10a6d1044186ddaf801d57ab4fdd6991a44b859332fd8e2ae8990f7edd4b3206

Analysis

max time kernel
135s
max time network
136s
platform
windows7_x64
resource
win7v20201028
submitted
31-10-2020 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client Web Setup 2.17.0.exe
Size

1.0MB
MD5

edf47633312f964b28dfc3ed91f320c7
SHA1

c9df701aae470466e5b8639328aa0a95c148f2f8
SHA256

10a6d1044186ddaf801d57ab4fdd6991a44b859332fd8e2ae8990f7edd4b3206
SHA512

98e1f0c70fbea5bf684136a976e9e8a8bb9f83c6c9f9625248485772f59f0ef529e5191434ce02fd7448e8c3810dd9450360422b3b1257036da4dc8f05547493

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Badlion Client.exe

pid process

1852 Badlion Client.exe

pid	process
1852	Badlion Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Badlion Client.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation	Badlion Client.exe

Loads dropped DLL 21 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exeBadlion Client.exe

pid	process
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1304
1304
1304
1304
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1852	Badlion Client.exe
1852	Badlion Client.exe
1304

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 17 IoCs

Processes:

yara_rule
js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\Badlion Client.exe	js
C:\Program Files\Badlion Client\natives_blob.bin	js
C:\Program Files\Badlion Client\v8_context_snapshot.bin	js
C:\Program Files\Badlion Client\resources.pak	js
C:\Program Files\Badlion Client\resources\electron.asar	js
C:\Program Files\Badlion Client\resources\app.asar	js
\Program Files\Badlion Client\Badlion Client.exe	js

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Badlion Client.exe

pid process

1852 Badlion Client.exe

pid	process
1852	Badlion Client.exe

Drops file in Program Files directory 331 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exe

description	ioc	process
File created	C:\Program Files\Badlion Client\locales\hu.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\tr.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\libEGL.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\lunatriuscore.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\native-modules\launcher.node	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-file-l2-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\api-ms-win-crt-environment-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\native-modules\freetype-jni.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\lib	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\fi.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-localization-l1-2-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\xxhash.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\ml.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\ms.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-convert-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\resources\elevate.exe	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\gu.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\vcruntime140.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\debug-log4j2.xml	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\lz4-java.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\hi.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\nb.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\VMProtectSDK32.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\LICENSES.chromium.html	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\it.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\ro.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\slim.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\d3dcompiler_47.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\flag-icon-css-license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\en-GB.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\id.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\vi.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-filesystem-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\chrome_200_percent.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\replaystudio.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\sw.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\resources.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\icudtl.dat	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\aperature.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\ffmpeg.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\es.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\v8_context_snapshot.bin	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\VMProtectSDK64.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\grpc.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\mr.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\ro.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\ru.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\licenses.dependencies.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\bg.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\en-US.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-core-file-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\schematica.license.txt	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\cs.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\de.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\locales\fa.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\sv.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\api-ms-win-crt-environment-l1-1-0.dll	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\licenses\mclib.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\xxhash.license.txt	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\de.pak	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\et.pak	Badlion Client Web Setup 2.17.0.exe
File created	C:\Program Files\Badlion Client\ffmpeg.dll	Badlion Client Web Setup 2.17.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\grpc.license.txt	Badlion Client Web Setup 2.17.0.exe

Drops file in Windows directory 4 IoCs

Processes:

wusa.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Badlion Client.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Badlion Client.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Badlion Client.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exeBadlion Client.exe

pid	process
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1904	Badlion Client Web Setup 2.17.0.exe
1852	Badlion Client.exe
1852	Badlion Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Badlion Client Web Setup 2.17.0.exe

description pid process

Token: SeSecurityPrivilege 1904 Badlion Client Web Setup 2.17.0.exe

description	pid	process
Token: SeSecurityPrivilege	1904	Badlion Client Web Setup 2.17.0.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Badlion Client Web Setup 2.17.0.execmd.exe

description	pid	process	target process
PID 1904 wrote to memory of 616	1904	Badlion Client Web Setup 2.17.0.exe	cmd.exe
PID 1904 wrote to memory of 616	1904	Badlion Client Web Setup 2.17.0.exe	cmd.exe
PID 1904 wrote to memory of 616	1904	Badlion Client Web Setup 2.17.0.exe	cmd.exe
PID 1904 wrote to memory of 616	1904	Badlion Client Web Setup 2.17.0.exe	cmd.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 1836	616	cmd.exe	wusa.exe

C:\Users\Admin\AppData\Local\Temp\Badlion Client Web Setup 2.17.0.exe
"C:\Users\Admin\AppData\Local\Temp\Badlion Client Web Setup 2.17.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RunMSU.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\wusa.exe
wusa "C:\Users\Admin\AppData\Local\Temp\Windows6.1-KB3033929.msu"
3⤵
- Drops file in Windows directory
PID:1836

C:\Program Files\Badlion Client\Badlion Client.exe
"C:\Program Files\Badlion Client\Badlion Client.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
C:\Program Files\Badlion Client\chrome_100_percent.pak

