Overview

overview

10

Static

static

1

3c8a05c5e2...34.msi

windows7-x64

10

3c8a05c5e2...34.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2024 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c8a05c5e2b599db85700ff9334a778efd2a99f6b4a1852aa0c129ba6039f834.msi

  • Size

    17.1MB

  • MD5

    b82ada91e8742234257d9cad38deebfe

  • SHA1

    d1278efa9729f955de1dbfcfe53550e67212ff9b

  • SHA256

    3c8a05c5e2b599db85700ff9334a778efd2a99f6b4a1852aa0c129ba6039f834

  • SHA512

    676d29697382b1375c7da26fcd6af20a7c5fb9f0f506c951c7280c7da12778d40fcfb1ef50653628123edf6cba8308d43a4945489a5f6b58e67dcc61d6fd373b

  • SSDEEP

    393216:bnEbwdw5PBbXDqPiHNTS3ByWhGhz3iQw0FHufQMfh1GD6QGhNgqx9OPNQNI62vhp:wbwdwnBtcFhG1w0MVZ1GD6QGhNpwsIn/

Score
10/10
babadedacrypterloader

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3c8a05c5e2b599db85700ff9334a778efd2a99f6b4a1852aa0c129ba6039f834.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1820
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe
      "C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1928
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000038C" "0000000000000554"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76236a.rbs
    Filesize

    12KB

    MD5

    f05cb15b922c9ea4b7fe63ec8dfa276c

    SHA1

    1892550bd52c9c0cfce7fe54f54f84fde65164f8

    SHA256

    23cd115804e508e62614757b902d1d58677df351f49764ed82bc7b867e99ef08

    SHA512

    5711036ab9dab77433c0a50b887c56425dd41771dcdf06edf55ac735d2503219fad2fddcd7053e033c1fc3499202cd4351a41bad729e5f94b7c26a28dcaade06

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll
    Filesize

    2.3MB

    MD5

    25ccafba34985d46d9e360db0e8b9e72

    SHA1

    6c059ab9e433a13903bda41533a473aa35a13106

    SHA256

    390729457316c2f908263361cad0abca1d663e470d9f159e262059487ff27ece

    SHA512

    c649c98b3d74310e4a745cc4d22a4efa44cb5b05db13b104df004f6720f107d202243f4b346e7ee782caac615b36206fcc253c4a02e4f2b07ff2e8941289c47e

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dll
    Filesize

    379KB

    MD5

    e98f595caa5ee23e8a3e46d83211da9d

    SHA1

    a7ef9e7c3eddaa7b82acb7eba7a2c88a70bac017

    SHA256

    df12ced54ee1dd73b230be239fb2ffce141bbf4ff979fb33ebb153a0bda88a1a

    SHA512

    e777a5ace5ecef10ae051df02a443279af5f28a1e996905774f574ef8679363ae78db064ef6eb7c3f77dd87284cc0d070b1fe54b422f9ae0a2240286a9541938

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll
    Filesize

    2.0MB

    MD5

    cb1817950cc3bdd9c92a456fa9e916f0

    SHA1

    9cc288ca58c49d045b95cc158481c169e1d741d7

    SHA256

    7e0c783362e1f1b8b050c66b79df7f44b897fd9e3e587c4de779d67b973d48a6

    SHA512

    4e7cdaaadceebd541fecdb5c000e1d759e80426891c70dbd6db105411f149e9b799063c3a01ce7a9b1b0c4c07465aea330db269db4c6b5a22ab0b5e53cf4ee95

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll
    Filesize

    1.9MB

    MD5

    e151093a653ef47adc95f84100fb8d4d

    SHA1

    bc44b1e79b6cd81da91bf82c1d3ed8a11d622666

    SHA256

    bf80b723f8652bb210122bc697c2db2c2bcc09b5d818ff9704d1d87ad6b373f3

    SHA512

    21e58f3e742349ce06f1bfa7e091962862d1664f94b780bf5eacbf7bd308b929a9482666946107a836b2dc804e0bb9b899008cfe014bb194d7adccb95684cb04

