babadeda | fa059ce2f6d88b5904965f6958d3ae4c6159bd788fb24debf2e463055ef77a1b

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448166ffa55d2d5fbf0cfaefb21826f6.exe
Size

118.6MB
MD5

448166ffa55d2d5fbf0cfaefb21826f6
SHA1

e946af3ab6614f0b20515a3fa8b5a73210e8932d
SHA256

a69ac6cbe1ce50215d3f6df173f38bb3f9de174d32c87afbb7146662214b570b
SHA512

d9147720d3e691091c8a376776429eee992ab7a1b656109b091892483200b71606242dff085ca705807f081703ac7d182150f631a657c6a2d568b67b9bb32d55
SSDEEP

1572864:6ruifSIvT79HWXIIbgpGB+GrqxVb0al/VlK8vlQO:6fpTwWGBGdPvZ

Score

10^/10

babadeda remcos sys32 crypter discovery loader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Sys32

157.90.1.54:4783

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Logs
keylog_path
%AppData%
mouse_option
false
mutex
Sys-PVUZ63
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca1-99.dat	family_babadeda

Babadeda family
babadeda
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	448166ffa55d2d5fbf0cfaefb21826f6.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cplinker.lnk	link.exe

Executes dropped EXE 3 IoCs

pid	Process
2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp
3260	makecat.exe
1940	link.exe

Loads dropped DLL 6 IoCs

pid	Process
1940	link.exe
1940	link.exe
1940	link.exe
1940	link.exe
1940	link.exe
1940	link.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cross Platform Linker = "C:\\Users\\Admin\\AppData\\Roaming\\MiPony Installer\\link.exe"	link.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	448166ffa55d2d5fbf0cfaefb21826f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	448166ffa55d2d5fbf0cfaefb21826f6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	makecat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	link.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp
2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4176	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	link.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 2556	4620	448166ffa55d2d5fbf0cfaefb21826f6.exe	82
PID 4620 wrote to memory of 2556	4620	448166ffa55d2d5fbf0cfaefb21826f6.exe	82
PID 4620 wrote to memory of 2556	4620	448166ffa55d2d5fbf0cfaefb21826f6.exe	82
PID 2556 wrote to memory of 3260	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	84
PID 2556 wrote to memory of 3260	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	84
PID 2556 wrote to memory of 3260	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	84
PID 2556 wrote to memory of 1940	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	86
PID 2556 wrote to memory of 1940	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	86
PID 2556 wrote to memory of 1940	2556	448166ffa55d2d5fbf0cfaefb21826f6.tmp	86

C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe
"C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Local\Temp\is-VPKLN.tmp\448166ffa55d2d5fbf0cfaefb21826f6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VPKLN.tmp\448166ffa55d2d5fbf0cfaefb21826f6.tmp" /SL5="$90116,123570416,887296,C:\Users\Admin\AppData\Local\Temp\448166ffa55d2d5fbf0cfaefb21826f6.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3260
- - C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
    "C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4cc 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-VPKLN.tmp\448166ffa55d2d5fbf0cfaefb21826f6.tmp

Filesize
3.1MB

MD5
186f049568c683c2597f94ac445d054f

SHA1
b66903ea56214a05ede4f5228813028ba208041a

SHA256
55d0d8353358de375f54cdc67dc1226d809f34771f4b728e2a52a9c22744312c

SHA512
0b9d47c34fddbd7e2d021760ba562971948892a419151e56a5d081f0488b552577e824ce15a625247260da743937d38ccce1df3cc73489c35ecb8c5c0b97297a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\logs.dat

Filesize
266B

MD5
291884998124bda8c4cf31cf241b6d33

SHA1
a4f48937eeb6883812748331cd7389df3741500e

SHA256
3713b0754175000fac5415c54e239c221c2284b6da7165b9bcbbe30916760818

SHA512
158ec8e1934d244718b7f3ab9d936ef23a3e5c9c29f9a04a064b8fd393e2ea42586169064ea73106168352d872b0dc46c04bb1586fd7119a5bb4e1de1907e46d

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\cmswrite.dll

Filesize
1.5MB

MD5
3aa620a3832249894026a7bcef141947

SHA1
465efee181f8d8288c4a34b0a80e7070f3aa48f7

SHA256
568e680c3ecaa84a76e111054a138d867813b9f65bbdc967c98304d6a0b4cf69

SHA512
a788cdb4cdafbd7b96f5b9e88b72cb57fd18d8ab70e0e166fcdcdd553e1de559a6017535274e09e30d6183c7c9baae58d711820f927a8ed3c3811c6f994809a7

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\libwmf2.dll

Filesize
33.1MB

MD5
830c6fdda9cd0cee12dba51f793eecf8

SHA1
1923f3fb75e5d81a40e0aa3ffe613138fe9402c6

SHA256
695ac459ba83bb3dfeb45294b2d7669b7b032a10c20be8acee337017a62f2099

SHA512
34d2ec03224cca7dc9f77c0ff1d5a9f535944c3f83ac0a8562f467b3099db83ebf678f80c77c5d888a96a1efee65ff8a69ca49e649d2013d7e318662c9fbedd4

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe

Filesize
1.8MB

MD5
e1e23f21b223a052c39e8c67acd38105

SHA1
7f0e0baf554412a45fb10b04b0b159394f0cf3ab

SHA256
f1261751289ad124a521bad5bcab76826f70b9d4686a48b9f5b3523415004cf1

SHA512
d6191bdaecefe06589676c2fe54bbb2ed68e79b62f931fd3d2257e2fe1089c89508e6c09c88257f039c581200dc1b709bfff85e9de767ab5f7555765e2ca6958

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe

Filesize
27KB

MD5
8fa639e29c7d1e7a1bd0d493354df226

SHA1
3ad3203b18dec68815f084f28bb956f0e1f8b9fe

SHA256
9177d32598d86cbe839d9a64e7654a76c2f33a91fb01186ecaed1f9e98292438

SHA512
4d0bb6ccbc53bd4c9fca04bac51814a6064df2d954bf260ec24eadad61226fbea4ab569b0c2f9ba3c046284e12051a653be534aa6556d6849bff172e2c73f626

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\msvcp140.dll

Filesize
429KB

MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\pg

Filesize
1.1MB

MD5
d759799c9fab5a28a2c8b5eda93c5546

SHA1
aeefd53b64901005cd5fb6d3be7c8192fa505772

SHA256
8e6ae6f2c0c1dbe9b9fa315206b824ba9d72c337fec6d22763beb5d15c68c7d1

SHA512
8aa394ca09ba9e9893d29e44ee709042b207ba025bc8b5b102f53d74e48c806213dda8ef74ea8085ad69deec712db34b107ab448d2eb0d80fa43723ac5718c34

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\tbbmalloc.dll

Filesize
172KB

MD5
b61a9ee5a6c3c7a4d8b2944bee989250

SHA1
b3268110ebe8d565847a34340987465c7394989b

SHA256
c51fc91e9b7c855b691217dea5bc72fdf0c567f76deb204a80a0f7f50a885694

SHA512
83224db6dbf8c7e1a2939126f3bdd8c110d9efde08e2243d22dcbed30d58c3730c319cc8424fd155728236cf0d4cf4d0f7c79e713df9eb840dad1a4013aac1bf

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\vcruntime140.dll

Filesize
83KB

MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\wmfobserve.dll

Filesize
83KB

MD5
5eb5c4fcc56dacb39450926293183153

SHA1
eb9558f47af92c962e10f8a43b6e4e8b87c1be24

SHA256
b819b42c75a35760c8ac5cd8dbfe0814c440098ca0b891a2e2f415f0b61ce844

SHA512
840962c61768d4e62b3d5bcb4c29039d455cb41c8bfcc1651306f12d3dce42735adfeacde7d7f97c501b3276042bd645f4a81a9f1779a81d1b147149898bd5ac

Download Submit
memory/1940-107-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-117-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-152-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-151-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-143-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-141-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-109-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-110-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-101-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-136-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-116-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-135-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-122-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-123-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-129-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/1940-130-0x0000000004130000-0x00000000041A7000-memory.dmp

Filesize
476KB

Download
memory/2556-94-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2556-6-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2556-8-0x0000000002510000-0x0000000002650000-memory.dmp

Filesize
1.2MB

Download
memory/2556-9-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/4620-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4620-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4620-96-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download