Overview

overview

10

Static

static

3

750c447d6e...9c.exe

windows7-x64

10

750c447d6e...9c.exe

windows10-2004-x64

10

AudioManag...le.exe

windows7-x64

10

AudioManag...le.exe

windows10-2004-x64

10

Microsoft....ns.dll

windows7-x64

1

Microsoft....ns.dll

windows10-2004-x64

1

PocoInitializer.dll

windows7-x64

1

PocoInitializer.dll

windows10-2004-x64

1

System.Win...ty.dll

windows7-x64

1

System.Win...ty.dll

windows10-2004-x64

1

bass.dll

windows7-x64

1

bass.dll

windows10-2004-x64

1

bzip2.dll

windows7-x64

3

bzip2.dll

windows10-2004-x64

3

d3d10core.dll

windows10-2004-x64

1

iconv.dll

windows7-x64

3

iconv.dll

windows10-2004-x64

3

libgthread-2.0-0.dll

windows7-x64

1

libgthread-2.0-0.dll

windows10-2004-x64

1

wxwidgetsforms2.dll

windows7-x64

10

wxwidgetsforms2.dll

windows10-2004-x64

10

xmlparse.dll

windows7-x64

1

xmlparse.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    125s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10-04-2024 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe

  • Size

    4.0MB

  • MD5

    fd0ed9f5ffa9c912ba8d677687776448

  • SHA1

    b7abe535dccf587c80cbcd2d4cc0c30e330b3a54

  • SHA256

    750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c

  • SHA512

    dc40402b2f77a3148a2ce3d86561b67c9c64a5a5492d7e6591c1bd2cd25de5d5a7e999637802b530b684d230b904a38b97ed95614ed5069f7d3293ca87bcf219

  • SSDEEP

    98304:E+CmYXmNfbqCePyvG02XIlnHNZvQkMkWmpWQ2Ga:EmumvGs/QVara

Score
10/10
babadedaoutsteelcrypterloaderspywarestealer

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 3 IoCs
  • OutSteel

    OutSteel is a file uploader and document stealer written in AutoIT.

    stealeroutsteel
  • OutSteel batch script 1 IoCs

    Detects batch script dropped by OutSteel

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
    "C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
      C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        3⤵
          PID:2148
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
          3⤵
            PID:2788
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
            3⤵
              PID:2908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
              3⤵
                PID:664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
                3⤵
                  PID:2956
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
                  3⤵
                    PID:1648
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
                    3⤵
                      PID:1612
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
                      3⤵
                        PID:2612
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
                        3⤵
                          PID:1084
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
                          3⤵
                            PID:2632
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
                            3⤵
                              PID:1104
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
                              3⤵
                                PID:1112
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
                                3⤵
                                  PID:2724
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
                                  3⤵
                                    PID:1356
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
                                    3⤵
                                      PID:1344
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
                                      3⤵
                                        PID:2236
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
                                        3⤵
                                          PID:2252
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A
                                          3⤵
                                            PID:1164
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A
                                            3⤵
                                              PID:1744
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A
                                              3⤵
                                                PID:872
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
                                                3⤵
                                                  PID:624
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A
                                                  3⤵
                                                    PID:1064
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A
                                                    3⤵
                                                      PID:800
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A
                                                      3⤵
                                                        PID:2164
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
                                                        3⤵
                                                          PID:1808
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A
                                                          3⤵
                                                            PID:2808
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A
                                                            3⤵
                                                              PID:1832
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A
                                                              3⤵
                                                                PID:2928
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A
                                                                3⤵
                                                                  PID:2108
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A
                                                                  3⤵
                                                                    PID:2688
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A
                                                                    3⤵
                                                                      PID:2508
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A
                                                                      3⤵
                                                                        PID:1792
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A
                                                                        3⤵
                                                                          PID:2076
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A
                                                                          3⤵
                                                                            PID:1824
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd /c start /min r.bat
                                                                            3⤵
                                                                              PID:2032
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /K r.bat
                                                                                4⤵
                                                                                  PID:2620
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    cmd /min /c del "C:\Users\Admin\Tools\ICUAudioSoftware\r.bat"
                                                                                    5⤵
                                                                                      PID:2804
                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                      Taskkill /IM cmd.exe /F
                                                                                      5⤵
                                                                                      • Kills process with taskkill
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2924

                                                                            Network

                                                                            MITRE ATT&CK Enterprise v15

                                                                            Replay Monitor

                                                                            Loading Replay Monitor...

