Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/02/2025, 00:23 UTC

General

  • Target

    2025-02-02_b63ba173024e59fb83cf1ed06e1c5204_icedid_wapomi.exe

  • Size

    1.0MB

  • MD5

    b63ba173024e59fb83cf1ed06e1c5204

  • SHA1

    597cb9eb8dbed8ef1f9a364215b8710f21502c6c

  • SHA256

    17f27aa3436e657d5012647e4232f9836f9848983d37d79dd99f44b5ac153197

  • SHA512

    4d185c22d24eb500c39722cee9c34f7db7f6ebdbbebe6009a7d544cd9f9aa82fa84ad9d7d2b161a09af80f6fbe3c5513c52076fcbb33770dc825cea994f2028a

  • SSDEEP

    24576:FDTss+PJ1RAdH1B8gIVhYgdG7ynoPiLd:lbQ

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

  • Bdaejec family
  • Detects Bdaejec Backdoor. 1 IoCs

    Bdaejec is a backdoor written in C++.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-02_b63ba173024e59fb83cf1ed06e1c5204_icedid_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-02_b63ba173024e59fb83cf1ed06e1c5204_icedid_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\TBFEKy.exe
      C:\Users\Admin\AppData\Local\Temp\TBFEKy.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5ae224a8.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2160

Network

  • flag-us
    DNS
    ddos.dnsnb8.net
    TBFEKy.exe
    Remote address:
    8.8.8.8:53
    Request
    ddos.dnsnb8.net
    IN A
    Response
    ddos.dnsnb8.net
    IN A
    44.221.84.105
  • 44.221.84.105:799
    ddos.dnsnb8.net
    TBFEKy.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    TBFEKy.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    TBFEKy.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    TBFEKy.exe
    152 B
    3
  • 44.221.84.105:799
    ddos.dnsnb8.net
    TBFEKy.exe
    152 B
    3
  • 8.8.8.8:53
    ddos.dnsnb8.net
    dns
    TBFEKy.exe
    61 B
    77 B
    1
    1

    DNS Request

    ddos.dnsnb8.net

    DNS Response

    44.221.84.105

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5ae224a8.bat

    Filesize

    187B

    MD5

    87834e78ddada726bf1a4963d0517c0e

    SHA1

    54340676d031fb7dc0bfc47a73a72636a766d61d

    SHA256

    23602022f4f54913a9642aea16aeadf520d49ae9ccb8497ff16c6c4e55d9ddb5

    SHA512

    342ddab957a7ea5d8a28ca5683ae8a8751482f366cad2ec0ea22788ad4eb51ad3439831f5191545157d88ead5b43f74d7c12fb60f24babe4b06b140c21401abb

  • C:\Users\Admin\AppData\Local\Temp\TBFEKy.exe

    Filesize

    15KB

    MD5

    56b2c3810dba2e939a8bb9fa36d3cf96

    SHA1

    99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

    SHA256

    4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

    SHA512

    27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

  • memory/2180-1-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2180-10-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/2180-9-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/2180-15-0x0000000001FE0000-0x0000000001FE9000-memory.dmp

    Filesize

    36KB

  • memory/2180-17-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/2180-19-0x0000000000400000-0x0000000000506000-memory.dmp

    Filesize

    1.0MB

  • memory/3064-11-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

    Filesize

    36KB

  • memory/3064-18-0x0000000000CB0000-0x0000000000CB9000-memory.dmp

    Filesize

    36KB
