Malware Analysis Report

2024-09-22 16:47

Sample ID 240313-tgdqtsba67
Target c64aa0d81a6955ae443268663d734dc4
SHA256 d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2
Tags
babadeda cobaltstrike 305419776 backdoor crypter discovery loader trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d655c80b18e92e48821998ff99afdbaac96ab2c940b70c5b2c0e7770ad1e16c2

Threat Level: Known bad

The file c64aa0d81a6955ae443268663d734dc4 was found to be: Known bad.

Malicious Activity Summary

Babadeda Crypter

Babadeda

Cobaltstrike

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-13 16:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 16:01

Reported

2024-03-13 16:03

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe

"C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe"

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

"C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 unattended-upgrades.net udp

Files

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_banner.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_no_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_no_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_landing.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_with_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_with_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page.css

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page_landing.css

memory/2176-471-0x0000000000400000-0x0000000000463000-memory.dmp

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

memory/2176-472-0x0000000003B00000-0x00000000042EC000-memory.dmp

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

memory/2556-474-0x0000000000400000-0x0000000000BEC000-memory.dmp

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\usage.pdf

\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

memory/2556-477-0x0000000000240000-0x0000000000273000-memory.dmp

memory/2556-478-0x0000000002900000-0x000000000298D000-memory.dmp

memory/2556-479-0x0000000002900000-0x000000000298D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 16:01

Reported

2024-03-13 16:04

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Cobaltstrike

trojan backdoor cobaltstrike

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe

"C:\Users\Admin\AppData\Local\Temp\c64aa0d81a6955ae443268663d734dc4.exe"

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

"C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 unattended-upgrades.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 unattended-upgrades.net udp

Files

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_no_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_banner.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_landing.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_no_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page.css

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\stylesheets\start_page_landing.css

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_topstrip_with_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\res\public\en\html\startpage_connect_to_data_with_mru.html

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\reporteng.exe

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

memory/5124-480-0x0000000000400000-0x0000000000BEC000-memory.dmp

memory/1108-476-0x0000000000400000-0x0000000000463000-memory.dmp

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\usage.pdf

C:\Users\Admin\AppData\Roaming\MLtek\Reporting Engine\librsvg-2-0.dll

memory/5124-481-0x0000000000C30000-0x0000000000C63000-memory.dmp

memory/5124-482-0x0000000002830000-0x00000000028BD000-memory.dmp

memory/5124-483-0x0000000002830000-0x00000000028BD000-memory.dmp