General

  • Target

    108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61

  • Size

    14.1MB

  • Sample

    230127-kg362saa66

  • MD5

    aaa058858261d7c0e73fa1b8264a9a3d

  • SHA1

    1233af8c8377567b2b8ebf7642f0036c9797596b

  • SHA256

    108cfca8867eb4f94082cddacf63fbdd8369b0991873a20afc3210f2d5e4ec61

  • SHA512

    4ed1d39dad64f0b79f080d15101ad54b6859b5f71911edb112bb10e860baaf4715d01f9241f5bf60a22da950b0deeddde2bb798710162b151781f4310a80059c

  • SSDEEP

    196608:Unri5hStOZV3jIIZruRDm+09gJGzYvj/N2igdkC3qVa+Pa9k8qCgcr+7hQJ/RYyk:7lTLZD+YG8elEkna+iwCNrUhQHYM4Fdb

Malware Config

Targets

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    • Babadeda Crypter

    • Phobos

      Phobos ransomware appeared at the beginning of 2019.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar profile data.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v6

Tasks