babadeda | fad9151bdf6b42b534a4eca9c0fa331970fc0596e1ffd4fcba245b2a1cfc936b

Resubmissions

09-04-2024 10:33

240409-mls8racg53 10

14-11-2022 09:44

221114-lqqgzsbf6y 10

Analysis

max time kernel
147s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
Size

10.7MB
MD5

60bce89d8df5caa28d3d73ee4c94313a
SHA1

878e237aeb528a1e4c6c3fe53cb4ffd1c420231e
SHA256

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d
SHA512

963629759df10731e7b49a113fd4eb462286d26d4b394bab89bea35f4515cc907d803b01313764b973ebd4876a40e2fff820ad6b10f7a142e74a31a836010665
SSDEEP

196608:yxthehwzf4soekmmf7zADj75xtw0QkyPAm2VxdG1P5K5S2njugWR:meCBoeq7adK7JonCxC7juR

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0006000000014124-80.dat	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpalcodec.exe

pid	Process
1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
1588	alcodec.exe

Loads dropped DLL 5 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpalcodec.exe

pid	Process
1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
1588	alcodec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	Process
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	Process
2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

description	pid	Process	procid_target
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1100 wrote to memory of 1688	1100	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	28
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1688 wrote to memory of 1752	1688	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	29
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 1752 wrote to memory of 2020	1752	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	30
PID 2020 wrote to memory of 1588	2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	31
PID 2020 wrote to memory of 1588	2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	31
PID 2020 wrote to memory of 1588	2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	31
PID 2020 wrote to memory of 1588	2020	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	31

C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
"C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\is-0EPTD.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0EPTD.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$60126,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\is-QBL12.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-QBL12.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$70126,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe
        
        "C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-0EPTD.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QBL12.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf

Filesize
859KB

MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll

Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
\Users\Admin\AppData\Local\Temp\is-0EPTD.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
\Users\Admin\AppData\Local\Temp\is-QBL12.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll

Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
memory/1100-55-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1100-63-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1100-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/1588-82-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/1588-77-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/1588-74-0x0000000000000000-mapping.dmp

Download
memory/1688-58-0x0000000000000000-mapping.dmp

Download
memory/1752-61-0x0000000000000000-mapping.dmp

Download
memory/1752-76-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1752-66-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1752-64-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2020-71-0x0000000074CA1000-0x0000000074CA3000-memory.dmp

Filesize
8KB

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download