babadeda | 750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c

Analysis

max time kernel
134s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
28-02-2022 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
Size

4.0MB
MD5

fd0ed9f5ffa9c912ba8d677687776448
SHA1

b7abe535dccf587c80cbcd2d4cc0c30e330b3a54
SHA256

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c
SHA512

dc40402b2f77a3148a2ce3d86561b67c9c64a5a5492d7e6591c1bd2cd25de5d5a7e999637802b530b684d230b904a38b97ed95614ed5069f7d3293ca87bcf219

Score

10^/10

babadeda crypter loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e464-134.dat	family_babadeda
behavioral2/memory/2668-139-0x00000000036E0000-0x00000000057E0000-memory.dmp	family_babadeda

Executes dropped EXE 1 IoCs

pid	Process
2668	AudioManagementConsole.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	AudioManagementConsole.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	AudioManagementConsole.exe
File opened (read-only)	\??\n:	AudioManagementConsole.exe
File opened (read-only)	\??\w:	AudioManagementConsole.exe
File opened (read-only)	\??\q:	AudioManagementConsole.exe
File opened (read-only)	\??\s:	AudioManagementConsole.exe
File opened (read-only)	\??\x:	AudioManagementConsole.exe
File opened (read-only)	\??\a:	AudioManagementConsole.exe
File opened (read-only)	\??\g:	AudioManagementConsole.exe
File opened (read-only)	\??\i:	AudioManagementConsole.exe
File opened (read-only)	\??\j:	AudioManagementConsole.exe
File opened (read-only)	\??\p:	AudioManagementConsole.exe
File opened (read-only)	\??\h:	AudioManagementConsole.exe
File opened (read-only)	\??\k:	AudioManagementConsole.exe
File opened (read-only)	\??\t:	AudioManagementConsole.exe
File opened (read-only)	\??\z:	AudioManagementConsole.exe
File opened (read-only)	\??\r:	AudioManagementConsole.exe
File opened (read-only)	\??\u:	AudioManagementConsole.exe
File opened (read-only)	\??\v:	AudioManagementConsole.exe
File opened (read-only)	\??\b:	AudioManagementConsole.exe
File opened (read-only)	\??\e:	AudioManagementConsole.exe
File opened (read-only)	\??\l:	AudioManagementConsole.exe
File opened (read-only)	\??\m:	AudioManagementConsole.exe
File opened (read-only)	\??\o:	AudioManagementConsole.exe
File opened (read-only)	\??\y:	AudioManagementConsole.exe

