35fe663449b8fe601959fcfcbcc4907eb503283000418a35ba0743fa2f2d51bc

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0abd8450f48191489afe58f685a40098.exe
Size

1.8MB
MD5

0abd8450f48191489afe58f685a40098
SHA1

f6e0e5de52cd230e03a34b6f11e1f3a34a013ee9
SHA256

35fe663449b8fe601959fcfcbcc4907eb503283000418a35ba0743fa2f2d51bc
SHA512

c06b7793de95b47bb0a03da2c43a53e34106f4f30fb1233fda0abf11a4847e9dd579757e03390e604101ac9188a54b1aa4368319c06c8481ea707a3614076fd9
SSDEEP

49152:vseXldnEFNrYzjUWSG8Fd0qW9BT2HxKkaBdPk30Vv:keyFNrYzjUzeXBW30V

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	extensions.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	WinPump.exe

Executes dropped EXE 5 IoCs

pid	Process
464	extensions.exe
2988	WinPump.exe
3496	BABYLON.EXE
3096	Setup.exe
2308	pumpa.exe

Loads dropped DLL 3 IoCs

pid	Process
3096	Setup.exe
3096	Setup.exe
3096	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18708"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/home?AF=18708"	Setup.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	WinPump.exe
2988	WinPump.exe
3096	Setup.exe
3096	Setup.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe
2988	WinPump.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3096	Setup.exe
Token: SeTakeOwnershipPrivilege	3096	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2988	WinPump.exe
2988	WinPump.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 464	2352	0abd8450f48191489afe58f685a40098.exe	92
PID 2352 wrote to memory of 464	2352	0abd8450f48191489afe58f685a40098.exe	92
PID 2352 wrote to memory of 464	2352	0abd8450f48191489afe58f685a40098.exe	92
PID 2352 wrote to memory of 2988	2352	0abd8450f48191489afe58f685a40098.exe	93
PID 2352 wrote to memory of 2988	2352	0abd8450f48191489afe58f685a40098.exe	93
PID 2352 wrote to memory of 2988	2352	0abd8450f48191489afe58f685a40098.exe	93
PID 464 wrote to memory of 3496	464	extensions.exe	94
PID 464 wrote to memory of 3496	464	extensions.exe	94
PID 464 wrote to memory of 3496	464	extensions.exe	94
PID 3496 wrote to memory of 3096	3496	BABYLON.EXE	95
PID 3496 wrote to memory of 3096	3496	BABYLON.EXE	95
PID 3496 wrote to memory of 3096	3496	BABYLON.EXE	95
PID 2988 wrote to memory of 2308	2988	WinPump.exe	98
PID 2988 wrote to memory of 2308	2988	WinPump.exe	98
PID 2988 wrote to memory of 2308	2988	WinPump.exe	98

C:\Users\Admin\AppData\Local\Temp\0abd8450f48191489afe58f685a40098.exe
"C:\Users\Admin\AppData\Local\Temp\0abd8450f48191489afe58f685a40098.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe
  C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe /aff=901 /saff=1500
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE
    "C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE" -affilID=18708
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\Setup.exe" -s -affilID=18708
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3096
- C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe
  "C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe" ""
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Roaming\WinPump\pumpa.exe
    "C:\Users\Admin\AppData\Roaming\WinPump\pumpa.exe"
    3⤵
    - Executes dropped EXE
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE

Filesize
98KB

MD5
31815dd1194f4e011a4726e452cb9dcd

SHA1
cf1587122a1fd1691afdceeba3301ab88e444cc3

SHA256
15fc76b6941c1a53f078a6f83ba3f781e071846026d0d36dfbc494cbd2215ece

SHA512
6a250ac56763f3b5699786708690e8bd6af9329b09d5419315c31bfaf8f7d1d9791a519b3d0c2e418a3fb2caad4fba268b17bc3f96ee7c6415d0c4536d1a62eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE

Filesize
93KB

MD5
5963ef460c324f24b45ea17c4da38d99

SHA1
ce444e69d15ff2858209bcd669f81ffa7c2bf44b

SHA256
5c7dc8fa0d67f6747cf719e702f44494e564960673a392b33fde2b38137f3ca3

SHA512
1656cb9316eaefe8e6e98037fd9788abacc0c95d0c71e1aa378ba778c3a68a303ff5ba0bde6b55d7b576338e5911ebc99be310df99fc65caa6bb216dc334f145

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\BException.dll

Filesize
93KB

MD5
2c97efc274997e886a26adce3dabc4c8

SHA1
a612f9d8c093744b102639727bf9df6366d3ae97

SHA256
3e12fb25288ae1eabb320d9d2498de02c25272a808c62ec821b8dbc27f5cddad

SHA512
b7c75038862fed41e971232d4f84ab9011d89da8ceda02aec937de853c5b26c2d7a1bd26936f024c3d229aa6d4ff7d4a800fdec58fe0ed2de8759e50bc855cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\BException.dll

Filesize
109KB

MD5
dc4b422a67d4260198f67e14476b1a66

SHA1
1cfca2b1dd1511f36cf2aa1871a7292c58431ec7

SHA256
e1218f416c7adbc11adc9e1695844581b8cb646fc76a22cd9eebe3a3732b8b7f

SHA512
7b498f5fbe14b6badfba4418ec666719405b9cd694be1a12f26ab00bcb1b5942804eadc58fa0f5b885b92a66ba5305e86fcf94ed69b2966c2f2a30903e137e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\BabyServices.DLL

Filesize
85KB

MD5
162381ece0ced7e9ec54dace1a4c7813

SHA1
4081a4c30cf68ff5a7f9d2a082c9eca98c38cbbb

SHA256
a75c17222e581dec7e7a25916a3a4e58337fc1a905056553e4343a0ca709754a

SHA512
35be4c466816b433f1978dd7bd0aa4cbe2a75243889dc739328d2774783ca84af36483061d4db6e50522a96ad312c7e5685b556e464eb35c28fda21f1524b6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\BabyServices.dll

Filesize
92KB

MD5
ef7c43ae508ca45f93e024364425322c

SHA1
492183c3b6272c252fb08910069480eb8eede66b

SHA256
13a88c3c730e605cbd8d3c1a9a69416f61ff8bdb6f4bbba71fc5b73a94b93975

SHA512
a98db42a18a574af60a9103edc3e603607b9fd687ec5c9d75cb9d2853cbaae635a7d5f6c3ee9e8d53c81d51a13fe7d231efbdf99795220dbd2b90a891732d302

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\Setup.exe

Filesize
93KB

MD5
9dbe2a0dce20e6be0efedcb2d651b392

SHA1
7420a8f18bb0066e50b916278c357e1e8a7ab8db

SHA256
569960638b47e20bf20849630ac1334fbaa459c2a6fd4d2ac19fd5eaa2fd478d

SHA512
96ca171cb7e03a7eec0a1af8c67f05bd646fc2e140a12f7ecf0c9c2c02ed5ad97019f1c946cd26cd9b2be1125b62cf99a1686bc538e5165f275cd28d5d73d2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{008C7C0E-BAB0-7891-9C4A-F2235D039334}\Setup.exe

Filesize
382KB

MD5
aaf9c16c687886ab85ebffb043067943

SHA1
0ac431d7e5710ad70555f0f3b2ad50aeebf91cbe

SHA256
59089b53f99295800b75e3f62fc33cfc932d1c6e794d06002ea76838774c938b

SHA512
927b99bd1ab3e7169187d3e25e0c04a02ed19180378774e939db85cb7c6a73e6d5b831f0e2da4b3ad5b77d8ccdfaa3ffd95858559c1a8928d29de7157c6de56d

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe

Filesize
1.1MB

MD5
dc904763017252f44c0ea014fcd3ed25

SHA1
b18a629ec2c02ef2a0bdc346ff48dbe60f425177

SHA256
3b1c395887e1f6b3fc2dae0d864a83dd8fadb53939755c1eccecdd98eee17e26

SHA512
a9122bfa940c608af2703062dc9686e62d98de8b62e3942eb7d9fda01feca1c53d8a80a404584a4b5cde0c9930b6a76619f845c8a10848c64d890c0074dc9fe9

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe

Filesize
320KB

MD5
dd11527cfb685e0333509966844e0d7e

SHA1
e63609c2092208270f7910a4954bb92a1d574e07

SHA256
bf82b83a91c607ffa657966ee83f9df7c4992570a46d1a7c19b17be348a13e89

SHA512
c5eb59b8bdcd6634dc1e1775bb0c69ee8506b27e5eaf2fa59780aa3dfbd50a10ff7f9e118d67ca62939179aef6fa7dd9eab2eddf281b1c794f722e2e78bf6e2f

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe

Filesize
221KB

MD5
2b82cc1919897e5b9325b4141b3be432

SHA1
b1e980424c4fa18c4bdfaab486837147b9bda84c

SHA256
8ce20d819034d8878af18150a1cc21f09e0636bc31e996cebba2ea92a4952b68

SHA512
fe29b712c2db728adc2a98e9fb9c3c9aa93fa9227bb3ade9f9f5b9ab24aeace9d5c40dab2572806ddb6012eadb0d377f8efb719e26fc86beeb14cf32aabba039

Download Submit
memory/464-76-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/464-90-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2988-14-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2988-77-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/2988-80-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/3096-40-0x00000000022F0000-0x00000000023FE000-memory.dmp

Filesize
1.1MB

Download