babadeda | 1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
03-03-2022 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bfc1b42014e76be8deee330ff944681.exe
Size

5.9MB
MD5

6bfc1b42014e76be8deee330ff944681
SHA1

df22b2d235964e322916818bd00c82799ccfe81b
SHA256

1924be27896fc861692cf9247734cd87ec7b121a8a7ffdeda8d313f9d8a12981
SHA512

cf4929bc89ab40ad03259277460d92c8543f36439f805995e47d135d0a3a0d33d8eedbec85d50f791ad8b43aa9dc9e3b9940a8e33bf22e80cf8033736dc0cfbb

Score

10^/10

babadeda systembc crypter evasion loader persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

systembc

5.101.78.2:4127

192.53.123.202:4127

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\asp	family_babadeda
behavioral2/memory/4844-180-0x00000000046E0000-0x00000000088E0000-memory.dmp	family_babadeda

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Go/Anubis CnC Activity (POST)
suricata: ET MALWARE Go/Anubis CnC Activity (POST)
suricata
suricata: ET MALWARE Go/Anubis Registration Activity
suricata: ET MALWARE Go/Anubis Registration Activity
suricata
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

6bfc1b42014e76be8deee330ff944681.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts 6bfc1b42014e76be8deee330ff944681.exe
Executes dropped EXE 7 IoCs

Processes:

1646278288.exe1646278288.tmp1646278288.exe1646278288.tmptracegen.exePDapp.exePDapp.exe

pid process

3224 1646278288.exe
392 1646278288.tmp
5084 1646278288.exe
4064 1646278288.tmp
3160 tracegen.exe
4844 PDapp.exe
4840 PDapp.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	6bfc1b42014e76be8deee330ff944681.exe

pid	process
3224	1646278288.exe
392	1646278288.tmp
5084	1646278288.exe
4064	1646278288.tmp
3160	tracegen.exe
4844	PDapp.exe
4840	PDapp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1646278288.tmp1646278288.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1646278288.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1646278288.tmp

Loads dropped DLL 13 IoCs

Processes:

PDapp.exePDapp.exe

pid	process
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4844	PDapp.exe
4840	PDapp.exe
4840	PDapp.exe
4840	PDapp.exe
4840	PDapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6bfc1b42014e76be8deee330ff944681.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\spoolsv.exe"	6bfc1b42014e76be8deee330ff944681.exe

Drops file in Windows directory 4 IoCs

Processes:

attrib.exe6bfc1b42014e76be8deee330ff944681.exePDapp.exe

description	ioc	process
File opened for modification	C:\Windows\spoolsv.exe	attrib.exe
File created	C:\Windows\1646278288.exe	6bfc1b42014e76be8deee330ff944681.exe
File created	C:\Windows\Tasks\wow64.job	PDapp.exe
File opened for modification	C:\Windows\Tasks\wow64.job	PDapp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4300 ipconfig.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 5 Go-http-client/1.1
HTTP User-Agent header 34 Go-http-client/1.1
HTTP User-Agent header 35 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe1646278288.tmp

pid process

4164 powershell.exe
4164 powershell.exe
1516 powershell.exe
1516 powershell.exe
4064 1646278288.tmp
4064 1646278288.tmp
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

4488 cmd.exe

pid	process
4300	ipconfig.exe

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1
HTTP User-Agent header	34	Go-http-client/1.1
HTTP User-Agent header	35	Go-http-client/1.1

pid	process
4164	powershell.exe
4164	powershell.exe
1516	powershell.exe
1516	powershell.exe
4064	1646278288.tmp
4064	1646278288.tmp

pid	process
4488	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewhoami.exewhoami.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	2672	whoami.exe
Token: SeDebugPrivilege	1320	whoami.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: 36	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: 36	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1646278288.tmp

pid process

4064 1646278288.tmp

pid	process
4064	1646278288.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6bfc1b42014e76be8deee330ff944681.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe1646278288.exe1646278288.tmp1646278288.exe1646278288.tmp

description	pid	process	target process
PID 2700 wrote to memory of 4852	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4852	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4488	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4488	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 4852 wrote to memory of 4164	4852	cmd.exe	powershell.exe
PID 4852 wrote to memory of 4164	4852	cmd.exe	powershell.exe
PID 2700 wrote to memory of 3396	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 3396	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 3396 wrote to memory of 1052	3396	cmd.exe	netsh.exe
PID 3396 wrote to memory of 1052	3396	cmd.exe	netsh.exe
PID 2700 wrote to memory of 660	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 660	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4848	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4848	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 1424	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 1424	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 660 wrote to memory of 2672	660	cmd.exe	whoami.exe
PID 660 wrote to memory of 2672	660	cmd.exe	whoami.exe
PID 1424 wrote to memory of 4284	1424	cmd.exe	reg.exe
PID 1424 wrote to memory of 4284	1424	cmd.exe	reg.exe
PID 4848 wrote to memory of 4300	4848	cmd.exe	ipconfig.exe
PID 4848 wrote to memory of 4300	4848	cmd.exe	ipconfig.exe
PID 2700 wrote to memory of 4912	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4912	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4904	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4904	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4804	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 4804	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 4912 wrote to memory of 1320	4912	cmd.exe	whoami.exe
PID 4912 wrote to memory of 1320	4912	cmd.exe	whoami.exe
PID 2700 wrote to memory of 1436	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 1436	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 4904 wrote to memory of 4752	4904	cmd.exe	attrib.exe
PID 4904 wrote to memory of 4752	4904	cmd.exe	attrib.exe
PID 4804 wrote to memory of 1516	4804	cmd.exe	powershell.exe
PID 4804 wrote to memory of 1516	4804	cmd.exe	powershell.exe
PID 1436 wrote to memory of 1592	1436	cmd.exe	WMIC.exe
PID 1436 wrote to memory of 1592	1436	cmd.exe	WMIC.exe
PID 2700 wrote to memory of 3916	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 3916	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 3916 wrote to memory of 3536	3916	cmd.exe	WMIC.exe
PID 3916 wrote to memory of 3536	3916	cmd.exe	WMIC.exe
PID 2700 wrote to memory of 112	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 112	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 3452	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 3452	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 3452 wrote to memory of 4472	3452	cmd.exe	WMIC.exe
PID 3452 wrote to memory of 4472	3452	cmd.exe	WMIC.exe
PID 2700 wrote to memory of 2756	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2700 wrote to memory of 2756	2700	6bfc1b42014e76be8deee330ff944681.exe	cmd.exe
PID 2756 wrote to memory of 3224	2756	cmd.exe	1646278288.exe
PID 2756 wrote to memory of 3224	2756	cmd.exe	1646278288.exe
PID 2756 wrote to memory of 3224	2756	cmd.exe	1646278288.exe
PID 3224 wrote to memory of 392	3224	1646278288.exe	1646278288.tmp
PID 3224 wrote to memory of 392	3224	1646278288.exe	1646278288.tmp
PID 3224 wrote to memory of 392	3224	1646278288.exe	1646278288.tmp
PID 392 wrote to memory of 5084	392	1646278288.tmp	1646278288.exe
PID 392 wrote to memory of 5084	392	1646278288.tmp	1646278288.exe
PID 392 wrote to memory of 5084	392	1646278288.tmp	1646278288.exe
PID 5084 wrote to memory of 4064	5084	1646278288.exe	1646278288.tmp
PID 5084 wrote to memory of 4064	5084	1646278288.exe	1646278288.tmp
PID 5084 wrote to memory of 4064	5084	1646278288.exe	1646278288.tmp
PID 4064 wrote to memory of 3160	4064	1646278288.tmp	tracegen.exe
PID 4064 wrote to memory of 3160	4064	1646278288.tmp	tracegen.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4752 attrib.exe

