babadeda | deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa

Analysis

max time kernel
143s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a17eb22c96dfbefb792493dac7618c0.exe
Size

6.7MB
MD5

5a17eb22c96dfbefb792493dac7618c0
SHA1

178b7b1b0894ad100992f75b9529ae00d63a633c
SHA256

deb121bac1823d2de090b6816cbaffe8739600299b69789c109ac97a9477d5aa
SHA512

0c9d63c1f321df671e35463e9ad62b4ed1e6a6c2cb2cbc58cc652fde48bbde7f06a9325fc21f3c4c90c2aff62b402af75886962698781a885998932da164a297
SSDEEP

196608:Dt29v7XLTPmNbF6n1O4zGuY7gdDoqH9s7uHFsDKEz:yXwF6FSuMgFoy9s7uHFGR

Score

10^/10

babadeda darkvnc crypter discovery loader rat

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\base.xml	family_babadeda

DarkVNC
DarkVNC is a malicious version of the famous VNC software.
rat darkvnc

DarkVNC payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4700-509-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4700-508-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4700-513-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4700-516-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4700-515-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4700-514-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc
behavioral2/memory/4572-517-0x0000000000DC0000-0x00000000015F6000-memory.dmp	darkvnc
behavioral2/memory/4700-518-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp	darkvnc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5a17eb22c96dfbefb792493dac7618c0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	5a17eb22c96dfbefb792493dac7618c0.exe

Executes dropped EXE 1 IoCs

Processes:

smart-reports.exe

pid process

4572 smart-reports.exe
Loads dropped DLL 1 IoCs

Processes:

smart-reports.exe

pid process

4572 smart-reports.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

smart-reports.exe

description pid process target process

PID 4572 set thread context of 4700 4572 smart-reports.exe WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 4572 WerFault.exe smart-reports.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

smart-reports.exe

pid process

4572 smart-reports.exe

pid	process
4572	smart-reports.exe

pid	process
4572	smart-reports.exe

description	pid	process	target process
PID 4572 set thread context of 4700	4572	smart-reports.exe	WerFault.exe

pid	pid_target	process	target process
1512	4572	WerFault.exe	smart-reports.exe

pid	process
4572	smart-reports.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5a17eb22c96dfbefb792493dac7618c0.exesmart-reports.exe

description	pid	process	target process
PID 4204 wrote to memory of 4572	4204	5a17eb22c96dfbefb792493dac7618c0.exe	smart-reports.exe
PID 4204 wrote to memory of 4572	4204	5a17eb22c96dfbefb792493dac7618c0.exe	smart-reports.exe
PID 4204 wrote to memory of 4572	4204	5a17eb22c96dfbefb792493dac7618c0.exe	smart-reports.exe
PID 4572 wrote to memory of 4700	4572	smart-reports.exe	WerFault.exe
PID 4572 wrote to memory of 4700	4572	smart-reports.exe	WerFault.exe
PID 4572 wrote to memory of 4700	4572	smart-reports.exe	WerFault.exe
PID 4572 wrote to memory of 4700	4572	smart-reports.exe	WerFault.exe
PID 4572 wrote to memory of 4700	4572	smart-reports.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe
"C:\Users\Admin\AppData\Local\Temp\5a17eb22c96dfbefb792493dac7618c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe
  "C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 552
    3⤵
    - Program crash
    PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4572 -ip 4572
1⤵
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\base.xml

Filesize
153KB

MD5
e5ec46902cefd0660100572c6579d99e

SHA1
32f8085a1f929915ef2d5499986aa78a9714aab8

SHA256
c4dcc2efea6830ff42324c0036fd42ff63570c2ac5ef1eb165b1f6e8d9b7f6f7

SHA512
f5e3bd515a963e9994ec073f680e598e32b67effcf02c7b0dd105d3e1118b92bfc8a911329205a89a9e3d28b16d774305344e360724423ef62e04fbd290e1022

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\gtk-2.0\gtkrc.default

Filesize
79B

MD5
ddd31f8fc20ab0835c1e135f80d6db51

SHA1
2d598c52c17bbf076ee4c3b9e58e4fff6144ab6d

SHA256
fb749ac4812ba307bbb4c1e0b30175a88668fcb2eed702f780bd7da5987f9004

SHA512
d514da7b2f68096cd6bd258d28ac5948a594c9cca4cd9ff79364b50c85641f2e11befaf81508e42841373459647cbe7e7e7f9daa675bcdf4c93ea85dea0c1a42

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

Filesize
620KB

MD5
922cbda9db03264d92b763a1f56d3513

SHA1
28361496a5c0a5bcef95e3eba252a2a751cef011

SHA256
38c08cd6ab92f1ec985772028c4c86b2ed23446be256f18720c65036f8f18965

SHA512
8718358ac42c2959653b610580a63e4bf2cd97f0798ebb82f5238fefd7e683d0a17ea4c6c4103ee5610107745dfbf34717fbb8482c363d2d4aaed619b112189e

