Overview

overview

10

Static

static

6a98d63304...0f.msi

windows7_x64

10

6a98d63304...0f.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-06-2022 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a98d63304df05f55265f42ad5f8e2e4be63c35181a103f1328f60e96e3f0e0f.msi

  • Size

    6.8MB

  • MD5

    f2e78426d5fd410725ceb00c4f821903

  • SHA1

    13bccee212ce368477259b317cb36d1b65f43f58

  • SHA256

    6a98d63304df05f55265f42ad5f8e2e4be63c35181a103f1328f60e96e3f0e0f

  • SHA512

    737e94d4932139b1b5944658b1c498effdbdf0ee881c8e35889cb5cfc1309eab5bdf4fa97366262bf4c8860fff9407f92e095c1bc003b40c17791dbc211abc89

Score
10/10
babadedaremcoswin32luxcrypterloaderrat

Malware Config

Extracted

Family

remcos

Botnet

Win32LUX

C2

144.91.79.86:4783

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Win32_64.exe

  • copy_folder

    Logs

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %UserProfile%

  • keylog_crypt

    false

  • keylog_file

    log.dat

  • keylog_flag

    false

  • keylog_folder

    Logs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    GDSGFDS42424FSAF-RP31EK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 2 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Detects BABADEDA Crypter 2 IoCs

    Detects BABADEDA Crypter.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6a98d63304df05f55265f42ad5f8e2e4be63c35181a103f1328f60e96e3f0e0f.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4220
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5B520BC9558F6FC5DFAF24461483C12C
      2⤵
      • Loads dropped DLL
      PID:2564
    • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\Mp3tag.exe
      "C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\Mp3tag.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3424

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\MSVCP140.dll
    Filesize

    428KB

    MD5

    fdd04dbbcf321eee5f4dd67266f476b0

    SHA1

    65ffdfe2664a29a41fcf5039229ccecad5b825b9

    SHA256

    21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

    SHA512

    04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\Mp3tag.exe
    Filesize

    8.6MB

    MD5

    92c1655770e49b1dc19359ea1f02e780

    SHA1

    16b459328f086dd988bfb2b45288d32652400301

    SHA256

    bf9a506f8c9409fe9609c9590477fdb5cbd185c7b76344260a2494ec064feb28

    SHA512

    b5e7d6eb435411449402840161d47ec17a6d7f24853e3536d0619dfec5b5fead9de9336560a434735c343e2d96f22d97b9be6c5a52e708c97ced6999808946f6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\VCRUNTIME140.dll
    Filesize

    77KB

    MD5

    ba65db6bfef78a96aee7e29f1449bf8a

    SHA1

    06c7beb9fd1f33051b0e77087350903c652f4b77

    SHA256

    141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

    SHA512

    ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\intro.dat
    Filesize

    452KB

    MD5

    8be35e234332d62efa23e2a3a155bc6b

    SHA1

    af1e8eb9fb32a685c7b65eea73634b52530dbce1

    SHA256

    5f7b5f2fe88dcfb1235e0d2a9edcd2b510f486ddb15920910d59d746101f9be9

    SHA512

    a34c6a77ef6fc923e3d7e6c87e6fc4346f24bce0734db8bd4a4cf77646e311e8a9ad33bdad6ee924e4e5e76d232765f457faf86a0750b2e18f6aefbbd84c7900

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\libwlp-20.dll
    Filesize

    19KB

    MD5

    fa847fa54c646c39fcf8e58c6fdcb46f

    SHA1

    d052ac0346c77be6d87c2da668543c63d3307036

    SHA256

    a15614de6f933f1941dbbb57641900439c02b3a90c40e409e32cae5c04426378

    SHA512

    3dca61429b7572d3106d095cea128b8b0bb8c685f0251b5920c8d69d828d33f90d507ba62033ab29cb8bb2d46e8574d0b52c7dba8181c2fa98ed304a8ed80cb2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\libwlp-20.dll
    Filesize

    19KB

    MD5

    fa847fa54c646c39fcf8e58c6fdcb46f

    SHA1

    d052ac0346c77be6d87c2da668543c63d3307036

    SHA256

    a15614de6f933f1941dbbb57641900439c02b3a90c40e409e32cae5c04426378

    SHA512

    3dca61429b7572d3106d095cea128b8b0bb8c685f0251b5920c8d69d828d33f90d507ba62033ab29cb8bb2d46e8574d0b52c7dba8181c2fa98ed304a8ed80cb2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\msvcp140.dll
    Filesize

