Malware Analysis Report

2024-09-22 16:41

Sample ID 240101-vg83eaghb8
Target 3d632bd26d3b9e97523dc8c9ea8c7aa5
SHA256 29c9cf0b382b8b55e5eca9051e1a848f94fffce83c6061911c3790c80a4ae86d
Tags
babadeda crypter discovery loader
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

29c9cf0b382b8b55e5eca9051e1a848f94fffce83c6061911c3790c80a4ae86d

Threat Level: Known bad

The file 3d632bd26d3b9e97523dc8c9ea8c7aa5 was found to be: Known bad.

Malicious Activity Summary

babadeda crypter discovery loader

Babadeda Crypter

Babadeda

Babadeda family

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported  2024-01-01 16:59

Signatures

Babadeda Crypter

Description  N/A
Indicator  N/A
Process  N/A
Target  N/A

Babadeda family

babadeda

Unsigned PE

Description  N/A
Indicator  N/A
Process  N/A
Target  N/A

Analysis: behavioral1

Detonation Overview

Submitted  2024-01-01 16:58
Reported  2024-01-01 17:03
Platform  win7-20231215-en
Max time kernel  188s
Max time network  237s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d632bd26d3b9e97523dc8c9ea8c7aa5.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description  N/A
Indicator  N/A
Process  N/A
Target  N/A

Executes dropped EXE

Description  N/A
Indicator  N/A
Process  C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Target  N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description  Token: SeDebugPrivilege
Indicator  N/A
Process  C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Target  N/A

Description  Token: SeShutdownPrivilege
Indicator  N/A
Process  C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe
Target  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3d632bd26d3b9e97523dc8c9ea8c7aa5.exe

"C:\Users\Admin\AppData\Local\Temp\3d632bd26d3b9e97523dc8c9ea8c7aa5.exe"

C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe

"C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe"

Network

Country  Destination          Domain  Proto
DE       185.140.53.142:8282          tcp
DE       185.140.53.142:8282          tcp
DE       185.140.53.142:8282          tcp

Files

C:\Users\Admin\AppData\Roaming\AudioGenie\Lang\en\Phototheca EULA.rtf

MD5 9325aee138a4d9a15d651920fb403ffc
SHA1 19eb57cd989571fa8cd426cbd680430c0e006408
SHA256 9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35
SHA512 d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

C:\Users\Admin\AppData\Roaming\AudioGenie\Lang\fr\searchhelp.rtf

MD5 520077fd6d03c64c735258d4d87921d8
SHA1 1b8d82d7da2d85527ce91e72f179fb8a418d47de
SHA256 6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598
SHA512 8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe

MD5 12ff195ad8516ecf0418dbe0bdbcbd9b
SHA1 47ff8e1b2034737ef402ac7eaa62f11e3508d671
SHA256 98105bbff730442f6b37f926437ef74ea573e1cfd0e738694d80408c62480513
SHA512 168424dc2795b6f131db5ebc727f71220d703228331f7ea6776516a1b03c4e9dbee87e32d2c55e4d53e06701ca69c72d8e213424d0c880739d36afe3ea96da49

C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe

MD5 16c81e1284aa4ca6675c35c8b32997c0
SHA1 80db6617a288dff9b207581bf7457a61f8656d88
SHA256 1badbbeb160d367177340fe4185ea5ae681401670946116765a75b9aa900dd77
SHA512 f524ddb029f1147028f7611d66557c53b038af9bf08c57000cdd997cafd125cc7af749b0372578b5c5d64bc338dfb8ce2dade1a848de34c7057e632958a8c96d

memory/2788-263-0x00000000031B0000-0x0000000003A31000-memory.dmp

C:\Users\Admin\AppData\Roaming\AudioGenie\audiogenie.exe

MD5 3fc09c89d130cf2379d9e59fdcec8260
SHA1 bab8c10d26e1dae59adecb8a9efe3959c98cb7c5
SHA256 e9330b165b7ba44ba60ee56719be98750bd02e8f0f3a098f26118a56d8eddcac
SHA512 48c4311735c8823b768b886a9723e0c0103a0e7c00224999280a7d29f6c204e6dde44b91c282f0a406add863650de2ad328fce1bc55e93f41321088078ced3ea

memory/2788-261-0x0000000000400000-0x0000000000433000-memory.dmp

memory/892-264-0x0000000000DB0000-0x0000000001631000-memory.dmp

C:\Users\Admin\AppData\Roaming\AudioGenie\JdbcOdbc.dll

MD5 baac49411faed65f293b3d54625ae70c
SHA1 6d85b8f025815e4271e0ea71621f1ecd30b9f165
SHA256 8908bc55c3c1fba84d81760e01325f8fe1eb57e73bee730a0412137487b2e818
SHA512 f2f68d8fc2ce6e83f7d56155b83330e3150070d31f88e70d09cd89f7dead3882bf5cddd5802ac32656b07e90b5763e519398d05a219518abaa182ed188982515

C:\Users\Admin\AppData\Roaming\AudioGenie\menu.xml

MD5 d7cc61e7a215eab6da6a79f45f73c043
SHA1 8bff39555b42a2a5815c717817094eaee7401951
SHA256 c68910ff72d6dfc2803fcd8a8f94f1d963c6614bc609599de989841c10c51c06
SHA512 945e29bf3df81ec1e90949d7281612292a0ea60cedfc8fa8ec691c1c58e7da217f81e99d8a2fed868e3ba6768faef4de747a3552b93f90e479d660ca6424b085

\Users\Admin\AppData\Roaming\AudioGenie\JdbcOdbc.dll

MD5 dfb30117da58f31d0e5a321bdd89971f
SHA1 0f1a990d3a5719fe8acc7c5f2656f5d65601dc11
SHA256 b1aec36de4b723744a21a9fd19f8764a04508264eba57b8b98c2e04e42d67c2d
SHA512 bf7688685898a35bcace6a2ea09b95bf1304330034c1b16526cb33674552015f16394ac4fc181c8669b8b6d5e7a50299496c5cc44b21c3f1b576ca2aa5e2de68

memory/2788-268-0x00000000031B0000-0x0000000003A31000-memory.dmp

memory/892-269-0x0000000000DB0000-0x0000000001631000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted  2024-01-01 16:58
Reported  2024-01-01 17:02
Platform  win10v2004-20231222-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A