MD5
8d56d44c318d122f7931d03ba435f00b

SHA1
387f530e06f79a2a9f7fbf4446c71c31db08e7e0

SHA256
fcb4faaa82d13d90c42dfa0669f67391b3124d30310d0f4c510f31412974cab2

SHA512
03bd2f56f73ad06fe22ebd94fb0de4e37d1771f8a9d82a47ea93002ba4696d906b59d0e25db63e98af10a169a8c3dc9d047cfcbca01030924bf93abe7bce1590

Download Submit
C:\Program Files\Badlion Client\chrome_200_percent.pak

MD5
879f88cafa5714994744bde20e7bd2c2

SHA1
d63b55f9f7c0e40f9585cac8a5cb28c0ea9f32ee

SHA256
76126341d0dc2b4b6ddccf30559709e6a856cd47148107808bd18ceb16ed1df3

SHA512
4d70ae16c2656cf3a8aaad00e2ce0ddcc030bf1ad29bbb1d0e90c03f866c413f893b273b8b03aa12c9ea5ae01537ad1d2d1b2c52b35bf7773278121a09a3af9c

Download Submit
C:\Program Files\Badlion Client\ffmpeg.dll

MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
C:\Program Files\Badlion Client\icudtl.dat

MD5
4c8a9e9c260dc5a6fee2a3c37520f5bf

SHA1
5a9883dbeb5314a98e7ab5326f9868e78ba387dc

SHA256
8c2df1f6e2ea8df2e5fc5e4b016b0cddd64a7ce6985189ca45be3c0ec99472c2

SHA512
c0da0b08a0b0eaa898f96c6e6c6fb65bc7f773f5814fc0d612a40e2fcaea4049c67cd2812716a564dbc16d609677ee62eaa9f9747d2a7bc5c9bce43cd2208aa7

Download Submit
C:\Program Files\Badlion Client\locales\en-US.pak

MD5
15e8556f737d17bd4d645513ee190990

SHA1
a24844d68fe3e9f4c57d14e6091a06f5e6b5f327

SHA256
12e4fd083a49e038578ea2993e6c88239083c8d098231527eee861299a4e1c99

SHA512
4e5c423b2b14def0e6ebb9c7844bdc050198064c9db69d3a880c1444314211995b1f0dec6fcbb12c6d5e59f690c3ffc893c2265bf7168d1ecbc8d83dfa5e1465

Download Submit
C:\Program Files\Badlion Client\native-modules\launcher.node

MD5
bdeb8dedacd0887989be988a446028fa

SHA1
9497f0fdd63863a74821e2f4082789df748dc065

SHA256
74abcf460c0d12f16abda28ad9dc82c29818328efc66062e21b38fc115aa03df

SHA512
23980ab0413dd22779b6567d6e01b209216163006afe82be9050839790874bc33ea1470f556f0700de38418f2e3673b3b343b264d0ea4c5261afa50a92f1e966

Download Submit
C:\Program Files\Badlion Client\natives_blob.bin

MD5
f8ac49858ca8739658ff44c296f8aba6

SHA1
427b4da3bd619d85381c36d61daf2ce392e07909

SHA256
354ff502a0e1ed73df4e5c7b52970356b04777461f6e169f72a8567ab5f4c317

SHA512
52e875aedbdc5dad21e01a42e333ff5aefed9ae6468a00e80f2bb373b871196f9a82bc3f43a6c72c9dd6be0e4fbc591d3ede41ca47b23a806b788db5aa9bf313

Download Submit
C:\Program Files\Badlion Client\resources.pak

MD5
978e8122033961585e14c65949d15e11

SHA1
3097d04bbcdfc6ff9e0bb52c2d38f6395e4bb631

SHA256
a435fa0e07a9124b0d457811de5e2245aeb225ad55ab99186cb665c6ec6e30ef

SHA512
5f6706116b7eaec70213f7343cac44eea2dc735de6262524b5508a659b150d8a5ad7f449fec984b45a2e5c170e1cb4feb927a19530c94841f3e6429a2fcaa1c0

Download Submit
C:\Program Files\Badlion Client\resources\app.asar

MD5
57892a47e06d3d1cb46fce7bb084730b

SHA1
64281fc658e2d624613ad88ab523eea9efb1a9a9

SHA256
c0bae93f4fe1c13eed69de41a8ea98da05db43682ba36fbac473548b23677d76

SHA512
2bcaad62e7dbbf89b64ffb8d42d548dbc6d12e92df8a7576b1065f96517e446bfe3c4e55a49f91aca40ecea8ca9fb83710b2688c22a6acd291929a72fc4c02de

Download Submit
C:\Program Files\Badlion Client\resources\electron.asar

MD5
9217b91b15e400888db98d761f78b310

SHA1
5cb9ba01638a9486a20d4c2e802944b2cc076202

SHA256
8183cc34c7d74689ed776c9c615eeb323c7c2e5886c280ea6d32a0f06e41627c

SHA512
e672bcffe09e5c729707d10ba8ecb25fee4223044de97cc165aed503548ee2a36ee38295dea6544218b08b69076094badd6b0ea9dd6764bfecf34ff6de3b5fff

Download Submit
C:\Program Files\Badlion Client\v8_context_snapshot.bin

MD5
ca7cd9e8812bf3d3af627e2ce32ac9be

SHA1
ae584ef401ec7684128517812e9eebc824098151

SHA256
15135d0f1bf67e01601a01dac865ae49d59eae99bc8967da1b8f0d5c7ada7d84

SHA512
f15ce97f2fe8d1e2230c7754449313f8c5b9a850a1bf2700adf47e95fd93a27c6d41a3435a1cbaf76b99a4ed2465ff5c8c39138239bda07e97b25e4bf377a310

Download Submit
C:\Program Files\Badlion Client\vcruntime140.dll

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
d0f504141e8422ebbe11532bcb5f97da

SHA1
8f3376b26e80d1dc814db1c9208080ad35d64a96

SHA256
798eecdf912da408a9b19d39b25e446e5bb130517e15c04ebd5f747239d64f51

SHA512
c65e8412ccf8473b085adfb6b09a253603e910689aaf46dcaecc1f41571cff6396eb670a0fcf4f5febff6e76f540b70f64c3644d728c0d4b0142311e0598f928

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunMSU.Bat

MD5
1ecda99ed52bae4cb70edc4b1e37fb63

SHA1
b298ad66a306e2e393dc3499e2c9ac0740c63f1e

SHA256
97c2ac9c0d179a206f3d80bd688a9a2e53acd92b14fc7601cb0f99d85424c4eb

SHA512
109fdb17c8cc57c6b5bd917fc42d2988852ee9b64d3aad9a4dffc6178b38d5b6692b03a99506c08f01250d259d1797574988d9cccc4947fbfa674cad556e8a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows6.1-KB3033929.msu

MD5
87ff18974de76144206910d0d41a8ae5

SHA1
5c56222b0caf43030addc9ad262633fcbddfcd41

SHA256
5318587007edb6c8b29310ff18da479a162b486b9101a7de735f94a70dbc3b31

SHA512
10d9180affd860c26fa4022ab26e8640397f4006bbfd5ac4c50ac0ed9cb72a0e591a71ef071d2087893f3769e83f62f4d45674342653b7d44df421440b15a059

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

MD5
fdbca799d3d61ec981249afd30b2e8a0

SHA1
eb0cd62c7b2e6c22b5b0db353be945cae54c5f1d

SHA256
d2a616741267b2a93756da11dfb2673d515ebba54b5a92d0c6240d6c63dd9653

SHA512
85f1359e5169e4053bf2e5c924f19b4535f198af8c920919639576981c8e54cae1582a6e78f35f4352e96b4ce706434aaf34986cc4b7ad7e1075333ccee8b289

Download Submit
\Program Files\Badlion Client\ffmpeg.dll

MD5
cb752ba8c738ede3d3de71c32a6c0c41

SHA1
a7f6614c7632bd06c25d4740aa169e572e8f389c

SHA256
da751890905cc57fadeec813bae33fdcb4817ee526ae5f45fd10d1172f971597

SHA512
9b0b71578b3023e2a065ca60e5fd69819f77f025fad57a1cd3ebb921e9c8f7445e9a64e46b632fa53b36817e61aa96c06d83c825161aa75629239e23c08512cd

Download Submit
\Program Files\Badlion Client\native-modules\launcher.node

MD5
bdeb8dedacd0887989be988a446028fa

SHA1
9497f0fdd63863a74821e2f4082789df748dc065

SHA256
74abcf460c0d12f16abda28ad9dc82c29818328efc66062e21b38fc115aa03df

SHA512
23980ab0413dd22779b6567d6e01b209216163006afe82be9050839790874bc33ea1470f556f0700de38418f2e3673b3b343b264d0ea4c5261afa50a92f1e966

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\INetC.dll

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\NSISdl.dll

MD5
49e7c5d0cee4e570efe79923c83ee10d

SHA1
75491a8a2bd849f62529b4227736c274dc5f5d3f

SHA256
08fde15b4be408a1fae1fb3de9cd13121dc0a416cf13ac6543c57a61216bdc59

SHA512
c861b68d3dbca4b68abb0224d039a2f5d149ed61a44bebb54c5ad304627469a074c9c28e57808bd16fd7eb984a788825e8cfb499ff8e96fa2b9f345abb579ab6

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\StdUtils.dll

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\System.dll

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\WinShell.dll

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\WinShell.dll

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\nsDialogs.dll

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\nsProcess.dll

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsx3322.tmp\nsis7z.dll

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/616-18-0x0000000000000000-mapping.dmp

Download
memory/1836-21-0x0000000000000000-mapping.dmp

Download
memory/1836-20-0x0000000000000000-mapping.dmp

Download
memory/1852-35-0x000001879DB00000-0x000001879DB01000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download