Analysis
max time kernel: 172s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 01/10/2022, 17:58
Behavioral task: behavioral1
Sample: 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Resource: win7-20220901-en
General
Target: 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Size: 823KB
MD5: 076c3938e44746d45b53dc741336f4a6
SHA1: 04fbc31d81d7837e12a07e91509ea4a18dd38cf0
SHA256: 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1
SHA512: 28633efdb11812af58bd84bfaef9c6a6c2a64f86b307cceb2cee191f1ce39bfd45b464f9effc5b8abd6194effffbec9796058b068dc15c437c623004512d017f
SSDEEP: 12288:sEPbH3cp66Ojdo1zUxSm6CSq4Vt779pxppwRgFN4AL63aSs5XNPlhsu/B+dT2uJg:xbH3k66WuzdESf/9pD2RUfn195ZQfy88
Malware Config
Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Neshta
Malware from the Neshta family spreads by infecting other files with copies of itself, damaging them in the process.
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 3388 created 3364 | 3388 | svchost.exe | 84
PID 3388 created 2420 | 3388 | svchost.exe | 89
Executes dropped EXE 3 IoCs
pid | Process
1104 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
3364 | Setup.exe
2420 | Setup.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Loads dropped DLL 5 IoCs
pid | Process
3916 | rundll32.exe
3364 | Setup.exe
2420 | Setup.exe
3888 | rundll32.exe
2420 | Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled 4 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Setup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Setup.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | Setup.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | Setup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | Setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | Setup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | Setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | Setup.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap | Setup.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP | Setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
3364 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 3364 | Setup.exe
Token: SeTakeOwnershipPrivilege | 3364 | Setup.exe
Token: SeTcbPrivilege | 3388 | svchost.exe
Token: SeTcbPrivilege | 3388 | svchost.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3364 | Setup.exe
3364 | Setup.exe
2420 | Setup.exe
2420 | Setup.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 1344 wrote to memory of 1104 | 1344 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 83
PID 1344 wrote to memory of 1104 | 1344 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 83
PID 1344 wrote to memory of 1104 | 1344 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 83
PID 1104 wrote to memory of 3364 | 1104 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 84
PID 1104 wrote to memory of 3364 | 1104 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 84
PID 1104 wrote to memory of 3364 | 1104 | 183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe | 84
PID 3388 wrote to memory of 3916 | 3388 | svchost.exe | 86
PID 3388 wrote to memory of 3916 | 3388 | svchost.exe | 86
PID 3388 wrote to memory of 3916 | 3388 | svchost.exe | 86
PID 3364 wrote to memory of 2420 | 3364 | Setup.exe | 89
PID 3364 wrote to memory of 2420 | 3364 | Setup.exe | 89
PID 3364 wrote to memory of 2420 | 3364 | Setup.exe | 89
PID 3388 wrote to memory of 3888 | 3388 | svchost.exe | 90
PID 3388 wrote to memory of 3888 | 3388 | svchost.exe | 90
PID 3388 wrote to memory of 3888 | 3388 | svchost.exe | 90
Processes

[1] C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
    PID: 1344
    - Modifies system executable filetype association
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
      PID: 1104
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Setup.exe" -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
        PID: 3364
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
          PID: 3916
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Modifies Internet Explorer settings

      [4] C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\61BF3ECC-BAB0-7891-A104-B4628747E71A\Latest\Setup.exe -latest -tsp=8310 -uiname=babylonO1 /brwsr=dnl -trkInfo=[spt:1] -490\183d5e97e83f9b6789f65685c57e2106a805f95103edbbd8aeca062c35b1f4a1.exe"
          PID: 2420
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Modifies Internet Explorer settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx

        [5] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\61BF3E~1\Latest\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
            PID: 3888
            - Loads dropped DLL
            - Checks whether UAC is enabled
            - Modifies Internet Explorer settings

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    PID: 3388
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Downloads