Analysis
- max time kernel: 139s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-01-2024 00:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6678549db6974d6962363d8b82ee7be2.exe
- Resource: win7-20231215-en
General
- Target: 6678549db6974d6962363d8b82ee7be2.exe
- Size: 4.8MB
- MD5: 6678549db6974d6962363d8b82ee7be2
- SHA1: b3fc1aca4ff8ad96d48895d7d9bc8e136151b844
- SHA256: ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc
- SHA512: 39ed85ba147bbfb9625afa993993867676ebfd6efddf43f49a0d838a498c6d6be45501a8f02f3be682b5711c38119899547301bb7a02e13c003614f13a4f13b1
- SSDEEP: 98304:nSibgJW3oGqaFvY9Jp+oyyuMNfyCUFStjqNsNM5NEQ2Z+dnPcMc:1TtY9JpXXuMNzUwANsu5z2Z+1cd
Malware Config
Signatures
- Babadeda Crypter (1 IoC)
  resource: behavioral2/files/0x0006000000023246-469.dat; yara_rule: family_babadeda
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation; process: 6678549db6974d6962363d8b82ee7be2.tmp
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation; process: 6678549db6974d6962363d8b82ee7be2.tmp
- Executes dropped EXE (3 IoCs)
  pid 4524: 6678549db6974d6962363d8b82ee7be2.tmp
  pid 3848: 6678549db6974d6962363d8b82ee7be2.tmp
  pid 3252: volcenter.exe
- Loads dropped DLL (1 IoC)
  pid 3252: volcenter.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 58: api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3848: 6678549db6974d6962363d8b82ee7be2.tmp
  pid 3848: 6678549db6974d6962363d8b82ee7be2.tmp
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 3848: 6678549db6974d6962363d8b82ee7be2.tmp
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 400 wrote to memory of 4524; pid 400; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 22
  PID 400 wrote to memory of 4524; pid 400; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 22
  PID 400 wrote to memory of 4524; pid 400; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 22
  PID 4524 wrote to memory of 2620; pid 4524; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 26
  PID 4524 wrote to memory of 2620; pid 4524; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 26
  PID 4524 wrote to memory of 2620; pid 4524; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 26
  PID 2620 wrote to memory of 3848; pid 2620; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 27
  PID 2620 wrote to memory of 3848; pid 2620; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 27
  PID 2620 wrote to memory of 3848; pid 2620; process 6678549db6974d6962363d8b82ee7be2.exe; procid_target 27
  PID 3848 wrote to memory of 3252; pid 3848; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 47
  PID 3848 wrote to memory of 3252; pid 3848; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 47
  PID 3848 wrote to memory of 3252; pid 3848; process 6678549db6974d6962363d8b82ee7be2.tmp; procid_target 47
Processes
1. C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
   PID: 400
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70056,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
      PID: 4524
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
         PID: 2620
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$60184,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
            PID: 3848
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
               Command line: "C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
               PID: 3252
               - Executes dropped EXE
               - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads