babadeda | 750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c

Analysis

max time kernel
90s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
Size

4.0MB
MD5

fd0ed9f5ffa9c912ba8d677687776448
SHA1

b7abe535dccf587c80cbcd2d4cc0c30e330b3a54
SHA256

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c
SHA512

dc40402b2f77a3148a2ce3d86561b67c9c64a5a5492d7e6591c1bd2cd25de5d5a7e999637802b530b684d230b904a38b97ed95614ed5069f7d3293ca87bcf219
SSDEEP

98304:E+CmYXmNfbqCePyvG02XIlnHNZvQkMkWmpWQ2Ga:EmumvGs/QVara

Score

10^/10

babadeda outsteel crypter loader spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Tools\ICUAudioSoftware\settings.ini	family_babadeda
behavioral2/memory/4976-25-0x0000000003480000-0x0000000005580000-memory.dmp	family_babadeda
behavioral2/memory/4976-33-0x0000000003480000-0x0000000005580000-memory.dmp	family_babadeda

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel

OutSteel batch script 1 IoCs

Detects batch script dropped by OutSteel

Processes:

resource	yara_rule
C:\Users\Admin\Tools\ICUAudioSoftware\r.bat	outsteel_batch_script

Executes dropped EXE 1 IoCs

Processes:

AudioManagementConsole.exe

pid process

4976 AudioManagementConsole.exe
Loads dropped DLL 1 IoCs

Processes:

AudioManagementConsole.exe

pid process

4976 AudioManagementConsole.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4976	AudioManagementConsole.exe

pid	process
4976	AudioManagementConsole.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AudioManagementConsole.exe

description	ioc	process
File opened (read-only)	\??\w:	AudioManagementConsole.exe
File opened (read-only)	\??\a:	AudioManagementConsole.exe
File opened (read-only)	\??\b:	AudioManagementConsole.exe
File opened (read-only)	\??\g:	AudioManagementConsole.exe
File opened (read-only)	\??\h:	AudioManagementConsole.exe
File opened (read-only)	\??\z:	AudioManagementConsole.exe
File opened (read-only)	\??\k:	AudioManagementConsole.exe
File opened (read-only)	\??\o:	AudioManagementConsole.exe
File opened (read-only)	\??\p:	AudioManagementConsole.exe
File opened (read-only)	\??\y:	AudioManagementConsole.exe
File opened (read-only)	\??\v:	AudioManagementConsole.exe
File opened (read-only)	\??\x:	AudioManagementConsole.exe
File opened (read-only)	\??\i:	AudioManagementConsole.exe
File opened (read-only)	\??\l:	AudioManagementConsole.exe
File opened (read-only)	\??\t:	AudioManagementConsole.exe
File opened (read-only)	\??\u:	AudioManagementConsole.exe
File opened (read-only)	\??\q:	AudioManagementConsole.exe
File opened (read-only)	\??\r:	AudioManagementConsole.exe
File opened (read-only)	\??\s:	AudioManagementConsole.exe
File opened (read-only)	\??\e:	AudioManagementConsole.exe
File opened (read-only)	\??\j:	AudioManagementConsole.exe
File opened (read-only)	\??\m:	AudioManagementConsole.exe
File opened (read-only)	\??\n:	AudioManagementConsole.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4976-26-0x0000000000A60000-0x0000000000D57000-memory.dmp	autoit_exe
behavioral2/memory/4976-31-0x0000000000A60000-0x0000000000D57000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2492 taskkill.exe

pid	process
2492	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exeAudioManagementConsole.exe