pid	process
4752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6bfc1b42014e76be8deee330ff944681.exe
"C:\Users\Admin\AppData\Local\Temp\6bfc1b42014e76be8deee330ff944681.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\cmd.exe
  cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- C:\Windows\system32\cmd.exe
  cmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\6bfc1b42014e76be8deee330ff944681.exe C:\Windows\spoolsv.exe
  2⤵
  - Suspicious behavior: RenamesItself
  PID:4488
- C:\Windows\system32\cmd.exe
  cmd /C "netsh advfirewall firewall add rule name=\"spoolsv\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\6bfc1b42014e76be8deee330ff944681.exe\" enable=yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name=\"spoolsv\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\6bfc1b42014e76be8deee330ff944681.exe\" enable=yes
    3⤵
    PID:1052
- C:\Windows\system32\cmd.exe
  cmd /C whoami
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd /C "ipconfig //flushdns"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\system32\ipconfig.exe
    ipconfig //flushdns
    3⤵
    - Gathers network information
    PID:4300
- C:\Windows\system32\cmd.exe
  cmd /Q /C reg add "HKCU\Software\Microsoft Partners" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft Partners" /f
    3⤵
    PID:4284
- C:\Windows\system32\cmd.exe
  cmd /C whoami
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Windows\system32\cmd.exe
  cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd /C "attrib +S +H C:\Windows\spoolsv.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\system32\attrib.exe
    attrib +S +H C:\Windows\spoolsv.exe
    3⤵
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:4752
- C:\Windows\system32\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Windows\system32\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- C:\Windows\system32\cmd.exe
  cmd /C ver
  2⤵
  PID:112
- C:\Windows\system32\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    PID:4472
- C:\Windows\system32\cmd.exe
  cmd /C start C:\Windows\1646278288.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\1646278288.exe
    C:\Windows\1646278288.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\is-NOQPC.tmp\1646278288.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NOQPC.tmp\1646278288.tmp" /SL5="$70056,9084029,780800,C:\Windows\1646278288.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\1646278288.exe
        
        "C:\Windows\1646278288.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\is-6G3PD.tmp\1646278288.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6G3PD.tmp\1646278288.tmp" /SL5="$401D8,9084029,780800,C:\Windows\1646278288.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe
        
        "C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe"
        7⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe
        
        "C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x4bc
1⤵
PID:3276

C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe
"C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe" start
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6G3PD.tmp\1646278288.tmp

MD5
681f67c011ee0ac7fd112ed351fc07db

SHA1
cc02d9564dc3e29faf3e4945567d2ce6612d1f8c

SHA256
69d2e938368d9dc2fe5ae956d49ed1005dc4bb18b878cf2e55a0931c7a5eb003

SHA512
c2011f82d2bdb135b7db862cf89298df424a6f31719ce75a9c1fb89493ae65692d3fdfafe45515be5e0459ed6c40bd3db43fb19c8aa49f3e0e9a194ac36cab6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NOQPC.tmp\1646278288.tmp

MD5
681f67c011ee0ac7fd112ed351fc07db

SHA1
cc02d9564dc3e29faf3e4945567d2ce6612d1f8c

SHA256
69d2e938368d9dc2fe5ae956d49ed1005dc4bb18b878cf2e55a0931c7a5eb003

SHA512
c2011f82d2bdb135b7db862cf89298df424a6f31719ce75a9c1fb89493ae65692d3fdfafe45515be5e0459ed6c40bd3db43fb19c8aa49f3e0e9a194ac36cab6a

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\DBClient.dll

MD5
d64cbc9613edc8b8799dd36b8e3f8a62

SHA1
edacb98a4b6ac6407d0b0bdd86317b12a322ab51

SHA256
cdbe7dba0562816180f4d678a55b78c9675dbe09617fb7e3ecb0508bfe2b8681

SHA512
efdd78b35e5f24c0f3ec7a689eb8a53a24f819321cb2d790cc45ba1708209b462928ab5047a14933e4795d569d41a2ecc261158c84467698be2c57392810f19b

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\DBClient.dll

MD5
d64cbc9613edc8b8799dd36b8e3f8a62

SHA1
edacb98a4b6ac6407d0b0bdd86317b12a322ab51

SHA256
cdbe7dba0562816180f4d678a55b78c9675dbe09617fb7e3ecb0508bfe2b8681

SHA512
efdd78b35e5f24c0f3ec7a689eb8a53a24f819321cb2d790cc45ba1708209b462928ab5047a14933e4795d569d41a2ecc261158c84467698be2c57392810f19b

