Analysis Overview
SHA256
7d580d1416efb8a4475d4d682ca4e53b96482ef437770e66cb2ca8bcfbc075c9
Threat Level: Known bad
The file 150857f47c2baeebe41028b415ba30ec was found to be: Known bad.
Malicious Activity Summary
Babadeda
Babadeda Crypter
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Drops desktop.ini file(s)
Enumerates physical storage devices
NSIS installer
Checks processor information in registry
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-30 09:53
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 09:53
Reported
2023-12-31 11:25
Platform
win7-20231215-en
Max time kernel
209s
Max time network
49s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
| PID 2416 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
| PID 2416 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
| PID 2416 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe
"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
Network
Files
\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
| MD5 | 0f9210c3a6b12248b281b4b9015491e5 |
| SHA1 | 5201fd2f0cf319e8076a7fc693ef2fb3a3c1147a |
| SHA256 | 6dc84b136a6bdb51cb98f7668f66bc7fac776856797db175435bed73f708555b |
| SHA512 | fe2d6ebb5d8a4163857f54e94011b6549f2efc32d76e88c42bf1aa432545280fdb283fcc9922014f115b14e9a7f26411e3d863bc4ad16313317e46adb7dd34dc |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
| MD5 | 846eb78bc7dfaf8b661c3ce529be7f56 |
| SHA1 | 01c82f1791611b57f0d704533a91fce4da91c3eb |
| SHA256 | 0027c2bf63938d8512fd710d1fd0b8cd0d6368ff18df05d9d66f9ef73fb54088 |
| SHA512 | 3d3fb50bc42392987ba042025a4d0c61907044946f500b91fbde1a589d80a4ef0cabea19d5988487830b6d246e09315caa3ebc6b7bec7a1c377e39061a413c71 |
memory/2416-241-0x00000000023B0000-0x0000000002B26000-memory.dmp
memory/2340-242-0x0000000000400000-0x0000000000B76000-memory.dmp
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll
| MD5 | ae579e792f697b49ab65ddc49b513041 |
| SHA1 | ddacc12dbdf3942ebbacb88096668f1300d2c990 |
| SHA256 | 29a8ca5ecce3ec352181e4da596e9d6e8f2405092118ba96749ff61ed8098d84 |
| SHA512 | 315edc8d139396a60da7eb24ae9e3b54fac5b918910d97e97a7be479da9383fa3229e24c87defe1b7fb09f4d8880ab0554bf40e9d3d06a0668191e6f54a2b6f7 |
\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll
| MD5 | 2d74780cb8efdd7038d663f5ea35a38d |
| SHA1 | 337c81688c22cbf5df03848d5fd617bca25848dc |
| SHA256 | 9750f93885304887d088e68737827cb970943d000ccd4245e6e7fdb55b0a9606 |
| SHA512 | ab9e6b9c76e0d10fcbedeba558aa25a3adeb1a3e9107ece02b20e5a25a1d0196b5bd6cf62ebae206ad3c72c1dbf70b0024beff2b64f21d7a83fbe899623bdec8 |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xml
| MD5 | 51599707dc82f6946f39a87c5ac9fcd7 |
| SHA1 | f23db51bfe863a3ac1362ce131f5645e9f8b614e |
| SHA256 | 0be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca |
| SHA512 | ab0669617b3d826a6b45e5fa2a814acb0ef0d2cb4d63dafa6e72156b158334d21af47c423f560cd4fdbb8657c78aa0037383611d06c66745e74873b32c68c69e |
memory/2340-246-0x0000000000400000-0x0000000000B76000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 09:53
Reported
2023-12-31 11:22
Platform
win10v2004-20231222-en
Max time kernel
79s
Max time network
151s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{22EFD199-3459-4B67-88D9-89DB3B9BF5C6} | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3803511929-1339359695-2191195476-1000\{2E9A8C2B-033F-4D11-AA0C-63F03AA951B4} | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4720 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
| PID 4720 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
| PID 4720 wrote to memory of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe | C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe |
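The WriteProcessMemory rows in both behavioral analyses record one pattern: the NSIS installer running from AppData\Local\Temp starts the EXE it dropped under AppData\Roaming\Colasoft\Capsa11Free, writes into that child's memory repeatedly (four rows in behavioral1, three here), and the child then loads a dropped DLL, with JdbcOdbc.dll being the DLL the Files sections show written beside it. The Python below is an added example of detection logic for that pattern run over constructed process events; it is not tooling from this report or from the sandbox. The Event schema, the rule names and the sample events (PIDs taken from behavioral2) are assumptions. Sandboxes raise the WriteProcessMemory signature for many ordinary parent/child launches, so the rule only scores writes where both images live in user-writable directories; the control events at the end show a system binary doing the same thing without firing.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical event schema (assumption, not a real EDR format).
@dataclass(frozen=True)
class Event:
    kind: str                        # "create" | "write_memory" | "load_image"
    pid: int
    image: str                       # image path of the acting process
    target_pid: int | None = None    # child pid for create / write_memory
    target: str | None = None        # child image (create) or DLL path (load_image)

# Directories an ordinary user can write to; execution from here carries more
# weight than the same behaviour from Program Files or System32.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

def user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def same_directory(a: str, b: str) -> bool:
    return a.lower().rsplit("\\", 1)[0] == b.lower().rsplit("\\", 1)[0]

def detect(events: list[Event]) -> list[dict]:
    parent_of: dict[int, int] = {}                 # child pid -> parent pid
    image_of: dict[int, str] = {}                  # pid -> image path
    write_counts: dict[tuple[int, int], int] = defaultdict(int)
    findings: list[dict] = []
    for ev in events:
        image_of.setdefault(ev.pid, ev.image)
        if ev.kind == "create" and ev.target_pid is not None and ev.target:
            parent_of[ev.target_pid] = ev.pid
            image_of[ev.target_pid] = ev.target
        elif ev.kind == "write_memory" and ev.target_pid is not None:
            # Count only writes into a child this process itself started,
            # where both images live in user-writable directories.
            if (parent_of.get(ev.target_pid) == ev.pid
                    and user_writable(ev.image)
                    and user_writable(image_of.get(ev.target_pid, ""))):
                write_counts[(ev.pid, ev.target_pid)] += 1
        elif ev.kind == "load_image" and ev.target:
            # A dropped process loading a DLL out of its own drop directory.
            if (ev.pid in parent_of and user_writable(ev.target)
                    and same_directory(image_of[ev.pid], ev.target)):
                findings.append({"rule": "dropped_exe_loads_colocated_dll",
                                 "pid": ev.pid, "dll": ev.target})
    for (ppid, cpid), n in write_counts.items():
        findings.append({"rule": "writes_into_dropped_child",
                         "parent": ppid, "child": cpid, "events": n})
    return findings

# Constructed sample mirroring the rows above; paths copied from the report.
INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe"
DLL = r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll"

SAMPLE_EVENTS = [
    Event("create", 4720, INSTALLER, target_pid=4732, target=DROPPED),
    Event("write_memory", 4720, INSTALLER, target_pid=4732),
    Event("write_memory", 4720, INSTALLER, target_pid=4732),
    Event("write_memory", 4720, INSTALLER, target_pid=4732),
    Event("load_image", 4732, DROPPED, target=DLL),
    Event("load_image", 4732, DROPPED, target=r"C:\Windows\System32\kernel32.dll"),
    # Control: a system binary spawning and writing into a child from a
    # non-writable path must not fire.
    Event("create", 1234, r"C:\Windows\explorer.exe",
          target_pid=5678, target=r"C:\Windows\System32\notepad.exe"),
    Event("write_memory", 1234, r"C:\Windows\explorer.exe", target_pid=5678),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Tune USER_WRITABLE to the environment; the "events" count in writes_into_dropped_child corresponds to the repeated rows above, and the control events at the end of SAMPLE_EVENTS produce no finding.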
Processes
C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe
"C:\Users\Admin\AppData\Local\Temp\150857f47c2baeebe41028b415ba30ec.exe"
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
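Most rows in the Network table are sandbox background: reverse (in-addr.arpa) lookups that Windows issues for peers it has talked to, and bing.com/bing.net traffic from the Windows 10 image. What stands out is api.ipify.org (the external IP check flagged under Signatures, resolved and then connected to on 173.231.16.77:80, whose reverse lookup also appears in the table) and prunerflowershop.com, which is queried nine times over DNS and never appears in a TCP row, so the table records no connection to it. The Python below is an added example of that triage run over a subset of rows copied from the table, not tooling from the report; the noise classes and the handling of the malformed row are assumptions.

```python
from __future__ import annotations
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of rows copied from the Network table,
# including the one row whose columns are shifted.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | prunerflowershop.com | udp |
"""

ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|"
    r"\s*(?P<name>[^|\s]*)\s*\|\s*(?P<proto>udp|tcp)\s*\|$"
)

# Assumed-benign classes for a Windows 10 sandbox image; adjust per environment.
OS_BACKGROUND_SUFFIXES = ("bing.com", "bing.net")
IP_CHECK_SERVICES = {"api.ipify.org"}

def parse_rows(table: str) -> list[dict]:
    """Parse table rows; rows that do not fit the column layout are skipped."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows

def reverse_ptr(name: str) -> str | None:
    """'77.16.231.173.in-addr.arpa' -> '173.231.16.77'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def is_background(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in OS_BACKGROUND_SUFFIXES)

def triage(rows: list[dict]) -> dict:
    dns_queries: Counter = Counter()
    connected: dict[str, set[str]] = defaultdict(set)   # name -> {"ip:port"}
    reverse_lookups: set[str] = set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = reverse_ptr(r["name"])
            if ip:
                reverse_lookups.add(ip)
            elif r["name"]:
                dns_queries[r["name"]] += 1
        elif r["proto"] == "tcp":
            connected[r["name"]].add(f"{r['ip']}:{r['port']}")
    result: dict = {"background": {}, "ip_check": {}, "candidates": {}}
    for name in sorted(set(dns_queries) | set(connected)):
        entry = {"dns_queries": dns_queries[name],
                 "connected_to": sorted(connected.get(name, ()))}
        bucket = ("background" if is_background(name)
                  else "ip_check" if name in IP_CHECK_SERVICES
                  else "candidates")
        result[bucket][name] = entry
    # Reverse lookups that line up with peers actually connected to.
    peers = {ep.rsplit(":", 1)[0] for eps in connected.values() for ep in eps}
    result["reverse_lookups"] = sorted(reverse_lookups)
    result["reverse_lookups_matching_peers"] = sorted(peers & reverse_lookups)
    return result

if __name__ == "__main__":
    print(triage(parse_rows(NETWORK_ROWS)))
```

A candidate with repeated DNS queries and no TCP row is still the indicator to block and hunt for; the missing connection only says the sandbox never reached it during the run.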
Files
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
| MD5 | 6f12f9ee72e6e02c79e48404f049d2d0 |
| SHA1 | 8508169aaff7fd03ec7de7bac2d4f02c7784989f |
| SHA256 | c270e35ecd93ce0bf3490d3bbf0e318547d440e6171ff746fdca5bb62824e16b |
| SHA512 | 89281ec882f91f03e145663a5a40b715393b7ac88af92777f3bb483ba08b4ff91ad173a6045fa14cf1fe6eec6f7886dbc8bcc01c0357f4761772fb0a7de197b2 |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe
| MD5 | 9d393a02d1b792d938217bad1f0d0173 |
| SHA1 | e786056d4de8e022ff9bf85af2ef019d3f991917 |
| SHA256 | 176f2daee944217c70dd83c76018679dd3a9bb37f44363538c97264134cad9b0 |
| SHA512 | dd8d15a2d8ac21f2ca6633cecf9b08efcde8cf95dd6d787594ed3df9c5f30a9a9767d26b831279bcb6cbdc9656e0abfbb5aac94f778ba43d27b3993d9b825c70 |
memory/4732-240-0x0000000000400000-0x0000000000B76000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll
| MD5 | aaa3bfdf7c3d9d8a0f9d40ab64454665 |
| SHA1 | f13fa60b6c95d30c67cec3e73ce928356bdb8d6e |
| SHA256 | c0db73f3003d1daf0e33643c75e1e3e407c884e287795c0bf8a42f834097d83b |
| SHA512 | 24048ca7af7fcc122ed5d6d006016ef6fba6725687b8b9a1853bbf1a588d4a946edaa0fba359c519cc1a4ee201f8e3c7f7018211d2e213ee9bc79e82596b9418 |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll
| MD5 | 62cebb1d9556e26ee20da12d37a34cac |
| SHA1 | 414b05d363c122b47e1f01ac8502d003de7d6c48 |
| SHA256 | c9ebb75e6b5e7bb23d9ae6f5457643fbfacc7a2ad28e4d24f6dac1d4c1187e0b |
| SHA512 | 63b4e7e64457cbebf05ad024141cd3efb241f3fbcf3872fbd97c322261abfb03040cb342f655cdd3718efb41ac3e138269699503047f33c89019be484fe4ad99 |
C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xml
| MD5 | 51599707dc82f6946f39a87c5ac9fcd7 |
| SHA1 | f23db51bfe863a3ac1362ce131f5645e9f8b614e |
| SHA256 | 0be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca |
| SHA512 | ab0669617b3d826a6b45e5fa2a814acb0ef0d2cb4d63dafa6e72156b158334d21af47c423f560cd4fdbb8657c78aa0037383611d06c66745e74873b32c68c69e |
C:\ProgramData\kaosdma.txt
| MD5 | 8cf4dec152a9d79a3d62202b886eda9b |
| SHA1 | 0c1b3d3d02c0b655aa3526a58486b84872f18cc2 |
| SHA256 | c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01 |
| SHA512 | a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd |
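The Files sections list the same path more than once with different hashes (the sandbox captured xrengine.exe and JdbcOdbc.dll at successive write stages, once without the drive letter), and because the sample is a crypter build the dropped binaries' hashes are expected to differ between samples, while the drop directory Colasoft\Capsa11Free under AppData\Roaming and C:\ProgramData\kaosdma.txt are the more durable indicators. The Python below is an added host-hunt example, not tooling from the report: it indexes the (path, SHA256) pairs copied from the Files sections, normalizes paths so that any user profile compares equal to C:\Users\Admin, and reports both exact hash matches and path matches whose hash differs. The function names and the observed-file mapping are assumptions.

```python
from __future__ import annotations
import hashlib
import os
from collections import defaultdict

# (path, sha256) pairs copied from the Files sections of this report.
REPORT_FILES = [
    (r"\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe",
     "6dc84b136a6bdb51cb98f7668f66bc7fac776856797db175435bed73f708555b"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe",
     "0027c2bf63938d8512fd710d1fd0b8cd0d6368ff18df05d9d66f9ef73fb54088"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe",
     "c270e35ecd93ce0bf3490d3bbf0e318547d440e6171ff746fdca5bb62824e16b"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\xrengine.exe",
     "176f2daee944217c70dd83c76018679dd3a9bb37f44363538c97264134cad9b0"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll",
     "29a8ca5ecce3ec352181e4da596e9d6e8f2405092118ba96749ff61ed8098d84"),
    (r"\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll",
     "9750f93885304887d088e68737827cb970943d000ccd4245e6e7fdb55b0a9606"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll",
     "c0db73f3003d1daf0e33643c75e1e3e407c884e287795c0bf8a42f834097d83b"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\JdbcOdbc.dll",
     "c9ebb75e6b5e7bb23d9ae6f5457643fbfacc7a2ad28e4d24f6dac1d4c1187e0b"),
    (r"C:\Users\Admin\AppData\Roaming\Colasoft\Capsa11Free\base.xml",
     "0be18ef99cfd38e7c43ef01f270778c46b46a43d5b7cdc81e7f83f91729609ca"),
    (r"C:\ProgramData\kaosdma.txt",
     "c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01"),
]

def profile_relative(path: str) -> str:
    """Lower-case, backslash form with the drive letter and the
    \\Users\\<name>\\ prefix removed, so the sandbox's C:\\Users\\Admin\\...
    and a victim's C:\\Users\\Bob\\... compare equal."""
    p = path.replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    parts = p.strip("\\").split("\\")
    if len(parts) > 2 and parts[0] == "users":
        parts = parts[2:]
    return "\\".join(parts)

def build_index(entries):
    by_path: dict[str, set[str]] = defaultdict(set)   # normalized path -> hashes
    all_hashes: set[str] = set()
    for path, digest in entries:
        by_path[profile_relative(path)].add(digest.lower())
        all_hashes.add(digest.lower())
    return by_path, all_hashes

def classify(observed: dict[str, str], entries=REPORT_FILES) -> dict:
    """observed maps a local file path to its sha256 hex digest.
    Exact hash hits are 'hash_match'; files at a reported drop location whose
    hash is not in the report are 'path_match_hash_differs' (expected for a
    re-packed crypter build)."""
    by_path, all_hashes = build_index(entries)
    out: dict[str, list[str]] = {"hash_match": [], "path_match_hash_differs": []}
    for path, digest in observed.items():
        if digest.lower() in all_hashes:
            out["hash_match"].append(path)
        elif profile_relative(path) in by_path:
            out["path_match_hash_differs"].append(path)
    return out

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root: str) -> dict[str, str]:
    """Walk a directory and return {absolute path: sha256} for classify()."""
    return {os.path.join(dp, fn): sha256_file(os.path.join(dp, fn))
            for dp, _, fns in os.walk(root) for fn in fns}
```

On a Windows host the hunt is classify(hash_tree(r"C:\Users")) together with classify(hash_tree(r"C:\ProgramData")); a path match with a differing hash deserves the same follow-up as a hash match, since the crypter output changes while the drop location does not.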