autoit_exe 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2668-135-0x00000000008F0000-0x0000000000BE7000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3348	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2668	1660	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	80
PID 1660 wrote to memory of 2668	1660	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	80
PID 1660 wrote to memory of 2668	1660	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	80
PID 2668 wrote to memory of 4756	2668	AudioManagementConsole.exe	91
PID 2668 wrote to memory of 4756	2668	AudioManagementConsole.exe	91
PID 2668 wrote to memory of 4756	2668	AudioManagementConsole.exe	91
PID 2668 wrote to memory of 2300	2668	AudioManagementConsole.exe	93
PID 2668 wrote to memory of 2300	2668	AudioManagementConsole.exe	93
PID 2668 wrote to memory of 2300	2668	AudioManagementConsole.exe	93
PID 2668 wrote to memory of 2928	2668	AudioManagementConsole.exe	95
PID 2668 wrote to memory of 2928	2668	AudioManagementConsole.exe	95
PID 2668 wrote to memory of 2928	2668	AudioManagementConsole.exe	95
PID 2668 wrote to memory of 3880	2668	AudioManagementConsole.exe	97
PID 2668 wrote to memory of 3880	2668	AudioManagementConsole.exe	97
PID 2668 wrote to memory of 3880	2668	AudioManagementConsole.exe	97
PID 2668 wrote to memory of 228	2668	AudioManagementConsole.exe	99
PID 2668 wrote to memory of 228	2668	AudioManagementConsole.exe	99
PID 2668 wrote to memory of 228	2668	AudioManagementConsole.exe	99
PID 2668 wrote to memory of 2920	2668	AudioManagementConsole.exe	101
PID 2668 wrote to memory of 2920	2668	AudioManagementConsole.exe	101
PID 2668 wrote to memory of 2920	2668	AudioManagementConsole.exe	101
PID 2668 wrote to memory of 4092	2668	AudioManagementConsole.exe	103
PID 2668 wrote to memory of 4092	2668	AudioManagementConsole.exe	103
PID 2668 wrote to memory of 4092	2668	AudioManagementConsole.exe	103
PID 2668 wrote to memory of 3476	2668	AudioManagementConsole.exe	105
PID 2668 wrote to memory of 3476	2668	AudioManagementConsole.exe	105
PID 2668 wrote to memory of 3476	2668	AudioManagementConsole.exe	105
PID 2668 wrote to memory of 2768	2668	AudioManagementConsole.exe	107
PID 2668 wrote to memory of 2768	2668	AudioManagementConsole.exe	107
PID 2668 wrote to memory of 2768	2668	AudioManagementConsole.exe	107
PID 2668 wrote to memory of 3652	2668	AudioManagementConsole.exe	109
PID 2668 wrote to memory of 3652	2668	AudioManagementConsole.exe	109
PID 2668 wrote to memory of 3652	2668	AudioManagementConsole.exe	109
PID 2668 wrote to memory of 3712	2668	AudioManagementConsole.exe	111
PID 2668 wrote to memory of 3712	2668	AudioManagementConsole.exe	111
PID 2668 wrote to memory of 3712	2668	AudioManagementConsole.exe	111
PID 2668 wrote to memory of 1832	2668	AudioManagementConsole.exe	113
PID 2668 wrote to memory of 1832	2668	AudioManagementConsole.exe	113
PID 2668 wrote to memory of 1832	2668	AudioManagementConsole.exe	113
PID 2668 wrote to memory of 388	2668	AudioManagementConsole.exe	115
PID 2668 wrote to memory of 388	2668	AudioManagementConsole.exe	115
PID 2668 wrote to memory of 388	2668	AudioManagementConsole.exe	115
PID 2668 wrote to memory of 2168	2668	AudioManagementConsole.exe	117
PID 2668 wrote to memory of 2168	2668	AudioManagementConsole.exe	117
PID 2668 wrote to memory of 2168	2668	AudioManagementConsole.exe	117
PID 2668 wrote to memory of 1756	2668	AudioManagementConsole.exe	119
PID 2668 wrote to memory of 1756	2668	AudioManagementConsole.exe	119
PID 2668 wrote to memory of 1756	2668	AudioManagementConsole.exe	119
PID 2668 wrote to memory of 4440	2668	AudioManagementConsole.exe	121
PID 2668 wrote to memory of 4440	2668	AudioManagementConsole.exe	121
PID 2668 wrote to memory of 4440	2668	AudioManagementConsole.exe	121
PID 2668 wrote to memory of 2160	2668	AudioManagementConsole.exe	123
PID 2668 wrote to memory of 2160	2668	AudioManagementConsole.exe	123
PID 2668 wrote to memory of 2160	2668	AudioManagementConsole.exe	123
PID 2668 wrote to memory of 4700	2668	AudioManagementConsole.exe	125
PID 2668 wrote to memory of 4700	2668	AudioManagementConsole.exe	125
PID 2668 wrote to memory of 4700	2668	AudioManagementConsole.exe	125
PID 4700 wrote to memory of 4208	4700	cmd.exe	127
PID 4700 wrote to memory of 4208	4700	cmd.exe	127
PID 4700 wrote to memory of 4208	4700	cmd.exe	127
PID 4208 wrote to memory of 3084	4208	cmd.exe	129
PID 4208 wrote to memory of 3084	4208	cmd.exe	129
PID 4208 wrote to memory of 3084	4208	cmd.exe	129
PID 4208 wrote to memory of 3348	4208	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
"C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
  C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
    3⤵
    PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
    3⤵
    PID:228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
    3⤵
    PID:388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c start /min r.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K r.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /min /c del "C:\Users\Admin\Tools\ICUAudioSoftware\r.bat"
        5⤵
        
        PID:3084
    - - C:\Windows\SysWOW64\taskkill.exe
        
        Taskkill /IM cmd.exe /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2668-135-0x00000000008F0000-0x0000000000BE7000-memory.dmp

Filesize
3.0MB

Download
memory/2668-139-0x00000000036E0000-0x00000000057E0000-memory.dmp

Filesize
33.0MB

Download