babadeda | 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165

Resubmissions

19-01-2022 16:34

220119-t22y6abeh8 10

25-11-2021 12:35

211125-pshrpsfbgm 8

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
19-01-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
Size

11.7MB
MD5

51f468fa1f11ef59ad7fd5f339906661
SHA1

03887d2684aff18df484ca39c8f070a0bc725e4a
SHA256

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165
SHA512

493e7d68f3ffdb6e9b0587457370253f72e3d6b2c6fa3bafb1e96dcb36db0e6b78b2a52bcf86c9b42f1bf260da639a1e88ca13d8a43ad9826ed4f680e9c3ba7f

Score

10^/10

babadeda fickerstealer crypter discovery infostealer loader upx

Malware Config

Extracted

Family

fickerstealer

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\FAQ.pdf	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
Executes dropped EXE 2 IoCs

Processes:

irsetup.exealcodec.exe

pid process

3464 irsetup.exe
4048 alcodec.exe

pid	process
3464	irsetup.exe
4048	alcodec.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

irsetup.exe1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe

Loads dropped DLL 3 IoCs

Processes:

irsetup.exealcodec.exe

pid process

3464 irsetup.exe
3464 irsetup.exe
4048 alcodec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3464	irsetup.exe
3464	irsetup.exe
4048	alcodec.exe

flow	ioc
31	api.ipify.org

Modifies registry class 10 IoCs

Processes:

irsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ThreadingModel = "both"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\ = "Elecard LC"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ThreadingModel = "both"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\ = "Elecard LC"	irsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"	irsetup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

3464 irsetup.exe
3464 irsetup.exe

pid	process
3464	irsetup.exe
3464	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exeirsetup.exe

description	pid	process	target process
PID 2336 wrote to memory of 3464	2336	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 2336 wrote to memory of 3464	2336	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 2336 wrote to memory of 3464	2336	1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe	irsetup.exe
PID 3464 wrote to memory of 4048	3464	irsetup.exe	alcodec.exe
PID 3464 wrote to memory of 4048	3464	irsetup.exe	alcodec.exe
PID 3464 wrote to memory of 4048	3464	irsetup.exe	alcodec.exe

C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
"C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1810466 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-790714498-1549421491-1643397139-1000"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3464
- - C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe
    "C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\FAQ.pdf

MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\Filters\LC.dll

MD5
6316c4082cacf8f3f4f22daef56cb15c

SHA1
cea3de90b20396b092797ec8c7e241e822c8faed

SHA256
5594b08c79a4d188a674713011cd516618fa36d2f988f7d353fb3370939a4062

SHA512
e1e0a6440f91b208b61775e30d8fc1be299a298e00ed564ca7c74fa8728738af66e6c3c0805553abbc4a8d2838cd21bfde61ac2322fff4e62ac4d6796a0821bc

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\libftype-5.dll

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\libftype-5.dll

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
memory/4048-252-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download