Overview

overview

10

Static

static

42ccd61f13...78.exe

windows7_x64

10

42ccd61f13...78.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    18-02-2022 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42ccd61f1357d37d8c439082e195eed6eb0d3a6b060852ce57161b469919f778.exe

  • Size

    122.5MB

  • MD5

    c893af41e33ca5da0a8acf8ac623c2ae

  • SHA1

    65412f1aa3839e41a00adc2ebc7162880c258be7

  • SHA256

    42ccd61f1357d37d8c439082e195eed6eb0d3a6b060852ce57161b469919f778

  • SHA512

    20474b4ab6e85a7b33d544a5f8cdb5d6b03b86ee67b07a54a17ee6358d51abdcd0711a78999fceb83f971590707c62941f0d2c5d18abc1c091694ea29ceb517f

Score
10/10
babadedaremcoscrypterloaderrat

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Detects BABADEDA Crypter 1 IoCs

    Detects BABADEDA Crypter.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42ccd61f1357d37d8c439082e195eed6eb0d3a6b060852ce57161b469919f778.exe
    "C:\Users\Admin\AppData\Local\Temp\42ccd61f1357d37d8c439082e195eed6eb0d3a6b060852ce57161b469919f778.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi" /q
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:960
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89C051B2DDA7F5B6B63173E918FC29B7
      2⤵
      • Loads dropped DLL
      PID:1576
    • C:\Users\Admin\AppData\Roaming\Plex, Inc\Plex Media Server DLNA\iisexpress.exe
      "C:\Users\Admin\AppData\Roaming\Plex, Inc\Plex Media Server DLNA\iisexpress.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1276-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1752-124-0x0000000003D00000-0x0000000008E00000-memory.dmp

    Filesize

    81.0MB

    Download

  • memory/1872-58-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

    Filesize

    8KB

    Download