Overview

overview

10

Static

static

3

5a17eb22c9...c0.exe

windows7-x64

10

5a17eb22c9...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    208s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2023 06:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a17eb22c96dfbefb792493dac7618c0.exe

  • Size

    6.7MB

  • MD5

    5a17eb22c96dfbefb792493dac7618c0

  • SHA1

    178b7b1b0894ad100992f75b9529ae00d63a633c

  • SHA256

    deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa

  • SHA512

    0c9d63c1f321df671e35463e9ad62b4ed1e6a6c2cb2cbc58cc652fde48bbde7f06a9325fc21f3c4c90c2aff62b402af75886962698781a885998932da164a297

  • SSDEEP

    196608:Dt29v7XLTPmNbF6n1O4zGuY7gdDoqH9s7uHFsDKEz:yXwF6FSuMgFoy9s7uHFGR

Score
10/10
babadedadarkvnccrypterdiscoveryloaderrat

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 1 IoCs
  • DarkVNC

    DarkVNC is a malicious version of the famous VNC software.

    ratdarkvnc
  • DarkVNC payload 7 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe
    "C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
      "C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe
        3⤵
          PID:816

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\base.xml
      Filesize

      347KB

      MD5

      3e727c84e0f78f84ec0e477e6341b6b3

      SHA1

      57897694f08e0cffc03dd08ca5bac1ddc35c571b

      SHA256

      40c1af3766f164764c52c298773c16b81969e0732f523714dcddea3a33b7caa9

      SHA512

      a80256ffb381cdfe782735bceb6fd75640bc0060b29dd85664d87431f36cfbcf03db260d717dde4eacb5951592d471492e98afb9d82b2f5141932405a45819b4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\gtk-2.0\gtkrc.default
      Filesize

      79B

      MD5

      ddd31f8fc20ab0835c1e135f80d6db51

      SHA1

      2d598c52c17bbf076ee4c3b9e58e4fff6144ab6d

      SHA256

      fb749ac4812ba307bbb4c1e0b30175a88668fcb2eed702f780bd7da5987f9004

      SHA512

      d514da7b2f68096cd6bd258d28ac5948a594c9cca4cd9ff79364b50c85641f2e11befaf81508e42841373459647cbe7e7e7f9daa675bcdf4c93ea85dea0c1a42

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll
      Filesize

      1.6MB

      MD5

      7fdcb015518bb4e0418f7b320a77c89f

      SHA1

      034d2bc09c09bb8be4a1bb04a3dbe2595b0d9c07

      SHA256

      395530da14ce2d58b7907560dc650716e8b1a4ff8f2a121bbcdcc8f724967a14

      SHA512

      132d37ed4dd98a2f6eb3c263806e17d0063abbc5e74b0f1c63bb6ffd6d4c027a624f19f9a0ef53769a7ee40f1e85176a4403f7c4a87a888699e231afd27f4133

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_banner.html
      Filesize

      490B

      MD5

      5d1f7da1c3d95020a0708118145364d0

      SHA1

      02f630e7ac8b8d400af219bd8811aa3a22f7186e

      SHA256

      d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

      SHA512

      6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_no_mru.html
      Filesize

      1KB

      MD5

      20bbd307866f19a5af3ae9ebd5104018

      SHA1

      8e03c9b18b9d27e9292ee154b773553493df1157

      SHA256

      e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

      SHA512

      420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_with_mru.html
      Filesize

      1KB

      MD5

      e6bc0d078616dd5d5f72d46ab2216e89

      SHA1

      f70534bb999bcb8f1db0cf25a7279757e794499f

      SHA256

      e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

      SHA512

      6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_landing.html
      Filesize

      720B

      MD5

      0a5b47256c14570b80ef77ecfd2129b7

      SHA1

      69210a7429c991909c70b6b6b75fe4bc606048ae

      SHA256

      1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

      SHA512

      5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_no_mru.html
      Filesize

      659B

      MD5

      eced86c9d5b8952ac5fb817c3ce2b8ba

      SHA1

      3ca24e69df7a4b81f799527a97282799fcd3f1e2

      SHA256

      3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

      SHA512

      a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_with_mru.html
      Filesize

      798B

      MD5

      cc4d8a787ab1950c4e3aac5751c9fcde

      SHA1

      d026a156723a52c34927b5a951a2bb7d23aa2c45

      SHA256

      13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

      SHA512

      e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page.css
      Filesize

      2KB

      MD5

      f2ab3e5fb61293ae8656413dbb6e5dc3

      SHA1

      53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

      SHA256

      06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

      SHA512

      2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page_landing.css
      Filesize

      282B

      MD5

      49617add7303a8fbd24e1ad16ba715d8

      SHA1

      31772218ccf51fe5955625346c12e00c0f2e539a

      SHA256

      b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

      SHA512

      9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
      Filesize

      1.7MB

      MD5

      f3fc32fb2b08da41962750825fa79eeb

      SHA1

      69a25923917c41662e7a4023b2b1ddef68324246

      SHA256

      6973c3db338a2960072e08b5b5d44bba07231bdf0c08461816b6d0048fc9a048

      SHA512

      cc26d61b3fbfaa790565fa1b13b594a2f10ca544bed8b19898ac5230e4a89d87b4f3c31df5c620a77f20e9871c83f1c6859039f4f84b4e7e1affe98644533c74

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
      Filesize

      846KB

      MD5

      bf4c00b49346792d6bdc397085b94842

      SHA1

      9f1dbebe27df4159e4cb76f25f4bbd485fbf8967

      SHA256

      28d383ea679bbb7c70ed5d563cc831e993f2381c619ede9bc15cec93d7e4cd17

      SHA512

      1ef37752f9913b964eccd14971432ddfb165a4383b3ca846f86aa06aa36240f9c7ebd9c968c2b7a7d9f8d49232b4d948c248e41830210b08f2231c897859e01a

      Download Submit

    • \Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll
      Filesize

      1.4MB

      MD5

      0fe43849709adc3a846f83d3389ef90a

      SHA1

      153e238922f71cc89222dd7bbd204332b452fe55

      SHA256

      189dcc7b0ef4e9cd344a081485218d483e8967be6fc872a7bde95433ef12dede

      SHA512

      ed95add653cc3440b30168e5609e2ed05c861f841e0f9ae63a34c88525094cee418004ee3b55a2647ee01d0715b9478f5be30ba6281bb574c83cf779779c4928

      Download Submit

    • \Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
      Filesize

      1.8MB

      MD5

      3ef8dbd491817f18ddf5747cd7480abd

      SHA1

      48ff4ac1ed283d689365cae47f1c89c14fe03f4f

      SHA256

      afab6e0479bf8f0a5e9c3bae5978bab546bccab841e90a42261498e2e2ad7528

      SHA512

      c72c90104db1159160f3d7279e9547464d4bac8e5ae11dc7541e67393a81eb07dc265077e12965bedbcb7a0010110fd731628d76d05235493b83c1656e135299

      Download Submit

    • memory/816-502-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

      Filesize

      4KB

      Download

    • memory/816-505-0x0000000000170000-0x0000000000171000-memory.dmp

      Filesize

      4KB

      Download

    • memory/816-503-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/816-508-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/816-509-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/816-510-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/816-511-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/816-513-0x0000000001BD0000-0x0000000001C9A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/1728-500-0x00000000009C0000-0x00000000011F6000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/1728-512-0x00000000009C0000-0x00000000011F6000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2788-497-0x0000000003220000-0x0000000003A56000-memory.dmp

      Filesize

      8.2MB

      Download

    • memory/2788-494-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

      Download