babadeda | 561a27e811aa3a61afc77e1b4497c1d33aca7afd1adca5edbe4b5efa5bc38cd0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

814e4e665cbfbb465b3a779f790155c8.exe
Size

7.3MB
MD5

814e4e665cbfbb465b3a779f790155c8
SHA1

d4dd6edb535396bdfe4d1c21af4f9ea2a1ef3111
SHA256

561a27e811aa3a61afc77e1b4497c1d33aca7afd1adca5edbe4b5efa5bc38cd0
SHA512

0eced049e36574fcca36b09b75d59e85d1698ae2dbbf045e32205fbdb1b7bca1cc02776e0fce4f27e2fc166c8d966b2379f7ce5ab0c0aa1ebfe51df2f238eefb
SSDEEP

196608:6PGZKb8ENPo31FLd33n5D0U79EcnSPcoBXSciwxiRfDEC7:joNQFFLxGyKMGCcbsj7

Score

10^/10

babadeda crypter discovery loader upx

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml	family_babadeda

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

814e4e665cbfbb465b3a779f790155c8.exeirsetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	814e4e665cbfbb465b3a779f790155c8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	irsetup.exe

Executes dropped EXE 2 IoCs

Processes:

irsetup.execmsengine.exe

pid process

1388 irsetup.exe
3248 cmsengine.exe
Loads dropped DLL 2 IoCs

Processes:

irsetup.execmsengine.exe

pid process

1388 irsetup.exe
3248 cmsengine.exe

pid	process
1388	irsetup.exe
3248	cmsengine.exe

pid	process
1388	irsetup.exe
3248	cmsengine.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral2/memory/1388-11-0x0000000000140000-0x0000000000528000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral2/memory/1388-613-0x0000000000140000-0x0000000000528000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

1388 irsetup.exe
1388 irsetup.exe

pid	process
1388	irsetup.exe
1388	irsetup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

814e4e665cbfbb465b3a779f790155c8.exeirsetup.exe

description	pid	process	target process
PID 3560 wrote to memory of 1388	3560	814e4e665cbfbb465b3a779f790155c8.exe	irsetup.exe
PID 3560 wrote to memory of 1388	3560	814e4e665cbfbb465b3a779f790155c8.exe	irsetup.exe
PID 3560 wrote to memory of 1388	3560	814e4e665cbfbb465b3a779f790155c8.exe	irsetup.exe
PID 1388 wrote to memory of 3248	1388	irsetup.exe	cmsengine.exe
PID 1388 wrote to memory of 3248	1388	irsetup.exe	cmsengine.exe
PID 1388 wrote to memory of 3248	1388	irsetup.exe	cmsengine.exe

C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe
"C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\814e4e665cbfbb465b3a779f790155c8.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-1232405761-1209240240-3206092754-1000"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
"C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\152112324057
Filesize
77KB

MD5
784f0ed4feb5d62613a656ae9b2dba7a

SHA1
5c501f52e533931a140fb9bc9a11352f1964fbde

SHA256
0682749d042feb6a50386f251e36b17fb62490b6a4c52395d358721be7919990

SHA512
74dbd037e28df47c1659184921187270018e201d00d8b4f41d3a5270452db97f99ca6a641d3eeaf7c7bc23ed44b3b1701a73e124d17b1ce04c8ce750ecc210b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
Filesize
2KB

MD5
3220a6aefb4fc719cc8849f060859169

SHA1
85f624debcefd45fdfdf559ac2510a7d1501b412

SHA256
988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765

SHA512
5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
289KB

MD5
7342c49823b223d309d701c2b8bc2be7

SHA1
74b316dd680af56ff610e8920a888c7dae35ad6b

SHA256
8d662e87a181a5bb76fbb7fa2062f5878aca38189d9fd3b7002ea810117ba612

SHA512
54cdc44370e45690e077b2d46f33a10f5e9cb8e44444bda9be0535bafa596a0cbe25c9af92b16a5aaffd80b57e06fa91486e3e6555c47605794f64cbf77b071f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
143KB

MD5
cf1b42b098f31157070f6cbf67f609aa

SHA1
dc47fd664b81834e7386647e462766061189bbfe

SHA256
76b38a9e0e430094bf6113de89a5d267de451e8b9d1b1c151d8001f236dd122e

SHA512
f88dd02c234e0e35091fce32cf2a228d2171ba4504c89709006ef623ec7e77d2e57b3cc43e293728d460faf2ef41d9cfdfc51ebf0bf46517a4069915e4d74daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
669KB

MD5
a132e44e438da2c9e9d8c725026d25b3

SHA1
113effeac99b044d62a9f6746a6532600de695ac

SHA256
71a6a5de86a758b28a7f02ebe14804fc7fb1311220edd7616550c8cac956a5ea

SHA512
5e6bc45d0589572e53ec5a653105626c4c8eb87c8ebd8cda22cdf0a8b43ce8408dffa13a45dafd5c6f075a253f8923f762126e4755615e744db1f78bf3129ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
95KB

MD5
cb93f1e129e84ddd62ac202d804d7a4b

SHA1
1cfe018d4ceeb6003ff5139aab6de7ec2ce3f54d

SHA256
2fcf0af68e08f52d15a8ed455bfdf0060608261b353e6a8fad9cb36dca6ed48a

SHA512
9013d4634244e1629e5ce24368fa54657563a7c9f8cae3a913877efab24d1084688fd5608dce32e8f7df5a5fbd434b3783c70242c2f7f1f2bf831aeb2efe20bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
137KB

MD5
a2eacda9d529addeff750280e8a6ecde

SHA1
045d2d3b57d2709175628f74540818c2a846fc03

SHA256
902c93b5a69c72d9999e922af19bd34c6222043be5e7baf75f034fcd8433af65

SHA512
da6ac993fa45896fac6cf99a631f968ea4273ef3956c35a4ffab8d6dba7323048471d60fc9983a156ea8f7212184d2e81b4c0cb26fe03bd6f00848e7dfd5b584

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
Filesize
79KB

MD5
85889f4d7bebe3425502ed65424880d5

SHA1
6c2b30dff6608be4a9f24c05c02fac2177360c87

SHA256
d806c452be87903d4c624288371ab1ed886dd0a644bac63e8efc6375805360d3

SHA512
b15eb381b1c5398488d53d260b24f5f4f49ea23c7c516267e94adae4ed5889cb3e1ec452b4dfc8d0e1f9945cd24247569609218623130a811e98b8b592cfb256

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\Uninstall\uninstall.xml
Filesize
79KB

MD5
7f473f739d5afc986d1ba661cafa2bb9

SHA1
0788df9d3ca2e31e375a83485162859b949c2058

SHA256
dba90f415643cbf77dc8ad4d761e8481016918a4b6f39da4f414539c6d130b55

SHA512
2757e5280aa07eb83fed0442d43e197b5e91522d5b7820e5c50790dc294baffb9a6bd12a4759d5809af82d5d072ee299dc30f11439e56ebba9f03e411cf586b5

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
Filesize
582KB

MD5
d017bc780b3efe2ae3b01986b3d2d48d

SHA1
cb8544e47038b34f5e98ecf0774791aac77d078a

SHA256
1e7ef3846cdf9fc517a6021f74a5979d54de16a3d2a2eb377d62d5ac56e67ffe

SHA512
eaa73227b482d7c1948c777192fe0a0edc13b98313243ee2a726933d4e1ca0d1fd2ea66a572b8700b13d7756dab23d37e877c16765dc142a8db02a2ca1859e98

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
Filesize
457KB

MD5
f77b819e4559f406317ae26c31688e2d

SHA1
0e8421e32ae4fa0effbdf2cdfed62377f3a93450

SHA256
5fc271234ea11a33b4152974bae430d41d7ec193e602640a9c9b607bc69722c8

SHA512
cfdc6e0568f30f0dd8962b0e3544e6cb095df198eb63c4f2f429ceb1d67258923eeb963c3d5c7a834399ac34ed9dd6af436b66368cbc0747b1b6372e2bcc2043

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\cmsengine.exe
Filesize
394KB

MD5
b4cd9408d001da78feb0f366c0a747a3

SHA1
aba0dfcf0f6e694af6c6da8e1e8a6ff0fa2dadc1

SHA256
478b9a637f55676e987e8fe5d577b7dc1a32d6b86c4e22ebb9893365e0714a2b

SHA512
fb60a3de4ea39366a548ba8a74e094985a5af66901f0f64f1832e864423e96cae2f0977f33b6dc575681b4056dac935a42c0e11766225b1c6f254701b513bda3

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
Filesize
511KB

MD5
3f8e79e0485268234f42c97c18b0c917

SHA1
00492f969889a9b9ca0ef9ba05f5ca49fe78e07c

SHA256
706aad3366e057e0cb6effa9a4278c09f6bd25d82d5ddb4db9f1c29c740adfa3

SHA512
6e750b646d9c86b10a6852401d6fc7075cab8fe28d59b27876ec23b0007ce8acb84bb32a6bab65f2d2924d122b6ff8383fd54c7ff2092ad17ec72e4f7b4944be

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\libintl-8.dll
Filesize
476KB

MD5
7dd6d7846f93a0ddc5c8dd71df71dfcd

SHA1
64e66ec1b7f5303c1ebf2fa51b697af0c76e2489

SHA256
9c633d3f1f74d2bca837661d290150b3b04b6303fcea096a26210483f2f9af15

SHA512
62b783eb3c7660f7ca3fecddda5f2f662740feccc8677edbe217fed93261e8b6c18a37e46fb551d100b9a9786b0edf40fcf96059790478fc5f29b63c20d8b77c

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_banner.html
Filesize
490B

MD5
5d1f7da1c3d95020a0708118145364d0

SHA1
02f630e7ac8b8d400af219bd8811aa3a22f7186e

SHA256
d2d828c2c459b72ee378db6c5ac295315b8a783b7049032f92ed4fcb2a89684a

SHA512
6bbdaaef1478ffd9e9d3a95d300f35b9ac6f3ce6564e80734445a827ad8761233db36c679fac117f363bae27918983520f0e2f408205d3549b001fc4ae4c920c