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll
    Filesize

    2.2MB

    MD5

    316e131300e0213b2cb5c2e6ab4adfec

    SHA1

    9a19d080aba110e56ddfb3b8ad73c54979ad5d51

    SHA256

    039102fd6e00e4df31f2855a4aa5dcb58ff8e4c6528f015bc5cb77ba0cd749e6

    SHA512

    fbf837c0ef42a5d6b7a9df83fe05f50d21b98f5d7b49c9f3b7e05cd14102a4afbd319442a770034827c9a091ea78341f4cf436e4c86d0d31d9d650cd2fe80239

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dll
    Filesize

    75KB

    MD5

    46ede9ea58c0ac20baf444750311e3f8

    SHA1

    246c36050419602960fca4ec6d2079ea0d91f46e

    SHA256

    7ea1636182d7520e5d005f3f8c6c1818148824cee4f092e2d2fe4f47c1793236

    SHA512

    d9154430c72cbf78f4f49ec1eee888c0004f30a58a70cee49f5108ded0994ba299ba6bf552a55ffeedb2ab53107172324156e12e2fbae42f8f14f87ec37cc4e7

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dll
    Filesize

    164KB

    MD5

    89e794bbd022ae1cafbf1516541d6ba5

    SHA1

    a69f496680045e5f30b636e9f17429e0b3dd653e

    SHA256

    7d7eb0bc188fc3a8e7af7e5325d4f5e5eb918c4138aea3de60d6b1afac6863f9

    SHA512

    16455e29a1beece663878e84d91c8e75c34b483b6ff3b5853ced97670a75a9c29cc7a7aa78b0c158eb760cda5d3e44541aae2cc89b57d290e39b427d4c770000

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dll
    Filesize

    31KB

    MD5

    d31da7583083c1370f3c6b9c15f363cc

    SHA1

    1ebe7b1faf94c4fe135f34006e7e7cbbc0d8476c

    SHA256

    cff3edc109bc0d186ba8ddf60bc99e48ff3467771e741c7168adbdbe03379506

    SHA512

    a80364384eca446a378e3ae3420a0e3545e1d24426a9e43f3e27381cb09bb4cd1121b66c576e5a981b2e5d661f82590eb0c0fe8d8243ef872f84809ec906e266

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe
    Filesize

    3.1MB

    MD5

    bda15158e43345f45479a8d238a469c3

    SHA1

    07a6d9f663644687acc546eaebc7e24951ecf2c7

    SHA256

    33cab888684b171cf7ebc2bd4a60beca626ea693483409e77ec200f0e81966da

    SHA512

    c5e046b569549716fa9301fda5728a8c07ce83264627d7dc22657dddc6ca6ff6a5682687e96afd0e1ec272564d83abfc062c0d8fc0a9a1f5bc3d7a23691193f4

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wav
    Filesize

    1.8MB

    MD5

    3978c2550c1e450c0b817854b69b3b82

    SHA1

    e0db6cb3d7182d16374db7fe6ce15ae7db3346db

    SHA256

    05a61eb335bf99882924caa6bff364811fda63efb3b76d23665e09b50835f1f6

    SHA512

    164e3c8922fd8fe2b8be0313e89c17840130946c1d73c7ebf3c7267f944b1a0cbe1517baa0f0e9daf0cf5f802caab6a231c9c412ebcb3111da8fa7f540622a08

    Download Submit
  • C:\Windows\Installer\f762368.msi
    Filesize

    1.9MB

    MD5

    0ad8482b2e34635b22b7370fe952b2d7

    SHA1

    9ee3a884e43238dbe67e4be800df242a15355bbf

    SHA256

    eb6bb730719103350d9f197c0060ee0dddfb9ea3fc09b6074dae38dad56df76c

    SHA512

    abbb37e3dbcd1b86c012acb531f32d68c6e915c567a3d76f8409815d6925d54ffab198412340e2ba54a9c4ea87c6069968334c2c2360d8be4b2c5d9271e6172c

