Analysis

  • max time kernel
    150s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-07-2023 09:33

General

  • Target

    KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.lnk

  • Size

    3KB

  • MD5

    67919ac65f71daac11a70f8d9e9b75d3

  • SHA1

    0ce2c4fe931dc3e711ea4af9913476a4e08fc7b2

  • SHA256

    2c202c8fb88c907867f43a1d3c82a15b3b67204799efaed9e5cca2e150cdaacc

  • SHA512

    c235a6a0913da127b70a46491e51d47813a3a7edcfcae6e1bcf1a06ccc418eb304ed05062fd6c84215533f8b30aea4e6dd3f59ad7c2b4ff2f9aab1a93914c533

Malware Config

Extracted

Family

babylonrat

C2

149.28.19.207

Signatures

  • Babylon RAT

    Babylon RAT is a remote access trojan written in C++.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle hidden -nologo -executionpolicy bypass -File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.pdf"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1124
        • C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe
          "C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe"
          4⤵
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2064
        • C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe
          "C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2716
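
The process tree above is the part of this report a detection engineer can act on: a shortcut run through cmd.exe, a second cmd.exe that starts PowerShell with a hidden window and the execution policy bypassed, a decoy PDF opened in AcroRd32.exe, and the same DriverDiagnoseTool.exe run from %TEMP% and then from %APPDATA%\Roaming, with PID 1532 adding a Run key. The following is an added example, not part of the sandbox report or of the malware, that encodes those relationships as rules and runs them over a constructed event list built from the tree. The event schema (type/pid/ppid/image/cmdline, and key/value/data for registry writes) is an assumption rather than real Sysmon output, and the Run-key value name and data are assumed, because the report only states that PID 1532 added a Run key.

```python
"""Detect the LNK -> cmd.exe -> hidden PowerShell -> dropped-EXE chain and
the Run-key persistence seen in the process tree above.

EVENTS is constructed for this example from the report's process tree
(images, PIDs, command lines). The field names are assumptions, not a real
Sysmon schema; the registry value name and data are assumed too.
"""
import re

# Directories a standard user can write to; binaries executing from here
# after a scripted drop are the pivot this report shows.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
HIDDEN_PS = re.compile(r"-windowstyle\s+hidden", re.I)
BYPASS_PS = re.compile(r"-executionpolicy\s+bypass", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
LNK_ARG = re.compile(r'\.lnk("|\s|$)', re.I)

# Constructed events mirroring the report's process tree (PIDs and command
# lines taken from it). PPID 1 for the root is a placeholder.
EVENTS = [
    {"type": "process", "pid": 3012, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.lnk"},
    {"type": "process", "pid": 960, "ppid": 3012, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c powershell -WindowStyle hidden -nologo '
                r'-executionpolicy bypass -File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"'},
    {"type": "process", "pid": 1532, "ppid": 960,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -WindowStyle hidden -nologo -executionpolicy bypass '
                r'-File "KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.ps1"'},
    {"type": "process", "pid": 1124, "ppid": 1532,
     "image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" '
                r'"C:\Users\Admin\AppData\Local\Temp\KENAPA_UMNO_BERSAMA_KERAJAAN_PERPADUAN.pdf"'},
    {"type": "process", "pid": 2064, "ppid": 1532,
     "image": r"C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\DriverDiagnoseTool.exe"'},
    {"type": "process", "pid": 2716, "ppid": 1532,
     "image": r"C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe"'},
    # Assumed: the report only says PID 1532 added a Run key; value name and
    # data are chosen to match the Roaming copy of the dropped EXE.
    {"type": "registry", "pid": 1532,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "DriverDiagnoseTool",
     "data": r"C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from pid upward, nearest first; stops on an unknown or cyclic ppid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule_name) findings for process-creation and registry events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            img, cmd = basename(e["image"]), e["cmdline"]
            parent = by_pid.get(e["ppid"])
            # Rule 1: cmd.exe handed a .lnk as its command (shortcut-driven launch).
            if img == "cmd.exe" and LNK_ARG.search(cmd):
                findings.append((e["pid"], "cmd_runs_lnk"))
            # Rule 2: PowerShell hidden + policy bypass with cmd.exe somewhere above it.
            if (img == "powershell.exe" and HIDDEN_PS.search(cmd) and BYPASS_PS.search(cmd)
                    and "cmd.exe" in ancestry(e["pid"], by_pid)[1:]):
                findings.append((e["pid"], "hidden_powershell_from_cmd"))
            # Rule 3: executable in a user-writable directory started by PowerShell.
            if (USER_WRITABLE.search(e["image"]) and parent
                    and basename(parent["image"]) == "powershell.exe"):
                findings.append((e["pid"], "powershell_spawns_dropped_exe"))
        elif e["type"] == "registry":
            # Rule 4: Run/RunOnce value pointing into a user-writable directory.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                findings.append((e["pid"], "run_key_to_user_writable_path"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Rule 3 is the one to keep loose on purpose: the decoy AcroRd32.exe (PID 1124) is also a child of PowerShell but lives under Program Files, so it is not flagged, while both copies of DriverDiagnoseTool.exe are. Note from the Downloads section below that the dropped file is 300.9MB on disk although its mapped image in PIDs 2064 and 2716 is 808KB, so a collection or upload pipeline with a size cap would skip it; match on the dropped-file hashes and on the behaviour above rather than on file size.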

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    9e23efdb124c387f0f50c74cce0f1186

    SHA1

    4b6e2a4bf1866ea10adb9784affc67b5c1b323b4

    SHA256

    48ded289499683f53802de5a253fa46002d8ac439bdd532b1cc4e83aa3fd3b99

    SHA512

    62b50b6b67724c9272d70227872de7553d51188554b987b27a31346db68235c18e4142248eca83de542a7e700f1a997893d93d61e3039b3d583e9774047518db

  • C:\Users\Admin\AppData\Roaming\DriverDiagnoseTool.exe

    Filesize

    300.9MB

    MD5

    d70de5a533c758bcba7ff16d204cdbe6

    SHA1

    38d9f39f8c3699c04c4e4ba3e33afbed745e3e8f

    SHA256

    40d348783300d039d969f27a22433a8cba8d31c28e2e8d542c10a5792d34c1d3

    SHA512

    a9355532ad9310a61f1b07926a64d48669ebf3e15e45c18a28a7b16c3e94d66037752d45b36e26c2dbb247b2d9fdcedc18f00fb4229daece372f44af418c07f1

  • memory/1532-111-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

    Filesize

    2.9MB

  • memory/1532-112-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

    Filesize

    32KB

  • memory/1532-113-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/1532-114-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/1532-115-0x00000000028E0000-0x0000000002960000-memory.dmp

    Filesize

    512KB

  • memory/2064-119-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-121-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-118-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-117-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-129-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-116-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2064-149-0x0000000000150000-0x000000000021A000-memory.dmp

    Filesize

    808KB

  • memory/2716-130-0x0000000000270000-0x000000000033A000-memory.dmp

    Filesize

    808KB

  • memory/2716-131-0x0000000000270000-0x000000000033A000-memory.dmp

    Filesize

    808KB