babadeda | ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc

General

Target

6678549db6974d6962363d8b82ee7be2.exe
Size

4.8MB
MD5

6678549db6974d6962363d8b82ee7be2
SHA1

b3fc1aca4ff8ad96d48895d7d9bc8e136151b844
SHA256

ad90d436c3465d6ae2f4bee7f0aafb828f150eff6a0a6c76fdd83c895b2070dc
SHA512

39ed85ba147bbfb9625afa993993867676ebfd6efddf43f49a0d838a498c6d6be45501a8f02f3be682b5711c38119899547301bb7a02e13c003614f13a4f13b1
SSDEEP

98304:nSibgJW3oGqaFvY9Jp+oyyuMNfyCUFStjqNsNM5NEQ2Z+dnPcMc:1TtY9JpXXuMNzUwANsu5z2Z+1cd

Score

10^/10

babadeda crypter loader

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml	family_babadeda

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6678549db6974d6962363d8b82ee7be2.tmp6678549db6974d6962363d8b82ee7be2.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6678549db6974d6962363d8b82ee7be2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6678549db6974d6962363d8b82ee7be2.tmp

Executes dropped EXE 3 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp6678549db6974d6962363d8b82ee7be2.tmpvolcenter.exe

pid process

4524 6678549db6974d6962363d8b82ee7be2.tmp
3848 6678549db6974d6962363d8b82ee7be2.tmp
3252 volcenter.exe
Loads dropped DLL 1 IoCs

Processes:

volcenter.exe

pid process

3252 volcenter.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp

pid process

3848 6678549db6974d6962363d8b82ee7be2.tmp
3848 6678549db6974d6962363d8b82ee7be2.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.tmp

pid process

3848 6678549db6974d6962363d8b82ee7be2.tmp

pid	process
4524	6678549db6974d6962363d8b82ee7be2.tmp
3848	6678549db6974d6962363d8b82ee7be2.tmp
3252	volcenter.exe

pid	process
3252	volcenter.exe

flow	ioc
58	api.ipify.org

pid	process
3848	6678549db6974d6962363d8b82ee7be2.tmp
3848	6678549db6974d6962363d8b82ee7be2.tmp

pid	process
3848	6678549db6974d6962363d8b82ee7be2.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.tmp6678549db6974d6962363d8b82ee7be2.exe6678549db6974d6962363d8b82ee7be2.tmp

description	pid	process	target process
PID 400 wrote to memory of 4524	400	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 400 wrote to memory of 4524	400	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 400 wrote to memory of 4524	400	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 4524 wrote to memory of 2620	4524	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 4524 wrote to memory of 2620	4524	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 4524 wrote to memory of 2620	4524	6678549db6974d6962363d8b82ee7be2.tmp	6678549db6974d6962363d8b82ee7be2.exe
PID 2620 wrote to memory of 3848	2620	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2620 wrote to memory of 3848	2620	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 2620 wrote to memory of 3848	2620	6678549db6974d6962363d8b82ee7be2.exe	6678549db6974d6962363d8b82ee7be2.tmp
PID 3848 wrote to memory of 3252	3848	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe
PID 3848 wrote to memory of 3252	3848	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe
PID 3848 wrote to memory of 3252	3848	6678549db6974d6962363d8b82ee7be2.tmp	volcenter.exe

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$70056,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe
"C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
3⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-59RLI.tmp\6678549db6974d6962363d8b82ee7be2.tmp" /SL5="$60184,4197708,831488,C:\Users\Admin\AppData\Local\Temp\6678549db6974d6962363d8b82ee7be2.exe" /VERYSILENT
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
"C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kaosdma.txt
Filesize
12B

MD5
8cf4dec152a9d79a3d62202b886eda9b

SHA1
0c1b3d3d02c0b655aa3526a58486b84872f18cc2

SHA256
c30e56c9c8fe30ffa4a4ff712cf2fa1808ee82ca258cd4c8ebefcc82250b6c01

SHA512
a5a65f0604f8553d0be07bd5214db52d3f167e7511d29cb64e3fa9d8c510cc79976ff2a5acb9b8c09b666f306ac8e4ad389f9a2de3ca46d57b1e91060a4c50fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KB11R.tmp\6678549db6974d6962363d8b82ee7be2.tmp
Filesize
92KB

