Analysis
max time kernel: 76s
max time network: 80s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2023 11:36
Behavioral tasks
behavioral1: sample 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe, resource win7-20230220-en
behavioral2: sample 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe, resource win10v2004-20230220-en
behavioral3: sample out.exe, resource win7-20230220-en
behavioral4: sample out.exe, resource win10v2004-20230220-en
General
Target: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
Size: 11.7MB
MD5: 0013ee610f83b401007adbefef051305
SHA1: f322e18219aa1abd91640b4d2b47fc1992068d16
SHA256: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff
SHA512: 27abdf3bd117cd85e18d633ddcb35586791cc7f41caf9797fdbdc726befd140c8dbd2a3a3a032581f1f20e226b6f29327a6f9892255ab6b69c27d1e13719fe5b
SSDEEP: 196608:f6/ssSAAdFmYR0BwJ6DOlmreNUbR8cTGVqdZtzQ4cXwokT0YETuhtNo2vwDYpmv+:f69sFmYR0CJ6UmCNUbR8uGotzSXjkMud
Malware Config
Extracted family: bitrat
version: 1.38
C2: 145.239.202.9:4598
communication_password: 2ff037574f878c384918323c55e52186
tor_process: tor
Signatures

Babadeda Crypter (1 IoC)
  resource: behavioral2/files/0x0001000000023165-432.dat, yara_rule: family_babadeda

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation
  process: 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe

Executes dropped EXE (1 IoC)
  pid 1940, process difserver.exe

Loads dropped DLL (1 IoC)
  pid 1940, process difserver.exe

yara_rule upx (2 IoCs; signature title missing from the extracted page)
  resource: behavioral2/memory/1188-133-0x0000000000400000-0x000000000072F000-memory.dmp, yara_rule: upx
  resource: behavioral2/memory/1188-433-0x0000000000400000-0x000000000072F000-memory.dmp, yara_rule: upx

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid 1940, process difserver.exe (4 occurrences)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeShutdownPrivilege
  pid 1940, process difserver.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 1940, process difserver.exe (2 occurrences)

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 1188 wrote to memory of 1940
  pid 1188, process 99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe, procid_target 82 (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\99e6b46a1eba6fd60b9568622a2a27b4ae1ac02e55ab8b13709f38455345aaff.exe"
   PID: 1188
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe (child of PID 1188)
      command line: "C:\Users\Admin\AppData\Roaming\Diffractor\Virtual Diffractor Server\difserver.exe"
      PID: 1940
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 5KB
MD5: 9325aee138a4d9a15d651920fb403ffc
SHA1: 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256: 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512: d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Filesize: 6.2MB
MD5: ec538ff191a52b5ca9f67ae5d5d56908
SHA1: fb583f5953db1c0397859bb91afd5b0a5f6f366c
SHA256: 358211210e0bb34dd77073bb0de64bb80723f3434594caf1a95d0ed164ee87a1
SHA512: ce80b6c4783459da9bead38dd204e5046b046098bf22f4d853a048ed89c20757c7992d4512d83163dcb8f94e0fb45a021b639f5e2323236fece49a7de8c4b787

Filesize: 3.9MB
MD5: e653f13bf4b225f1c7dce0e6404fc52a
SHA1: 6e2ba578d8c14967a5ff2abbcce67a0e732c43d9
SHA256: ce3758d494132e7bef7ea87bb8379bb9f4b0c82768d65881139e1ec1838f236c
SHA512: 96ced8dae8fb070cbc0a476d1a0a50233cc47f56e3621603d06e89db8667f3a611037395be729e075b40406860b80cd0fc0eb22603706845a762e9b15ad75efd

Filesize: 7.7MB
MD5: bacfa288e5c0f18a8f2c94d208d7c760
SHA1: 912bd515c26f794cc65fa066ac01216cc7d35893
SHA256: 080340cb4ced8a16cad2131dc2ac89e1516d0ebe5507d91b3e8fb341bfcfe7d8
SHA512: 329e88c703ede60b537a94cc4b64e890048552de05a4a26530a770ead698644d38c34ece53ee4027ecc994613465cba76d15a5c560d586b3579465bb2e17637a