babadeda | 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165

Resubmissions

19-01-2022 16:34

220119-t22y6abeh8 10

25-11-2021 12:35

211125-pshrpsfbgm 8

Analysis

max time kernel
157s
max time network
157s
platform
windows7_x64
resource
win7-en-20211208
submitted
19-01-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
Size

11.7MB
MD5

51f468fa1f11ef59ad7fd5f339906661
SHA1

03887d2684aff18df484ca39c8f070a0bc725e4a
SHA256

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165
SHA512

493e7d68f3ffdb6e9b0587457370253f72e3d6b2c6fa3bafb1e96dcb36db0e6b78b2a52bcf86c9b42f1bf260da639a1e88ca13d8a43ad9826ed4f680e9c3ba7f

Score

10^/10

babadeda fickerstealer crypter discovery infostealer loader upx

Malware Config

Extracted

Family

fickerstealer

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\FAQ.pdf	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Executes dropped EXE 2 IoCs

Processes:

irsetup.exealcodec.exe

pid process

332 irsetup.exe
364 alcodec.exe

pid	process
332	irsetup.exe
364	alcodec.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Loads dropped DLL 14 IoCs

Processes:

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exeirsetup.exealcodec.exe

pid	process
1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
332	irsetup.exe
364	alcodec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	api.ipify.org

Modifies registry class 10 IoCs

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ThreadingModel = "both"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\ = "Elecard LC"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ThreadingModel = "both"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\ = "Elecard LC"	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

332 irsetup.exe
332 irsetup.exe

pid	process
332	irsetup.exe
332	irsetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exeirsetup.exe

description	pid	process	target process
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 1212 wrote to memory of 332	1212	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 332 wrote to memory of 364	332	irsetup.exe	alcodec.exe
PID 332 wrote to memory of 364	332	irsetup.exe	alcodec.exe
PID 332 wrote to memory of 364	332	irsetup.exe	alcodec.exe
PID 332 wrote to memory of 364	332	irsetup.exe	alcodec.exe

C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
"C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1810466 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3846991908-3261386348-1409841751-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
"C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\FAQ.pdf
MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\libftype-5.dll
MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\Filters\LC.dll
MD5
6316c4082cacf8f3f4f22daef56cb15c

SHA1
cea3de90b20396b092797ec8c7e241e822c8faed

SHA256
5594b08c79a4d188a674713011cd516618fa36d2f988f7d353fb3370939a4062

SHA512
e1e0a6440f91b208b61775e30d8fc1be299a298e00ed564ca7c74fa8728738af66e6c3c0805553abbc4a8d2838cd21bfde61ac2322fff4e62ac4d6796a0821bc

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\libftype-5.dll
MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\lua5.1.dll
MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\lua5.1.dll
MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
memory/364-77-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/1212-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download