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\DBClient.dll

MD5
d64cbc9613edc8b8799dd36b8e3f8a62

SHA1
edacb98a4b6ac6407d0b0bdd86317b12a322ab51

SHA256
cdbe7dba0562816180f4d678a55b78c9675dbe09617fb7e3ecb0508bfe2b8681

SHA512
efdd78b35e5f24c0f3ec7a689eb8a53a24f819321cb2d790cc45ba1708209b462928ab5047a14933e4795d569d41a2ecc261158c84467698be2c57392810f19b

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\MSVCP140.dll

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\MSVCP90.dll

MD5
30afaf23c37c439c2c83ec6518287076

SHA1
2ece38dc601315f4d05d034f66ad1d77f2845c00

SHA256
f5b6ed22ff07743402a2c90f469fa91f46fba8bf35b55312a5aaf26a448a9064

SHA512
0f87a1c55d54dccf5007a82d51ded65be9ee5619e0c82bd94b53c7d10b33237cd39e5b481dad00698bafdeac2687a7ff920ee5c5900468b5c0c93b996e803e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\MSVCR90.dll

MD5
8d8325e8cdc31ffd3ba95e69d9a5bf91

SHA1
4bbe261d907e58a8487c27d2dc007ae98f1d3d2c

SHA256
1eab5f18a5733d746e681bc3d60175f8fca219dc1f94a7bb19db9e4c2c36224a

SHA512
49ba10c7ec86cff01568520c2092a993184df0b667a8bd197bc6cbe5918575028c1cd127e7d911344e5a88133827cda99aa3c1a331f26f809b04395da599c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe

MD5
8c91eacff0f53860ecfc5fd67168927b

SHA1
4062cf4e7c5457849e60232f34afa2b9bbb3d827

SHA256
7e5f8c916e7359dd8a9cd4e476803cf0d89496668879aa34731a38c7ad13a45e

SHA512
dbc5f3f07b3f108d0ddc5e93256ed40cd70c8f32383dd58d698498a4cd8de3d970bd70da3c47b2e2bd9d19d5e90159ffaaf5d6e43039158b23c5cd74ae60403e

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe

MD5
8c91eacff0f53860ecfc5fd67168927b

SHA1
4062cf4e7c5457849e60232f34afa2b9bbb3d827

SHA256
7e5f8c916e7359dd8a9cd4e476803cf0d89496668879aa34731a38c7ad13a45e

SHA512
dbc5f3f07b3f108d0ddc5e93256ed40cd70c8f32383dd58d698498a4cd8de3d970bd70da3c47b2e2bd9d19d5e90159ffaaf5d6e43039158b23c5cd74ae60403e

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe

MD5
8c91eacff0f53860ecfc5fd67168927b

SHA1
4062cf4e7c5457849e60232f34afa2b9bbb3d827

SHA256
7e5f8c916e7359dd8a9cd4e476803cf0d89496668879aa34731a38c7ad13a45e

SHA512
dbc5f3f07b3f108d0ddc5e93256ed40cd70c8f32383dd58d698498a4cd8de3d970bd70da3c47b2e2bd9d19d5e90159ffaaf5d6e43039158b23c5cd74ae60403e

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\VCRUNTIME140.dll

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\adbeape.dll

MD5
819b4664a21827749250288b514e2494

SHA1
2bc3885716b1d6b7de41c201ccb40a74a38d8e7b

SHA256
068302bd6b30978c739f4599bfe33f15c2ce3aefdf8abc2ef394139c94d09705

SHA512
cad17c78dfc4ffef030f677373a19fa045d9cbd627de87f35e5bf740147d894ac8c218f070d94b8832241a6dd35f81e6f1e0740f6f5412dd9fb6c5c7257b0734

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\adbeape.dll

MD5
819b4664a21827749250288b514e2494

SHA1
2bc3885716b1d6b7de41c201ccb40a74a38d8e7b

SHA256
068302bd6b30978c739f4599bfe33f15c2ce3aefdf8abc2ef394139c94d09705

SHA512
cad17c78dfc4ffef030f677373a19fa045d9cbd627de87f35e5bf740147d894ac8c218f070d94b8832241a6dd35f81e6f1e0740f6f5412dd9fb6c5c7257b0734