    428KB

    MD5

    fdd04dbbcf321eee5f4dd67266f476b0

    SHA1

    65ffdfe2664a29a41fcf5039229ccecad5b825b9

    SHA256

    21570bcb7a77e856f3113235d2b05b2b328d4bb71b4fd9ca4d46d99adac80794

    SHA512

    04cfc3097fbce6ee1b7bac7bd63c3cffe7dca16f0ec9cd8fe657d8b7ebd06dcba272ff472f98c6385c3cfb9b1ac3f47be8ca6d3ea80ab4aeed44a0e2ce3185dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\page
    Filesize

    1.3MB

    MD5

    bc23ffe164676054ce5e5314abeaf11a

    SHA1

    eebc94229ce1b1a51d4dc96399d1ebda0b52b075

    SHA256

    dc36a03e536fbc03b4a89caa83435ec57fd021386341b53e23b56b359d988ab0

    SHA512

    78262e6a18988981e8a4f82fbf84e00d9058480912947851c5491a822f8f3c27a3345acf37bc2aeff514251024a1304fba087cf63f699b99af0299e9b0b26cdf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\tak_deco_lib.dll
    Filesize

    127KB

    MD5

    f0bf722006ebf17f9a194e892ba2bf37

    SHA1

    a483e46857f29e98535a992438006c962e0404e5

    SHA256

    a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

    SHA512

    47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\tak_deco_lib.dll
    Filesize

    127KB

    MD5

    f0bf722006ebf17f9a194e892ba2bf37

    SHA1

    a483e46857f29e98535a992438006c962e0404e5

    SHA256

    a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

    SHA512

    47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\tak_deco_lib.dll
    Filesize

    127KB

    MD5

    f0bf722006ebf17f9a194e892ba2bf37

    SHA1

    a483e46857f29e98535a992438006c962e0404e5

    SHA256

    a737f6f613c161938ef4c795fb0cf1a0a7bf7e1539cefebc030fc36ac37bf0af

    SHA512

    47e4113ef649539db6b7ba52106477ac415fafcc0fad5b9a92575d18d110d1fd21e906cecf2546ddc20ef554e09f3da418a5066b70b31dc1360e555eb2cbd0e4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\vcruntime140.dll
    Filesize

    77KB

    MD5

    ba65db6bfef78a96aee7e29f1449bf8a

    SHA1

    06c7beb9fd1f33051b0e77087350903c652f4b77

    SHA256

    141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

    SHA512

    ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\PDFsam Basic\PDFsam Basic\vcruntime140.dll
    Filesize

    77KB

    MD5

    ba65db6bfef78a96aee7e29f1449bf8a

    SHA1

    06c7beb9fd1f33051b0e77087350903c652f4b77

    SHA256

    141690572594dbd3618a4984712e9e36fc09c9906bb845ce1a9531ac8f7ad493

    SHA512

    ca63eeac10ef55d7e2e55479b25cf394e58aef1422951f361f762ab667f72a3454f55afc04e967e8cdd20cf3eebe97083e0438ea941916a09e7d091818ea830e

    Download Submit

  • C:\Windows\Installer\MSI798A.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI798A.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7CA8.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7CA8.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7DC2.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7DC2.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7E40.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • C:\Windows\Installer\MSI7E40.tmp
    Filesize

    524KB

    MD5

    6ea65025106536eb75f026e46643b099

    SHA1

    d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

    SHA256

    dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

    SHA512

    062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

    Download Submit

  • memory/3424-144-0x0000000000E40000-0x0000000000E65000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3424-148-0x0000000000E40000-0x0000000000E65000-memory.dmp

    Filesize

    148KB

    Download

  • memory/3424-155-0x0000000005F20000-0x0000000005FB9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/3424-162-0x0000000007690000-0x000000000AE90000-memory.dmp

    Filesize

    56.0MB

    Download

  • memory/3424-163-0x000000000B390000-0x000000000B407000-memory.dmp

    Filesize

    476KB

    Download

  • memory/3424-164-0x000000000B390000-0x000000000B407000-memory.dmp

    Filesize

    476KB

    Download