Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882703
MD5: e2c4c4dd8c6a357eca164955a8fe040c
SHA1: f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256: f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
Tags: exe

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Changes the wallpaper picture
Uses shutdown.exe to shutdown or reboot the system
Yara detected BatToExe compiled binary
Machine Learning detection for sample
Disables the Windows task manager (taskmgr)
Machine Learning detection for dropped file
Disables UAC (registry)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Potential key logger detected (key state polling based)
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

AV Detection

Source: file.exe ReversingLabs: Detection: 72%
Source: C:\Baldi\Baldi.exe Avira: detection malicious, Label: TR/BAS.Samca.amdgw
Source: C:\Baldi\kill.exe Avira: detection malicious, Label: TR/AD.Nekark.sjwrf
Source: C:\Baldi\mbr.exe Avira: detection malicious, Label: DR/Delphi.Gen
Source: C:\Baldi\Baldi.exe ReversingLabs: Detection: 70%
Source: C:\Baldi\DisableUAC.exe ReversingLabs: Detection: 20%
Source: C:\Baldi\kill.exe ReversingLabs: Detection: 75%
Source: C:\Baldi\mbr.exe ReversingLabs: Detection: 70%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Baldi\kill.exe Joe Sandbox ML: detected
Source: C:\Baldi\DisableUAC.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405D07 FindFirstFileA,FindClose, 0_2_00405D07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405331
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience Controls LibraryX equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: ~YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang equals www.youtube.com (Youtube)
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr String found in binary or memory: https://vk.com/endnet
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang
Source: file.exe, 00000000.00000002.376997062.0000000000528000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_000000014000E9BC GetFocus,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetClassNameA,strncmp,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetPropA,GetPropA,GetWindowThreadProcessId,GetCurrentProcessId, 4_2_000000014000E9BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EE8

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Baldi\Baldi.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Baldi\lol.png

System Summary

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406128 0_2_00406128
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004046F9 0_2_004046F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004068FF 0_2_004068FF
Source: C:\Baldi\DisableUAC.exe Code function: 4_3_021A79B8 4_3_021A79B8
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_000000014000A15C 4_2_000000014000A15C
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_0000000140012B80 4_2_0000000140012B80
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_00000001400127C0 4_2_00000001400127C0
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_000000014000DFD0 4_2_000000014000DFD0
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: Baldi.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: file.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\DisableUAC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Baldi\Baldi.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Baldi\DisableUAC.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\Baldi.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Baldi\DisableUAC.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nseED18.tmp
Source: classification engine Classification label: mal92.rans.evad.winEXE@19/8@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041FC
Source: C:\Baldi\Baldi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Baldi\Baldi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Baldi\Baldi.exe Window found: window name: TButton
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 4444053 > 1048576

Data Obfuscation

Source: Yara match File source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DisableUAC.exe PID: 7140, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: reg.exe PID: 5744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shutdown.exe PID: 3816, type: MEMORYSTR
Source: C:\Baldi\DisableUAC.exe Code function: 4_2_000000014001BA98 push rax; retf 4_2_000000014001BA99
Source: Baldi.exe.0.dr Static PE information: section name: .didata
Source: Baldi.exe.0.dr Static PE information: section name: .debug
Source: DisableUAC.exe.0.dr Static PE information: section name: .code
Source: kill.exe.0.dr Static PE information: section name: .code
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405D2E
Source: C:\Users\user\Desktop\file.exe File created: C:\Baldi\mbr.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Baldi\DisableUAC.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Baldi\Baldi.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Baldi\kill.exe
Source: C:\Baldi\Baldi.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe
Source: C:\Baldi\Baldi.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Baldi\mbr.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Baldi\kill.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405D07 FindFirstFileA,FindClose, 0_2_00405D07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405331
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405D2E
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Baldi\Baldi.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\Baldi.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr Binary or memory string: @Winapi@Windows@DOF_PROGMAN
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405A2E

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Baldi\Baldi.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
Source: C:\Windows\System32\reg.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
No contacted IP infos