Analysis Overview
SHA256
dda791ae03a40c12c7f67a0398be23a9334766aa82fd49145cf62072b922b9f8
Threat Level: Known bad
The file 085b11ab52a6865e3b14734f517cac42 was found to be: Known bad.
Malicious Activity Summary
RedLine
Babadeda
SectopRAT payload
Babadeda Crypter
RedLine payload
SectopRAT
Executes dropped EXE
Loads dropped DLL
UPX packed file
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-30 00:21
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 00:21
Reported
2023-12-30 20:38
Platform
win7-20231215-en
Max time kernel
138s
Max time network
152s
Signatures
Babadeda
Babadeda Crypter
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe | N/A |
UPX packed file
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe
"C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\085b11ab52a6865e3b14734f517cac42.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"
C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
"C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 185.140.53.142:82 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\en\Phototheca EULA.rtf
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Lang\fr\searchhelp.rtf
C:\Users\Admin\AppData\Roaming\Network WinSparkle\COPYING.txt
C:\Users\Admin\AppData\Roaming\Network WinSparkle\RELEASE_NOTES.html
C:\Users\Admin\AppData\Roaming\Network WinSparkle\Uninstall\uninstall.xml
\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
C:\Users\Admin\AppData\Roaming\Network WinSparkle\lunassets.exe
C:\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll
\Users\Admin\AppData\Roaming\Network WinSparkle\libGLES-v2.dll
C:\Users\Admin\AppData\Roaming\Network WinSparkle\manual.pdf
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 00:21
Reported
2023-12-30 20:38
Platform
win10v2004-20231215-en