babadeda | fad9151bdf6b42b534a4eca9c0fa331970fc0596e1ffd4fcba245b2a1cfc936b

Resubmissions

09-04-2024 10:33

240409-mls8racg53 10

14-11-2022 09:44

221114-lqqgzsbf6y 10

Analysis

max time kernel
215s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
Size

10.7MB
MD5

60bce89d8df5caa28d3d73ee4c94313a
SHA1

878e237aeb528a1e4c6c3fe53cb4ffd1c420231e
SHA256

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d
SHA512

963629759df10731e7b49a113fd4eb462286d26d4b394bab89bea35f4515cc907d803b01313764b973ebd4876a40e2fff820ad6b10f7a142e74a31a836010665
SSDEEP

196608:yxthehwzf4soekmmf7zADj75xtw0QkyPAm2VxdG1P5K5S2njugWR:meCBoeq7adK7JonCxC7juR

Score

10^/10

babadeda fickerstealer crypter infostealer loader

Malware Config

Extracted

Family

fickerstealer

prunerflowershop.com:80

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda
Babadeda Crypter 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf family_babadeda
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf	family_babadeda

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Executes dropped EXE 3 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpalcodec.exe

pid process

4508 cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532 cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
4772 alcodec.exe
Loads dropped DLL 1 IoCs

Processes:

alcodec.exe

pid process

4772 alcodec.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid process

532 cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532 cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid process

532 cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	process
4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
4772	alcodec.exe

pid	process
4772	alcodec.exe

flow	ioc
42	api.ipify.org

pid	process
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

pid	process
532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmpcf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.execf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp

description	pid	process	target process
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 748 wrote to memory of 4508	748	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
PID 4508 wrote to memory of 1452	4508	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 1452 wrote to memory of 532	1452	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	alcodec.exe
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	alcodec.exe
PID 532 wrote to memory of 4772	532	cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp	alcodec.exe

C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
"C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$301D2,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe
"C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\is-U45CR.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U45CR.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp" /SL5="$401D4,10301284,798720,C:\Users\Admin\AppData\Local\Temp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.exe" /VERYSILENT
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe
"C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt
Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3IRV5.tmp\cf88923b7d0287884870af999a8d64f90c7deeb4c4d09feed406472ff259b30d.tmp
Filesize
3.0MB

MD5
e0058e78c38cdc18f30f3b2e508f7f82

SHA1
fea2c5bcf045677de140a66f69a1ce471fcd3592

SHA256
e952f410d2b4ad999407961619973f658b3fd7362e79becbb647b7e673b213b0

SHA512
c584594551132787fe1d428e6751187a4d6e5a9bc7c42b87b1d9a4f9c3f152673735f50b4114f61a6509bceebe4d777021bcc06dce20a2d0839325bc93cdb63d

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\FAQ.pdf
Filesize
859KB

MD5
7d48ba5bfc96796ab7dc48f6764aec44

SHA1
bec9f2d46ad903fdbf66a92aeb95c6da1d29441a

SHA256
4d8fa3c825223e76c1ec3a002ff10208a3d3a91366de8472d3afa61fdf3e0ab8

SHA512
71914f9266aca04de7e01d04fc7c213a82bb082968e4b8e88cc0e9bf765cb5e1d40a89cc994c03569533ec1355497e853a21a1ac22ae098de8a686241235ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\alcodec.exe
Filesize
3.5MB

MD5
f387a40e95f63b5647beecdd9c4bf80e

SHA1
6d3e94f983eb4260e828048f464febfe80fdc5cb

SHA256
f607c5c57a1dcfbf8f674519bd68358d147a93458ae18549c4eeea775d179118

SHA512
49ff23b2a024de3aa8384c5bd7743038af6c714d82deed2bf839e292ad7d188c220ed792de75f5b42d7da40a955ed78ceb4628100d8385de4ff149377dcc3e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Creative Labs OpenAl Codec\libftype-5.dll
Filesize
17.1MB

MD5
3399513c46e46661a9d6c59ec92aefe7

SHA1
696d40c6c74d5fdffe60880a454dfe69fd5400cb

SHA256
a545d9fdff40e69b99b5f4a118b43666ce6c4f63aec5ca6316b8749c68286eb3

SHA512
f3d3eb2491ff640830773dc2e536a8ad196f06a89075c7cd041467a1d08860232a35fcc2da8a20420f4003eb68ca06a66128d73ebd3dbf4a371e5deb4de54ce9

Download Submit
memory/532-467-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/532-17-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/748-12-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/748-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-464-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-469-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1452-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4508-10-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/4508-5-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/4772-470-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download
memory/4772-479-0x0000000000400000-0x0000000000A63000-memory.dmp

Filesize
6.4MB

Download