Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
31-01-2024 18:51
General
-
Target
ClipPlusCommunitySetup_ns.msi
-
Size
17.1MB
-
MD5
b82ada91e8742234257d9cad38deebfe
-
SHA1
d1278efa9729f955de1dbfcfe53550e67212ff9b
-
SHA256
3c8a05c5e2b599db85700ff9334a778efd2a99f6b4a1852aa0c129ba6039f834
-
SHA512
676d29697382b1375c7da26fcd6af20a7c5fb9f0f506c951c7280c7da12778d40fcfb1ef50653628123edf6cba8308d43a4945489a5f6b58e67dcc61d6fd373b
-
SSDEEP
393216:bnEbwdw5PBbXDqPiHNTS3ByWhGhz3iQw0FHufQMfh1GD6QGhNgqx9OPNQNI62vhp:wbwdwnBtcFhG1w0MVZ1GD6QGhNpwsIn/
Malware Config
Signatures
-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 18 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 10 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "0000000000000554"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f761b40.rbsFilesize
12KB
MD500051be04d5c14f13578807582e404f9
SHA1fce85a9e1239029e79f822d02f10c9ae30414455
SHA256c10f816c392ce376e616f75f87bb504a9ddd3a73a989b6b0c59ffe5b60821797
SHA512453ccf1e135b8e0b208eea8f0814aafc9e9f36037e42b18014a581b2ced04278abfa74f53c6e14719dd6f23b7add44dfa1920bcc04e119a6a25c51097e2b0d83
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dllFilesize
1006KB
MD5f9911a4d1a056c621dbbdc1d36771198
SHA1d59d48ece6cfb711e8904f3b7ab6563cfb64af3e
SHA2565370189b2ad314de53c154882bd15483abf538f7e75f5433d2eb8e813c8f53a7
SHA512dfe42799bc49649591045d7695be6ae2ec21402317e93cbb3cc73f392aca808b957a661af4baa7d362ec92a1820c43d39054f3fa46a9ac8c7099a21e3da83c15
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dllFilesize
1.1MB
MD57f9fe032400155aaacea1b4af6c46e07
SHA1af38169b29c1071b60db456aa7e96d302e12a6df
SHA2568b1512696095e1e1d29f2d91a2d79d32b1be50899baf56ede3a6aa5c2a79810a
SHA5124d4dd63d5604467f58d59ea260eb10719acf05980c9c29ce339085502ee21e6e9b804c486106b1d119fb19190b1246acbb87b280c0f83aae0ffdfd1c6e1bc038
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dllFilesize
1.4MB
MD527eccfac916724fde89be05cbcac9d88
SHA1da75266a674627cc9a5cac6b9c371ebc20c9bdce
SHA25629627dc6709e5f53fd63392ed946ce7d0d569f636226c09330755d9a1a3109fc
SHA512259bc2b047953d360b35368ba8014e356f72e33d37610548c77224139a2a84715d95fec8cdb4366665934f24613a4993c8f858b34302a828cb1ad71596445d24
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dllFilesize
1004KB
MD512a366b12ca1c0cad3ea3ba51c973f37
SHA15293a879d2cbfbcf10bce052125b51a31f647ae1
SHA256be010427aca3f13f48d62c788c236fd9a7f81eaa4cb7e19798b51fae78006b37
SHA5123906b584143d146ebba17ec3d8971410496c7e0ad4d698fb9af1733ac23c27bca40422243035f4126eb6aee8ef8dd810b37e26316889ed18d9c05bac6d149f10
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dllFilesize
135KB
MD58e58fcc0672a66c827c6f90fa4b58538
SHA13e807dfd27259ae7548692a05af4fe54f8dd32ed
SHA2566e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d
SHA5120e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dllFilesize
27KB
MD55efb2702c0b3d8eeac563372a33a6ed0
SHA1c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99
SHA25640545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b
