Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231222-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19-01-2024 00:50

General

  • Target

    6678549db6974d6962363d8b82ee7be2.exe

  • Size

    4.8MB

  • MD5

    6678549db6974d6962363d8b82ee7be2

  • SHA1

    b3fc1aca4ff8ad96d48895d7d9bc8e136151b844

  • SHA256

    ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc

  • SHA512

    39ed85ba147bbfb9625afa993993867676ebfd6efddf43f49a0d838a498c6d6be45501a8f02f3be682b5711c38119899547301bb7a02e13c003614f13a4f13b1

  • SSDEEP

    98304:nSibgJW3oGqaFvY9Jp+oyyuMNfyCUFStjqNsNM5NEQ2Z+dnPcMc:1TtY9JpXXuMNzUwANsu5z2Z+1cd

Score
10/10

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter packaged as a legitimate-looking installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
    "C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70056,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
        "C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$60184,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3848
          • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
            "C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:3252
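The process tree above is the standard Inno Setup loader pattern (SetupLdr unpacks the real Setup program to `Temp\is-XXXXX.tmp\*.tmp` and hands it `/SL5="$hwnd,offset0,offset1,path"`), repeated twice: the visible installer re-executes itself with `/VERYSILENT` and only the silent run drops `volcenter.exe` into `%AppData%\SharpShell Configurator`. The script below, an added example and not part of the Triage report, transcribes the five command lines into a list and automates the three checks an analyst makes by eye: parse the `/SL5` fields (the `$` prefix is Delphi's hex notation for the window handle; which offset points at which embedded stream is left as an assumption), flag the silent self-relaunch, and list executables run from outside the installer's Temp tree. The tuple layout and helper names are mine.

```python
import re

# (pid, parent pid, command line) transcribed from the Processes section of this
# report; only the tuple layout is ours.
PROCESSES = [
    (400, None,
     r'"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"'),
    (4524, 400,
     r'"C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp" '
     r'/SL5="$70056,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"'),
    (2620, 4524,
     r'"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT'),
    (3848, 2620,
     r'"C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp" '
     r'/SL5="$60184,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT'),
    (3252, 3848,
     r'"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"'),
]

SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]*)"')
IMAGE_RE = re.compile(r'^"([^"]+)"')
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp".lower()


def image_path(cmdline):
    """The image is the first quoted token of the command line."""
    m = IMAGE_RE.match(cmdline)
    return m.group(1) if m else cmdline.split(" ", 1)[0]


def parse_sl5(cmdline):
    """Fields of an Inno Setup /SL5 argument: window handle ('$' is Delphi's hex
    prefix), two byte offsets into the installer, and the installer path. Which
    offset names which embedded stream is an assumption left for the reader to
    verify against the Inno Setup sources."""
    m = SL5_RE.search(cmdline)
    if m is None:
        return None
    return {"hwnd": int(m.group(1), 16), "offset0": int(m.group(2)),
            "offset1": int(m.group(3)), "installer": m.group(4)}


def is_inno_loader(cmdline):
    """SetupLdr extracts the real Setup program to Temp/is-XXXXX.tmp/<name>.tmp
    and passes it /SL5; require both, a .tmp image alone is not evidence."""
    p = image_path(cmdline).lower()
    return "\\is-" in p and p.endswith(".tmp") and parse_sl5(cmdline) is not None


def ancestors(pid, parents):
    chain = []
    while parents.get(pid) is not None:
        pid = parents[pid]
        chain.append(pid)
    return chain


def silent_relaunches(processes):
    """PIDs running the same installer image as one of their ancestors, but with
    /VERYSILENT added: the visible install re-runs itself without a UI."""
    parents = {pid: ppid for pid, ppid, _ in processes}
    cmds = {pid: c for pid, _, c in processes}
    hits = []
    for pid, _, c in processes:
        if "/VERYSILENT" not in c.upper():
            continue
        img = image_path(c).lower()
        if any(image_path(cmds[a]).lower() == img and "/VERYSILENT" not in cmds[a].upper()
               for a in ancestors(pid, parents)):
            hits.append(pid)
    return hits


def installer_offsets(processes):
    """Distinct (offset0, offset1) pairs across all /SL5 invocations; a single
    pair means every loader stage unpacks the same embedded installer."""
    return {(s["offset0"], s["offset1"])
            for _, _, c in processes for s in [parse_sl5(c)] if s}


def executed_outside_temp(processes):
    """Executables run from anywhere other than the installer's Temp tree."""
    return [(pid, image_path(c)) for pid, _, c in processes
            if not image_path(c).lower().startswith(TEMP_DIR + "\\")]


if __name__ == "__main__":
    for pid, ppid, c in PROCESSES:
        tag = "inno-loader" if is_inno_loader(c) else "-"
        print(f"{pid:>5} <- {str(ppid):>5} {tag:12} {image_path(c)}")
    print("silent relaunch:", silent_relaunches(PROCESSES))
    print("installer offsets:", installer_offsets(PROCESSES))
    print("outside Temp:", executed_outside_temp(PROCESSES))
```

Both `/SL5` invocations carry the same offset pair, so the second stage is the same installer payload run again silently rather than a second embedded installer; `volcenter.exe` (PID 3252) is the only image executed outside Temp, and it is also the process that loads the dropped DLL.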

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • Query Registry (T1012): 1 signature
    • System Information Discovery (T1082): 2 signatures


Downloads

  • C:\ProgramData\kaosdma.txt
    Filesize

    12B

    MD5

    8cf4dec152a9d79a3d62202b886eda9b

    SHA1

    0c1b3d3d02c0b655aa3526a58486b84872f18cc2

    SHA256

    c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

    SHA512

    a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

  • C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
    Filesize

    92KB

    MD5

    57a06e07060d585c38dcc166d641e5c1

    SHA1

    c354fd98258370e716e3471b07b845629cce9619

    SHA256

    15121d314f6e6867076ac102ca2484f79a82accd3d10b2474a5249a56a02bb6c

    SHA512

    2ffe8735b69c2a05d52402db56366f11330a1a70820d4ed16a206aba4a896bd8858bbc2936ea0b0d6f42d80c0a537fe77b7c97d75fb8ba93e0962aaa7fbf83b2

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml
    Filesize

    32KB

    MD5

    f7d3204f988639ac885aaf487784eed2

    SHA1

    be29d74eb70d1ffc9331575c546ae8e822fff709

    SHA256

    811c4039afefcf4b9437c90da42667c2465bfdd2e6754361267aa43e88827fc9

    SHA512

    44fbca7efb1e3b6c2b49ca7221d86ce23d308f2e232166fd6f85692dbdd931b67ecae9b40f80b36f18aa38544ecfb13a3183063bcc1fcbac205c79e841ba0182

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
    Filesize

    196KB

    MD5

    801591ff035ff7d05785157fbf977c31

    SHA1

    0f0e2538e622c9ca6f7ad133a4dea929765b01f1

    SHA256

    41871ccefc813203a0661763ab340dcabf449e0d76ff58d46c05f747e96ff4d3

    SHA512

    f6c7bdcf45a07f531ff9841198cee1cf5587acd5bd6223ab62429c755cb1baa217c691f5dd1715435ba4c36b81ab8941a883025e6ac5cc5070679abf208909fd

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
    Filesize

    92KB

    MD5

    2d64bc914fcf5ed3e8e266eedb66b244

    SHA1

    a6bc1dc43e3fa094c01b36a5b5e43068d54e99d5

    SHA256

    11f8d59022e89e27a38367b0665528e01b4d193c6efb02c9941ad66230437ea2

    SHA512

    801a1f8225b757cfa64a1be363b6e86a78d2e65ab4aadfb30fc59c0610ca81949c462e4604c78fd05454603da675efd86c6750e195fe6ab848780a0a50337e5a

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
    Filesize

    81KB

    MD5

    82b3c20f785bc7c3db291a734c2991ea

    SHA1

    85b969bebb947c8b8bf86e4315cf93cff288f0c3

    SHA256

    7115e8197092b5b5dae12ef8d12e1d16b58df3d5915fae0040dcf8a9528e88b9

    SHA512

    bd810f9382b98f81a5e92fbacffa26ee46c7316d52899f4306c4ac79788801cf98cb143152ddfff846f249db7d768c54dd63666d063ad2dfdbad3c3c07bdd2bb

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
    Filesize

    139KB

    MD5

    7b2ed4e658885205038a38a55da93dea

    SHA1

    efe839d6b4e95ecd7eb210ccc94e7d4b492788ac

    SHA256

    28e1ae3685afe6a0d0421e1704023cc717ec2bb86b59be9c39ec218698ac4973

    SHA512

    8fac1d598496e907359e773a44567dc96c8d0cbe55cfe4d9e74329e9ecd4427fe71d32c1f7f648310267138cb40887b91269f0965d7ffe959c511a2218636e8e

  • C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
    Filesize

    121KB

    MD5

    9ed28c93a57204a74f55211b8900a1b1

    SHA1

    0241e2c2c074dc4097d9441646a66b18938d4324

    SHA256

    b32b321ddf33641ae04f85edd3d3501bd07d6a094e63db668b70d8b4f011a7d9

    SHA512

    c0d8b7bac1618cc21ae826c6eceb3c8223f76c16783e209ea8a3957787372b8ce258c2df68878c8398b3d070cac095baa0db35b07290feb1026a79cd09830d05

  • memory/400-0-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/400-13-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/400-2-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/2620-9-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/2620-473-0x0000000000400000-0x00000000004D8000-memory.dmp
    Filesize

    864KB

  • memory/3252-467-0x0000000000400000-0x00000000008D2000-memory.dmp
    Filesize

    4.8MB

  • memory/3848-17-0x00000000025E0000-0x00000000025E1000-memory.dmp
    Filesize

    4KB

  • memory/3848-471-0x0000000000400000-0x000000000071A000-memory.dmp
    Filesize

    3.1MB

  • memory/4524-11-0x0000000000400000-0x000000000071A000-memory.dmp
    Filesize

    3.1MB

  • memory/4524-6-0x0000000002820000-0x0000000002821000-memory.dmp
    Filesize

    4KB
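Two details in the Downloads list matter when turning it into hunting data: the same path appears with several different hashes (`volcenter.exe` three times, `qclp.dll` twice), so the file was rewritten during the run and a hunt keyed on one hash misses the others; and the region dumped at 0x400000 in PID 3252 (`volcenter.exe`) is 0x4D2000 bytes, about 4.8MB, while every on-disk copy of that file is under 140KB. The script below is an added example, not part of the Triage report: it transcribes the dropped-file paths, sizes and SHA256 values and the memory-dump names into lists, groups hashes per path, classifies a file pulled from an endpoint against the set, and compares mapped size with on-disk size. Treating 0x400000 as the 32-bit PE image base is an assumption; the stand-in bytes used in the demo are constructed and are not the sample.

```python
import hashlib
import re
from collections import defaultdict

# Dropped files and memory regions as listed in this report. Sizes are the
# report's rounded figures converted at 1 KB = 1024 bytes; only the list
# layout is ours.
KB = 1024
VOLCENTER = r"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
QCLP = r"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll"
DROPPED = [
    (r"C:\ProgramData\kaosdma.txt", 12,
     "c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01"),
    (r"C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp", 92 * KB,
     "15121d314f6e6867076ac102ca2484f79a82accd3d10b2474a5249a56a02bb6c"),
    (r"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml", 32 * KB,
     "811c4039afefcf4b9437c90da42667c2465bfdd2e6754361267aa43e88827fc9"),
    (QCLP, 196 * KB, "41871ccefc813203a0661763ab340dcabf449e0d76ff58d46c05f747e96ff4d3"),
    (QCLP, 92 * KB, "11f8d59022e89e27a38367b0665528e01b4d193c6efb02c9941ad66230437ea2"),
    (VOLCENTER, 81 * KB, "7115e8197092b5b5dae12ef8d12e1d16b58df3d5915fae0040dcf8a9528e88b9"),
    (VOLCENTER, 139 * KB, "28e1ae3685afe6a0d0421e1704023cc717ec2bb86b59be9c39ec218698ac4973"),
    (VOLCENTER, 121 * KB, "b32b321ddf33641ae04f85edd3d3501bd07d6a094e63db668b70d8b4f011a7d9"),
]
MEMORY_DUMPS = [
    "memory/400-0-0x0000000000400000-0x00000000004D8000-memory.dmp",
    "memory/2620-9-0x0000000000400000-0x00000000004D8000-memory.dmp",
    "memory/3252-467-0x0000000000400000-0x00000000008D2000-memory.dmp",
    "memory/3848-471-0x0000000000400000-0x000000000071A000-memory.dmp",
    "memory/4524-11-0x0000000000400000-0x000000000071A000-memory.dmp",
]


def hashes_by_path(entries=DROPPED):
    out = defaultdict(list)
    for path, _, sha in entries:
        if sha not in out[path]:
            out[path].append(sha)
    return dict(out)


def rewritten_paths(entries=DROPPED):
    """Paths seen with more than one content hash: the file was rewritten during
    the run, so the hunt must carry every hash rather than the last one."""
    return {p: h for p, h in hashes_by_path(entries).items() if len(h) > 1}


def all_hashes(entries=DROPPED):
    """The full SHA256 hunt set, one entry per distinct content."""
    return {sha for _, _, sha in entries}


def classify_file(path, data, entries=DROPPED):
    """Hash matches any reported file: known-bad. Same path but other content:
    name-only (a rebuild or later stage; collect it, do not clear it). Else unknown."""
    sha = hashlib.sha256(data).hexdigest()
    if sha in all_hashes(entries):
        return "known-bad"
    if any(p.lower() == path.lower() for p in hashes_by_path(entries)):
        return "name-only"
    return "unknown"


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """(pid, base address, region size) from a Triage memory-dump name."""
    pid, start, end = DUMP_RE.match(name).groups()
    return int(pid), int(start, 16), int(end, 16) - int(start, 16)


def mapped_vs_disk(pid, path, dumps=MEMORY_DUMPS, entries=DROPPED):
    """Largest region dumped at 0x400000 for pid divided by the largest on-disk
    size reported for path. 0x400000 as the PE image base is an assumption; a
    ratio far above 1 means much more was mapped at the image base than the
    file on disk holds."""
    regions = [size for p, base, size in map(parse_dump, dumps)
               if p == pid and base == 0x400000]
    disk = [size for p, size, _ in entries if p.lower() == path.lower()]
    if not regions or not disk:
        return None
    return max(regions) / max(disk)


if __name__ == "__main__":
    for p, h in rewritten_paths().items():
        print(f"{len(h)} versions of {p}")
    print("hunt set:", len(all_hashes()), "SHA256 values")
    print("volcenter.exe mapped/disk ratio:", round(mapped_vs_disk(3252, VOLCENTER), 1))
    # Constructed stand-in bytes, not the sample: same path, different content.
    print(classify_file(VOLCENTER, b"constructed stand-in bytes, not the sample"))
```

Eight distinct SHA256 values cover the six paths, and the `volcenter.exe` region at 0x400000 is roughly 35 times its largest on-disk size, which is the reason to dump that process rather than rely on the dropped file alone.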