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dll
    Filesize

    2.6MB

    MD5

    55ee605f0b4cd2bd10c762df987cb74e

    SHA1

    13fe4d24b58160d0be11ab94470f0da0b1d2595b

    SHA256

    8a9af16b2876f37d28b5a8d21aaf9d93dc6f16f3759f2321505707086b8b3b7c

    SHA512

    28336ebb97296a1b422efda4360b21380f61b19fc79bd6851df2960d894024bfc8f60a91a8a48a141256d8e48a20a4b129c4c751f2ee5fa374bf04388f5aecc7

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dll
    Filesize

    2.1MB

    MD5

    c4c378218fb9d136a67a300219a8cb95

    SHA1

    a8fd2a1cc9cb996646ed9e79baaa342c16d3b163

    SHA256

    c8341f8a3a3a410607b7a364e0317bb21d9b158ac55abbe2b3425b27649b3149

    SHA512

    26e8361cee243a8a6f4879c1608b29b713f725487d320833560140418e73027fa92def0790bb8465293d240e0e237a015ac45112b1a4153afbacb4fddb3f9b8e

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dll
    Filesize

    2.5MB

    MD5

    6b61ba46a95b859672f97031e5eb9f8c

    SHA1

    99d9cbfd335ab1153f72e2b0a917db13eda885ed

    SHA256

    392f0aaaad77c702a40421c3b008083750249e4fa69009c47858c1d9826edebe

    SHA512

    5c1f820fdc9997fd0e59d54b0f2009c86809ccf0fdb5a4e2deafa6e05cdd31c055a37532560a2cad9db20fe537cd30cd4a43e50cdeb0a6821e8e00b4b964d6e2

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll
    Filesize

    2.6MB

    MD5

    7eca0aeb9b81a172f256edfc8f34623b

    SHA1

    6642b2f67e110f9abf6b980b49ff5f19e1340bff

    SHA256

    12eaf5865f4e6b7067c50c0a133bbe8b1222fac3c8e8bebed777c25ed739dc2f

    SHA512

    f43e66f1ecf6db9e6550b6d995639025e69a784a0d287b1f12d25180f42870c069f155d8c20334bf6ef4f7a38d8f4dffa7ec921b580654afecb608b6da946778

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dll
    Filesize

    1.1MB

    MD5

    658276a6bf6c17511f54254d56cd9022

    SHA1

    b9af3a23d41aa2bc2bf1f269e0deb8749896c584

    SHA256

    19b5b1a7be78f20a509b6283d89498f038a74337b803369cb37077e1ebb5fa2a

    SHA512

    4de906a5637512b40f91d49c798d2c2cea429077b53a7ed6e8eceaa6f0a1f56dbea1085c1a5afeeb689fd0c049d9041064c3d262a43b513f2288967292222fae

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll
    Filesize

    135KB

    MD5

    8e58fcc0672a66c827c6f90fa4b58538

    SHA1

    3e807dfd27259ae7548692a05af4fe54f8dd32ed

    SHA256

    6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d

    SHA512

    0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll
    Filesize

    67KB

    MD5

    d8ccb4b8235f31a3c73485fde18b0187

    SHA1

    723bd0f39b32aff806a7651ebc0cdbcea494c57e

    SHA256

    7bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba

    SHA512

    8edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll
    Filesize

    27KB

    MD5

    5efb2702c0b3d8eeac563372a33a6ed0

    SHA1

    c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99

    SHA256

    40545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b

    SHA512

    8119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dll
    Filesize

    18KB

    MD5

    ff3d92fe7a1bf86cba27bec4523c2665

    SHA1

    c2184ec182c4c9686c732d9b27928bddac493b90

    SHA256

    9754a64a411e6b1314ae0b364e5e21ccfe2c15df2ed2e2dce2dc06fa10aa41e8

    SHA512

    6e0f021eb7317e021dccb8325bc42f51a0bf2b482521c05a3ff3ca9857035191f8b4b19cbe0d7130d5736f41f8f2efb2568561e9063fa55aaab9f2575afe23db