SHA5128119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exeFilesize
1.4MB
MD55ef8c4d3d856e99b366155ac40dbf0ce
SHA19373200841a4ccbb96cac41b33a36997eb2d252b
SHA256189120484b8ba64a3405f8ce693e109c54cfaab8e9e8e854848cfe7900560d26
SHA512a29e7b20051ea64f0ba2cceb743d9ba04c89b30ac73dc0bb1ffd65231ab82a7d0f18a8d5925fa3e7ef3ba625807bb68cbba1469306996b527606ff5002737bfb
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dllFilesize
909KB
MD5d28239a4095f7866dde5cbf630d15e41
SHA12564f81c8e806009c23ef08b9cd802396ea71d58
SHA2569ec35f0b24e8c7b1ee08d86fd250e3e1a9c94e6e83986c85defafdc565153fcb
SHA51299af8c22c745ab6814dba97e3c22cc8fe3dd0984b759ee90dd02a3837604d6e9bb11368cebdf25a33784221236b73af77f8fcbf4b78becb134cacf24ebb1184f
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wavFilesize
1.4MB
MD51898e8f139af3c37c7cb695ebba30dca
SHA14ff0c9a3da840f12ea5479a0ec92f6fe0a01d0f6
SHA25621f44ed011011a676dcc5fbde05580b64153764ebd07a9cc73fef6f35e7d0ee1
SHA512e2ca27b9849e411ff5276b969b29f571149e68e7046745a7acb2c2a666b7dedd0622916867ce4efa3268e5bbb7c408df02a22393f847303f5928da6f4589d413
-
C:\Windows\Installer\f761b3e.msiFilesize
1.4MB
MD57f6db664f58c19e922c3481cfd742b52
SHA1ac286c6a59e109138c0403f3654328d3c2b022b5
SHA25669e1ce56f3990e42ad6b45f86f9c56a822535b7bf73317e566b98367d82ebc68
SHA512f6f29abd4cc5c8becacc411c939116069bf49bb3bc87cda50fd2a9912610987b8202f700742f36d603f4028032f9871975424809b8b8764277e34fa06bfdf95d
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dllFilesize
1.2MB
MD5985196b3967c1940a047ddeb59bafbda
SHA1ea55a92256dfe1631f90fc34b75dbff6b817037d
SHA256642c52c3fa5973b0ce8f6177b5fe0292e7c9335af258df47c174d88473af9770
SHA51260fe0d4c45b194d89b9f36ae54334f5d878e5c25aaeb1fe04c85419f5f97b0d4fb1d15c0c47d4846c1f96eb45273f9a912f1d83393675a1a577f49df7d412b35
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dllFilesize
379KB
MD5e98f595caa5ee23e8a3e46d83211da9d
SHA1a7ef9e7c3eddaa7b82acb7eba7a2c88a70bac017
SHA256df12ced54ee1dd73b230be239fb2ffce141bbf4ff979fb33ebb153a0bda88a1a
SHA512e777a5ace5ecef10ae051df02a443279af5f28a1e996905774f574ef8679363ae78db064ef6eb7c3f77dd87284cc0d070b1fe54b422f9ae0a2240286a9541938
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dllFilesize
1.8MB
MD591b965948bfa25ec7f732d794d8a85e6
SHA1a526be7e7886ef0501c05ab6d7ab20b68e91fc45
SHA2562cd80261c21d29ab2b1f911b34f29603eeec9d55580ba02f140454d50244f414
SHA51255346802503d04600966ec34927ea3dc9fd483351a6353c78e2347747fe92f380667743f0a6f389e35f7a0b5dc2671fd290649a6d575b7c26b04590ebbe46d44
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dllFilesize
1.2MB
MD557229daf7268b85089f61e22760de6cb
SHA10202ee5cb4ad4da9dc5135c8a5fd959cdaecdab2
SHA256373bd73b6742b1415e82a8d20436f4109136d406e6ab2ac6a10a22e17466d98b
SHA51205e6ec80c4d7fd5606afd61e7206a2f46488494bda330d1a4fe9c2057da1a5f59b5a256d61a0da4d1640fb0f75a745c35bce6c5ef44a0a1e182e916bf0a11778
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dllFilesize
1.9MB
MD53ef733c8a41234ac5a79c43f4474df34
