Analysis
-
max time kernel
209s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
30-12-2023 09:53
General
-
Target
150857f47c2baeebe41028b415ba30ec.exe
-
Size
6.4MB
-
MD5
150857f47c2baeebe41028b415ba30ec
-
SHA1
04c42c467ecfb1ba1be93ea8d093514581b72c92
-
SHA256
7d580d1416efb8a4475d4d682ca4e53b96482ef437770e66cb2ca8bcfbc075c9
-
SHA512
34e14180c9643c13a41c5c2aba823191cbc6b3d77c355bb0150bb93bca8d8bda40c77b0dde4171a58e4ec7c17d1b1133d9b8603b6534f921d4535b45c6cca30e
-
SSDEEP
196608:nA2vkEyBJxdhAkbGxTmN98gQKba9JmbMPfrI8:5vy+TmfzpbWJUMPfrI8
Malware Config
Signatures
-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exeC:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dllFilesize
2.8MB
MD5ae579e792f697b49ab65ddc49b513041
SHA1ddacc12dbdf3942ebbacb88096668f1300d2c990
SHA25629a8ca5ecce3ec352181e4da596e9d6e8f2405092118ba96749ff61ed8098d84
SHA512315edc8d139396a60da7eb24ae9e3b54fac5b918910d97e97a7be479da9383fa3229e24c87defe1b7fb09f4d8880ab0554bf40e9d3d06a0668191e6f54a2b6f7
-
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xmlFilesize
863KB
MD551599707dc82f6946f39a87c5ac9fcd7
SHA1f23db51bfe863a3ac1362ce131f5645e9f8b614e
SHA2560be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca
SHA512ab0669617b3d826a6b45e5fa2a814acb0ef0d2cb4d63dafa6e72156b158334d21af47c423f560cd4fdbb8657c78aa0037383611d06c66745e74873b32c68c69e
-
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exeFilesize
874KB
MD5846eb78bc7dfaf8b661c3ce529be7f56
SHA101c82f1791611b57f0d704533a91fce4da91c3eb
SHA2560027c2bf63938d8512fd710d1fd0b8cd0d6368ff18df05d9d66f9ef73fb54088
SHA5123d3fb50bc42392987ba042025a4d0c61907044946f500b91fbde1a589d80a4ef0cabea19d5988487830b6d246e09315caa3ebc6b7bec7a1c377e39061a413c71
-
\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dllFilesize
4.0MB
MD52d74780cb8efdd7038d663f5ea35a38d
SHA1337c81688c22cbf5df03848d5fd617bca25848dc
SHA2569750f93885304887d088e68737827cb970943d000ccd4245e6e7fdb55b0a9606
SHA512ab9e6b9c76e0d10fcbedeba558aa25a3adeb1a3e9107ece02b20e5a25a1d0196b5bd6cf62ebae206ad3c72c1dbf70b0024beff2b64f21d7a83fbe899623bdec8
-
\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exeFilesize
1.1MB
MD50f9210c3a6b12248b281b4b9015491e5
SHA15201fd2f0cf319e8076a7fc693ef2fb3a3c1147a
SHA2566dc84b136a6bdb51cb98f7668f66bc7fac776856797db175435bed73f708555b
SHA512fe2d6ebb5d8a4163857f54e94011b6549f2efc32d76e88c42bf1aa432545280fdb283fcc9922014f115b14e9a7f26411e3d863bc4ad16313317e46adb7dd34dc
-
memory/2340-242-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/2340-246-0x0000000000400000-0x0000000000B76000-memory.dmpFilesize
7.5MB
-
memory/2416-241-0x00000000023B0000-0x0000000002B26000-memory.dmpFilesize
7.5MB