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll
    Filesize

    31KB

    MD5

    a6f27196423a3d1c0caa4a0caf98893a

    SHA1

    58b97697fa349b40071df4272b4efbd1dd295595

    SHA256

    d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222

    SHA512

    0a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dll
    Filesize

    76KB

    MD5

    5199d6173a6deb45c275ef32af377c3c

    SHA1

    e8989859b917cfa106b4519fefe4655c4325875b

    SHA256

    a36f06cbe60fc1a305bd16cd30b35b9c026fd514df89cd88c9c83d22aefbe8c3

    SHA512

    80b96196f1b3d6640035e8b8632a25ecdb3e4e823e1b64fc658b31aae6c6799aa1d9fd1acffbef6ff9082e0433ac9ab9426d5400d3644db9958940b8bb13f6d8

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll
    Filesize

    141KB

    MD5

    b6022150de5aeab34849ade53a9ac397

    SHA1

    203d9458c92fc0628a84c483f17043ce468fa62f

    SHA256

    c53b12ebe8ea411d8215c1b81de09adc7f4cf1e84fd85a7afa13f1f4a41f8e9d

    SHA512

    2286399bd1f3576c6ce168e824f4d70c637485fae97d274597d045a894740519512f1865e20562656297072b5625bdd2a5ec4d4f5038176f764eb37e22451ade

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll
    Filesize

    21KB

    MD5

    cdfbe254cc64959fc0fc1200f41f34c0

    SHA1

    4e0919a8a5c4b23441e51965eaaa77f485584c01

    SHA256

    9513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9

    SHA512

    63704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dll
    Filesize

    1.2MB

    MD5

    eeb2c9f79926c1074703c378fb27215c

    SHA1

    df632ea453d0986aebb5961a7874c25426e5885b

    SHA256

    ba71994c06091dfdc0f1c51eda9e41be888224d165fc0d62d7d882384569600c

    SHA512

    0ffb563a20b1bf6659ae78d79fe28379e9560c91e4a258dd12046c4659aaf30772b1dcbd426466fee513f42711bc55c70f3f8c8f9ebfc533173b5e9cc3b80406

    Download Submit
  • memory/1928-84-0x0000000074920000-0x00000000749BE000-memory.dmp
    Filesize

    632KB

    Download
  • memory/1928-75-0x0000000074C40000-0x0000000074C8D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/1928-95-0x00000000747D0000-0x00000000747F4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/1928-97-0x0000000000240000-0x0000000000243000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1928-93-0x0000000074800000-0x0000000074836000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1928-92-0x0000000000240000-0x000000000024E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1928-91-0x00000000748D0000-0x00000000748DE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1928-103-0x0000000000D50000-0x0000000000D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1928-78-0x0000000000240000-0x000000000025D000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1928-89-0x0000000000240000-0x000000000024E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1928-86-0x0000000000240000-0x0000000000244000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1928-87-0x00000000748E0000-0x0000000074913000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1928-98-0x0000000000240000-0x0000000000247000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1928-99-0x0000000000240000-0x000000000024D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1928-120-0x0000000000E60000-0x0000000001143000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1928-81-0x00000000749C0000-0x00000000749E8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1928-79-0x00000000749F0000-0x00000000749FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1928-112-0x0000000071780000-0x00000000718A5000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1928-72-0x0000000000E60000-0x0000000001143000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1928-118-0x0000000005870000-0x0000000005871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1928-119-0x0000000000400000-0x0000000000BAB000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1928-82-0x0000000000240000-0x0000000000244000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1928-121-0x0000000072B90000-0x00000000738B3000-memory.dmp
    Filesize

    13.1MB

    Download
  • memory/1928-122-0x0000000000240000-0x0000000000244000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1928-123-0x0000000071780000-0x00000000718A5000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1928-113-0x0000000005160000-0x00000000051EB000-memory.dmp
    Filesize

    556KB

    Download
  • memory/1928-80-0x0000000000240000-0x0000000000244000-memory.dmp
    Filesize

    16KB

    Download