SHA1ac076f0a2f24d460ee6aafd931096be69dcf1c6e
SHA256365e8a6c352c8d39e685e220244f8a6d5cd536e04a175e2dc0c8c54426af6efc
SHA512699f173619c00a6790c4896efa4dcb9e124d4b26973a9e288c4ecb5a22ec92ff56117e00726c085c37c30d51011286a1512a9b46782333e811926d491fdd68c7
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dllFilesize
1.1MB
MD5658276a6bf6c17511f54254d56cd9022
SHA1b9af3a23d41aa2bc2bf1f269e0deb8749896c584
SHA25619b5b1a7be78f20a509b6283d89498f038a74337b803369cb37077e1ebb5fa2a
SHA5124de906a5637512b40f91d49c798d2c2cea429077b53a7ed6e8eceaa6f0a1f56dbea1085c1a5afeeb689fd0c049d9041064c3d262a43b513f2288967292222fae
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dllFilesize
67KB
MD5d8ccb4b8235f31a3c73485fde18b0187
SHA1723bd0f39b32aff806a7651ebc0cdbcea494c57e
SHA2567bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba
SHA5128edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dllFilesize
18KB
MD5ff3d92fe7a1bf86cba27bec4523c2665
SHA1c2184ec182c4c9686c732d9b27928bddac493b90
SHA2569754a64a411e6b1314ae0b364e5e21ccfe2c15df2ed2e2dce2dc06fa10aa41e8
SHA5126e0f021eb7317e021dccb8325bc42f51a0bf2b482521c05a3ff3ca9857035191f8b4b19cbe0d7130d5736f41f8f2efb2568561e9063fa55aaab9f2575afe23db
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dllFilesize
31KB
MD5a6f27196423a3d1c0caa4a0caf98893a
SHA158b97697fa349b40071df4272b4efbd1dd295595
SHA256d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222
SHA5120a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dllFilesize
76KB
MD55199d6173a6deb45c275ef32af377c3c
SHA1e8989859b917cfa106b4519fefe4655c4325875b
SHA256a36f06cbe60fc1a305bd16cd30b35b9c026fd514df89cd88c9c83d22aefbe8c3
SHA51280b96196f1b3d6640035e8b8632a25ecdb3e4e823e1b64fc658b31aae6c6799aa1d9fd1acffbef6ff9082e0433ac9ab9426d5400d3644db9958940b8bb13f6d8
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dllFilesize
75KB
MD546ede9ea58c0ac20baf444750311e3f8
SHA1246c36050419602960fca4ec6d2079ea0d91f46e
SHA2567ea1636182d7520e5d005f3f8c6c1818148824cee4f092e2d2fe4f47c1793236
SHA512d9154430c72cbf78f4f49ec1eee888c0004f30a58a70cee49f5108ded0994ba299ba6bf552a55ffeedb2ab53107172324156e12e2fbae42f8f14f87ec37cc4e7
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dllFilesize
164KB
MD589e794bbd022ae1cafbf1516541d6ba5
SHA1a69f496680045e5f30b636e9f17429e0b3dd653e
SHA2567d7eb0bc188fc3a8e7af7e5325d4f5e5eb918c4138aea3de60d6b1afac6863f9
SHA51216455e29a1beece663878e84d91c8e75c34b483b6ff3b5853ced97670a75a9c29cc7a7aa78b0c158eb760cda5d3e44541aae2cc89b57d290e39b427d4c770000
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dllFilesize
141KB
MD5b6022150de5aeab34849ade53a9ac397
SHA1203d9458c92fc0628a84c483f17043ce468fa62f
SHA256c53b12ebe8ea411d8215c1b81de09adc7f4cf1e84fd85a7afa13f1f4a41f8e9d
SHA5122286399bd1f3576c6ce168e824f4d70c637485fae97d274597d045a894740519512f1865e20562656297072b5625bdd2a5ec4d4f5038176f764eb37e22451ade
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dllFilesize
31KB
MD5d31da7583083c1370f3c6b9c15f363cc
SHA11ebe7b1faf94c4fe135f34006e7e7cbbc0d8476c
