938f0f59b235568981600a40bf7d6b0f7d01199405729fcd1fd26c0f52c9d3c4

Analysis

max time kernel
77s
max time network
65s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Badlion Client Setup 3.16.0.exe
Size

129.3MB
MD5

7c3a7f421537d2320e71cd80320dda25
SHA1

d538c158632582338e9e341685890adcf97e7cff
SHA256

938f0f59b235568981600a40bf7d6b0f7d01199405729fcd1fd26c0f52c9d3c4
SHA512

f77b16d938d34a975a7081271159e436b1c67a25a7246cb0f10d072e8b009b0f9bf7b777cb77d650ee6e171366449200ff3d56ad6074338e21534c6d91842201
SSDEEP

3145728:yYj7E+aREYwAT2roh0SgtY0NtZns6FUEF:Pj7QrTwoWSetZnsWUE

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Badlion Client\licenses\caffeine.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\de.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\en-GB.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\ko.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\LICENSE.electron.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\ja.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\tiny-process-library.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\vk_swiftshader_icd.json	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\Badlion Client.exe	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\uk.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\es.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\resources\elevate.exe	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\lunatriuscore.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\cs.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\te.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\resources\app.asar	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\freetype.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\lv.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\nb.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\resources\app.asar	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\d3dcompiler_47.dll	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\ffmpeg.dll	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\aperature.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\cursors\copy_drop.cur	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\pl.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\d3dcompiler_47.dll	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\libEGL.dll	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\cursors\col_resize.cur	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\cursors\invalid.cur	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\cursors\invalid.cur	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\libs\disruptor-3.4.2.jar	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\libs\lz4-java-1.7.1.jar	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\notosansjp.font.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\sw.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\native-modules\badlion_js.dll	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\cursors\hand_grabbing.cur	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\sr.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\ta.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\tr.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\licenses.dependencies.txt	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\vk_swiftshader_icd.json	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\cursors\zoom_in.cur	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\icudtl.dat	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\locales\fr.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\he.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\cursors\col_resize.png	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\cursors\zoom_in.cur	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\cursors\zoom_out.cur	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\libs\lz4-java-1.7.1.jar	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\skyblockaddons.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\hi.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\sv.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\tr.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\cursors\row_resize.png	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\resources\roots.pem	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\licenses\quickplay.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\hr.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\chrome_100_percent.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\notoserifkr.font.license.txt	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\ar.pak	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\locales\ca.pak	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\v8_context_snapshot.bin	Badlion Client Setup 3.16.0.exe
File opened for modification	C:\Program Files\Badlion Client\native-modules	Badlion Client Setup 3.16.0.exe
File created	C:\Program Files\Badlion Client\licenses\xxhash.license.txt	Badlion Client Setup 3.16.0.exe

Loads dropped DLL 16 IoCs

pid	Process
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
2344	Badlion Client Setup 3.16.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe
2344	Badlion Client Setup 3.16.0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2344	Badlion Client Setup 3.16.0.exe

C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 3.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\Badlion Client Setup 3.16.0.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
C:\Program Files\Badlion Client\licenses\lz4-java.license.txt

Filesize
11KB

MD5
0ba5044c64ef53cb0189c9546081e228

SHA1
c8bc7df08db9dd3b39c2c2259a163a36cf2f6808

SHA256
49bbe9114e49214df2ccc324cb3ac8d1d1aa1c3a0947f94c286765e86647b32e

SHA512
a7ce8c7f21c031e4e6d037f4eabe8b200b8f1470731c05ea86028171f2964310dadc5def814d2d65164fbd23d720ecfd4d479ff5e269e519c787b4db96c7724f

Download Submit
C:\Program Files\Badlion Client\licenses\notoseriftc.font.license.txt

Filesize
4KB

MD5
bec6f772ed2e38634da53c388c30437d

SHA1
43513d1f6a1329962106efc212457e1d6ef9e980

SHA256
7f18ec1ebb6b50e3ed0f74b2c61f25b8d7cd69e43f4de66e991bcfd3c419a8bb

SHA512
de6c45f891db9add2d253939f35739f3c246ab93f6bde97232ecf32fadcf0afcadea4aa632e44df4ddc0e3b80e1db669f4769e9d59a04a4e38888b530fb050f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse40E9.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse40E9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse40E9.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Program Files\Badlion Client\Badlion Client.exe

Filesize
134.1MB

MD5
b33e52c1348b7b7ccbb9d97d533596c2

SHA1
926539a521dc653e21e19f96b31d3e20e7464186

SHA256
032cb2e6b7eb4267ea5644ae4c6d21d6716335e6e3f85f522e8d54804ff370bb

SHA512
d6460c2b1844077e07378f6507efe256f2bb980d23b2ed028c080b06bab020296db290a6574d8bd67b5b21419f77bcf52f25872d0d89076ec94dffd14eb4ab04

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\NSISdl.dll

Filesize
15KB

MD5
ba2cc9634ebed71cea697a31144af802

SHA1
8221c522b24f4808f66a476381db3e6455eab5c3

SHA256
9a3c2fe5490c34f73f1a05899ef60cfef05e0c9599cd704e524ef7a46ead67ba

SHA512
dcc74bcedd9402f7ac7e2d1872fe0e2876ae93cf8bbd869d5b9b7b56cea244ba8d2891fa2b51382092b86480337936f5ec495d9005d47fbfd9e2b71cb7f6ba8f

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nse40E9.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit