Analysis
-
max time kernel
140s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
23-02-2025 20:29
Behavioral task
behavioral1
Sample
2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
General
-
Target
2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe
-
Size
141KB
-
MD5
7a1e24880a849261663e5ad59ca8ab98
-
SHA1
b917b58f2e72bb6e093af615220becd60b6b6a0a
-
SHA256
99de41cedc2118dfe34ac6d6f7c682e3cf1ebcefe0cc9337dc07b50eeb22b023
-
SHA512
339023224ace42a1274b95219ef7aa4e840d840c71abdf5d4d3819cc47df21c8a7979a98539bbf8c89cabaef9327dc7921ca71d974725577a0cd509fe435c49f
-
SSDEEP
3072:fguzklQqvuTZMHNtCP0ip1Q4M621CO60hTrkGCH:7GvGTcibMrCh0hf5
Malware Config
Extracted
Family
bdaejec
C2
ddos.dnsnb8.net
Signatures
-
Bdaejec family
-
Detects Bdaejec Backdoor. 1 IoCs
Bdaejec is backdoor written in C++.
resource yara_rule behavioral2/memory/3540-9-0x0000000000300000-0x0000000000309000-memory.dmp family_bdaejec_backdoor -
resource yara_rule behavioral2/files/0x000c000000023be1-3.dat aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation NFhqpu.exe -
Executes dropped EXE 1 IoCs
pid Process 3540 NFhqpu.exe -
resource yara_rule behavioral2/memory/3608-0-0x0000000000400000-0x00000000004F8000-memory.dmp upx behavioral2/memory/3608-7-0x0000000000400000-0x00000000004F8000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE NFhqpu.exe File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\misc.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe NFhqpu.exe File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE NFhqpu.exe File opened for modification C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE NFhqpu.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoia.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe NFhqpu.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe NFhqpu.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe NFhqpu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe NFhqpu.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe NFhqpu.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe NFhqpu.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe NFhqpu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NFhqpu.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3608 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe 3608 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3608 wrote to memory of 3540 3608 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe 85 PID 3608 wrote to memory of 3540 3608 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe 85 PID 3608 wrote to memory of 3540 3608 2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe 85 PID 3540 wrote to memory of 2640 3540 NFhqpu.exe 90 PID 3540 wrote to memory of 2640 3540 NFhqpu.exe 90 PID 3540 wrote to memory of 2640 3540 NFhqpu.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe"C:\Users\Admin\AppData\Local\Temp\2025-02-23_7a1e24880a849261663e5ad59ca8ab98_smoke-loader_wapomi.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\NFhqpu.exeC:\Users\Admin\AppData\Local\Temp\NFhqpu.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\32f87bba.bat" "3⤵
- System Location Discovery: System Language Discovery
PID:2640
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
187B
MD5e785c58b92e17960f1fcf4c25c55cfb3
SHA1b0aa02f38a8e02f8e81df676c7d226ea2ab2cde2
SHA2560760cdcaa4554129bd278f046b269bff344ea9abd448d348c3e93975c60a2b49
SHA512bccbe5cca1682514546e1f971773a6ef6ce1eab09b9b3852d56ca3f7010ee2f320fcac963f8eb7679f84f7f08f9e5aa2b4e17a33b986b25cd1264ef4aa624823
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e