babadeda | 750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c

Analysis

max time kernel
154s
max time network
163s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-02-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
Size

4.0MB
MD5

fd0ed9f5ffa9c912ba8d677687776448
SHA1

b7abe535dccf587c80cbcd2d4cc0c30e330b3a54
SHA256

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c
SHA512

dc40402b2f77a3148a2ce3d86561b67c9c64a5a5492d7e6591c1bd2cd25de5d5a7e999637802b530b684d230b904a38b97ed95614ed5069f7d3293ca87bcf219

Score

10^/10

babadeda crypter loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000012624-60.dat	family_babadeda
behavioral1/memory/1556-61-0x0000000002680000-0x0000000004780000-memory.dmp	family_babadeda

Executes dropped EXE 1 IoCs

pid	Process
1556	AudioManagementConsole.exe

Loads dropped DLL 2 IoCs

pid	Process
1184	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
1556	AudioManagementConsole.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	AudioManagementConsole.exe
File opened (read-only)	\??\t:	AudioManagementConsole.exe
File opened (read-only)	\??\v:	AudioManagementConsole.exe
File opened (read-only)	\??\w:	AudioManagementConsole.exe
File opened (read-only)	\??\b:	AudioManagementConsole.exe
File opened (read-only)	\??\g:	AudioManagementConsole.exe
File opened (read-only)	\??\l:	AudioManagementConsole.exe
File opened (read-only)	\??\m:	AudioManagementConsole.exe
File opened (read-only)	\??\x:	AudioManagementConsole.exe
File opened (read-only)	\??\y:	AudioManagementConsole.exe
File opened (read-only)	\??\z:	AudioManagementConsole.exe
File opened (read-only)	\??\k:	AudioManagementConsole.exe
File opened (read-only)	\??\n:	AudioManagementConsole.exe
File opened (read-only)	\??\o:	AudioManagementConsole.exe
File opened (read-only)	\??\u:	AudioManagementConsole.exe
File opened (read-only)	\??\a:	AudioManagementConsole.exe
File opened (read-only)	\??\e:	AudioManagementConsole.exe
File opened (read-only)	\??\f:	AudioManagementConsole.exe
File opened (read-only)	\??\s:	AudioManagementConsole.exe
File opened (read-only)	\??\r:	AudioManagementConsole.exe
File opened (read-only)	\??\h:	AudioManagementConsole.exe
File opened (read-only)	\??\i:	AudioManagementConsole.exe
File opened (read-only)	\??\j:	AudioManagementConsole.exe
File opened (read-only)	\??\q:	AudioManagementConsole.exe

autoit_exe 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1556-63-0x0000000000300000-0x00000000005F7000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1556	1184	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	27
PID 1184 wrote to memory of 1556	1184	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	27
PID 1184 wrote to memory of 1556	1184	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	27
PID 1184 wrote to memory of 1556	1184	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	27
PID 1556 wrote to memory of 1660	1556	AudioManagementConsole.exe	30
PID 1556 wrote to memory of 1660	1556	AudioManagementConsole.exe	30
PID 1556 wrote to memory of 1660	1556	AudioManagementConsole.exe	30
PID 1556 wrote to memory of 1660	1556	AudioManagementConsole.exe	30
PID 1556 wrote to memory of 1108	1556	AudioManagementConsole.exe	32
PID 1556 wrote to memory of 1108	1556	AudioManagementConsole.exe	32
PID 1556 wrote to memory of 1108	1556	AudioManagementConsole.exe	32
PID 1556 wrote to memory of 1108	1556	AudioManagementConsole.exe	32
PID 1556 wrote to memory of 1528	1556	AudioManagementConsole.exe	34
PID 1556 wrote to memory of 1528	1556	AudioManagementConsole.exe	34
PID 1556 wrote to memory of 1528	1556	AudioManagementConsole.exe	34
PID 1556 wrote to memory of 1528	1556	AudioManagementConsole.exe	34
PID 1556 wrote to memory of 1520	1556	AudioManagementConsole.exe	36
PID 1556 wrote to memory of 1520	1556	AudioManagementConsole.exe	36
PID 1556 wrote to memory of 1520	1556	AudioManagementConsole.exe	36
PID 1556 wrote to memory of 1520	1556	AudioManagementConsole.exe	36
PID 1556 wrote to memory of 1208	1556	AudioManagementConsole.exe	38
PID 1556 wrote to memory of 1208	1556	AudioManagementConsole.exe	38
PID 1556 wrote to memory of 1208	1556	AudioManagementConsole.exe	38
PID 1556 wrote to memory of 1208	1556	AudioManagementConsole.exe	38
PID 1556 wrote to memory of 1120	1556	AudioManagementConsole.exe	40
PID 1556 wrote to memory of 1120	1556	AudioManagementConsole.exe	40
PID 1556 wrote to memory of 1120	1556	AudioManagementConsole.exe	40
PID 1556 wrote to memory of 1120	1556	AudioManagementConsole.exe	40
PID 1556 wrote to memory of 1760	1556	AudioManagementConsole.exe	42
PID 1556 wrote to memory of 1760	1556	AudioManagementConsole.exe	42
PID 1556 wrote to memory of 1760	1556	AudioManagementConsole.exe	42
PID 1556 wrote to memory of 1760	1556	AudioManagementConsole.exe	42
PID 1556 wrote to memory of 1112	1556	AudioManagementConsole.exe	44
PID 1556 wrote to memory of 1112	1556	AudioManagementConsole.exe	44
PID 1556 wrote to memory of 1112	1556	AudioManagementConsole.exe	44
PID 1556 wrote to memory of 1112	1556	AudioManagementConsole.exe	44
PID 1556 wrote to memory of 2028	1556	AudioManagementConsole.exe	46
PID 1556 wrote to memory of 2028	1556	AudioManagementConsole.exe	46
PID 1556 wrote to memory of 2028	1556	AudioManagementConsole.exe	46
PID 1556 wrote to memory of 2028	1556	AudioManagementConsole.exe	46
PID 1556 wrote to memory of 468	1556	AudioManagementConsole.exe	48
PID 1556 wrote to memory of 468	1556	AudioManagementConsole.exe	48
PID 1556 wrote to memory of 468	1556	AudioManagementConsole.exe	48
PID 1556 wrote to memory of 468	1556	AudioManagementConsole.exe	48
PID 1556 wrote to memory of 928	1556	AudioManagementConsole.exe	50
PID 1556 wrote to memory of 928	1556	AudioManagementConsole.exe	50
PID 1556 wrote to memory of 928	1556	AudioManagementConsole.exe	50
PID 1556 wrote to memory of 928	1556	AudioManagementConsole.exe	50
PID 1556 wrote to memory of 580	1556	AudioManagementConsole.exe	52
PID 1556 wrote to memory of 580	1556	AudioManagementConsole.exe	52
PID 1556 wrote to memory of 580	1556	AudioManagementConsole.exe	52
PID 1556 wrote to memory of 580	1556	AudioManagementConsole.exe	52
PID 1556 wrote to memory of 1604	1556	AudioManagementConsole.exe	54
PID 1556 wrote to memory of 1604	1556	AudioManagementConsole.exe	54
PID 1556 wrote to memory of 1604	1556	AudioManagementConsole.exe	54
PID 1556 wrote to memory of 1604	1556	AudioManagementConsole.exe	54
PID 1556 wrote to memory of 768	1556	AudioManagementConsole.exe	56
PID 1556 wrote to memory of 768	1556	AudioManagementConsole.exe	56
PID 1556 wrote to memory of 768	1556	AudioManagementConsole.exe	56
PID 1556 wrote to memory of 768	1556	AudioManagementConsole.exe	56
PID 1556 wrote to memory of 432	1556	AudioManagementConsole.exe	58
PID 1556 wrote to memory of 432	1556	AudioManagementConsole.exe	58
PID 1556 wrote to memory of 432	1556	AudioManagementConsole.exe	58
PID 1556 wrote to memory of 432	1556	AudioManagementConsole.exe	58

C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
"C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
  C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1556-61-0x0000000002680000-0x0000000004780000-memory.dmp

Filesize
33.0MB

Download
memory/1556-63-0x0000000000300000-0x00000000005F7000-memory.dmp

Filesize
3.0MB

Download