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_no_mru.html
Filesize
1KB

MD5
20bbd307866f19a5af3ae9ebd5104018

SHA1
8e03c9b18b9d27e9292ee154b773553493df1157

SHA256
e4fe51c170e02a01f30a4db8b458fb9b8dee13a7740f17765ba4873fac62c5f7

SHA512
420a132ad4ba3a67f5b66a3e463c4fa495b7941d58d6d669a8c984380607a03f0afa1c92bcf1f8d1fc5d93838ea611f7f9cf439bb3ada0142431b119ddfad40d

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_connect_to_data_with_mru.html
Filesize
1KB

MD5
e6bc0d078616dd5d5f72d46ab2216e89

SHA1
f70534bb999bcb8f1db0cf25a7279757e794499f

SHA256
e8f50f17c994f394239350951a40c3454e9b52b0ca95cf342f2577828f390a54

SHA512
6ccd6e19ec63f20c86a28ccaffa609a2d0de7991a8eb2d6ea016bcc5d0e9f2fc28c33a15c4af891f28a9e1e4131f38f84f8e1a8859e020d6f267977075f7c66a

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_landing.html
Filesize
720B

MD5
0a5b47256c14570b80ef77ecfd2129b7

SHA1
69210a7429c991909c70b6b6b75fe4bc606048ae

SHA256
1934657d800997dedba9f4753150f7d8f96dd5903a9c47ed6885aabf563bf73d

SHA512
5ca22260d26ec5bb1d65c4af3e2f05356d7b144836790ac656bf8c1687dd5c7d67a8a46c7bde374ec9e59a1bedc0298a4609f229d997409a0cc5453ef102ecb2

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_no_mru.html
Filesize
659B

MD5
eced86c9d5b8952ac5fb817c3ce2b8ba

SHA1
3ca24e69df7a4b81f799527a97282799fcd3f1e2

SHA256
3988afa43d3c716ecbe4e261ff13c32fe67baaaf1718eac790040cff2aa4e44d

SHA512
a21e88968c30f14363a73dfd7801cea34255acb968160fad59d813bb64352583c8c4f6cd9d45811676ca5ca90a4250601a53e80b6f41d6727465f3a57e7423a1

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\html\startpage_topstrip_with_mru.html
Filesize
798B

MD5
cc4d8a787ab1950c4e3aac5751c9fcde

SHA1
d026a156723a52c34927b5a951a2bb7d23aa2c45

SHA256
13683e06e737e83ca94505b1cd1cd70f4f8b2cc5e7560f121a6e02ed1a06e7ee

SHA512
e0b01f5ee4da60e35a4eb94490bed815aea00382f3b9822b7c29294cf86a2fe480dba704f086a38f9d7aaf39e8160f49cf806b6b6c44651de56e290249dd9ebe

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page.css
Filesize
2KB

MD5
f2ab3e5fb61293ae8656413dbb6e5dc3

SHA1
53b3c3c4b57c3d5e2d9a36272b27786cd60f0eb5

SHA256
06db4d53adf4a1ecbc03ed9962af7f46fd3a54668d45907dc1737125e38ec192

SHA512
2c31cad868e1e5149a4308a149104ac3d88907894699fb0413860c8f578de32f6814b08d518de7a7fe3782f0cea173cb1766da7c25f2bcdddaffae7bc0da927c

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\res\public\en_GB\stylesheets\start_page_landing.css
Filesize
282B

MD5
49617add7303a8fbd24e1ad16ba715d8

SHA1
31772218ccf51fe5955625346c12e00c0f2e539a

SHA256
b3a99eea19c469dab3b727d1324ed87d10999133d3268ed0fadd5a5c8d182907

SHA512
9d1198ca13a0c1f745b01aabc23b60b8e0df4f12d7fdf17e87e750f021fc3800ea808af6c875848b3850061070dfd54c2e34d92cea4e8a2bf4736fbcfd129d1e

Download Submit
C:\Users\Admin\AppData\Roaming\LittleCMS engine\ui.xml
Filesize
417KB

MD5
2e79233b3ad881df35237c30ee2eeda9

SHA1
72d2d617bfb5322915fae6ada090a85d037e5ad2

SHA256
d8530c0e05387ae70687ef470616a72240c4b38bfd5cc459b2601c3eca68c864

SHA512
d8126c0882ecd7553301788b8ee7cdf6d91a7f38a322dea43de4aac5ceed57ade0937469858c19dfb36f1340efbe3101ba83bc2352fa05de41d91a2fe152eb02

Download Submit
memory/1388-613-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/1388-11-0x0000000000140000-0x0000000000528000-memory.dmp

Filesize
3.9MB

Download
memory/3248-614-0x0000000000C90000-0x00000000014C0000-memory.dmp

Filesize
8.2MB

Download