Analysis Overview
SHA256
bd8d1264a88d5cdd701a4ee909b70beaec39d216c988b33bfb30f25aee3540ee
Threat Level: Known bad
The file 04befedbe76440e1e24e59ff4244ce6a was found to be: Known bad.
Malicious Activity Summary
Babadeda
Babadeda Crypter
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-12-29 21:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 21:44
Reported
2023-12-30 02:38
Platform
win7-20231129-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3020 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe
"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 173.231.16.77:80 | api.ipify.org | tcp |
| MD | 45.142.212.149:80 | | tcp |
Files
memory/3020-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1628-557-0x0000000000400000-0x0000000000A0F000-memory.dmp
memory/3020-554-0x0000000004090000-0x000000000469F000-memory.dmp
memory/3020-548-0x0000000002930000-0x0000000002940000-memory.dmp
\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3020-559-0x0000000000400000-0x0000000000701000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 21:44
Reported
2023-12-30 02:37
Platform
win10v2004-20231215-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1824 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe | C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe
"C:\Users\Admin\AppData\Local\Temp\04befedbe76440e1e24e59ff4244ce6a.exe"
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
"C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
| MD | 45.142.212.149:80 | | tcp |
| US | 8.8.8.8:53 | 156.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/1824-0-0x0000000002720000-0x0000000002721000-memory.dmp
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
| MD5 | 183f44ca3a4f33e88bf1d80566db603b |
| SHA1 | 87634a0e5b32587088d8d800049c56076db15e47 |
| SHA256 | 5d92455f98253d7bdcd2a57d5cd73f749866794eb7730c2fa296800e45ceebb0 |
| SHA512 | b0cbf29e7dfec29830740cb13bbf11282794f9854bf2ecc574ade9f6d27994c2df1ec66ec22b7f490b45199ab9364abed02610fb120c3473959fed478c8f4299 |
C:\Users\Admin\AppData\Roaming\Smart Cleanup\libGLES-v2.dll
| MD5 | abbf4b4e4aad7213ac3939668e23f852 |
| SHA1 | 1b9d2ad0e5cdde8f3f497cfb07969a05f5047256 |
| SHA256 | 8bbd280dffe1fd7947b54c56c7f57543b35e4b03b35c359599af313dd6877596 |
| SHA512 | 3ebe9a0f17c24fcf83e264291b0a77deaf30e4da13bfc539081375db58b7e38329724847049b8adf77121c0998d95f3a4474b3fbc77c2a17a22c6489f779e4ac |
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
| MD5 | 6a375329aacf40e7d3e205b3cce8e806 |
| SHA1 | 6b9750a1f84dbfe3710ab83900d62e79a58a8850 |
| SHA256 | 03bcdf56ded7eaf83402048ed5db72941709bdb486fcc5ad03b06c0488ad3dc3 |
| SHA512 | 74f28e8d92e2579f8262d6c6f2ee77e05001a19a358c8922353efde58e7fd037fc442e0d832df52ff99c3bb9f07b57e484aad771b1afa93f8162f4d475dba009 |
C:\Users\Admin\AppData\Roaming\Smart Cleanup\SmartCleanup.exe
| MD5 | caee23d8e98273df92daabb889dba8a7 |
| SHA1 | fd60bc11426076a1485fbcd71fa26716cc584125 |
| SHA256 | df7cf012ae09f8db1bd8b7c1ea5dc200949d9f85aedcd6c282bc40e1eeeace6a |
| SHA512 | 7d7889e3d77d7406cf72c74789054cf5991323ccf89ed8a04abed091f18f8c007e651160f8014a8d1ca77c56ed0fcef77b624f15c0f9d8615f0dbbc8df38a20c |
memory/1536-557-0x0000000000400000-0x0000000000A0F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Smart Cleanup\libGLES-v2.dll
| MD5 | 5e788e7e416cfaddae77c191e07936c6 |
| SHA1 | b44255d02dcbe89c30cfe57c05621e9872cf1361 |
| SHA256 | ae4f240cb74678005efb11dab65ef82a01b5619ae117b6c9e2a3f9c986a16b4b |
| SHA512 | 2a1b5580dbed340cd508fd0270d23297d69985e2e89a15fda83ee0c4a7a16898414754b4a12136edad8f0e94b1ffa25cb5b6e753a62c6e88ac7521a8c6639fa3 |
C:\Users\Admin\AppData\Roaming\Smart Cleanup\menu.xml
| MD5 | a2ffbe69712106dc778625e3f55076da |
| SHA1 | 010f27681359f09dcce63349e5d7737c9b383eb7 |
| SHA256 | 618ff25fa1dbd690b0fa884238ab12a110821edbd6988c053ac8f64fe002796c |
| SHA512 | 5621258333581ebc20dd40c0331751334cb3536ca4e9dc81b5ac3b4ff1b344f8dd56eb5ca3bcc749e341a22186e93cb4119900ca6e18e0742c145e0c648f61f9 |
memory/1824-561-0x0000000000400000-0x0000000000701000-memory.dmp
C:\ProgramData\kaosdma.txt
| MD5 | 8cf4dec152a9d79a3d62202b886eda9b |
| SHA1 | 0c1b3d3d02c0b655aa3526a58486b84872f18cc2 |
| SHA256 | c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01 |
| SHA512 | a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd |