babadeda | fad9151bdf6b42b534a4eca9c0fa331970fc0596e1ffd4fcba245b2a1cfc936b

General

Target

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
Size

10.7MB
MD5

60bce89d8df5caa28d3d73ee4c94313a
SHA1

878e237aeb528a1e4c6c3fe53cb4ffd1c420231e
SHA256

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d
SHA512

963629759df10731e7b49a113fd4eb462286d26d4b394bab89bea35f4515cc907d803b01313764b973ebd4876a40e2fff820ad6b10f7a142e74a31a836010665
SSDEEP

196608:yxthehwzf4soekmmf7zADj75xtw0QkyPAm2VxdG1P5K5S2njugWR:meCBoeq7adK7JonCxC7juR

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

C2

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022e22-151.dat	family_babadeda

Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Executes dropped EXE 3 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpalcodec.exe

pid	Process
2252	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
4928	alcodec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Loads dropped DLL 1 IoCs

Processes:

alcodec.exe

pid	Process
4928	alcodec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
12	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	Process
2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	Process
2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

description	pid	Process	procid_target
PID 1800 wrote to memory of 2252	1800	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	79
PID 1800 wrote to memory of 2252	1800	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	79
PID 1800 wrote to memory of 2252	1800	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	79
PID 2252 wrote to memory of 1132	2252	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	80
PID 2252 wrote to memory of 1132	2252	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	80
PID 2252 wrote to memory of 1132	2252	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	80
PID 1132 wrote to memory of 2964	1132	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	81
PID 1132 wrote to memory of 2964	1132	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	81
PID 1132 wrote to memory of 2964	1132	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	81
PID 2964 wrote to memory of 4928	2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	82
PID 2964 wrote to memory of 4928	2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	82
PID 2964 wrote to memory of 4928	2964	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	82

C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
"C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\is-SKKPF.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SKKPF.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$D0066,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
    "C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\is-A76OI.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A76OI.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$A01C4,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe
        
        "C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-A76OI.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SKKPF.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf

Filesize
859KB

MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe

Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll

Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll

Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
memory/1132-137-0x0000000000000000-mapping.dmp

Download
memory/1132-143-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1132-138-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1132-147-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1800-140-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1800-132-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1800-136-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2252-134-0x0000000000000000-mapping.dmp

Download
memory/2964-141-0x0000000000000000-mapping.dmp

Download
memory/4928-144-0x0000000000000000-mapping.dmp

Download
memory/4928-148-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/4928-152-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads