Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
02-02-2024 01:34
General
-
Target
ClipPlusCommunitySetup_ns.msi
-
Size
17.1MB
-
MD5
b82ada91e8742234257d9cad38deebfe
-
SHA1
d1278efa9729f955de1dbfcfe53550e67212ff9b
-
SHA256
3c8a05c5e2b599db85700ff9334a778efd2a99f6b4a1852aa0c129ba6039f834
-
SHA512
676d29697382b1375c7da26fcd6af20a7c5fb9f0f506c951c7280c7da12778d40fcfb1ef50653628123edf6cba8308d43a4945489a5f6b58e67dcc61d6fd373b
-
SSDEEP
393216:bnEbwdw5PBbXDqPiHNTS3ByWhGhz3iQw0FHufQMfh1GD6QGhNgqx9OPNQNI62vhp:wbwdwnBtcFhG1w0MVZ1GD6QGhNpwsIn/
Malware Config
Signatures
-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 10 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 18 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup_ns.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005BC" "000000000000055C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\f762a4d.rbsFilesize
12KB
MD5bfd88a74dda85618213e19ce6d80b2e2
SHA178aac4ad59f8abe75c91d0f7b512360c30992229
SHA25687b7592f5e112fc0cb95811e3797b3dc9ead95ac6c9e3fb36677927fcc6c5c28
SHA51247596ae3e0eb729734300f17639247ab2d12ce9653b4847b5d1b6e85c5af8eebbcbef47afd6e637950bf67d7932252436a0be10ed26d5bf3f045d646fb661afc
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dllFilesize
93KB
MD5290f2720961e73fd2335eecd7266256e
SHA1d36959ef5b433f430336da17b1662d145d483b36
SHA256fe073449d29745d2755022feb0d7e366e18cb8dc4f09c1ad57776974fd1d7930
SHA51219d1b3ab8d6ebffd44b2cacd8c95be53ebd2d115903ced219f5a89b610a5df09af483aa6f1e04aa2bcf57cd3020d0e41a520fc757bd9f680afc19f30ec57e41a
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dllFilesize
100KB
MD5c2c069dfca0017a8c66a1d2b508bc139
SHA16b6e91396d1ec99106e632a1447491f4d7d2264d
SHA2566225cccbc8ed767909eb0c637f9b066ead3ff692dec625bc04a921fb0b8ebdab
SHA5129d073733b8ebaac71f3433df79f3e04f7f068b0925f150fc48c3460dd7d3c1e25076667a1e9e47e71cc7de66b5190120e909646e67fe28dc5c56a9e3c96ea086
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dllFilesize
186KB
MD5377752cd24ac17669a2604f69febdba1
SHA15c3a132270b87a04c533a30ec7700cee69c1a9e3
SHA256314a4fd29b291a0d6155248ca2d3c2dd320d41d6544f70db3a442de1e312cae1
SHA512d61b962ce0a5460a0b1847e826c35be7e471dfdb1008a066a4fa1243f140c222cb26ab556f0dd4f4207389632410461e4cadf2a834cf2a4bd16d36185b5fe492
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dllFilesize
140KB
MD5ac2f0fe88ecba8cb3ae56b8be3601648
SHA1942a79027fc9535d19d54a6a6c4442b041752368
SHA2569e227d35510cc6b4ed2f396e2a8856ec710b50b4fffe288c3e91057501a38a38
SHA51253fe5c737d618f666667d6ee42d45e556e6497ccd3e120f88b6c7a3decbec66f16844f14bb566f034358937fa693de4f4a221c423a42990d5adfb2a24faaeb6c
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dllFilesize
254KB
MD5d3a84dfa3ab1f689988a70b5e8005bf9
SHA19b53991fb2902004264a96d392de7dd84e203db0
SHA25667b5ad943611870c27d59db705c179f882b3dd0ffc431f727d50fa5953341037
SHA5124dae2855644e9c1715ef4afc2326439fcac88fa73982bcb406cced6f56ba00582acfd53f8b7b411f8610cc3c423bba76715504a80990e6e1111d5694ffaadc0f
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dllFilesize
121KB
MD53621a8d82b5fd9540a8301d8ee551b68
SHA1eed2053d6a6ea8b3f11326dabed953b63bfedc9f
SHA256ea2b626cbfb644328a190d8371306f9a63322bda263a09dcec6e6af1ead77992
SHA5120124177003d0ac6849d67446bf2c7b869c87f99cc3e11c481fa3d16624a585352e6587f5280656db716af735e5f228bb50ac7dc888498de8f790c865ed67090e
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dllFilesize
27KB
MD55efb2702c0b3d8eeac563372a33a6ed0
SHA1c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99
SHA25640545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b
SHA5128119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exeFilesize
1.3MB
MD5cefd423df7a299b9cf378a8995dd5ad9
SHA1abc8dea81cf74783bd6d016a3e2feb3839390dc4
SHA25627944c044a4dcd975420e8b15560016602f83f4069520789628f81caa14a6dce
SHA5124104609d770fdc3cc581b4699d86203ac3004989870d3a782eb400a012ce5bb2e4fb3ef8bbe3d48d551083b1530fcb7179bad8839c17d8c843a645cd75367473
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dllFilesize
365KB
MD5a56c36a7dd238d72672a57573bdb1833
SHA12a7db7c8e4b80e1bc9b384159d056c6b5cfc9a38
SHA256c6138784ca37688e93932f4cdaeebac98522b974fed2d5109844e3c46448dd60
SHA512a14a1f88f888223af231eda6bbca74449aac21aa5f46e8f2f4b34175d9b115656122e123e667ad70b7f7f8c7d7a338177a111afffa8c38e7f96e740fb4d7d46f
-
C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\tutorial.wavFilesize
135KB
MD5a4c63effcc46eaad8dd1a53e39b1f87d
SHA19a2a507b07ae859d74fd7777325439c09decc792
SHA256a3cf1f0f880ea30aa4f9d8ecf767d86c0a8898e0f50c833dbb76a170c37eca13
SHA5121c2cfcba081ba1d365cacb8406341d3255d300a8149487ad16d4a2c2213c7de5d8c22c118d8bf23e34cc8f9dea459e82da0b3f24e97cdc693dd531020e4a3ffa
-
C:\Windows\Installer\f762a4b.msiFilesize
314KB
MD5f4237bd332d6a528a1a9f0fb3ae16679
SHA1bed1b16e0da7ced0ba716ee0a81b5c6331e54c0e
SHA256b5d9b9baa29b4d508675ca62dcba6da0468cd6999240cc02b0851f19a6959f3d
SHA5120706aa13232cec87f360cf7421a75fc623d82ab1409dbef9848f06a2f9317fb06f042ea7f30126ef59af500699c8c147c4ae69c2f1f21135b220fa70f5c06076
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\FilesystemDialogs.dllFilesize
89KB
MD5f20602c73f1ef3af1d4bc548bd9b0742
SHA11264b76d0618e49350393c8fff9bb2b909b452bf
SHA2562a74e26525d0c7501babee140f9ecaa3e71fbe993c1dedbe4b8bb3391a516911
SHA512c13053eae9eca1750169ed03f7900ac8263bf9672c08f059a07489821cbcf4a773add635aa0a616b1fc16913147a9726ac4ce10615e575df51317ce2390e18c9
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\Fluent.dllFilesize
179KB
MD5b8eb4b304bb2caf1b488abdd98d09aa7
SHA134c8ba442caa17c756cbdfead8e9b1d3b4640502
SHA256d83be5ada79acd47c19ccf777a94886458e7a15cd04041f49ab273bec3cb1bfb
SHA51297171a55679ebf4e3fc04a35d270c7ace822e92d9b97c5970df500a28a98ab70ae78eb285b1922ca97c6ddff213ae5361fb0abe7ae32f6b3e80e40a0d5d4679c
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\FreeImage.dllFilesize
107KB
MD5f0cadf8548cff266e741a19219f447c0
SHA17cd4b19a5bb350487893b1bfde05965beebc83b9
SHA256474d296b39086a5680a8fda9dd895cf4e1f5817b7538a813855e39210a3ec5ef
SHA5126c059f5037311ac2b82d508d58bc6d8b4ce95b67e4dedc39437d1135e2e0bdc9e87a3f3e2307e80c27036288679ec5f0f6c2f587940aff4b181e4f55160fdf19
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\MediaInfo.dllFilesize
160KB
MD5eed4c6521bcb41b4e109782b8a24410d
SHA1a9ee67f0e2c372a244520774e7252c88a4272cad
SHA25655f92e3d92d9d4a5df61f26365da4246ce427985a8c355baf3a8ae40ae4cc91f
SHA5125779c548a21e0af32e0ddd6472a34fed385991ed3bec54395549eb315ea080404e8c6429a9bd59fff594e65b9597df02ced67f35eca09c8806116f0238c5a318
