Analysis Overview
SHA256
700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901
Threat Level: Known bad
The file 700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901 was found to be: Known bad.
Malicious Activity Summary
Babadeda
OutSteel
Babadeda Crypter
Babadeda family
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates connected drives
Checks installed software on the system
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-10 11:48
Signatures
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Babadeda family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 11:48
Reported
2024-04-10 11:51
Platform
win7-20240221-en
Max time kernel
159s
Max time network
173s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OutSteel
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe
"C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe"
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| RU | 45.146.165.91:8080 | tcp | |
| RU | 45.146.165.91:8080 | tcp | |
| RU | 45.146.165.91:8080 | tcp | |
| RU | 45.146.165.91:8080 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 44018e1779270b083ad90da3dffe9b15 |
| SHA1 | e09c06b564abe26bcf91ecb7632d761c3234b30d |
| SHA256 | 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c |
| SHA512 | ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | b3c74bb5250effad46ce11a96c9468c2 |
| SHA1 | 3a339e244a29fe41d13fa4cc951a7e0a2862e299 |
| SHA256 | 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825 |
| SHA512 | a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 3272be2da53b6d5271111431f7d90d28 |
| SHA1 | 7ec382eee6282454d5b0b03751f3d14c568bbfa5 |
| SHA256 | 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982 |
| SHA512 | 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 228d4bd899577ed16ad3ac74b592a0e6 |
| SHA1 | baf99e34e126d6c41b7aa39caabc2376358bab70 |
| SHA256 | fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5 |
| SHA512 | 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 2719683b8dba819f2e6bd9e9b7307f1c |
| SHA1 | 6cbac17ebf8b56489ad8b8c458dd618b2788512a |
| SHA256 | 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a |
| SHA512 | 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee |
\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
memory/2148-889-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1172-892-0x00000000011A0000-0x00000000018DF000-memory.dmp
memory/2148-891-0x00000000032E0000-0x0000000003A1F000-memory.dmp
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
memory/1172-896-0x00000000011A0000-0x00000000018DF000-memory.dmp
memory/1172-898-0x00000000011A0000-0x00000000018DF000-memory.dmp
memory/1172-900-0x00000000011A0000-0x00000000018DF000-memory.dmp
memory/1172-902-0x00000000011A0000-0x00000000018DF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 11:48
Reported
2024-04-10 11:51
Platform
win10v2004-20240319-en
Max time kernel
151s
Max time network
168s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
OutSteel
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates connected drives
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe
"C:\Users\Admin\AppData\Local\Temp\700b05fede8afe3573b6fec81452d4b09c29adb003cdacb762c8b53d84709901.exe"
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
"C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4572 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | tcp | |
| RU | 45.146.165.91:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| RU | 45.146.165.91:8080 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 228d4bd899577ed16ad3ac74b592a0e6 |
| SHA1 | baf99e34e126d6c41b7aa39caabc2376358bab70 |
| SHA256 | fe87e02e797a143042bd7f10fa57c6e2a53028b5d5ab4c3da2a1e4affd1c86d5 |
| SHA512 | 285b2057d2bce4086859d76ad7c57f029946106e5bf31525a92450714b790bc77fb982e6e1edfedfbb4335a791911e057caf01ea801868ae196a8775a78adebc |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 3272be2da53b6d5271111431f7d90d28 |
| SHA1 | 7ec382eee6282454d5b0b03751f3d14c568bbfa5 |
| SHA256 | 4e2a12a194e0db12de874ad8c9a5288b5a56285b426883bd0e3cef1866569982 |
| SHA512 | 45dbfa8dd5aa0bd1e2dd042a716f00bad44142b98bcffedb7c30403b6132b50e72db64909d3873ca3a154d4a2e90433093c4f040454bca005b8274130c827b26 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 44018e1779270b083ad90da3dffe9b15 |
| SHA1 | e09c06b564abe26bcf91ecb7632d761c3234b30d |
| SHA256 | 71bacaee2c9e1fbe6a7184aaf9d3f8e24d6390ca62298c5da425bf060cd2bc4c |
| SHA512 | ece1fde07753a160735d2c09272410a473c7cbf18972005baa36480d363e87a47f02b7b83efb893b88e334e7f49d645d85f802246e7508623d20c04adb6cbb7b |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\PagerBackL.png
| MD5 | b3c74bb5250effad46ce11a96c9468c2 |
| SHA1 | 3a339e244a29fe41d13fa4cc951a7e0a2862e299 |
| SHA256 | 5a9479caa4024731d61172652a67021f4973a03548516d36a4865ec161a57825 |
| SHA512 | a5f8499a39972341740f46f96f90feb6cab15610fd9e7d25eeae139236fe115874806a6554c8fe180dee097088f8d4802a20b0ebc7de0c04486c7dbce36116c3 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Images\[email protected]
| MD5 | 2719683b8dba819f2e6bd9e9b7307f1c |
| SHA1 | 6cbac17ebf8b56489ad8b8c458dd618b2788512a |
| SHA256 | 316b67841dba6c73097d0d50d1b454fd80b6aac86fa0fe15f9b514d65a5bb66a |
| SHA512 | 96ffe07ea87dae0bcf92a2d06dbfc8604526e77afd8f1bae1bc3ef17261463a214a54d91e7f672a5b8455ed4c7bba8fbe19e12255c6d5b2bbd26dda5c8b6ccee |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\csvhelper.exe
| MD5 | f5de326683df44d71ed1b986fd836e0b |
| SHA1 | 33bc899da6afd2b82b27d59acd0844b521e57079 |
| SHA256 | 17c3cf5742d2a0995afb4dd2a2d711abe5de346abde49cf4cf5b82c14e0a155f |
| SHA512 | 12ae60cec6bd90c6bf4f8bb5196f79811bc03f4208c9c1148190551854a04f3b61732d3cb7f99feea019cc1f5c05c37b5ad24e24de39763acfc663b31434f15a |
memory/3572-894-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\libfreetype-4.dll
| MD5 | 1bf457ea201a3374f7c37f43d5c3ffdb |
| SHA1 | bf693ad6b3070cfb60902eeeb3a290bad531bbd0 |
| SHA256 | 9107ca00ea91640e2498b2d7c1529d7eaaa731907bb9a3732a6895fbca9aaf08 |
| SHA512 | c6657ffbcefb3e5ae704fb4712520b3ff705c23a206628b3f348cb11fa0e55e5c2ac54172d98a79470c15413e7f526fbc12ac700c7ae83052f888c241d530074 |
C:\Users\Admin\AppData\Roaming\Josh Close\CsvHelper\Guide.pdf
| MD5 | 349a1d8bb00ae11bbf535cd909838c65 |
| SHA1 | c7b9d73580d6c733fbd5875bbccfbf3b792018e2 |
| SHA256 | 93e4d8628b80b495625844695be857f62353c5b95a1ed85f262fb8681a2cbae4 |
| SHA512 | f1911c2071628fcbf4d18640d50808d2c23c22594c71e380d3f8cb6d90ae3c75019c4210ff6f6f54a918ec346694bdf821757cc4f174ed48a7a11d28a4aced51 |
memory/5084-898-0x0000000000AD0000-0x000000000120F000-memory.dmp
memory/5084-899-0x0000000000AD0000-0x000000000120F000-memory.dmp
memory/5084-900-0x0000000000AD0000-0x000000000120F000-memory.dmp
memory/5084-903-0x0000000000AD0000-0x000000000120F000-memory.dmp
memory/5084-905-0x0000000000AD0000-0x000000000120F000-memory.dmp