babadeda | 140262c1d462d8faa68febe744a8db66679bdc6ffda3cdafba931ea3119f2f82

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe
Size

4.8MB
MD5

6678549db6974d6962363d8b82ee7be2
SHA1

b3fc1aca4ff8ad96d48895d7d9bc8e136151b844
SHA256

ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc
SHA512

39ed85ba147bbfb9625afa993993867676ebfd6efddf43f49a0d838a498c6d6be45501a8f02f3be682b5711c38119899547301bb7a02e13c003614f13a4f13b1
SSDEEP

98304:nSibgJW3oGqaFvY9Jp+oyyuMNfyCUFStjqNsNM5NEQ2Z+dnPcMc:1TtY9JpXXuMNzUwANsu5z2Z+1cd

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

45.142.212.149:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000014156-78.dat	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

pid	Process
1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
568	volcenter.exe

Loads dropped DLL 5 IoCs

pid	Process
536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe
1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
568	volcenter.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 536 wrote to memory of 1944	536	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	27
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1944 wrote to memory of 1700	1944	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	28
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 1700 wrote to memory of 900	1700	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe	29
PID 900 wrote to memory of 568	900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	30
PID 900 wrote to memory of 568	900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	30
PID 900 wrote to memory of 568	900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	30
PID 900 wrote to memory of 568	900	ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp	30

C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe
"C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\is-PVAF1.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PVAF1.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp" /SL5="$60120,4197708,831488,C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe
    "C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\is-GCNHB.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-GCNHB.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp" /SL5="$70120,4197708,831488,C:\Users\Admin\AppData\Local\Temp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
        
        "C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GCNHB.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Filesize
3.0MB

MD5
e1f761cde120ab5fb715eaa71bfdf516

SHA1
b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2

SHA256
98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90

SHA512
4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PVAF1.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Filesize
3.0MB

MD5
e1f761cde120ab5fb715eaa71bfdf516

SHA1
b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2

SHA256
98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90

SHA512
4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml

Filesize
863KB

MD5
cb2d543f6b9936599848824ddb769661

SHA1
707c7bf30bc47aab26780c70accaaa6824395aa1

SHA256
b3f91f360c775655a7c22acb7f81905c9f2b1217c456f0542418e2460c998191

SHA512
61e621aa47bacca92aafa8765c494871d3409b807427479fe6ab5cbc87f37310621710b7cd180ba894b7eee643ce9467fcdc625ecfa5c837480b4de845d23346

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

Filesize
3.9MB

MD5
3a0507e45d22fe30bac2c45e72ea7450

SHA1
c0766576a3247c159ff8e15a42ca215efcb1c6fa

SHA256
530af0490c3dcc6b7e25e0aa3db208d20ca2a30a38349289cb2749a302d179d4

SHA512
63bf703cb9d466d398754c6d24b19a1ce5a6b39ece86dfca296a106c335a503cc0be2669f75808aeef64089132b5140a662a78b22354b7b83c34cdfb43546988

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

Filesize
4.8MB

MD5
b5cc4b918bc3873ff4a26951c17329fe

SHA1
66e4614ecc5eda9a376d3d21176a28968b964a06

SHA256
6ec2fc6c161771eca089e03330348b54b8d9a8dae5c73f59d58ac585f8c84082

SHA512
dc7829453592835c43af85d08029bf0d7519041d7d9494d169bd179b8f1b6c018e9f0f2b2ff184f9f5c608d5b6dd3285185e762402d5e80bc16e9eb351387691

Download Submit
\Users\Admin\AppData\Local\Temp\is-GCNHB.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Filesize
3.0MB

MD5
e1f761cde120ab5fb715eaa71bfdf516

SHA1
b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2

SHA256
98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90

SHA512
4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

Download Submit
\Users\Admin\AppData\Local\Temp\is-PVAF1.tmp\ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc.tmp

Filesize
3.0MB

MD5
e1f761cde120ab5fb715eaa71bfdf516

SHA1
b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2

SHA256
98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90

SHA512
4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll

Filesize
3.9MB

MD5
3a0507e45d22fe30bac2c45e72ea7450

SHA1
c0766576a3247c159ff8e15a42ca215efcb1c6fa

SHA256
530af0490c3dcc6b7e25e0aa3db208d20ca2a30a38349289cb2749a302d179d4

SHA512
63bf703cb9d466d398754c6d24b19a1ce5a6b39ece86dfca296a106c335a503cc0be2669f75808aeef64089132b5140a662a78b22354b7b83c34cdfb43546988

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

Filesize
4.8MB

MD5
b5cc4b918bc3873ff4a26951c17329fe

SHA1
66e4614ecc5eda9a376d3d21176a28968b964a06

SHA256
6ec2fc6c161771eca089e03330348b54b8d9a8dae5c73f59d58ac585f8c84082

SHA512
dc7829453592835c43af85d08029bf0d7519041d7d9494d169bd179b8f1b6c018e9f0f2b2ff184f9f5c608d5b6dd3285185e762402d5e80bc16e9eb351387691

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe

Filesize
4.8MB

MD5
b5cc4b918bc3873ff4a26951c17329fe

SHA1
66e4614ecc5eda9a376d3d21176a28968b964a06

SHA256
6ec2fc6c161771eca089e03330348b54b8d9a8dae5c73f59d58ac585f8c84082

SHA512
dc7829453592835c43af85d08029bf0d7519041d7d9494d169bd179b8f1b6c018e9f0f2b2ff184f9f5c608d5b6dd3285185e762402d5e80bc16e9eb351387691

Download Submit
memory/536-64-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/536-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/536-55-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/568-82-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/568-85-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/900-71-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/900-79-0x0000000003330000-0x0000000003340000-memory.dmp

Filesize
64KB

Download
memory/900-81-0x00000000040E0000-0x00000000045B2000-memory.dmp

Filesize
4.8MB

Download
memory/900-84-0x00000000040E0000-0x00000000045B2000-memory.dmp

Filesize
4.8MB

Download
memory/1700-66-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1700-63-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1700-80-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download