Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 15:04
Static task
static1
Behavioral task
behavioral1
Sample
fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe
Resource
win7-20240221-en
General
-
Target
fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe
-
Size
8.2MB
-
MD5
bafdcdfdac4e0d5a835c1048af2a3815
-
SHA1
8ed85a4739ab5945ee21e05947eb204ef04bcc02
-
SHA256
fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3
-
SHA512
cebd84cc2763126fb041bfb2bde31447c3bc09af08bbd6087bbc7640d7a64a5edc158916db639f590e74439eb7b9e057bf70b98d74aff8f27c2c2ffc7e69a743
-
SSDEEP
196608:oPGZKb8E61MymPXM+MnOLEntvs+qfR4NQU/qsnZuv7:Jo61Vq6nOgteYQU/1uj
Malware Config
Signatures
-
Babadeda Crypter 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023473-652.dat family_babadeda -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation irsetup.exe -
Executes dropped EXE 2 IoCs
pid Process 1888 irsetup.exe 2132 csvhelper.exe -
Loads dropped DLL 3 IoCs
pid Process 1888 irsetup.exe 1888 irsetup.exe 2132 csvhelper.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000800000002333d-5.dat upx behavioral2/memory/1888-11-0x0000000000AF0000-0x0000000000ED8000-memory.dmp upx behavioral2/memory/1888-653-0x0000000000AF0000-0x0000000000ED8000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\z: csvhelper.exe File opened (read-only) \??\b: csvhelper.exe File opened (read-only) \??\e: csvhelper.exe File opened (read-only) \??\g: csvhelper.exe File opened (read-only) \??\h: csvhelper.exe File opened (read-only) \??\j: csvhelper.exe File opened (read-only) \??\k: csvhelper.exe File opened (read-only) \??\m: csvhelper.exe File opened (read-only) \??\n: csvhelper.exe File opened (read-only) \??\o: csvhelper.exe File opened (read-only) \??\t: csvhelper.exe File opened (read-only) \??\v: csvhelper.exe File opened (read-only) \??\x: csvhelper.exe File opened (read-only) \??\a: csvhelper.exe File opened (read-only) \??\i: csvhelper.exe File opened (read-only) \??\l: csvhelper.exe File opened (read-only) \??\q: csvhelper.exe File opened (read-only) \??\w: csvhelper.exe File opened (read-only) \??\p: csvhelper.exe File opened (read-only) \??\r: csvhelper.exe File opened (read-only) \??\s: csvhelper.exe File opened (read-only) \??\u: csvhelper.exe File opened (read-only) \??\y: csvhelper.exe -
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2132-655-0x0000000000900000-0x000000000103F000-memory.dmp autoit_exe behavioral2/memory/2132-656-0x0000000000900000-0x000000000103F000-memory.dmp autoit_exe behavioral2/memory/2132-658-0x0000000000900000-0x000000000103F000-memory.dmp autoit_exe behavioral2/memory/2132-660-0x0000000000900000-0x000000000103F000-memory.dmp autoit_exe behavioral2/memory/2132-662-0x0000000000900000-0x000000000103F000-memory.dmp autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} irsetup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" irsetup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 irsetup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\CsvHelper\\7-zip.dll" irsetup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" irsetup.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1888 irsetup.exe 1888 irsetup.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target PID 2352 wrote to memory of 1888 2352 fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe 98 PID 2352 wrote to memory of 1888 2352 fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe 98 PID 2352 wrote to memory of 1888 2352 fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe 98 PID 1888 wrote to memory of 2132 1888 irsetup.exe 105 PID 1888 wrote to memory of 2132 1888 irsetup.exe 105 PID 1888 wrote to memory of 2132 1888 irsetup.exe 105 PID 2132 wrote to memory of 3084 2132 csvhelper.exe 113 PID 2132 wrote to memory of 3084 2132 csvhelper.exe 113 PID 2132 wrote to memory of 3084 2132 csvhelper.exe 113 PID 2132 wrote to memory of 1640 2132 csvhelper.exe 115 PID 2132 wrote to memory of 1640 2132 csvhelper.exe 115 PID 2132 wrote to memory of 1640 2132 csvhelper.exe 115 PID 2132 wrote to memory of 180 2132 csvhelper.exe 117 PID 2132 wrote to memory of 180 2132 csvhelper.exe 117 PID 2132 wrote to memory of 180 2132 csvhelper.exe 117 PID 2132 wrote to memory of 3312 2132 csvhelper.exe 119 PID 2132 wrote to memory of 3312 2132 csvhelper.exe 119 PID 2132 wrote to memory of 3312 2132 csvhelper.exe 119 PID 2132 wrote to memory of 3724 2132 csvhelper.exe 121 PID 2132 wrote to memory of 3724 2132 csvhelper.exe 121 PID 2132 wrote to memory of 3724 2132 csvhelper.exe 121 PID 2132 wrote to memory of 2484 2132 csvhelper.exe 123 PID 2132 wrote to memory of 2484 2132 csvhelper.exe 123 PID 2132 wrote to memory of 2484 2132 csvhelper.exe 123 PID 2132 wrote to memory of 1500 2132 csvhelper.exe 125 PID 2132 wrote to memory of 1500 2132 csvhelper.exe 125 PID 2132 wrote to memory of 1500 2132 csvhelper.exe 125 PID 2132 wrote to memory of 1752 2132 csvhelper.exe 128 PID 2132 wrote to memory of 1752 2132 csvhelper.exe 128 PID 2132 wrote to memory of 1752 2132 csvhelper.exe 128 PID 2132 wrote to memory of 3012 2132 csvhelper.exe 130 PID 2132 wrote to memory of 3012 2132 csvhelper.exe 130 PID 2132 wrote to memory of 3012 2132 csvhelper.exe 130 PID 2132 wrote to memory of 4652 2132 