Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
10-04-2024 14:44
General
-
Target
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi
-
Size
6.5MB
-
MD5
9e2b456c62b027c89b36dc9109e50f01
-
SHA1
617fddb80de29bc455c0ecfd4b64d194fe911541
-
SHA256
e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909
-
SHA512
18ee2debeac010286291d3af38b46cb29d2503e8056b5ab74120e6934e4b16396d894e323dc11eb5cd1902ea0c30fbac75f03dbda74ea670d3828d7b6318bf59
-
SSDEEP
98304:5p4wd88KSX2ylsm84rfq/03ZUVaxNv3DiPF1D/lAd3YR77vhBLAbRGH1oVda3WHx:Iwe8B21mNfq/0+IxgP5sE77vfLe04rs
Malware Config
Signatures
-
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
-
Babadeda Crypter 2 IoCs
-
OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
-
Modifies file permissions 1 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 13 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e9a858127f5f6e5e0e94ed655a2bf9ed228f87bc99d9b12113e27dcc84be3909.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C15203D9BA38D081398EBB2EB6C75E742⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe"C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\files\se1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"4⤵
- Enumerates connected drives
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A5⤵
-
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-35b19c36-2ebf-4c21-b7bf-34c2f33a7652\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "00000000000005B8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.2MB
MD56f7c8bbe4e94980ca7c1b878c048be94
SHA12ee86ce71bd986ff8e92f5a2b876098ccbab42dc
SHA256f7d0e68a4513d8de00698dda1aecfb5ca4efa1871c9141764ce641a0d1d034ae
SHA5124c811c848621873d871246ac654257954d569747653dbfaad40b434be155435590573699cd4b89eac5de1cab446571b8ac1ea1ec0d068b04bb769f983913983b
-
Filesize
16.5MB
MD5e3ffe9b1db336ca7f34e0f26215d4ee4
SHA13ec434df80529311342401ac7a7acd066e19c90f
SHA256700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
SHA51271168c55f1c159d48b11f951fae2c8686fc66e4e1ba57f5bc2904cc06af71d096ebc60220745133c83c5a06682621736c6f73261658af5ab086b5831f91c9a8b
-
Filesize
370B
MD51f828ebcc6e5cd2a5ac53647f113e3f0
SHA1d4d09f5b27806593c40f9946d667fef15fc62e05
SHA256b91602781fd052150b933f821d3dcc1f3aa54292ce2992ebd230ba923cdc9b1c
SHA51278b47da3343d3a0b64f37af9cefcf4b7d3a8c3665fcc9a429a77d1113408dcd53351472a69adf1060376b7b88b7bf2af91980031df4dd95cc887da403bbae2cd
-
Filesize
1012B
MD54ae0d5ecdb522602d02203df3669c86e
SHA117e78aa3fa85c88eed1520b64a27495bff0954d5
SHA25644ad1bb81f49b29e1f6ad0c984cde640eb84b05b1ea3a3230f5cdb9c8acc1353
SHA5125acaea126ee04a594e04285241461a2d16ebc5eee411950da8da6e2d3ed6bd11f7baf14f3bc8fe2ddd2b3c8b3e09f19773dc23d5089d186a12e4e705bb1de1b7
-
Filesize
1KB
MD59691b94a172d1a85cd7c0480374dce8d
SHA17876e66e3b7fe6a0901702701783322f256d9f47
SHA256e4af041724a180d517ca7b892d8754c9d8df263d355dd7ab6e166e50a5670a4a
SHA5121bb2b2061f977254dec7eed5803c49863e0b05a81e57aaa6c3eed7ba947234e16f773837ab0eb5d2e1ec4b4c5bab9e9fc9adcbbf08cd20d3f7652f605815e75e
-
Filesize
1KB
MD51a3bda6748819be0f045d7cada621b26
SHA16beaa019acc9aa0739154d8cf8f1d8110140ad82
SHA25653b40697ca818f8bbe75579027cd7e805dfc1f9e762dc874bd2727d8479e0e53
SHA512b0d246f846348bcab9f22591d25fbb9c79bd6f788ee72e6655232960aa3f459ba62755984fcd1e678ab0e2e2c2bec934ae74d3000eba7a83a21a03c268fd8827
-
Filesize
2.0MB
MD5349a1d8bb00ae11bbf535cd909838c65
SHA1c7b9d73580d6c733fbd5875bbccfbf3b792018e2
SHA25693e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4
SHA512f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51
-
Filesize
2KB
MD544018e1779270b083ad90da3dffe9b15
SHA1e09c06b564abe26bcf91ecb7632d761c3234b30d
SHA25671bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c
SHA512ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b
-
Filesize
4KB
MD5b3c74bb5250effad46ce11a96c9468c2
SHA13a339e244a29fe41d13fa4cc951a7e0a2862e299
SHA2565a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825
SHA512a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3
-
Filesize
4KB
MD53272be2da53b6d5271111431f7d90d28
SHA17ec382eee6282454d5b0b03751f3d14c568bbfa5
SHA2564e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982
SHA51245dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26
-
Filesize
2KB
MD5228d4bd899577ed16ad3ac74b592a0e6
SHA1baf99e34e126d6c41b7aa39caabc2376358bab70
SHA256fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5
SHA512285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc
-
Filesize
2KB
MD52719683b8dba819f2e6bd9e9b7307f1c
SHA16cbac17ebf8b56489ad8b8c458dd618b2788512a
SHA256316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a
SHA51296ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee
-
Filesize
6.9MB
MD5f5de326683df44d71ed1b986fd836e0b
SHA133bc899da6afd2b82b27d59acd0844b521e57079
SHA25617c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
SHA51212ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
3.9MB
MD51bf457ea201a3374f7c37f43d5c3ffdb
SHA1bf693ad6b3070cfb60902eeeb3a290bad531bbd0
SHA2569107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08
SHA512c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074
-
Filesize
368KB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
-
Filesize
7.2MB