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\libftype-5.dll

Filesize
489KB

MD5
064fd0c14fcdc05fd21b8865897c61f0

SHA1
5351a1247c3a4c2736f948300116330cdc0e9071

SHA256
4cdd4644908bc246a337e6a2d7456cd785864ba8d67d948eb3f1706d06955889

SHA512
e7c564cdd21b48722cecf7a9448aa305697c18b024e3d38a9d822cab9a9d3b6463d8a7bfdf80a70a0e9c757126725693d3738b09a365c3cf98c770698aaf2bef

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_banner.html

Filesize
490B

MD5
5d1f7da1c3d95020a0708118145364d0

SHA1
02f630e7ac8b8d400af219bd8811aa3a22f7186e

SHA256
d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

SHA512
6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_no_mru.html

Filesize
1KB

MD5
20bbd307866f19a5af3ae9ebd5104018

SHA1
8e03c9b18b9d27e9292ee154b773553493df1157

SHA256
e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

SHA512
420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_connect_to_data_with_mru.html

Filesize
1KB

MD5
e6bc0d078616dd5d5f72d46ab2216e89

SHA1
f70534bb999bcb8f1db0cf25a7279757e794499f

SHA256
e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

SHA512
6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_landing.html

Filesize
720B

MD5
0a5b47256c14570b80ef77ecfd2129b7

SHA1
69210a7429c991909c70b6b6b75fe4bc606048ae

SHA256
1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

SHA512
5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_no_mru.html

Filesize
659B

MD5
eced86c9d5b8952ac5fb817c3ce2b8ba

SHA1
3ca24e69df7a4b81f799527a97282799fcd3f1e2

SHA256
3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

SHA512
a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\html\startpage_topstrip_with_mru.html

Filesize
798B

MD5
cc4d8a787ab1950c4e3aac5751c9fcde

SHA1
d026a156723a52c34927b5a951a2bb7d23aa2c45

SHA256
13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

SHA512
e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page.css

Filesize
2KB

MD5
f2ab3e5fb61293ae8656413dbb6e5dc3

SHA1
53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

SHA256
06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

SHA512
2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\res\public\en\stylesheets\start_page_landing.css

Filesize
282B

MD5
49617add7303a8fbd24e1ad16ba715d8

SHA1
31772218ccf51fe5955625346c12e00c0f2e539a

SHA256
b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

SHA512
9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

Filesize
2.9MB

MD5
91d96e9aad9f40a8758ed4300695dc53

SHA1
50ddf7f958766e134bd9f90a0b3c4daec71aa5b9

SHA256
d7e250b8cbfdf16407a12bd77640bb67db698eca2015d03f02de756e5e8d8bc7

SHA512
bcac09bd834de8036ff6c51ebc2f5050e1aa5167a5765fb2f40ef47faac64028ccc97e09456b91b64b50a4f80569992f227cb6e98eaecfaf2c37cbf3643c6bb0

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

Filesize
569KB

MD5
6f1a77632d71176e5861409d6c734a7e

SHA1
955ccd6f4958aae88c269ef86bc8bf7f4592bf8a

SHA256
04dd04b396efaadfd0fba5c07087b131622488d5db4fcbeb2c4c1428d1344afe

SHA512
d7752fccb762ffab622b6f0ded15b344e9c382cbc2fb2c9058ddf356f9e758436e728a41e4131f982ee10b0e1d3e060a7a74f13cfab21e7ab9dd83bdd11053a1

Download Submit
C:\Users\Admin\AppData\Roaming\SAP BusinessObjects\SBOP Crystal Reports\smart-reports.exe

Filesize
269KB

MD5
d80eb5893062c5dc7a733643e41265f8

SHA1
7700adf6d7f8a4c51b72eed49f2a7361c66b600d

SHA256
4da2d6e573a6694bcdd9dd830a13f0afa88781448920ba1702291591868450a4

SHA512
2fef0f8c5fa7666003fd23fca5628637258a52eabcf82a829ad8325ad14a662d4dea680a2cdb4725664f57ebb14cde06b54779c4f2bff9131d742717109bc266

Download Submit
memory/4204-500-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4572-504-0x0000000000DC0000-0x00000000015F6000-memory.dmp

Filesize
8.2MB

Download
memory/4572-517-0x0000000000DC0000-0x00000000015F6000-memory.dmp

Filesize
8.2MB

Download
memory/4700-509-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-508-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-513-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-516-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-515-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-514-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download
memory/4700-507-0x000001F7DFBF0000-0x000001F7DFBF1000-memory.dmp

Filesize
4KB

Download
memory/4700-518-0x000001F7DFD10000-0x000001F7DFDDA000-memory.dmp

Filesize
808KB

Download