babadeda | 29c9cf0b382b8b55e5eca9051e1a848f94fffce83c6061911c3790c80a4ae86d

General

Target

3d632bd26d3b9e97523dc8c9ea8c7aa5.exe
Size

22.1MB
MD5

3d632bd26d3b9e97523dc8c9ea8c7aa5
SHA1

837138c671370019337b7b75a98fdca4e93999e4
SHA256

29c9cf0b382b8b55e5eca9051e1a848f94fffce83c6061911c3790c80a4ae86d
SHA512

83734dbf5dcf8d6eed8b188eb0ab93030ee53c0b47dcce2f52a5680b3f1e3b625312745ab5c13fe32dc36d5963e378356ce7813c0a8389f54c08c583ca0353bc
SSDEEP

196608:GttgK19TxXaLttdCjwDhqTgcxx1gAIrJuHEUtFtLdTAfrJBPdYZ3r5kYA8YhW:4gKvlXaLttdC0w0cH1WuzjE2cT8YhW

Score

10^/10

babadeda crypter discovery loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\AudioGenie\menu.xml	family_babadeda

Executes dropped EXE 1 IoCs

Processes:

audiogenie.exe

pid process

892 audiogenie.exe
Loads dropped DLL 2 IoCs

Processes:

3d632bd26d3b9e97523dc8c9ea8c7aa5.exeaudiogenie.exe

pid process

2788 3d632bd26d3b9e97523dc8c9ea8c7aa5.exe
892 audiogenie.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

audiogenie.exe

pid process

892 audiogenie.exe
892 audiogenie.exe
892 audiogenie.exe
892 audiogenie.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

audiogenie.exe

description pid process

Token: SeDebugPrivilege 892 audiogenie.exe
Token: SeShutdownPrivilege 892 audiogenie.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

audiogenie.exe

pid process

892 audiogenie.exe
892 audiogenie.exe
892 audiogenie.exe

pid	process
892	audiogenie.exe

pid	process
2788	3d632bd26d3b9e97523dc8c9ea8c7aa5.exe
892	audiogenie.exe

pid	process
892	audiogenie.exe
892	audiogenie.exe
892	audiogenie.exe
892	audiogenie.exe

description	pid	process
Token: SeDebugPrivilege	892	audiogenie.exe
Token: SeShutdownPrivilege	892	audiogenie.exe

pid	process
892	audiogenie.exe
892	audiogenie.exe
892	audiogenie.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3d632bd26d3b9e97523dc8c9ea8c7aa5.exe

description	pid	process	target process
PID 2788 wrote to memory of 892	2788	3d632bd26d3b9e97523dc8c9ea8c7aa5.exe	audiogenie.exe
PID 2788 wrote to memory of 892	2788	3d632bd26d3b9e97523dc8c9ea8c7aa5.exe	audiogenie.exe
PID 2788 wrote to memory of 892	2788	3d632bd26d3b9e97523dc8c9ea8c7aa5.exe	audiogenie.exe
PID 2788 wrote to memory of 892	2788	3d632bd26d3b9e97523dc8c9ea8c7aa5.exe	audiogenie.exe

C:\Users\Admin\AppData\Local\Temp\3d632bd26d3b9e97523dc8c9ea8c7aa5.exe
"C:\Users\Admin\AppData\Local\Temp\3d632bd26d3b9e97523dc8c9ea8c7aa5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788

C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
"C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AudioGenie\JdbcOdbc.dll
Filesize
362KB

MD5
baac49411faed65f293b3d54625ae70c

SHA1
6d85b8f025815e4271e0ea71621f1ecd30b9f165

SHA256
8908bc55c3c1fba84d81760e01325f8fe1eb57e73bee730a0412137487b2e818

SHA512
f2f68d8fc2ce6e83f7d56155b83330e3150070d31f88e70d09cd89f7dead3882bf5cddd5802ac32656b07e90b5763e519398d05a219518abaa182ed188982515

Download Submit
C:\Users\Admin\AppData\Roaming\AudioGenie\Lang\en\Phototheca EULA.rtf
Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\AudioGenie\Lang\fr\searchhelp.rtf
Filesize
56KB

MD5
520077fd6d03c64c735258d4d87921d8

SHA1
1b8d82d7da2d85527ce91e72f179fb8a418d47de

SHA256
6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598

SHA512
8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Download Submit
C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Filesize
1.2MB

MD5
16c81e1284aa4ca6675c35c8b32997c0

SHA1
80db6617a288dff9b207581bf7457a61f8656d88

SHA256
1badbbeb160d367177340fe4185ea5ae681401670946116765a75b9aa900dd77

SHA512
f524ddb029f1147028f7611d66557c53b038af9bf08c57000cdd997cafd125cc7af749b0372578b5c5d64bc338dfb8ce2dade1a848de34c7057e632958a8c96d

Download Submit
C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Filesize
593KB

MD5
3fc09c89d130cf2379d9e59fdcec8260

SHA1
bab8c10d26e1dae59adecb8a9efe3959c98cb7c5

SHA256
e9330b165b7ba44ba60ee56719be98750bd02e8f0f3a098f26118a56d8eddcac

SHA512
48c4311735c8823b768b886a9723e0c0103a0e7c00224999280a7d29f6c204e6dde44b91c282f0a406add863650de2ad328fce1bc55e93f41321088078ced3ea

Download Submit
C:\Users\Admin\AppData\Roaming\AudioGenie\menu.xml
Filesize
268KB

MD5
d7cc61e7a215eab6da6a79f45f73c043

SHA1
8bff39555b42a2a5815c717817094eaee7401951

SHA256
c68910ff72d6dfc2803fcd8a8f94f1d963c6614bc609599de989841c10c51c06

SHA512
945e29bf3df81ec1e90949d7281612292a0ea60cedfc8fa8ec691c1c58e7da217f81e99d8a2fed868e3ba6768faef4de747a3552b93f90e479d660ca6424b085

Download Submit
\Users\Admin\AppData\Roaming\AudioGenie\JdbcOdbc.dll
Filesize
346KB

MD5
dfb30117da58f31d0e5a321bdd89971f

SHA1
0f1a990d3a5719fe8acc7c5f2656f5d65601dc11

SHA256
b1aec36de4b723744a21a9fd19f8764a04508264eba57b8b98c2e04e42d67c2d

SHA512
bf7688685898a35bcace6a2ea09b95bf1304330034c1b16526cb33674552015f16394ac4fc181c8669b8b6d5e7a50299496c5cc44b21c3f1b576ca2aa5e2de68

Download Submit
\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Filesize
1.8MB

MD5
12ff195ad8516ecf0418dbe0bdbcbd9b

SHA1
47ff8e1b2034737ef402ac7eaa62f11e3508d671

SHA256
98105bbff730442f6b37f926437ef74ea573e1cfd0e738694d80408c62480513

SHA512
168424dc2795b6f131db5ebc727f71220d703228331f7ea6776516a1b03c4e9dbee87e32d2c55e4d53e06701ca69c72d8e213424d0c880739d36afe3ea96da49

Download Submit
memory/892-264-0x0000000000DB0000-0x0000000001631000-memory.dmp

Filesize
8.5MB

Download
memory/892-269-0x0000000000DB0000-0x0000000001631000-memory.dmp

Filesize
8.5MB

Download
memory/2788-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-263-0x00000000031B0000-0x0000000003A31000-memory.dmp

Filesize
8.5MB

Download
memory/2788-268-0x00000000031B0000-0x0000000003A31000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing