Overview

overview

10

Static

static

686b40dcb1...f1.exe

windows7_x64

10

686b40dcb1...f1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-03-2022 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    686b40dcb167653cb7a8463928c26af1.exe

  • Size

    9.5MB

  • MD5

    686b40dcb167653cb7a8463928c26af1

  • SHA1

    d6146b6fdf516223735e4e881fa797432dff3923

  • SHA256

    595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470

  • SHA512

    c40d9c17e1b6d1100425b15d0f800562579b935a83e1c9b8f4099d8a4262b7287f545f4c0a00ab040c92e239fe946416242461dd712d4cb63deca5f651558f8f

Score
10/10
babadedasystembccrypterloadertrojan

Malware Config

Extracted

Family

systembc

C2

5.101.78.2:4127

192.53.123.202:4127

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 3 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 16 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe
    "C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\is-OEDAI.tmp\686b40dcb167653cb7a8463928c26af1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OEDAI.tmp\686b40dcb167653cb7a8463928c26af1.tmp" /SL5="$50116,9084029,780800,C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3704
      • C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe
        "C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe" /VERYSILENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Users\Admin\AppData\Local\Temp\is-JCBE9.tmp\686b40dcb167653cb7a8463928c26af1.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-JCBE9.tmp\686b40dcb167653cb7a8463928c26af1.tmp" /SL5="$E002A,9084029,780800,C:\Users\Admin\AppData\Local\Temp\686b40dcb167653cb7a8463928c26af1.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe
            "C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\tracegen.exe"
            5⤵
            • Executes dropped EXE
            PID:620
          • C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe
            "C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            PID:2852
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500 0x4fc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3448
  • C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe
    "C:\Users\Admin\AppData\Roaming\Sure Cuts A Lot 5\PDapp.exe" start
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/652-139-0x00000000007F0000-0x00000000007F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2028-137-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2028-135-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2852-164-0x0000000004880000-0x0000000008A80000-memory.dmp

    Filesize

    66.0MB

    Download

  • memory/2852-163-0x0000000003060000-0x0000000003067000-memory.dmp

    Filesize

    28KB

    Download

  • memory/2952-130-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2952-132-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

    Download

  • memory/3704-134-0x00000000026A0000-0x00000000026A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3784-173-0x0000000001EE0000-0x0000000001EE7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3784-178-0x00000000025F0000-0x00000000067F0000-memory.dmp

    Filesize

    66.0MB

    Download