description	pid	process	target process
PID 2144 wrote to memory of 4976	2144	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	AudioManagementConsole.exe
PID 2144 wrote to memory of 4976	2144	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	AudioManagementConsole.exe
PID 2144 wrote to memory of 4976	2144	750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe	AudioManagementConsole.exe
PID 4976 wrote to memory of 2800	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2800	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2800	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 620	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 620	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 620	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4792	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4792	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4792	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4980	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4980	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4980	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1204	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1204	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1204	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4488	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4488	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4488	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3144	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3144	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3144	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2076	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2076	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2076	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1420	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1420	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1420	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1384	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1384	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1384	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4176	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4176	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4176	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3712	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3712	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3712	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4692	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4692	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4692	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 892	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 892	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 892	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2032	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2032	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2032	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4520	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4520	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 4520	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 228	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 228	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 228	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1040	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1040	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 1040	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3056	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3056	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3056	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3216	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3216	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 3216	4976	AudioManagementConsole.exe	cmd.exe
PID 4976 wrote to memory of 2364	4976	AudioManagementConsole.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe
"C:\Users\Admin\AppData\Local\Temp\750c447d6e3c7d74ccab736a0082ef437b1cd2000d761d3aff2b73227457b29c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
3⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
3⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
3⤵
PID:4792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
3⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
3⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
3⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
3⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
3⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
3⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
3⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
3⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
3⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
3⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
3⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.doc" /S /B /A
3⤵
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pdf" /S /B /A
3⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppt" /S /B /A
3⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
3⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.xl" /S /B /A
3⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.csv" /S /B /A
3⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rtf" /S /B /A
3⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.dot" /S /B /A
3⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.mdb" /S /B /A
3⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.accdb" /S /B /A
3⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pot" /S /B /A
3⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.pps" /S /B /A
3⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.ppa" /S /B /A
3⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.rar" /S /B /A
3⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.zip" /S /B /A
3⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.tar" /S /B /A
3⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "f:\*.7z" /S /B /A
3⤵
PID:3748

C:\Windows\SysWOW64\cmd.exe
cmd /c start /min r.bat
3⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K r.bat
4⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /min /c del "C:\Users\Admin\Tools\ICUAudioSoftware\r.bat"
5⤵
PID:4316

C:\Windows\SysWOW64\taskkill.exe
Taskkill /IM cmd.exe /F
5⤵
- Kills process with taskkill
PID:2492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Tools\ICUAudioSoftware\AudioManagementConsole.exe
Filesize
2.6MB

MD5
54716603e1b2d01a507d5d0a3a3a104c

SHA1
93b0407a05891fb797e3083c374af2e0dfb30634

SHA256
595017621ccc2b26e23d39c720c6bfaf29aa17997b59a8ba7e4506eea252b8ed

SHA512
b3ea1beef7f4b05afc5405877282f5d9c3588fb2bd0cdaa5616b82cbd752dec471e6d87a5ea16a478e3a26500c764a2bd38fd0e02a354029dee4e023d261aff0

Download Submit
C:\Users\Admin\Tools\ICUAudioSoftware\r.bat
Filesize
172B

MD5
f6a86f75a098305a18cafbe90984fdb8

SHA1
0b2b5145b221487c975fb8a37894539f8af096b0

SHA256
a28ad4e445a5069bb621efc516147c60248369f5fc100ee935974a9b556fb273

SHA512
bee4c243f3a60f1778c5051d0a023afde678979a5da8db23f8811654afe468a06af6181c8338fc02d755dc223c52c653baa7abab8e941aac4cf335b7fabaac47

Download Submit
C:\Users\Admin\Tools\ICUAudioSoftware\settings.ini
Filesize
1.7MB

MD5
b226fcb1d5fc245b5ad372151ea33ed8

SHA1
ac6941c5234179a2bc8306b238413a1c740fdcfa

SHA256
daa273100ae0fdfa7aae5c6687c0e8130a68a7abae55c8380b38b9278e2c18a9

SHA512
786f2398e114e02dac925c088774a2ed895546978f1b3cb6cc944efdeabf1ec5458136caf09c3932014fbfdf0ab43fae11c11aad35f53dcbcec4b408efc8017f

Download Submit
C:\Users\Admin\Tools\ICUAudioSoftware\wxwidgetsforms2.dll
Filesize
2.0MB

MD5
9e11ac70407744bea597411f505d16b8

SHA1
90fddf31c2def7b655742a0f98181ee47b2835c8

SHA256
69977ef94e7abde5e40ebb1b2d639e3ae396c831a0b8671bdcd141f5f101a344

SHA512
fb68fa59897d95d1a909fcb32876efcc53880fbb804ad3ebbc97fbd4eee0cf4364f43517e92245754975a1c00ecca032b06efa03791d7179f1eb6d08620cde64

Download Submit
memory/4976-25-0x0000000003480000-0x0000000005580000-memory.dmp

Filesize
33.0MB

Download
memory/4976-26-0x0000000000A60000-0x0000000000D57000-memory.dmp

Filesize
3.0MB

Download
memory/4976-31-0x0000000000A60000-0x0000000000D57000-memory.dmp

Filesize
3.0MB

Download
memory/4976-33-0x0000000003480000-0x0000000005580000-memory.dmp

Filesize
33.0MB

Download