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dllFilesize
290KB
MD5444ad68918251b4cc32f07219a5a6c31
SHA114b6572c4fc075ad5164ace11f098b7f735a6a17
SHA256deb374d90eec719785c54576422fd28acad8e98544a1deec4d29c03506db638b
SHA512dda97c60eadab52b249d5c470d446d05d8b8f6fdc758bfe659143b272d18373d54521fb0eef1a6cc3654af0aeb9e7a51471baa1aa57c54c066121159ae0c7b3a
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\WinSparkle.dllFilesize
158KB
MD5a7d2119242e0e6ad2717030d4b62068b
SHA15702896034230cd88141b4ec551a97aa6be16e66
SHA25663514bd2ac28db14736d4c33b3da92fbec3d3ef068af61f34a4acfdd2fb3266b
SHA5124729a375b99d5fbe49657adb4c617f48b8fb9f068aa9452acdbe0f04b0635405716692cd6848a1f1dbb3e2a0f241246438d9c321b2568675efc9ea2e782ca711
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dllFilesize
135KB
MD58e58fcc0672a66c827c6f90fa4b58538
SHA13e807dfd27259ae7548692a05af4fe54f8dd32ed
SHA2566e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d
SHA5120e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dllFilesize
67KB
MD5d8ccb4b8235f31a3c73485fde18b0187
SHA1723bd0f39b32aff806a7651ebc0cdbcea494c57e
SHA2567bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba
SHA5128edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassasio.dllFilesize
18KB
MD5ff3d92fe7a1bf86cba27bec4523c2665
SHA1c2184ec182c4c9686c732d9b27928bddac493b90
SHA2569754a64a411e6b1314ae0b364e5e21ccfe2c15df2ed2e2dce2dc06fa10aa41e8
SHA5126e0f021eb7317e021dccb8325bc42f51a0bf2b482521c05a3ff3ca9857035191f8b4b19cbe0d7130d5736f41f8f2efb2568561e9063fa55aaab9f2575afe23db
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dllFilesize
31KB
MD5a6f27196423a3d1c0caa4a0caf98893a
SHA158b97697fa349b40071df4272b4efbd1dd295595
SHA256d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222
SHA5120a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_flac.dllFilesize
76KB
MD55199d6173a6deb45c275ef32af377c3c
SHA1e8989859b917cfa106b4519fefe4655c4325875b
SHA256a36f06cbe60fc1a305bd16cd30b35b9c026fd514df89cd88c9c83d22aefbe8c3
SHA51280b96196f1b3d6640035e8b8632a25ecdb3e4e823e1b64fc658b31aae6c6799aa1d9fd1acffbef6ff9082e0433ac9ab9426d5400d3644db9958940b8bb13f6d8
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_mp3.dllFilesize
75KB
MD546ede9ea58c0ac20baf444750311e3f8
SHA1246c36050419602960fca4ec6d2079ea0d91f46e
SHA2567ea1636182d7520e5d005f3f8c6c1818148824cee4f092e2d2fe4f47c1793236
SHA512d9154430c72cbf78f4f49ec1eee888c0004f30a58a70cee49f5108ded0994ba299ba6bf552a55ffeedb2ab53107172324156e12e2fbae42f8f14f87ec37cc4e7
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_ogg.dllFilesize
164KB
MD589e794bbd022ae1cafbf1516541d6ba5
SHA1a69f496680045e5f30b636e9f17429e0b3dd653e
SHA2567d7eb0bc188fc3a8e7af7e5325d4f5e5eb918c4138aea3de60d6b1afac6863f9
SHA51216455e29a1beece663878e84d91c8e75c34b483b6ff3b5853ced97670a75a9c29cc7a7aa78b0c158eb760cda5d3e44541aae2cc89b57d290e39b427d4c770000
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dllFilesize
141KB
MD5b6022150de5aeab34849ade53a9ac397
SHA1203d9458c92fc0628a84c483f17043ce468fa62f
SHA256c53b12ebe8ea411d8215c1b81de09adc7f4cf1e84fd85a7afa13f1f4a41f8e9d
SHA5122286399bd1f3576c6ce168e824f4d70c637485fae97d274597d045a894740519512f1865e20562656297072b5625bdd2a5ec4d4f5038176f764eb37e22451ade
