Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d69e8d0678...c6.exe

windows7_x64

10

d69e8d0678...c6.exe

windows10-2004_x64

10

Resubmissions

19/01/2022, 16:33

220119-t2pntsbeh3 10

25/11/2021, 12:32

211125-pqpggafbfp 8

Analysis

  • max time kernel
    126s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19/01/2022, 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d69e8d0678be5a8da741058f0ae2a6f99ffb8e3326ac50fda54336b23a546fc6.exe

  • Size

    6.3MB

  • MD5

    d8f03daa4389b4e6ce37a3d3664e74f5

  • SHA1

    9f044353923afec678d50777e8dc2e18a4b5ce21

  • SHA256

    d69e8d0678be5a8da741058f0ae2a6f99ffb8e3326ac50fda54336b23a546fc6

  • SHA512

    4ea37e044be69b88c53f7bdecd0eb5c431fc3f112bd1cfd53942463756cd3187a3a5a2ead9a4ea82f6fc323213a17b9231d6ce9493f68cfe71aac250121a99f9

Score
10/10
babadedacryptbotcrypterloaderspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

veowvf15.top

morysl01.top
Attributes
  • payload_url

    http://tyngle01.top/download.php?file=lv.exe

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 12 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d69e8d0678be5a8da741058f0ae2a6f99ffb8e3326ac50fda54336b23a546fc6.exe
    "C:\Users\Admin\AppData\Local\Temp\d69e8d0678be5a8da741058f0ae2a6f99ffb8e3326ac50fda54336b23a546fc6.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter 3.2.1.6\install\B615D1E\adv2.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\d69e8d0678be5a8da741058f0ae2a6f99ffb8e3326ac50fda54336b23a546fc6.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642579787 " AI_EUIMSI=""
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:3828
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3632
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0DF6B08F74B38C02E9C09EF8AEBCCA2D C
      2⤵
      • Loads dropped DLL
      PID:1984
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1EAF16CBB6AFF6D3C1B50B3A12707D15
      2⤵
      • Loads dropped DLL
      PID:3936
    • C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe
      "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\XKtGwQDe & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Fieldston Software\Extended Voul Painter\syncapp.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:2036
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    1⤵
      PID:1044

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2928-220-0x0000000000580000-0x000000000091B000-memory.dmp

      Filesize

      3.6MB

      Download