babadeda | 3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133

General

Target

3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe
Size

18.6MB
MD5

3855b55599f63e6ea548f4f67db30337
SHA1

020f554ff1e5609ce093b74e840a6cb1890d22da
SHA256

3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133
SHA512

cf72283103c55a68ebc9da25446c1a5d0c2111610901b11bbfae13f707b08a9a24eee9772c6b5e045d001d5248d535352debc7d37ed096590737f0e42a9189a8

Score

10^/10

babadeda crypter loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001ac4c-209.dat	family_babadeda
behavioral2/memory/368-260-0x0000000007100000-0x000000000C300000-memory.dmp	family_babadeda

Executes dropped EXE 4 IoCs

pid	Process
4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
4548	RdrVmpUninstall32.exe
368	topoedit.exe
852	accevent.exe

Loads dropped DLL 6 IoCs

pid	Process
368	topoedit.exe
852	accevent.exe
368	topoedit.exe
852	accevent.exe
852	accevent.exe
368	topoedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Detects BABADEDA Crypter 2 IoCs

Detects BABADEDA Crypter.

resource	yara_rule
behavioral2/files/0x000500000001ac4c-209.dat	BABADEDA_Crypter
behavioral2/memory/368-260-0x0000000007100000-0x000000000C300000-memory.dmp	BABADEDA_Crypter

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Accessibility\Blind Access\On = "1"	accevent.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
852	accevent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
368	topoedit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 4316	3580	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	69
PID 3580 wrote to memory of 4316	3580	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	69
PID 3580 wrote to memory of 4316	3580	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe	69
PID 4316 wrote to memory of 4548	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	70
PID 4316 wrote to memory of 4548	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	70
PID 4316 wrote to memory of 4548	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	70
PID 4316 wrote to memory of 368	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	72
PID 4316 wrote to memory of 368	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	72
PID 4316 wrote to memory of 368	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	72
PID 4316 wrote to memory of 852	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	73
PID 4316 wrote to memory of 852	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	73
PID 4316 wrote to memory of 852	4316	3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp	73

C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe
"C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\is-DO2D1.tmp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DO2D1.tmp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.tmp" /SL5="$30032,18615131,780800,C:\Users\Admin\AppData\Local\Temp\3ef991023da10580bfcb950599155dd3cd38dbf944728176ac61ced79a8aa133.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\RdrVmpUninstall32.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\RdrVmpUninstall32.exe"
    3⤵
    - Executes dropped EXE
    PID:4548
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\topoedit.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\topoedit.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:368
- - C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\accevent.exe
    "C:\Users\Admin\AppData\Roaming\GSA Search Engine Ranker\accevent.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Control Panel
    - Suspicious behavior: AddClipboardFormatListener
    PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-260-0x0000000007100000-0x000000000C300000-memory.dmp

Filesize
82.0MB

Download
memory/3580-115-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4316-118-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing