babadeda | ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-01-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6678549db6974d6962363d8b82ee7be2.exe
Size

4.8MB
MD5

6678549db6974d6962363d8b82ee7be2
SHA1

b3fc1aca4ff8ad96d48895d7d9bc8e136151b844
SHA256

ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc
SHA512

39ed85ba147bbfb9625afa993993867676ebfd6efddf43f49a0d838a498c6d6be45501a8f02f3be682b5711c38119899547301bb7a02e13c003614f13a4f13b1
SSDEEP

98304:nSibgJW3oGqaFvY9Jp+oyyuMNfyCUFStjqNsNM5NEQ2Z+dnPcMc:1TtY9JpXXuMNzUwANsu5z2Z+1cd

Score

10^/10

babadeda crypter loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml	family_babadeda

Executes dropped EXE 3 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp6678549db6974d6962363d8b82ee7be2.tmpvolcenter.exe

pid process

2336 6678549db6974d6962363d8b82ee7be2.tmp
2956 6678549db6974d6962363d8b82ee7be2.tmp
1092 volcenter.exe

pid	process
2336	6678549db6974d6962363d8b82ee7be2.tmp
2956	6678549db6974d6962363d8b82ee7be2.tmp
1092	volcenter.exe

Loads dropped DLL 5 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.tmpvolcenter.exe

pid	process
2388	6678549db6974d6962363d8b82ee7be2.exe
2676	6678549db6974d6962363d8b82ee7be2.exe
2956	6678549db6974d6962363d8b82ee7be2.tmp
2956	6678549db6974d6962363d8b82ee7be2.tmp
1092	volcenter.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp

pid process

2956 6678549db6974d6962363d8b82ee7be2.tmp
2956 6678549db6974d6962363d8b82ee7be2.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp

pid process

2956 6678549db6974d6962363d8b82ee7be2.tmp

flow	ioc
3	api.ipify.org

pid	process
2956	6678549db6974d6962363d8b82ee7be2.tmp
2956	6678549db6974d6962363d8b82ee7be2.tmp

pid	process
2956	6678549db6974d6962363d8b82ee7be2.tmp

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.tmp6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.tmp

description	pid	process	target process
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2388 wrote to memory of 2336	2388	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2336 wrote to memory of 2676	2336	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2676 wrote to memory of 2956	2676	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2956 wrote to memory of 1092	2956	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe
PID 2956 wrote to memory of 1092	2956	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe
PID 2956 wrote to memory of 1092	2956	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe
PID 2956 wrote to memory of 1092	2956	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$400F4,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70120,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt
Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D5MU8.tmp\6678549db6974d6962363d8b82ee7be2.tmp
Filesize
3.0MB

MD5
e1f761cde120ab5fb715eaa71bfdf516

SHA1
b56561aa0cbcd55eafeec32d6e88a9b3c503dfc2

SHA256
98a177df49a0e70e73202e033ed2e2a4e7e4d55f3a0824eff90b057ba34c3c90

SHA512
4bd1c4fdcc83c34ab89b7c68c926019c291d85e99fb16031ccf582215bb305635fff29a74c7b3306dcf8d13aa14901ed7a7ace59b55ec8d1b9e0e553ae94b591

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
Filesize
1.4MB

MD5
688580aee28364e47054759d00d5deb3

SHA1
d04e840dc6fbfd17ebde15b4f99555ea70e58dac

SHA256
fc287c98cfdcb42402750f949be8b0d391241925cc4debd3bd2ac37567c5b6c9

SHA512
56c26d4924d46966a6783a4b69e9f7ebb211a8309f846d9649c397f6c80556f8fdd43a551cd7879043b0ba59c15972f881dd0bd17d6930f129da63e90a15c8ff

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml
Filesize
863KB

MD5
cb2d543f6b9936599848824ddb769661

SHA1
707c7bf30bc47aab26780c70accaaa6824395aa1

SHA256
b3f91f360c775655a7c22acb7f81905c9f2b1217c456f0542418e2460c998191

SHA512
61e621aa47bacca92aafa8765c494871d3409b807427479fe6ab5cbc87f37310621710b7cd180ba894b7eee643ce9467fcdc625ecfa5c837480b4de845d23346