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\adbeape.dll

MD5
819b4664a21827749250288b514e2494

SHA1
2bc3885716b1d6b7de41c201ccb40a74a38d8e7b

SHA256
068302bd6b30978c739f4599bfe33f15c2ce3aefdf8abc2ef394139c94d09705

SHA512
cad17c78dfc4ffef030f677373a19fa045d9cbd627de87f35e5bf740147d894ac8c218f070d94b8832241a6dd35f81e6f1e0740f6f5412dd9fb6c5c7257b0734

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\asp

MD5
3c0f89972dfc853512bbf9069fbe4f36

SHA1
c9ac0d13094dd5beb8158cf2f2b9a2d9c5dc251f

SHA256
78799fa3535d592b5589a47b3af214cde9337b9e0255d3b1784d2827223c81b9

SHA512
87097c9d4314752ac499b3c56b1709eaf2e29a4b4dd9fa79e67ace4d34ca54432ecfe338b81c971411397b95ad4b7e0e35e39008852ec14fef3d776559cfd4d1

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\libchart.dll

MD5
79bf2c18072ee2a8831866e07646cf93

SHA1
fd7271b234a567127b47d687fafc88273ece3e8f

SHA256
af91253362b0451fee3f8d9faf946a09cc70b7f157d8281ef1c2f50e1d2f71f9

SHA512
2191ed7135845691afe9cc749f82f5278cdd3c2a1b816f32d2a21d5e8f1c23dd48a74579d5fbe305970533bc67b0ce1b5967e60b1da8fa101ce61f8d8e62a728

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\libchart.dll

MD5
79bf2c18072ee2a8831866e07646cf93

SHA1
fd7271b234a567127b47d687fafc88273ece3e8f

SHA256
af91253362b0451fee3f8d9faf946a09cc70b7f157d8281ef1c2f50e1d2f71f9

SHA512
2191ed7135845691afe9cc749f82f5278cdd3c2a1b816f32d2a21d5e8f1c23dd48a74579d5fbe305970533bc67b0ce1b5967e60b1da8fa101ce61f8d8e62a728

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcp140.dll

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcp90.dll

MD5
30afaf23c37c439c2c83ec6518287076

SHA1
2ece38dc601315f4d05d034f66ad1d77f2845c00

SHA256
f5b6ed22ff07743402a2c90f469fa91f46fba8bf35b55312a5aaf26a448a9064

SHA512
0f87a1c55d54dccf5007a82d51ded65be9ee5619e0c82bd94b53c7d10b33237cd39e5b481dad00698bafdeac2687a7ff920ee5c5900468b5c0c93b996e803e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcp90.dll

MD5
30afaf23c37c439c2c83ec6518287076

SHA1
2ece38dc601315f4d05d034f66ad1d77f2845c00

SHA256
f5b6ed22ff07743402a2c90f469fa91f46fba8bf35b55312a5aaf26a448a9064

SHA512
0f87a1c55d54dccf5007a82d51ded65be9ee5619e0c82bd94b53c7d10b33237cd39e5b481dad00698bafdeac2687a7ff920ee5c5900468b5c0c93b996e803e1d

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcr90.dll

MD5
8d8325e8cdc31ffd3ba95e69d9a5bf91

SHA1
4bbe261d907e58a8487c27d2dc007ae98f1d3d2c

SHA256
1eab5f18a5733d746e681bc3d60175f8fca219dc1f94a7bb19db9e4c2c36224a

SHA512
49ba10c7ec86cff01568520c2092a993184df0b667a8bd197bc6cbe5918575028c1cd127e7d911344e5a88133827cda99aa3c1a331f26f809b04395da599c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcr90.dll

MD5
8d8325e8cdc31ffd3ba95e69d9a5bf91

SHA1
4bbe261d907e58a8487c27d2dc007ae98f1d3d2c

SHA256
1eab5f18a5733d746e681bc3d60175f8fca219dc1f94a7bb19db9e4c2c36224a

SHA512
49ba10c7ec86cff01568520c2092a993184df0b667a8bd197bc6cbe5918575028c1cd127e7d911344e5a88133827cda99aa3c1a331f26f809b04395da599c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\msvcr90.dll

MD5
8d8325e8cdc31ffd3ba95e69d9a5bf91

SHA1
4bbe261d907e58a8487c27d2dc007ae98f1d3d2c

SHA256
1eab5f18a5733d746e681bc3d60175f8fca219dc1f94a7bb19db9e4c2c36224a

SHA512
49ba10c7ec86cff01568520c2092a993184df0b667a8bd197bc6cbe5918575028c1cd127e7d911344e5a88133827cda99aa3c1a331f26f809b04395da599c6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe

MD5
f0ce1fc1ef4cdae853428faf62c7e0bb

SHA1
cc68f5f4922095219de0ed10c39e225ddd1bd99c

SHA256
1381c53093d2bc83d20e466a0e07f7d6963347862283d64582aa9960c187ad75

SHA512
d8301bc03acd774d8216cbf95e6fa59d220c5d7a6182deafcc8d9af78fa53fb89964128b81f2b6247ec48a44c538cd604159415b69754368e3dcf62b98776837

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe

MD5
f0ce1fc1ef4cdae853428faf62c7e0bb

SHA1
cc68f5f4922095219de0ed10c39e225ddd1bd99c

SHA256
1381c53093d2bc83d20e466a0e07f7d6963347862283d64582aa9960c187ad75

SHA512
d8301bc03acd774d8216cbf95e6fa59d220c5d7a6182deafcc8d9af78fa53fb89964128b81f2b6247ec48a44c538cd604159415b69754368e3dcf62b98776837

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\vcruntime140.dll

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\vcruntime140.dll

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Windows\1646278288.exe

MD5
686b40dcb167653cb7a8463928c26af1

SHA1
d6146b6fdf516223735e4e881fa797432dff3923

SHA256
595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470

SHA512
c40d9c17e1b6d1100425b15d0f800562579b935a83e1c9b8f4099d8a4262b7287f545f4c0a00ab040c92e239fe946416242461dd712d4cb63deca5f651558f8f

Download Submit
C:\Windows\1646278288.exe

MD5
686b40dcb167653cb7a8463928c26af1

SHA1
d6146b6fdf516223735e4e881fa797432dff3923

SHA256
595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470

SHA512
c40d9c17e1b6d1100425b15d0f800562579b935a83e1c9b8f4099d8a4262b7287f545f4c0a00ab040c92e239fe946416242461dd712d4cb63deca5f651558f8f

Download Submit
C:\Windows\1646278288.exe

MD5
686b40dcb167653cb7a8463928c26af1

SHA1
d6146b6fdf516223735e4e881fa797432dff3923

SHA256
595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470

SHA512
c40d9c17e1b6d1100425b15d0f800562579b935a83e1c9b8f4099d8a4262b7287f545f4c0a00ab040c92e239fe946416242461dd712d4cb63deca5f651558f8f

Download Submit
memory/392-147-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1516-140-0x00000252C3A66000-0x00000252C3A68000-memory.dmp

Filesize
8KB

Download
memory/1516-139-0x00000252C3A68000-0x00000252C3A69000-memory.dmp

Filesize
4KB

Download
memory/1516-137-0x00000252C3A60000-0x00000252C3A62000-memory.dmp

Filesize
8KB

Download
memory/1516-138-0x00000252C3A63000-0x00000252C3A65000-memory.dmp

Filesize
8KB

Download
memory/1516-136-0x00007FFB2BB13000-0x00007FFB2BB15000-memory.dmp

Filesize
8KB

Download
memory/3224-142-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3224-145-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4064-152-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4164-133-0x0000014B7A553000-0x0000014B7A555000-memory.dmp

Filesize
8KB

Download
memory/4164-131-0x00007FFB2BB13000-0x00007FFB2BB15000-memory.dmp

Filesize
8KB

Download
memory/4164-130-0x0000014B7A520000-0x0000014B7A542000-memory.dmp

Filesize
136KB

Download
memory/4164-132-0x0000014B7A550000-0x0000014B7A552000-memory.dmp

Filesize
8KB

Download
memory/4844-174-0x00000000030E0000-0x00000000030E7000-memory.dmp

Filesize
28KB

Download
memory/4844-180-0x00000000046E0000-0x00000000088E0000-memory.dmp

Filesize
66.0MB

Download
memory/5084-149-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download