3ba30ffbb1a0059f5d0c2de7b38a33ba05031404d8cd8c970e50861e4c892475

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Babylon12_Setup.exe
Size

670KB
MD5

5cc9e44078f5a9740fa7692c8252a25a
SHA1

ad2256d2cf6d13e8aef26089bafa70c480c73623
SHA256

3ba30ffbb1a0059f5d0c2de7b38a33ba05031404d8cd8c970e50861e4c892475
SHA512

e024c97ca1273cd0660d128aad5ba44aa020701f50b9b6fd391576c652967876a7ea5cb18a84ef3a6b95a376d0cfe1d3c2119d9afd32d34378235ee369b002fa
SSDEEP

12288:7Wb5/jrfSV8RvOSmnIYVrr9bw9nwqfFBDuYGW+f7Ybf0H7n239fV:7gF3fSCRmSdyG9jlXGW+fv239t

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

2508 setup.exe
Loads dropped DLL 3 IoCs

Processes:

setup.exerundll32.exe

pid process

2508 setup.exe
2768 rundll32.exe
2508 setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2508	setup.exe

pid	process
2508	setup.exe
2768	rundll32.exe
2508	setup.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\IESettingSync	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	setup.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

setup.exe

pid process

2508 setup.exe
2508 setup.exe
2508 setup.exe
2508 setup.exe
2508 setup.exe
2508 setup.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup.exe

pid process

2508 setup.exe
2508 setup.exe

pid	process
2508	setup.exe
2508	setup.exe
2508	setup.exe
2508	setup.exe
2508	setup.exe
2508	setup.exe

pid	process
2508	setup.exe
2508	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Babylon12_Setup.exe

description	pid	process	target process
PID 4316 wrote to memory of 2508	4316	Babylon12_Setup.exe	setup.exe
PID 4316 wrote to memory of 2508	4316	Babylon12_Setup.exe	setup.exe
PID 4316 wrote to memory of 2508	4316	Babylon12_Setup.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\Babylon12_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Babylon12_Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\setup.exe
"C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\{CF4A4~1\IECOOK~1.DLL,UpdateProtectedModeCookieCache affilID|http://babylon-software.com
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__1D255EF91A51290F\Setup-client_cae2be57.zpb
Filesize
5.9MB

MD5
007acc9f4cf1d2037876784d7a10a9e0

SHA1
a761d0d7e507b711aeea95e877a9f63e1901f2ef

SHA256
5a27919e72079d7898abfca342ee7980734203ab2ef4f718d81d5fca9132c4fd

SHA512
0f3d2d9ab6e01e982a99304c7bf9cac60cdfc45a1789ad623ecce157b32d16277b3c516e19fc05aeedb1b59b6a0421bb27fec46529e1278aafb6d751b560515e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__1D255EF91A51290F\Setup-files_fd926fac.zpb
Filesize
159KB

MD5
72fb5450b0d0e9242d5c7ff6cf62e4d1

SHA1
da27e88635e071e94126ca3acab4f50a5991ac2c

SHA256
9929a83ffc94bda7baf732ace3316aca085afcbd3b0de45a6bf8f4d40a351e6a

SHA512
64708300946b9fa1db6206b8d067615296a9af4baa6a63edcf80e72cf42728a8e50c9e39a2a2079f9b23c075afd3f8483767e87347756a0491b0b76c6ae1883b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__1D255EF91A51290F\Setup-tsrct_64b90bf0.zpb
Filesize
8.1MB

MD5
eb45d64442e9b12e0a9ccc2a5eda4ee6

SHA1
e8a1e3121729ae0179ca387155dcb25b9910a297

SHA256
f8f71bc1beeb954db5d89ca55d6094a2572d7a8d8440a641ae0b8b7b7cf6ed1b

SHA512
37bdf007e34ec18d7c59ca64447c60ebf3406a7d78b1dde0b32172a115d58e3c498d30f0a550f4b251723f1ccc7e20d1acd99e91a51d75642636b29be427d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__1D255EF91A51290F\Setup-w64_ee21e6ac.zpb
Filesize
263KB

MD5
ee6bb1966c5d3af6fa6e9c74c90c419b

SHA1
e501a11c8ab1fb96f3090b07921a0e33d31c431b

SHA256
a8575b3800cc26991bde8ba09353ea32bd2d7ee35b082645985fbb1bfa59dcdf

SHA512
6fc26eefcc3b21e71010add7943b728757cd3a4cbc59f593e760b2239d9349dc6e360934c909217f5bfb7f210ee18e05e385af5da93c8d470f82ccf6ba486212

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\AbortPage.aoi
Filesize
172B

MD5
7ac8227fb82182da706dfbb26044c977

SHA1
00c29bd1e6c04f265e6ac70d9b56c8da7855f78c

SHA256
a509f4b818e7fc359cf104cd4f320b3116c4b1e4e06c826b4279808194eaf276

SHA512
272f89b7a4bcecfac91f0ee7f73e372f13fa172bb31a734904a09a5300465a6cad0cac1920f45a6a47813564c29706d2a5327c166a79e3dfbe72170b6a3f664a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\ClientSetup.aoi
Filesize
190B

MD5
c7cefa16289de8830edbe5a693386f74

SHA1
393cff22ff616d03e2623b42c49d163fd3548536

SHA256
794d60dfd8d3652d914f6210113657a552c39f8a972c58236f172a6d57bffe2e

SHA512
d6eb73a2c8daf679961017567a712eca709c27640825d736e748fafc5341d3e82bf7e959d02032a018d1dad1337cd880dd651bb95e2b12144a0df9aa14e4b157

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\ClientSetupStart.aoi
Filesize
86B

MD5
1408225f8c6c919c3f7fdc3a0a70d9c4

SHA1
6ae23a3d57d0d09d182dd3fa24c8173c311aaf64

SHA256
4b91c539986a1083986741a3472b1b2e91ffa06d57f3916c82b0ec731ac568d4

SHA512
df359c41ad452c5833cb3693f829b95c2d4466b74dd655fd622f2f040912cd1debbe402a407e12ce1189e92449080286ea1290fc2797a3844eccd3107e53d295

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\ClientSetupStart.dll
Filesize
8KB

MD5
b76864cf7b4b3e220e14d108df981c57

SHA1
0571e35974a218650bd2ef487c4f443962b01a0c

SHA256
eb689b0bfcab08794f7ad33c63aeef12b26e0cc5183f11cea87e01e9ae7b8493

SHA512
17a28cef3fba618d498608c22a18e568ab3deb003594bc003685020838ff52d46e31b4356ff464934385cff7304866d5cfd0df50d730dadef53e07f8958c2ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\HtmlScreens\loading.html
Filesize
644B

MD5
3e800e2e002f460a1597e673fd8e8585

SHA1
d4f92749d9a9247a550a883466eb837dd1aa4ea4

SHA256
0698229d787a96a822a730a8a7670b8e8f7a4e7f7879db9d1bc2d5637db3913b

SHA512
b5770ff44df49b87198be5c7298228df9474e3fef7c6819eaa64b5ef03d5907fa1313610f460b1c11d190b33ebd579bc1c43d3eeb51d1d8fe2973806797b0418

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\HtmlScreens\pBar.gif
Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\Setup.exe
Filesize
1.1MB

MD5
8de9de6410fedeedc1d66cb1aa7e6b55

SHA1
c95531ac2408c2b2ce684e982e22f51c5306fe8e

SHA256
1dcbe2f9fbab8f1c71cd39edb981b4647f0700d1a30cd3bab87c34a7e41e17b7

SHA512
39f46897579db309294997dfcd4d6a70ad4e875eddc18f810c73c5e1a9e60eaabbb49d12badbf86f3f06d67324c4fa43f0b68bbc87320484f6bdc75b2fc6787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\Setup.ico
Filesize
31KB

MD5
dd7f9d6e00b90c9d463bb00d105a3b85

SHA1
7d645f32dfaf4f977965fef03bd693f66b2b8af5

SHA256
4f524c32357af8de0bd65cb9fe1bc3139683bbc5bccc64d8cbafdc72bb4da0a7

SHA512
0c46deb0016ec877e56caad2f3c1d5123e877aa032fdc03f536f3fab5ccc3792504b23135296a572acccb7b75b456efa5b8c9f6a08fc0077698a1bf4c06897dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\SetupStrings.dat
Filesize
16KB

MD5
29f499560e54ace4ac6d95c20f7a5e85

SHA1
d6e99033ecede912fb0403ae02d60141e1e6c67b

SHA256
1a13997c37bed6159085726f844de6455172cda3812be9b557422e3c6ef789d6

SHA512
cf71be7260776c84389a9ac34689a7f456ab3f806bfd9e04201ab068bb83c0bff890c7c7b4a644c061a30092a2554b9861058bd60293d3cd3fc1304ab06762c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\setup.exe
Filesize
529KB

MD5
0db6ee9333b1c439835238593799dd50

SHA1
0dd5d5d3bc4a3121644895a2efbae742d8b7e010

SHA256
59f5c0cdec6763058f408df8fbeadcc36d27cde6b7d792463908d6bc5b19cbe6

SHA512
34af6723b90eb4013d222966c1374320dca5cf51978a08e80e895a7f08f7f23c2eb9ca6612fc7d6df70553dc86c690d2236e970a0fb1fa797e2b667a02195f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\sqlite3.dll
Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A42BA-BAB0-7891-94E8-FBD7037CEE9B}\stp_bbl.dat
Filesize
280B

MD5
7722e3fff6c99bddaaf66252c322ea93

SHA1
64d936780e1a598b1e3d08a252bc3a1acd59d738

SHA256
0c7d9669aad062e26eb592f27772a15778842c1d81da280fc45f8c9fe4d08f6a

SHA512
f16caf5991cf3ce20d59378d954b75978c6c7c3c11d09ac871bf29fc9463e82387f81b29cf99cc3ad3d45d2c05be3b1572266e6610deb5b7b6a62d6d57c03831

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CF4A4~1\IECOOK~1.DLL
Filesize
9KB

MD5
abd901c6fee432c162aa229f5b45ff46

SHA1
c75aa78967b501bf285e1f902c75979169981806

SHA256
ce53a29075d1317863c453b74c1bbae045b00fa85b10e969d0cc93be3fccd030

SHA512
f55906fa73f06d01503ccf18431d3064055f8539b831c61344bb0dd2f0dde420ba6d3979e150e74aee420e482fa953ab4978f3a7797a271c7e659d573b290728

Download Submit
memory/2508-40-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download