                                                                            Downloads

                                                                            • C:\Users\Admin\Tools\ICUAudioSoftware\r.bat
                                                                              Filesize

                                                                              172B

                                                                              MD5

                                                                              f6a86f75a098305a18cafbe90984fdb8

                                                                              SHA1

                                                                              0b2b5145b221487c975fb8a37894539f8af096b0

                                                                              SHA256

                                                                              a28ad4e445a5069bb621efc516147c60248369f5fc100ee935974a9b556fb273

                                                                              SHA512

                                                                              bee4c243f3a60f1778c5051d0a023afde678979a5da8db23f8811654afe468a06af6181c8338fc02d755dc223c52c653baa7abab8e941aac4cf335b7fabaac47

                                                                              Download Submit

                                                                            • C:\Users\Admin\Tools\ICUAudioSoftware\settings.ini
                                                                              Filesize

                                                                              1.7MB

                                                                              MD5

                                                                              b226fcb1d5fc245b5ad372151ea33ed8

                                                                              SHA1

                                                                              ac6941c5234179a2bc8306b238413a1c740fdcfa

                                                                              SHA256

                                                                              daa273100ae0fdfa7aae5c6687c0e8130a68a7abae55c8380b38b9278e2c18a9

                                                                              SHA512

                                                                              786f2398e114e02dac925c088774a2ed895546978f1b3cb6cc944efdeabf1ec5458136caf09c3932014fbfdf0ab43fae11c11aad35f53dcbcec4b408efc8017f

                                                                              Download Submit

                                                                            • C:\Users\Admin\Tools\ICUAudioSoftware\wxwidgetsforms2.dll
                                                                              Filesize

                                                                              2.0MB

                                                                              MD5

                                                                              9e11ac70407744bea597411f505d16b8

                                                                              SHA1

                                                                              90fddf31c2def7b655742a0f98181ee47b2835c8

                                                                              SHA256

                                                                              69977ef94e7abde5e40ebb1b2d639e3ae396c831a0b8671bdcd141f5f101a344

                                                                              SHA512

                                                                              fb68fa59897d95d1a909fcb32876efcc53880fbb804ad3ebbc97fbd4eee0cf4364f43517e92245754975a1c00ecca032b06efa03791d7179f1eb6d08620cde64

                                                                              Download Submit

                                                                            • \Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
                                                                              Filesize

                                                                              2.6MB

                                                                              MD5

                                                                              54716603e1b2d01a507d5d0a3a3a104c

                                                                              SHA1

                                                                              93b0407a05891fb797e3083c374af2e0dfb30634

                                                                              SHA256

                                                                              595017621ccc2b26e23d39c720c6bfaf29aa17997b59a8ba7e4506eea252b8ed

                                                                              SHA512

                                                                              b3ea1beef7f4b05afc5405877282f5d9c3588fb2bd0cdaa5616b82cbd752dec471e6d87a5ea16a478e3a26500c764a2bd38fd0e02a354029dee4e023d261aff0

                                                                              Download Submit

                                                                            • memory/2672-33-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-32-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-27-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-34-0x0000000002820000-0x0000000004920000-memory.dmp

                                                                              Filesize

                                                                              33.0MB

                                                                              Download

                                                                            • memory/2672-35-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-36-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-37-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-38-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-39-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-41-0x0000000001120000-0x0000000001417000-memory.dmp

                                                                              Filesize

                                                                              3.0MB

                                                                              Download

                                                                            • memory/2672-26-0x0000000002820000-0x0000000004920000-memory.dmp

                                                                              Filesize

                                                                              33.0MB

                                                                              Download