Overview

overview

10

Static

static

1

98110cbc28...3c.exe

windows7-x64

10

98110cbc28...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    39s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    24-12-2024 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe

  • Size

    6.6MB

  • MD5

    f1844dddcce9f1ebc415a46c0c9dbcb3

  • SHA1

    150eb90cf1886e1065b4057ec0d144a39345d25d

  • SHA256

    98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c

  • SHA512

    b2b3d45aee7316d41a0a85daa3d700329d76eead3288268402728b44c201cf1779722d16dc2a89a3e2143005f452111e7a1e029c89416d283dcb5c57e122ef9a

  • SSDEEP

    98304:uPdx/6o/EJ6N6ExIxrnumYqQ2LTihx2rds1Uq2T/flOgbBkvBbmvdY78CD+Lv4sC:uL6ocnT1GhkYgbBk5SvW8CjQvNm

Score
10/10
babadedacryptbotcrypterdiscoveryloaderspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

veogrm54.top

mornoi05.top

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • Babadeda family
    babadeda
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe
    "C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\adv1.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\98110cbc2802dc27b9d9fe5ba5ceeece06cf3ed93974dfeb1ce26f2b5c43e23c.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1734807294 " AI_EUIMSI=""
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1344
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD272EF8A522DD760F5157F45FDC9FC9 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F347CED7C231878DDF20533386002414
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2288
    • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker\gtlev.exe
      "C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker\gtlev.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\edpSMEdNDYLVk & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker\gtlev.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1784
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f77add0.rbs
    Filesize

    3KB

    MD5

    6290b5c30083548d7fcc8d2bdf685f28

    SHA1

    b0b5cd885f236fa5de2b21a1cffa19eec41764a7

    SHA256

    0766634bf39ad822595e54aebf2aab2833e4ad7df2db5415e36001e52bcf2294

    SHA512

    99a190cd57f7329031df5677461f42306097d5e381072a6d1a75251ddceb7304e39cb2ed8044949292b885cd2ffcf51d8083b4bf7bbb19a0ab7ff8eccadc47b5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    93c8e4e9fee56afc517a959df11efe9a

    SHA1

    e5da64ac3dc30e2f89493eeeb449fecf554a520c

    SHA256

    66d9c1aa95c855b412d7e5c3740da14f76ee3b127ac56471f866ec8995f1b80f

    SHA512

    70753472a6e7a08a89cfb86378f10caa40dfa1a916077030d48a900567fadf454e0d9e6f7dde72887811ef6bddfcf418fab976eca4cee924d515c32787d61d11

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d4059d26dd5bd27e4919fc005ce8d072

    SHA1

    9a7d17c977ddcdbc4dbfae1c321508f4ae876c75

    SHA256

    a6bdb1fedac390e7a4f03b9a0d4ceb16a1ab82875eeb3d9ac69a8e402de834bf

    SHA512

    e7b4a53c7b41cffa64aa3aa9d33512dbd356cc019a1a0e47ee4ec4646360e0d500ab1114ff206fd99d5670c750ec9d7c18be943d609f26111b50913b6c3b9b62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabA9C9.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSIAB96.tmp
    Filesize

    866KB

    MD5

    0be6e02d01013e6140e38571a4da2545

    SHA1

    9149608d60ca5941010e33e01d4fdc7b6c791bea

    SHA256

    3c5db91ef77b947a0924675fc1ec647d6512287aa891040b6ade3663aa1fd3a3

    SHA512

    f419a5a95f7440623edb6400f9adbfb9ba987a65f3b47996a8bb374d89ff53e8638357285485142f76758bffcb9520771e38e193d89c82c3a9733ed98ae24fcb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarA9EB.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\LICENSE.electron.txt
    Filesize

    1KB

    MD5

    f8436f54558748146ec7ebd61ca6ac38

    SHA1

    ef226e5b023d458efcdc59dc653694d89802f81c

    SHA256

    34f6f27c26d1bb8682ebb42ae401f558228fd608455bd7c6561d5fd500b7d05b

    SHA512

    5b310b48bbee286f03e645e4bfad0ec870a7c68c445d54f46f3eaaa9c427f9de6cd0561d451838bd53c78a5289e9f0bda19cda4257a4657580afa6c357913050

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\License.txt
    Filesize

    3KB

    MD5

    cbd32695674dcfba5c4609defcafdf55

    SHA1

    6f5c934cb49845af6b59683544a95a7e4b515dce

    SHA256

    2568688dd3418b21fd0d4cd416c1a759de9dae759e192bccf834d3ec2e1e7f2c

    SHA512

    ae430b2fee5864bb4130c44c26a90a2053b098c4e783ad0ad9c587b3e4fd1a38e7ad5d87c5af6e598ed7d1a6a766f104b4c07599fcd282248e655ffbac2c2668