SHA256cff3edc109bc0d186ba8ddf60bc99e48ff3467771e741c7168adbdbe03379506
SHA512a80364384eca446a378e3ae3420a0e3545e1d24426a9e43f3e27381cb09bb4cd1121b66c576e5a981b2e5d661f82590eb0c0fe8d8243ef872f84809ec906e266
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dllFilesize
21KB
MD5cdfbe254cc64959fc0fc1200f41f34c0
SHA14e0919a8a5c4b23441e51965eaaa77f485584c01
SHA2569513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9
SHA51263704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dllFilesize
1.2MB
MD5eeb2c9f79926c1074703c378fb27215c
SHA1df632ea453d0986aebb5961a7874c25426e5885b
SHA256ba71994c06091dfdc0f1c51eda9e41be888224d165fc0d62d7d882384569600c
SHA5120ffb563a20b1bf6659ae78d79fe28379e9560c91e4a258dd12046c4659aaf30772b1dcbd426466fee513f42711bc55c70f3f8c8f9ebfc533173b5e9cc3b80406
-
memory/1932-80-0x00000000001C0000-0x00000000001C5000-memory.dmpFilesize
20KB
-
memory/1932-121-0x00000000732E0000-0x0000000074003000-memory.dmpFilesize
13.1MB
-
memory/1932-111-0x0000000000F20000-0x0000000000F21000-memory.dmpFilesize
4KB
-
memory/1932-79-0x0000000075140000-0x000000007514E000-memory.dmpFilesize
56KB
-
memory/1932-113-0x0000000003860000-0x00000000038EB000-memory.dmpFilesize
556KB
-
memory/1932-118-0x0000000000400000-0x0000000000BAB000-memory.dmpFilesize
7.7MB
-
memory/1932-120-0x0000000000BB0000-0x0000000000E93000-memory.dmpFilesize
2.9MB
-
memory/1932-119-0x0000000004490000-0x0000000004491000-memory.dmpFilesize
4KB
-
memory/1932-81-0x0000000075110000-0x0000000075138000-memory.dmpFilesize
160KB
-
memory/1932-99-0x00000000001C0000-0x00000000001CD000-memory.dmpFilesize
52KB
-
memory/1932-124-0x0000000074940000-0x0000000074A65000-memory.dmpFilesize
1.1MB
-
memory/1932-123-0x00000000001C0000-0x00000000001C5000-memory.dmpFilesize
20KB
-
memory/1932-122-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/1932-108-0x0000000074940000-0x0000000074A65000-memory.dmpFilesize
1.1MB
-
memory/1932-98-0x00000000003D0000-0x00000000003D2000-memory.dmpFilesize
8KB
-
memory/1932-97-0x00000000001C0000-0x00000000001C3000-memory.dmpFilesize
12KB
-
memory/1932-95-0x0000000074F20000-0x0000000074F44000-memory.dmpFilesize
144KB
-
memory/1932-93-0x0000000074F50000-0x0000000074F86000-memory.dmpFilesize
216KB
-
memory/1932-92-0x00000000001C0000-0x00000000001C5000-memory.dmpFilesize
20KB
-
memory/1932-91-0x0000000075020000-0x000000007502E000-memory.dmpFilesize
56KB
-
memory/1932-86-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/1932-88-0x00000000001C0000-0x00000000001CE000-memory.dmpFilesize
56KB
-
memory/1932-87-0x0000000075030000-0x0000000075063000-memory.dmpFilesize
204KB
-
memory/1932-84-0x0000000075070000-0x000000007510E000-memory.dmpFilesize
632KB
-
memory/1932-82-0x00000000001C0000-0x00000000001C4000-memory.dmpFilesize
16KB
-
memory/1932-78-0x00000000003D0000-0x00000000003ED000-memory.dmpFilesize
116KB
-
memory/1932-75-0x0000000075390000-0x00000000753DD000-memory.dmpFilesize
308KB
-
memory/1932-72-0x0000000000BB0000-0x0000000000E93000-memory.dmpFilesize
2.9MB