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassmix.dllFilesize
31KB
MD5d31da7583083c1370f3c6b9c15f363cc
SHA11ebe7b1faf94c4fe135f34006e7e7cbbc0d8476c
SHA256cff3edc109bc0d186ba8ddf60bc99e48ff3467771e741c7168adbdbe03379506
SHA512a80364384eca446a378e3ae3420a0e3545e1d24426a9e43f3e27381cb09bb4cd1121b66c576e5a981b2e5d661f82590eb0c0fe8d8243ef872f84809ec906e266
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dllFilesize
21KB
MD5cdfbe254cc64959fc0fc1200f41f34c0
SHA14e0919a8a5c4b23441e51965eaaa77f485584c01
SHA2569513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9
SHA51263704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610
-
\Users\Admin\AppData\Local\Programs\Clip Plus Community\irender.dllFilesize
331KB
MD54cfdd136b31e84bd1a9c178580715dbe
SHA138ede7f1729a1f56c9e17edd5dd7fde670f18a59
SHA2568205002164f8f617cbba4baad7fd4a6af22d2c8adf7ec53c98c403dc648ccdc0
SHA5122a65256eb784e3c598fba5f3686da310ef10b4101df6f27002e781faea53967807dd6eb5c3239d1768bcf6e6ff81a88c0bd7d442f118b945a8c50df9c79db24a
-
memory/2644-87-0x0000000074550000-0x0000000074583000-memory.dmpFilesize
204KB
-
memory/2644-107-0x0000000073E20000-0x0000000073F45000-memory.dmpFilesize
1.1MB
-
memory/2644-109-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/2644-75-0x00000000748B0000-0x00000000748FD000-memory.dmpFilesize
308KB
-
memory/2644-79-0x0000000074660000-0x000000007466E000-memory.dmpFilesize
56KB
-
memory/2644-80-0x0000000074630000-0x0000000074658000-memory.dmpFilesize
160KB
-
memory/2644-99-0x0000000000230000-0x000000000023D000-memory.dmpFilesize
52KB
-
memory/2644-113-0x0000000003780000-0x000000000380B000-memory.dmpFilesize
556KB
-
memory/2644-118-0x0000000000400000-0x0000000000BAB000-memory.dmpFilesize
7.7MB
-
memory/2644-120-0x0000000004530000-0x0000000004531000-memory.dmpFilesize
4KB
-
memory/2644-121-0x0000000072800000-0x0000000073523000-memory.dmpFilesize
13.1MB
-
memory/2644-119-0x0000000000E00000-0x00000000010E3000-memory.dmpFilesize
2.9MB
-
memory/2644-122-0x0000000000230000-0x0000000000235000-memory.dmpFilesize
20KB
-
memory/2644-123-0x0000000073E20000-0x0000000073F45000-memory.dmpFilesize
1.1MB
-
memory/2644-98-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/2644-97-0x0000000000230000-0x0000000000233000-memory.dmpFilesize
12KB
-
memory/2644-95-0x0000000074440000-0x0000000074464000-memory.dmpFilesize
144KB
-
memory/2644-93-0x0000000074470000-0x00000000744A6000-memory.dmpFilesize
216KB
-
memory/2644-92-0x0000000000230000-0x0000000000235000-memory.dmpFilesize
20KB
-
memory/2644-91-0x0000000074540000-0x000000007454E000-memory.dmpFilesize
56KB
-
memory/2644-89-0x0000000000230000-0x000000000023E000-memory.dmpFilesize
56KB
-
memory/2644-82-0x0000000000230000-0x000000000024D000-memory.dmpFilesize
116KB
-
memory/2644-86-0x0000000000260000-0x000000000027E000-memory.dmpFilesize
120KB
-
memory/2644-84-0x0000000000230000-0x000000000024D000-memory.dmpFilesize
116KB
-
memory/2644-83-0x0000000074590000-0x000000007462E000-memory.dmpFilesize
632KB
-
memory/2644-77-0x0000000000230000-0x000000000024D000-memory.dmpFilesize
116KB
-
memory/2644-72-0x0000000000E00000-0x00000000010E3000-memory.dmpFilesize
2.9MB