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
Filesize
2.2MB

MD5
9f87dd2c42e20f2ddda8945e37797cdf

SHA1
065b4f901eb52404fd1c87f2ec80d8cc1d55b30e

SHA256
301ca38c72885d3dfa043d7f2ce8bb0b06b6519dd691992fcc3841d0cc7a88c1

SHA512
ad6098b4cfb49c1aadaf6b1496a7430ec5cafd0e9e0886af1bbe9468eba27172d7b8f7eb62edf3025f319a18b82e2f8141b35a3b2e70dda23a837a6ba6d48479

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
697KB

MD5
20d63e4d1d3d46658ad8190d12ce226f

SHA1
fa85ac197fa74a86e7148fbbd970409dcfabc91f

SHA256
4e9b60406f83f95c951bc5e8ebec7f2a11fa7a8d60324ae991f87829252abc96

SHA512
857b877af96b9659b7e94ec4583c1d0fd285979f26d54d5cd0abab4ff48ae7426de5c5faadc2c846134331c108b221f7c649b949e80ea56af639cf4edce9841c

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
3.2MB

MD5
b27961b9dbd41f562f0243aa5ad527e1

SHA1
e154419c584057be1024892c918406b5ed128f79

SHA256
f72cfdc607db3acbfe90bca1ea74856419f41f8e3634e4ad2c62f421f771cb1a

SHA512
df80b8c4a033ca6a5754fe271b324faee6646676a3855e8dc179986a14d1a1a99672f6a4deee0c38ae71d45e01816b5de1d921ac415bf71b9bc44a006104d01b

Download Submit
\Users\Admin\AppData\Local\Temp\is-VHFJB.tmp\6678549db6974d6962363d8b82ee7be2.tmp
Filesize
2.4MB

MD5
c072361ac82755ffda80f067bb88ce3d

SHA1
6d7612ea450d83ec19b1fbee417ba988398fa379

SHA256
5c463d6e08109507f2bdf3738e6187061e3375a5d6b25cca367abc1b35f1e551

SHA512
e0860a24b74e77f7139415ce2a3ffeffb184176a596bfd3b6a33207a2eaeed5c243800cb02945674e7b12d63f530cc2c15ea8c1e29ed61b79bbe95a4d69a0fa7

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
Filesize
2.0MB

MD5
35a2e37dcaf6c1afbe1060840bdd11df

SHA1
ce5436b9cde7734a0b7026fde6c04acb0a062869

SHA256
15c35537fdb4359a27f8ed4d6fcc464288601730b40d40ca5591bc301c3a39b7

SHA512
12a0fe0410f06ec7ad86eae6cf7fe710bfafcbd17c7827c6e6a5b7cff653f7161aba814af4b30f525c83d40ff633f90bf72bdc887ae2fbb0a8a3d7892bbf4765

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
1.5MB

MD5
7a02ce6b522ba864109b8b45725be181

SHA1
8de711069679063678d23b053615a4174f83f278

SHA256
afd8679dacd4859db26d3557fe1fac43350eea39e0001865158e1a1cea02a9f1

SHA512
ca5694b0a9ab1591081e577feb9601108d5593a668667bdb5fb0e6398c528afb5d921f1c12ff4a92fcf2dabbe561fe4ce7ebad588de2d296a55fad699469c565

Download Submit
\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
1.4MB

MD5
5e2280b28757d342699e94953ecc6477

SHA1
8250222a4e90607205c7c96f4018a078db7836bc

SHA256
9dff030919c8f7c5cc221aab5c05307bfaf35a266a7ae58f9cdc11cf5a55ad5c

SHA512
27f72a7a147f613b6fee562960a3b096cd6817861a47d02056728a7d6cca449fcce61e18ab66f0434bfc890214f0ed52d80093d3f1a133648fd5705cc48619eb

Download Submit
memory/1092-470-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/2336-11-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2336-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2388-17-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2388-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2676-10-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2676-474-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2956-466-0x00000000044F0000-0x00000000049C2000-memory.dmp

Filesize
4.8MB

Download
memory/2956-460-0x0000000003F00000-0x0000000003F10000-memory.dmp

Filesize
64KB

Download
memory/2956-472-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2956-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download