Analysis

  • max time kernel: 143s
  • max time network: 136s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 13-02-2022 09:00

General

  • Target: 6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
  • Size: 9.6MB
  • MD5: cc2631ac48d53e47f9958142730d8132
  • SHA1: ef9a754f025b682c7bf8d21fa59cb71e4a8c1be7
  • SHA256: 6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44
  • SHA512: acc02eb8fcf5640503e1bd723121f16d9852553621b6c046159ca0358bbccd8f5455151e8ce0deee3907c31e2e4562bb61c52927fb728a3052833f116749e4c8

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 3 IoCs
  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 52 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
    "C:\Users\Admin\AppData\Local\Temp\6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe"
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
      C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
        "C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe"
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1632
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          • Interacts with shadow copies
          PID:1544
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          • Suspicious use of AdjustPrivilegeToken
          PID:1672
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          • Modifies boot configuration data using bcdedit
          PID:1900
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          • Modifies boot configuration data using bcdedit
          PID:1216
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          • Deletes backup catalog
          PID:1096
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          PID:652
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          PID:1492
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:1424
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:1960
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:1988
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    PID:516

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/652-131-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
    Filesize: 8KB
  • memory/964-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize: 8KB
  • memory/1320-110-0x0000000000CB0000-0x0000000000CC3000-memory.dmp
    Filesize: 76KB
  • memory/1320-122-0x0000000003FE0000-0x00000000081E0000-memory.dmp
    Filesize: 66.0MB
  • memory/1632-126-0x0000000000AD0000-0x0000000000AE3000-memory.dmp
    Filesize: 76KB
  • memory/1632-130-0x0000000003E10000-0x0000000008010000-memory.dmp
    Filesize: 66.0MB