28-0x00000000011F0000-0x00000000011F1000-memory.dmp

      Filesize

      4KB

    • memory/3404-29-0x00000000003B0000-0x0000000001071000-memory.dmp

      Filesize

      12.8MB

    • memory/3404-32-0x0000000000633000-0x00000000009A9000-memory.dmp

      Filesize

      3.5MB

    • memory/3404-36-0x0000000000633000-0x00000000009A9000-memory.dmp

      Filesize

      3.5MB

    • memory/3404-35-0x00000000003B0000-0x0000000001071000-memory.dmp

      Filesize

      12.8MB

    • memory/3404-33-0x00000000003B0000-0x0000000001071000-memory.dmp

      Filesize

      12.8MB

    • memory/3708-50-0x0000000000270000-0x0000000000279000-memory.dmp

      Filesize

      36KB

    • memory/3708-103-0x0000000000270000-0x0000000000279000-memory.dmp

      Filesize

      36KB

    • memory/4768-38-0x0000000001510000-0x0000000001511000-memory.dmp

      Filesize

      4KB

    • memory/4768-41-0x00000000003B0000-0x0000000001071000-memory.dmp

      Filesize

      12.8MB

    • memory/4768-39-0x0000000001520000-0x0000000001521000-memory.dmp

      Filesize

      4KB

    • memory/4808-97-0x00000000007E0000-0x00000000008CF000-memory.dmp

      Filesize

      956KB

    • memory/4808-44-0x00000000007E0000-0x00000000008CF000-memory.dmp

      Filesize

      956KB