Analysis

max time kernel: 46s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-12-2023 09:21

Static task: static1

Behavioral task: behavioral1
  Sample: 30a64c61e75d116f706c23f451abaca5.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 30a64c61e75d116f706c23f451abaca5.exe
  Resource: win10v2004-20231215-en
General

Target: 30a64c61e75d116f706c23f451abaca5.exe
Size: 5.9MB
MD5: 30a64c61e75d116f706c23f451abaca5
SHA1: ed161a6087975bc583349e5109e2e425a20c11a4
SHA256: 4af4a3e76358c3a932e5fa2bd23af3f73880a0f24d0841c299bea7f35dec8283
SHA512: 785c4080092b8d2082d9439c2f3d15564f03f003d4b1831f6c975229c13be671a33c216c2f7d93d93601c375980aa999d030d3bb69032157792f7fbddd1f2765
SSDEEP: 98304:gAI+vDWbKaXOp1dFotsOfp8/+xBerRpHXaptins5mXj88ZlW7Xtj7sqXJN6zKT2T:HtCew+2sOfp6+rMKptOHXj88Z0PsqN6N
Malware Config

Signatures

Babadeda Crypter (1 IoC)
  resource: behavioral1/files/0x00050000000196ca-316.dat
  yara_rule: family_babadeda

Executes dropped EXE (1 IoC)
  PID 1588  sqlite3drv.exe

Loads dropped DLL (2 IoCs)
  PID 2108  30a64c61e75d116f706c23f451abaca5.exe
  PID 1588  sqlite3drv.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process                               procid_target
  PID 2108 wrote to memory of 1588     2108  30a64c61e75d116f706c23f451abaca5.exe  25
  PID 2108 wrote to memory of 1588     2108  30a64c61e75d116f706c23f451abaca5.exe  25
  PID 2108 wrote to memory of 1588     2108  30a64c61e75d116f706c23f451abaca5.exe  25
  PID 2108 wrote to memory of 1588     2108  30a64c61e75d116f706c23f451abaca5.exe  25
Processes

1. C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"
   PID: 2108
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe (child of PID 2108)
      Command line: "C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe"
      PID: 1588
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 77b59e607a7befb44f6ba01c4225b38d
  SHA1: 2ce8fef8e47678a56f64132e25c45192dace88ad
  SHA256: 9f65636963deb701cd044b50aa795970aea0175c0bdbd3b95e8b35f3af5f3bf6
  SHA512: b67df5e3335a4e0a8d158ab597fb8a7e17f586ddd593316615b72b1ff7f8a7ae68eff9ec4ab0ed01d928baba56e322bb9dbde3b87c3009cf9ee27a95493b4108