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\ReadMe.txt
    Filesize

    19KB

    MD5

    8eb0d56c86da3080cfe2f9bab6d6318c

    SHA1

    a63256c40d34b844d2db2f2dfb2a6c068f2f1e19

    SHA256

    091cba047a79b4be6a10ff265153d44c8474cc24fbc0b9c17775f481738ae8dd

    SHA512

    12e15de204c2edf2ab4d57e2a35d96dc2d6296079ec1c86ceaaa7510336f9c57cc833c10ee50f592797c700dd729d3076065523ffb83b0deba5b872bd4eed249

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.batteries_v2.dll
    Filesize

    5KB

    MD5

    e3ddbe5680fad01d0e5b7b963181bc06

    SHA1

    becce75cda9222511e9f8d480b145ce6c24a6ccf

    SHA256

    07a2736df9434b0fbbc5c441a76726ca66eb21554622b5f09d797ea01df9f0c7

    SHA512

    055e2ae9079b2cb8de58f01ca19c8561c21349406186a1e884765aa074c57740e7e6c4a43c3e4a939f1316f4d8114671032d76f61deb9b0c7beb9c1d10076579

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.core.dll
    Filesize

    49KB

    MD5

    358bf09045a59a1b85acd9bc0a592904

    SHA1

    53cf59d7b192f570d528b4d5c72dfa7ac25e1d7b

    SHA256

    6be5d612830990f4185dea66b4baabe191d641a3a97e081a2f62fbadf2af5b0f

    SHA512

    8e99956faedd57e83fb46cc2de6d241be9ed6b0a6967b00f7518ff461d28dbb67a3b00cb8ed22981a635e0688b53c79a507f4d92af88f9f290980aa0bef5b555

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.provider.dynamic_cdecl.dll
    Filesize

    60KB

    MD5

    6a5e8f425d04f3bc66360f2bf07688a4

    SHA1

    e7627232fd39730d90f11d979f1dac6356a5244a

    SHA256

    2a45581e2ed65cae497a199a56f311fa08b3d8c1b777e936f15d04d0b96923d1

    SHA512

    06fc1c49b40edd398ab81505e906065d3c9b52782f7e310a71cb17ff27e5521249a6ca81e18e1a546186308cc872eb4a28acb120d055a04b31850bec1642d8e6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\SQLitePCLRaw.provider.e_sqlcipher.dll
    Filesize

    38KB

    MD5

    b7102f54d13af5f4b66b12692dde2d51

    SHA1

    8a5619c2aa731aacf9d83eaff3133fe0c63659db

    SHA256

    c6cb095cea1a39307a0579e9ec7c7d7161d04e88a245476417fe0c7d12a9b85e

    SHA512

    3577b57ca1656d0d939bf7a03f0d7d0a86c8797b57900f42690f83704681c7fdda0919158011c29ebea1aa66e53a28252cefa15c84a8e32df9e2ec41c128c433

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\Typography.GlyphLayout.dll
    Filesize

    27KB

    MD5

    3301fd842ac418cf18bc96fa52d2d497

    SHA1

    80b32039df1c2439046dfcb30120d7be8faceaab

    SHA256

    91ca98a59ce9b3347f6f23a0c52c714c4e56ae862956d9465e12e6d07ef87cd6

    SHA512

    051f218d9120f2e3d3e19301b73bf3d4fa0582456c032d6a3c2a05435754907092c41352b3ea9b2228a599081efd87bf7d32633d87adfebb197d5a1b265bc15f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\adv1.msi
    Filesize

    2.1MB

    MD5

    8657c28e9f944a3bcba1cf0cd42321c2

    SHA1

    c34d6c347f470f7a41f85a071dce9f8cdbcc3df5

    SHA256

    8102380bcead93c904a3fa33f982876ec45c8399b02d3933e653d574aed75b21

    SHA512

    1ea6533be362c67b695dc09a255bbb50dab98dd8405b1e5ddc913af8ddb650a31ad9c991744a66e74868a23faede2cb75222c3e3c9b9f1a840c2ff4b7799aa54

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\assets\goal_achieved.png
    Filesize

    102KB

    MD5

    a2b879334ed0ded12343695e26e30554

    SHA1

    581dcf49f959f35b13a71705b917a61658bd7836

    SHA256

    ecdbdf4a3a32936e79327fd7ca276340e89960ccb6caa665a27bbb8ea774c83d

    SHA512

    2050065d7d4eadebd7814e76a18039fecf6c93ae5d145777761caa452cbe3c7c4d7122ec709f60990254d2a4f4cff3dd0774a9fdca08c5aa8bd4c40d7a087ff0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\assets\goal_progress.png
    Filesize

    64KB

    MD5

    3559215a74e795f065a0eba888fab63e

    SHA1

    78834c228b2bcef9a2d22d8b407bff1901955043

    SHA256

    8eb9852560a3e6ed0790a8b40cedeeeff8a39d6f2985738ec81dfe9445f61d8a

    SHA512

    9e5fd39bb5e420f2172b25e15b75ed988fba1343925ad019d8636932dda9b20090e2f14ba48f3e1b003eb499910e43fd5870cd122188fc8eb39684e3253a8f2b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\gtlev.exe
    Filesize

    5.9MB

    MD5

    af3b4b796d3c7881b7422efc2373a218

    SHA1

    da90e86a22f9efdbd5b2c432c43b68748942f6ac

    SHA256

    6a011f69c225f5d61be0d47ec2115e5cd947e619c25dc2e8d300d835ed660168

    SHA512

    667a3f3a0730843d2b0486d4006b1ef4c9dce4d347a3eec37545ae87d3eb5fa2631e0ace3d5c9061f21650eeecee6ee7052f44774d09ee1cb7be1fc80253c22e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\libEGL.dll
    Filesize

    106KB

    MD5

    e4b0061bfc552111aa9f6a63ac61b1b9

    SHA1

    2f4f9a0e179eb17ff077c3bba30c09e1ea0e0c0f

    SHA256

    17c8685f54efd76ae5c3171f146910772b49a3d733cda66e2fbc5c64ce800214

    SHA512

    978d41141967fdbd509d081f1fb107f13c61eabb4e13712d7d4fef51997ad0273f211901ad46e0a352770fd849f15b878aff1b02b3600880160d1213dc9b53a4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\libGLES-v2.dll
    Filesize

    3.8MB

    MD5

    29932e03a19a2b989dad28988e6c6923

    SHA1

    d4466d0bb1934aa9595ee10cb8ccf779261cf292

    SHA256

    7ac9064ac42922e046c312527f87d0aad695147edec080e1aa9891d688962858

    SHA512

    d21e287dff7abe24f34b80fab2cc4e314f371e649ee8c809eb2908ca06b8d63304cd062f6bfeb9de3863cd84d8d3a96f82e06a9a75a4956de2448d9aeb14d0c7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\086FC1F\upd
    Filesize

    491KB

    MD5

    774b9fccb9d4832146800d65c765a8c1

    SHA1

    5478bd36d960a4ebfcf9f571ee21df9f9d4a3b00

    SHA256

    db87f2e28c29cca546be18fc5883bf4ab42c00aeb21e24e09fd92e226a4493cd

    SHA512

    cd641177bd25d98f7eec66854ee8fe24357a345c7dcc5db623ab032e782a1a40874772eda596b23fdafe37d96030accd3e3426abd26626a5c47288687eba2f19

    Download Submit

  • C:\Windows\Installer\MSIB0FF.tmp
    Filesize

    573KB

    MD5

    2a6c81882b2db41f634b48416c8c8450

    SHA1

    f36f3a30a43d4b6ee4be4ea3760587056428cac6

    SHA256

    245d57afb74796e0a0b0a68d6a81be407c7617ec6789840a50f080542dace805

    SHA512

    e9ef1154e856d45c5c37f08cf466a4b10dee6cf71da47dd740f2247a7eb8216524d5b37ff06bb2372c31f6b15c38101c19a1cf7185af12a17083207208c6ccbd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MSIAB09.tmp
    Filesize

    393KB

    MD5

    3d24a2af1fb93f9960a17d6394484802

    SHA1

    ee74a6ceea0853c47e12802961a7a8869f7f0d69

    SHA256

    8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

    SHA512

    f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

    Download Submit

  • \Users\Admin\AppData\Roaming\Johannes Passing\GRBackPro Maker 1.3.1.4\install\decoder.dll
    Filesize

    202KB

    MD5

    454418ebd68a4e905dc2b9b2e5e1b28c

    SHA1

    a54cb6a80d9b95451e2224b6d95de809c12c9957

    SHA256

    73d5f96a6a30bbd42752bffc7f20db61c8422579bf8a53741488be34b73e1409

    SHA512

    171f85d6f6c44acc90d80ba4e6220d747e1f4ff4c49a6e8121738e8260f4fceb01ff2c97172f8a3b20e40e6f6ed29a0397d0c6e5870a9ebff7b7fb6faf20c647

    Download Submit

  • memory/1192-184-0x0000000000FB0000-0x0000000001607000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1192-189-0x0000000000FB0000-0x0000000001607000-memory.dmp

    Filesize

    6.3MB

    Download