Analysis
- max time kernel: 153s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2023 14:34
Behavioral task
- Task: behavioral1
- Sample: 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe
- Resource: win7-20231025-en
General
- Target: 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe
- Size: 15.5MB
- MD5: a7859bdb2fe19387a36a5d999680c097
- SHA1: 5de9079cf7414cbab29f0bb982dcead9f1e39325
- SHA256: 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64
- SHA512: e5f7cb220e72794c0de8911155ceed2dc74320f3db8b957760ec26fe0f4c5acb4a7db973c13bf578ea2f9499da29b0565f11b865c510d8336e95876bfa3d57c4
- SSDEEP: 196608:/tbnXGZ27DwUH3cQX0KA/m8O8cIYOxHdFS7H8ULk:LDwUH3cQpAAcfxqk
Malware Config
Signatures
- Babadeda Crypter (1 IoC)
  resource: behavioral2/files/0x0008000000022d85-457.dat, yara_rule: family_babadeda
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (likely a geofence check).
  Key value queried: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation
  Process: 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe
- Executes dropped EXE (1 IoC)
  pid 5020, process gitlibcontrol.exe
- Loads dropped DLL (1 IoC)
  pid 5020, process gitlibcontrol.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Detects BABADEDA Crypter (1 IoC)
  Detects BABADEDA Crypter.
  resource: behavioral2/files/0x0008000000022d85-457.dat, yara_rule: BABADEDA_Crypter
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 IoCs: pid 5020, process gitlibcontrol.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 5020, process gitlibcontrol.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Three identical entries: PID 3252 wrote to memory of 5020; pid 3252, process 15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe, procid_target 87
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15353549c41681af3e4fdfe145d487807b55f73469989b4c3bd429b699355b64_skip.exe"
  PID: 3252
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of PID 3252): C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe
    Command line: "C:\Users\Admin\AppData\Roaming\System.Data.SQLite\gitlibcontrol.exe"
    PID: 5020
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 863KB
MD5: 950be22c751d458a2e081045c0b47e10
SHA1: 090c2f362d8d4fb43d5c5817b388946b49772834
SHA256: 68e3a6c88bee53a4abd1b4ee126899e89351a3bd1afd02268ba89238b8cb189d
SHA512: 9bbef5b61f04b06f9a6d478662c8875a4cd0067a4de245188c92054ff5ddfb9702e762052ca51a5d51db65b0b3e14a86ba431e5cb97490034f395ca4d57f1724
-
Filesize: 8.7MB (listed three times with identical hashes)
MD5: 1b63eb3f79b113c3ae50c3e490c4d549
SHA1: 25d5360b311c71c11d73f44cb7d9305cb620d5af
SHA256: 21c153355ae9c52c2f2df42ff1b8db13e99b7c8a56a13d9e71d5f59191747aba
SHA512: 0412e38faf46e666210344045d79babd808562a5f8dbc99ad617ad4bb7b87ac64b3f7ffe490e1bb9dc2ee804c3fa752da88bf02f2ac661a6d3c0487245cc04cb
-
Filesize: 490B
MD5: 5d1f7da1c3d95020a0708118145364d0
SHA1: 02f630e7ac8b8d400af219bd8811aa3a22f7186e
SHA256: d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a
SHA512: 6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c
-
Path: C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_no_mru.html
Filesize: 1KB
MD5: 20bbd307866f19a5af3ae9ebd5104018
SHA1: 8e03c9b18b9d27e9292ee154b773553493df1157
SHA256: e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7
SHA512: 420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d
-
Path: C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_connect_to_data_with_mru.html
Filesize: 1KB
MD5: e6bc0d078616dd5d5f72d46ab2216e89
SHA1: f70534bb999bcb8f1db0cf25a7279757e794499f
SHA256: e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54
SHA512: 6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a
-
Filesize: 720B
MD5: 0a5b47256c14570b80ef77ecfd2129b7
SHA1: 69210a7429c991909c70b6b6b75fe4bc606048ae
SHA256: 1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d
SHA512: 5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2
-
Filesize: 659B
MD5: eced86c9d5b8952ac5fb817c3ce2b8ba
SHA1: 3ca24e69df7a4b81f799527a97282799fcd3f1e2
SHA256: 3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d
SHA512: a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1
-
Path: C:\Users\Admin\AppData\Roaming\System.Data.SQLite\res\public\en\html\startpage_topstrip_with_mru.html
Filesize: 798B
MD5: cc4d8a787ab1950c4e3aac5751c9fcde
SHA1: d026a156723a52c34927b5a951a2bb7d23aa2c45
SHA256: 13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee
SHA512: e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe
-
Filesize: 2KB
MD5: f2ab3e5fb61293ae8656413dbb6e5dc3
SHA1: 53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5
SHA256: 06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192
SHA512: 2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c
-
Filesize: 282B
MD5: 49617add7303a8fbd24e1ad16ba715d8
SHA1: 31772218ccf51fe5955625346c12e00c0f2e539a
SHA256: b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907
SHA512: 9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e
-
Filesize: 2.1MB (listed twice with identical hashes)
MD5: 0b1f0dfd122b188ab703aca852efa0b6
SHA1: 7ebb2903a2358f0c8847120ee054fb7bd00c785f
SHA256: 1fb9ca1edaf051ee4dfab86ed64e5e0c301970b19a05fd7d37c185becaef0836
SHA512: 2617c1220e849f20dcb0985688e66cf9da0dbece50af0f0559353eb6c6eb2c475b0c75c525cfad82ee963e17f3e9e5208f9c42c97491ec10b20b85f8e44cb95e