Analysis

  • max time kernel
    46s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 09:21

General

  • Target

    30a64c61e75d116f706c23f451abaca5.exe

  • Size

    5.9MB

  • MD5

    30a64c61e75d116f706c23f451abaca5

  • SHA1

    ed161a6087975bc583349e5109e2e425a20c11a4

  • SHA256

    4af4a3e76358c3a932e5fa2bd23af3f73880a0f24d0841c299bea7f35dec8283

  • SHA512

    785c4080092b8d2082d9439c2f3d15564f03f003d4b1831f6c975229c13be671a33c216c2f7d93d93601c375980aa999d030d3bb69032157792f7fbddd1f2765

  • SSDEEP

    98304:gAI+vDWbKaXOp1dFotsOfp8/+xBerRpHXaptins5mXj88ZlW7Xtj7sqXJN6zKT2T:HtCew+2sOfp6+rMKptOHXj88Z0PsqN6N

Malware Config

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe
    "C:\Users\Admin\AppData\Local\Temp\30a64c61e75d116f706c23f451abaca5.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe
      "C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    77b59e607a7befb44f6ba01c4225b38d

    SHA1

    2ce8fef8e47678a56f64132e25c45192dace88ad

    SHA256

    9f65636963deb701cd044b50aa795970aea0175c0bdbd3b95e8b35f3af5f3bf6

    SHA512

    b67df5e3335a4e0a8d158ab597fb8a7e17f586ddd593316615b72b1ff7f8a7ae68eff9ec4ab0ed01d928baba56e322bb9dbde3b87c3009cf9ee27a95493b4108

  • C:\Users\Admin\AppData\Local\Temp\CabCFEE.tmp

    Filesize

    17KB

    MD5

    9c8aa70e91dbdcf789657e35eb982924

    SHA1

    7d453a137bff431cfcd579080f955e7e4ab516cc

    SHA256

    ec27ffa1e04b10cd8f3a089ee4649ffb38a1c9e7341510ad9fa3167e36b9237b

    SHA512

    3446c311fc82ebc7f86b25e2410c1867c914faca998cd956fbc4709ee9722225d13984cdf22460ac6d508b8e1a140d9cdd9d20bd7695563e06ac9d4472806779

  • C:\Users\Admin\AppData\Local\Temp\TarD1B6.tmp

    Filesize

    37KB

    MD5

    85cdc4d7df0d4fb0e4e0bc3636608f6d

    SHA1

    dd747b71599752505b728f69e6eca6875e185b62

    SHA256

    370724bf5c51597effc8e9a49b6d0cf13ac0b237a7b11e02051d17a973ff8e6c

    SHA512

    f1f92a42473d3668969c4b7801273dcf9386504d67846328f7b0ebd73fd13fd1c080b52266ae0070586976a1f275f15cc164c77545b0afcec66f9118e2722209

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libpsl-5.dll

    Filesize

    119KB

    MD5

    fd00771af3ab0eabf852f9be957e5366

    SHA1

    a5512ea201d5b88c947bc12b947938bf466af870

    SHA256

    266ac671513198a7d0692fd922ff66131e6b58a9025119492da449a4ec16bd53

    SHA512

    5a5507ff2ee7bc51d6d1ba426081e23c2c980fa8951690420ff2b2cd51aa9859d615d44b8fa4a9958abae4876e39301e27546da6f5b2262a8c7c72138d57a120

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libqml2.dll

    Filesize

    7KB

    MD5

    d12741d09587b9fa64d7a1eb3a963783

    SHA1

    2f6ee591f5b768c2063c749b509bcf0ff19d70f8

    SHA256

    5d993d667ce5c54651fa305dd36b6a849fb860a1d5502f72c8bae45d57c4415a

    SHA512

    36d15705518432e3fd6e9e7e44a6bf868a80a79fa9edd2f94fbc76711219300fc6b0667ff333c65a7be358e2986dd33dadfd3eb5519933e0aee8a464ded11fd4

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

    Filesize

    25KB

    MD5

    c8880b114430be25faa55750eeeeed9c

    SHA1

    d150a1f14a09e08cdcbac35339b136adbbc10d14

    SHA256

    2d2186b2c002701a00853f0102c14693c20a3dc9300785b07b17cb9f7ce26104

    SHA512

    4c6ae5f549f11c46b4155a123f912637002801351207bccb1ffc32759064e3e12829168342863fa7bdb6b9a3524d2996a92f91b672cc1b2283bf1ec191ea9b72

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

    Filesize

    14KB

    MD5

    a91631ac1406c5622968a55d26ad44de

    SHA1

    1717cbfd6f0e70e337ef6c5060e216e5be825d4f

    SHA256

    496b71236ad5d0a3bfce18c30d54d44692a5b43ae4d1d5f33ed01462668df4e9

    SHA512

    d68a483835087d434479da212414d723cb629dbd1fbe8da6affdf139db86cc5c042c18684d03b8ed8fc4806a37d98915c7779101b5d23fcb6357468a4dcbc8d3

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

    Filesize

    81KB

    MD5

    816be3cc25e44ce12257f51daf0cf92e

    SHA1

    a5b81497d0f29aac7bb52d17a4e7a7f8e6d55649

    SHA256

    b3f839f211dd83448ee17952d775837d108143aca664cc6a31c86ccad044c40d

    SHA512

    968d63baec21b957fc0eb78c1cd92637b66a110c17feb0c22108e7d1a80d3d2387f67ab9b007b4f983607ed7ce9c7283342db7a750e8d88b46698f62bcba756d

  • C:\Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\ui.xml

    Filesize

    50KB

    MD5

    7b351b01d5bcad78d584cfa5b33f250a

    SHA1

    dc012f34b65d2e0cab0ae56f9f0ad2cac52a6d75

    SHA256

    2609c15a8d9816b652c41d6b6ceb3fb0fa8f33a6890c3909ee17a5f967b92abe

    SHA512

    f3103b6e52b1913f87c00c5459be43ba67816f93ac1d6b836e15df744443a3ef2e1c85e031e4e5753f0568b093e9fc982f646cf395d2b1aed729d265a89c33a4

  • \Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libpsl-5.dll

    Filesize

    41KB

    MD5

    d757c706b4b1c74257a9bddb8d47cc3c

    SHA1

    e8575f46a0135d09b6f00b76cd8d6e4498a9db24

    SHA256

    ee0003f39b905829c1a12e1336c58bbab2cde8318a73e9ce30e0dc1c9bd832b4

    SHA512

    d831f0c65a7114bad18231467f302786eda5d17fb45bda7113e06d5c41b1eed5e1ef8b00cc8b336709a4302b6fc36476eabc1b2d0fa832123207d46c7ffc83ba

  • \Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\libqml2.dll

    Filesize

    45KB

    MD5

    0433f58300126e6d479b86aab2e071bc

    SHA1

    53ffc13b3b4de8267a8bfb67daf483b39058146f

    SHA256

    69ef034f8a1856e7005b9bc424cf4db2b64de2c84d547143eb9fbf70c472dc51

    SHA512

    27e82df8d4a324bc63900bc46e4c1d48794b0ce6e41e7fbdcc8dcc3e3567e5705ad1cada1f67db36ffe6a2f3ca70921cbd865f232b221cd9ebe80c3fab4ddea7

  • \Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

    Filesize

    36KB

    MD5

    d8cfb4060ce7dc7a3653b4c44ea1628a

    SHA1

    d8b74c77097b44f4ca8b18da642301ab16ecc329

    SHA256

    fa06ecbe97aebe109546e37fa05fe507d648d3261f943beb6622a20a3ea7907e

    SHA512

    2ad471c3a97ead1d6b677aa93311390308cd65d08bffd64d637408eff059e2965307fc3bc858e5708dd32aec3df136120c7b38db0918a46b57eff3a385250896

  • \Users\Admin\AppData\Roaming\SQLite Development Team\SQLite Reporter Tool\sqlite3drv.exe

    Filesize

    39KB

    MD5

    46f2b501f9364eb37a3a70ff9a592e03

    SHA1

    9a7270006ac2602dabed32e2056e116d88bdc702

    SHA256

    8ca684a00cf34b77da0222e364abb9a4536eb303817cd4646d368a4653699139

    SHA512

    3b42129c89d5cd6e503fbcde0193fb59891260cdce24c840471837a455744cff292b7694d2d9b1f00caa97196162a2f0de7a33d6168aecd2bcb8741c7447f472

  • memory/1588-441-0x0000000000A50000-0x0000000000A60000-memory.dmp

    Filesize

    64KB

  • memory/1588-317-0x0000000000240000-0x0000000000783000-memory.dmp

    Filesize

    5.3MB

  • memory/2108-312-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2108-313-0x0000000003A70000-0x0000000003FB3000-memory.dmp

    Filesize

    5.3MB