csvhelper.exe 132 PID 2132 wrote to memory of 4652 2132 csvhelper.exe 132 PID 2132 wrote to memory of 4652 2132 csvhelper.exe 132 PID 2132 wrote to memory of 1256 2132 csvhelper.exe 134 PID 2132 wrote to memory of 1256 2132 csvhelper.exe 134 PID 2132 wrote to memory of 1256 2132 csvhelper.exe 134 PID 2132 wrote to memory of 1052 2132 csvhelper.exe 136 PID 2132 wrote to memory of 1052 2132 csvhelper.exe 136 PID 2132 wrote to memory of 1052 2132 csvhelper.exe 136 PID 2132 wrote to memory of 4212 2132 csvhelper.exe 138 PID 2132 wrote to memory of 4212 2132 csvhelper.exe 138 PID 2132 wrote to memory of 4212 2132 csvhelper.exe 138 PID 2132 wrote to memory of 4708 2132 csvhelper.exe 140 PID 2132 wrote to memory of 4708 2132 csvhelper.exe 140 PID 2132 wrote to memory of 4708 2132 csvhelper.exe 140 PID 2132 wrote to memory of 1424 2132 csvhelper.exe 142 PID 2132 wrote to memory of 1424 2132 csvhelper.exe 142 PID 2132 wrote to memory of 1424 2132 csvhelper.exe 142 PID 2132 wrote to memory of 1560 2132 csvhelper.exe 144 PID 2132 wrote to memory of 1560 2132 csvhelper.exe 144 PID 2132 wrote to memory of 1560 2132 csvhelper.exe 144 PID 2132 wrote to memory of 3356 2132 csvhelper.exe 146 PID 2132 wrote to memory of 3356 2132 csvhelper.exe 146 PID 2132 wrote to memory of 3356 2132 csvhelper.exe 146 PID 2132 wrote to memory of 3736 2132 csvhelper.exe 148 PID 2132 wrote to memory of 3736 2132 csvhelper.exe 148 PID 2132 wrote to memory of 3736 2132 csvhelper.exe 148
Processes
-
C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\fad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-817259280-2658881748-983986378-1000"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"C:\Users\Admin\AppData\Roaming\CsvHelper\csvhelper.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A4⤵PID:3084
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A4⤵PID:1640
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A4⤵PID:180
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A4⤵PID:3312
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A4⤵PID:3724
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A4⤵PID:2484
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A4⤵PID:1500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A4⤵PID:1752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A4⤵PID:3012
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A4⤵PID:4652
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A4⤵PID:1256
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A4⤵PID:1052
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A4⤵PID:4212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A4⤵PID:4708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A4⤵PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A4⤵PID:1560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A4⤵PID:3356
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A4⤵PID:3736
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:81⤵PID:4532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53220a6aefb4fc719cc8849f060859169
SHA185f624debcefd45fdfdf559ac2510a7d1501b412
SHA256988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA5125c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d
-
Filesize
1.3MB
MD5ac23d03c4b8d531016a3c1ebfa2bc91c
SHA111383627d5515ed2257f594db7fbce3a4b9106f8
SHA2560ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06
SHA512bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1
-
Filesize
326KB
MD5e7a789232ef503dcb4929791673009a3
SHA18bc28bce4c9d8b4a6e360100441ba54a878de4c1
SHA25689daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1
SHA5126439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87
-
Filesize
48KB
MD523c651b2ace76d42fec3989bcba3ce7b
SHA1378776d20133f20a4c42476bdcb0a408ef1dce1c
SHA2561b8410f839283a9483369dacdb22290b065ece6f00c026d953024666761532e2
SHA512e47ae720b9ee4388dacfdbf2ba1e2dc546cc01fdb25a6c82ceeeda03801e449f660e97b3bbb6f65b791bfc1566f21187053472022c6c7c0d68f8cf1187326ec8
-
Filesize
2.0MB
MD5349a1d8bb00ae11bbf535cd909838c65
SHA1c7b9d73580d6c733fbd5875bbccfbf3b792018e2
SHA25693e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4
SHA512f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51
-
Filesize
71KB
MD51059dc8eb23ef7cb4da1e1011c2c1802
SHA186ed8ef0d6cc9d9285bbb941905e06fbcda01dbe
SHA256f0b08ca9be07067d8c75eb11f0b2a38703e1038f40a3c2e06a992986d5622371
SHA512890a3e16db18f965e9ac6bf99bd351adf2dda3c927c75229244cbd93c8db3c1fcef251886e64ca8dbe6ebb5c4d1d71bcd1413b9b1e1927dc90ca1c708e85e5ec
-
Filesize
77KB
MD5add9f9f7c84af52fdcca1fadec989365
SHA15fe1a339ea598b455860f2e2cc98d3885de27b04
SHA256902df7bdccbf1fcb9a18be5926b589aaea1fe84c8f6646ca9c605b633ce428fc
SHA512be9ef0279be69b9c4c2d132aaba72e88469e89df5118b5e98fc4402ffbe8b7550d7db972aba2b8531117004e71b4a82574f78850ae4f9383d187f07b5a8dd375
-
Filesize
6.9MB
MD5f5de326683df44d71ed1b986fd836e0b
SHA133bc899da6afd2b82b27d59acd0844b521e57079
SHA25617c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f
SHA51212ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a
-
Filesize
3.9MB
MD51bf457ea201a3374f7c37f43d5c3ffdb
SHA1bf693ad6b3070cfb60902eeeb3a290bad531bbd0
SHA2569107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08
SHA512c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074