MD5
57a06e07060d585c38dcc166d641e5c1

SHA1
c354fd98258370e716e3471b07b845629cce9619

SHA256
15121d314f6e6867076ac102ca2484f79a82accd3d10b2474a5249a56a02bb6c

SHA512
2ffe8735b69c2a05d52402db56366f11330a1a70820d4ed16a206aba4a896bd8858bbc2936ea0b0d6f42d80c0a537fe77b7c97d75fb8ba93e0962aaa7fbf83b2

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\menu.xml
Filesize
32KB

MD5
f7d3204f988639ac885aaf487784eed2

SHA1
be29d74eb70d1ffc9331575c546ae8e822fff709

SHA256
811c4039afefcf4b9437c90da42667c2465bfdd2e6754361267aa43e88827fc9

SHA512
44fbca7efb1e3b6c2b49ca7221d86ce23d308f2e232166fd6f85692dbdd931b67ecae9b40f80b36f18aa38544ecfb13a3183063bcc1fcbac205c79e841ba0182

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
Filesize
196KB

MD5
801591ff035ff7d05785157fbf977c31

SHA1
0f0e2538e622c9ca6f7ad133a4dea929765b01f1

SHA256
41871ccefc813203a0661763ab340dcabf449e0d76ff58d46c05f747e96ff4d3

SHA512
f6c7bdcf45a07f531ff9841198cee1cf5587acd5bd6223ab62429c755cb1baa217c691f5dd1715435ba4c36b81ab8941a883025e6ac5cc5070679abf208909fd

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\qclp.dll
Filesize
92KB

MD5
2d64bc914fcf5ed3e8e266eedb66b244

SHA1
a6bc1dc43e3fa094c01b36a5b5e43068d54e99d5

SHA256
11f8d59022e89e27a38367b0665528e01b4d193c6efb02c9941ad66230437ea2

SHA512
801a1f8225b757cfa64a1be363b6e86a78d2e65ab4aadfb30fc59c0610ca81949c462e4604c78fd05454603da675efd86c6750e195fe6ab848780a0a50337e5a

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
81KB

MD5
82b3c20f785bc7c3db291a734c2991ea

SHA1
85b969bebb947c8b8bf86e4315cf93cff288f0c3

SHA256
7115e8197092b5b5dae12ef8d12e1d16b58df3d5915fae0040dcf8a9528e88b9

SHA512
bd810f9382b98f81a5e92fbacffa26ee46c7316d52899f4306c4ac79788801cf98cb143152ddfff846f249db7d768c54dd63666d063ad2dfdbad3c3c07bdd2bb

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
139KB

MD5
7b2ed4e658885205038a38a55da93dea

SHA1
efe839d6b4e95ecd7eb210ccc94e7d4b492788ac

SHA256
28e1ae3685afe6a0d0421e1704023cc717ec2bb86b59be9c39ec218698ac4973

SHA512
8fac1d598496e907359e773a44567dc96c8d0cbe55cfe4d9e74329e9ecd4427fe71d32c1f7f648310267138cb40887b91269f0965d7ffe959c511a2218636e8e

Download Submit
C:\Users\Admin\AppData\Roaming\SharpShell Configurator\volcenter.exe
Filesize
121KB

MD5
9ed28c93a57204a74f55211b8900a1b1

SHA1
0241e2c2c074dc4097d9441646a66b18938d4324

SHA256
b32b321ddf33641ae04f85edd3d3501bd07d6a094e63db668b70d8b4f011a7d9

SHA512
c0d8b7bac1618cc21ae826c6eceb3c8223f76c16783e209ea8a3957787372b8ce258c2df68878c8398b3d070cac095baa0db35b07290feb1026a79cd09830d05

Download Submit
memory/400-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/400-13-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/400-2-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2620-9-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2620-473-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3252-467-0x0000000000400000-0x00000000008D2000-memory.dmp

Filesize
4.8MB

Download
memory/3848-17-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/3848-471-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4524-11-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/4524-6-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads