Overview

overview

10

Static

static

1.exe

windows7_x64

10

1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    02-04-2022 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    8.1MB

  • MD5

    72ad5cebf69de22b971997bb261ef519

  • SHA1

    27aef0b7214b93b44cbeab76af1dd39db3d938fd

  • SHA256

    1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1

  • SHA512

    a4879dae60d580b3fad31311ae64acdc92604164cc95bd721a4a789c66791c5586eac3922e621c33aab5f919ad92e68ef6cbbc43b3d4857b547e627855bcefe8

Score
10/10
babadedaphoboscrypterevasionloaderpersistenceransomware

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 3 IoCs
  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
      "C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
      • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
        C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe "-relaunchedForIntegrityLevel -launchedbyvulcan-2316 C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4476
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4520
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            5⤵
              PID:3196
            • C:\Windows\system32\netsh.exe
              netsh firewall set opmode mode=disable
              5⤵
                PID:4828
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4340
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                5⤵
                • Interacts with shadow copies
                PID:1916
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4120
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                5⤵
                • Modifies boot configuration data using bcdedit
                PID:208
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                5⤵
                • Modifies boot configuration data using bcdedit
                PID:5012
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                5⤵
                • Deletes backup catalog
                PID:4788
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5068
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2072
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:3900
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:3936

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\pb670893A4\PB3Dll.dll
          Filesize

          202KB

          MD5

          142bc2bb269b896cc0f11f9021dcbc52

          SHA1

          75b09b25f8f6b3b0fc94fcdcc61d932f303ac418

          SHA256

          5da7da9abb77790ddbb87d86b9ea4b01a4f375035827e30fa879dab8c2a737db

          SHA512

          150ffd4e66ee126912c6a5071bec750e4b5e603af9cc79b26c63e482f7d5d0aafcae1c995f10b60ba2da138effb19c668e1515f35db3b8b7a508ef34f59d134a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\pb670893A4\PBCore.dll
          Filesize

          444KB

          MD5

          bf34ceda78a3ff4016e8eca82337ec06

          SHA1

          38966df0f48da3ee15e2a44545c982693d6f552a

          SHA256

          3b4e89de9ccb5b1beba22030e29e921460b375bcbe5364115cc093f329596889

          SHA512

          b5d4af43a78e8c061c823778786fa53db2736543ed2513a033b93302328f4af10d565a7ce4116ee6580400a02e23694eb2183ccfbc9c3d8132fef3e63ae58cae

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
          Filesize

          4.6MB

          MD5

          25d5826c1136dde91cb8ed3b9319c50d

          SHA1

          627b989677c7d3d7431ca2d1c591fee095197a1e

          SHA256

          098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

          SHA512

          73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
          Filesize

          4.6MB

          MD5

          25d5826c1136dde91cb8ed3b9319c50d

          SHA1

          627b989677c7d3d7431ca2d1c591fee095197a1e

          SHA256

          098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

          SHA512

          73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
          Filesize

          4.6MB

          MD5

          25d5826c1136dde91cb8ed3b9319c50d

          SHA1

          627b989677c7d3d7431ca2d1c591fee095197a1e

          SHA256

          098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

          SHA512

          73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll
          Filesize

          839KB

          MD5

          08abdf28c00df306cb339fc1324f2f43

          SHA1

          e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

          SHA256

          874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

          SHA512

          e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll
          Filesize

          839KB

          MD5

          08abdf28c00df306cb339fc1324f2f43

          SHA1

          e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

          SHA256

          874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

          SHA512

          e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll
          Filesize

          839KB

          MD5

          08abdf28c00df306cb339fc1324f2f43

          SHA1

          e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

          SHA256

          874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

          SHA512

          e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\MSVCP140.dll
          Filesize

          439KB

          MD5

          5ff1fca37c466d6723ec67be93b51442

          SHA1

          34cc4e158092083b13d67d6d2bc9e57b798a303b

          SHA256

          5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

          SHA512

          4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\StartupOptions.xml
          Filesize

          1KB

          MD5

          dcd02122ff75c24cee25500ad3a3d812

          SHA1

          76e733331554e9aaff6ccf0df22931db9ca852a4

          SHA256

          059280e2b72f31d15fe6b83b9362be359ebd2f16a5de4763a21d0885183854ba

          SHA512

          e7fb7605a3d46b302a977b21e14743a5d367ffd50a9ab339108a356894b5d75c7c2693609c9aed84cb8aeaddeb041dc018428ce20f7bc9bbc984b431db58ff21

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll
          Filesize

          196KB

          MD5

          5766b7a2fd2431d5fd95e7dfe53e9059

          SHA1

          d59d571b7ea52a1cc08d734794825e19bbb8c5da

          SHA256

          58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

          SHA512

          6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll
          Filesize

          196KB

          MD5

          5766b7a2fd2431d5fd95e7dfe53e9059

          SHA1

          d59d571b7ea52a1cc08d734794825e19bbb8c5da

          SHA256

          58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

          SHA512

          6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll
          Filesize

          196KB

          MD5

          5766b7a2fd2431d5fd95e7dfe53e9059

          SHA1

          d59d571b7ea52a1cc08d734794825e19bbb8c5da

          SHA256

          58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

          SHA512

          6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\VCRUNTIME140.dll
          Filesize

          78KB

          MD5

          a37ee36b536409056a86f50e67777dd7

          SHA1

          1cafa159292aa736fc595fc04e16325b27cd6750

          SHA256

          8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

          SHA512

          3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\ground
          Filesize

          393KB

          MD5

          996c12ac07c7955fe018b68ac29ff8fb

          SHA1

          a88d9543aaa0f748a1997162b0e7e67249ba7cfa

          SHA256

          94f19678077f95de2f8200fa32dbc538cd8ec839a0513741613e35a86a2ad3e2

          SHA512

          8271c0aa844b4b5598690bb44012d3597edb347c3e171835a340d66d5874f5e6bd2d76fda0e62b0e28967fcb479e227d95d67d120ab4977ea1e029890dd1cf21

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll
          Filesize

          125KB

          MD5

          a43453dc3f04860653ff23db54f91f0d

          SHA1

          17877adc35e03eb2e7f7a90281a97067a839b70d

          SHA256

          55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

          SHA512

          8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll
          Filesize

          125KB

          MD5

          a43453dc3f04860653ff23db54f91f0d

          SHA1

          17877adc35e03eb2e7f7a90281a97067a839b70d

          SHA256

          55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

          SHA512

          8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll
          Filesize

          125KB

          MD5

          a43453dc3f04860653ff23db54f91f0d

          SHA1

          17877adc35e03eb2e7f7a90281a97067a839b70d

          SHA256

          55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

          SHA512

          8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\msvcp140.dll
          Filesize

          439KB

          MD5

          5ff1fca37c466d6723ec67be93b51442

          SHA1

          34cc4e158092083b13d67d6d2bc9e57b798a303b

          SHA256

          5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

          SHA512

          4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\msvcp140.dll
          Filesize

          439KB

          MD5

          5ff1fca37c466d6723ec67be93b51442

          SHA1

          34cc4e158092083b13d67d6d2bc9e57b798a303b

          SHA256

          5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

          SHA512

          4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\vcruntime140.dll
          Filesize

          78KB

          MD5

          a37ee36b536409056a86f50e67777dd7

          SHA1

          1cafa159292aa736fc595fc04e16325b27cd6750

          SHA256

          8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

          SHA512

          3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

          Download Submit

        • C:\Users\Admin\AppData\Roaming\GreatSim\Milling\vcruntime140.dll
          Filesize

          78KB

          MD5

          a37ee36b536409056a86f50e67777dd7

          SHA1

          1cafa159292aa736fc595fc04e16325b27cd6750

          SHA256

          8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

          SHA512

          3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

          Download Submit

        • memory/2316-141-0x0000000002C10000-0x0000000002C23000-memory.dmp

          Filesize

          76KB

          Download

        • memory/2316-153-0x00000000030E0000-0x00000000062E0000-memory.dmp

          Filesize

          50.0MB

          Download

        • memory/4476-159-0x0000000003050000-0x0000000006250000-memory.dmp

          Filesize

          50.0MB

          Download

        • memory/4476-154-0x0000000006250000-0x0000000006263000-memory.dmp

          Filesize

          76KB

          Download