Overview
overview
8Static
static
3Badlion Cl....1.exe
windows7-x64
4Badlion Cl....1.exe
windows10-2004-x64
8$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDIR/app-64.7z
windows7-x64
3$PLUGINSDIR/app-64.7z
windows10-2004-x64
7LICENSE.electron.txt
windows7-x64
1LICENSE.electron.txt
windows10-2004-x64
1chrome_100...nt.pak
windows7-x64
3chrome_100...nt.pak
windows10-2004-x64
3cursors/co...ze.cur
windows7-x64
3cursors/co...ze.cur
windows10-2004-x64
3cursors/co...ze.png
windows7-x64
3cursors/co...ze.png
windows10-2004-x64
3cursors/copy_drop.cur
windows7-x64
3cursors/copy_drop.cur
windows10-2004-x64
3cursors/hand_grab.png
windows7-x64
3cursors/hand_grab.png
windows10-2004-x64
3cursors/ha...ng.png
windows7-x64
3cursors/ha...ng.png
windows10-2004-x64
3cursors/link_drop.cur
windows7-x64
3cursors/link_drop.cur
windows10-2004-x64
3cursors/ro...ze.cur
windows7-x64
3cursors/ro...ze.cur
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22/02/2024, 18:13
Static task
static1
Behavioral task
behavioral1
Sample
Badlion Client Setup 4.0.1.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Badlion Client Setup 4.0.1.exe
Resource
win10v2004-20240221-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240221-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/app-64.7z
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/app-64.7z
Resource
win10v2004-20240221-en
Behavioral task
behavioral15
Sample
LICENSE.electron.txt
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
LICENSE.electron.txt
Resource
win10v2004-20240221-en
Behavioral task
behavioral17
Sample
chrome_100_percent.pak
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
chrome_100_percent.pak
Resource
win10v2004-20240221-en
Behavioral task
behavioral19
Sample
cursors/col_resize.cur
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
cursors/col_resize.cur
Resource
win10v2004-20240221-en
Behavioral task
behavioral21
Sample
cursors/col_resize.png
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
cursors/col_resize.png
Resource
win10v2004-20240221-en
Behavioral task
behavioral23
Sample
cursors/copy_drop.cur
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
cursors/copy_drop.cur
Resource
win10v2004-20240221-en
Behavioral task
behavioral25
Sample
cursors/hand_grab.png
Resource
win7-20240215-en
Behavioral task
behavioral26
Sample
cursors/hand_grab.png
Resource
win10v2004-20240221-en
Behavioral task
behavioral27
Sample
cursors/hand_grabbing.png
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
cursors/hand_grabbing.png
Resource
win10v2004-20240221-en
Behavioral task
behavioral29
Sample
cursors/link_drop.cur
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
cursors/link_drop.cur
Resource
win10v2004-20240221-en
Behavioral task
behavioral31
Sample
cursors/row_resize.cur
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
cursors/row_resize.cur
Resource
win10v2004-20240221-en
General
-
Target
chrome_100_percent.pak
-
Size
138KB
-
MD5
0fd0a948532d8c353c7227ae69ed7800
-
SHA1
c6679bfb70a212b6bc570cbdf3685946f8f9464c
-
SHA256
69a3916ed3a28cd5467b32474a3da1c639d059abbe78525a3466aa8b24c722bf
-
SHA512
0ee0d16ed2afd7ebd405dbe372c58fd3a38bb2074abc384f2c534545e62dfe26986b16df1266c5807a373e296fe810554c480b5175218192ffacd6942e3e2b27
-
SSDEEP
3072:48Kzw9bpM/OO3eS2Z8Gb0+VRLf0ld0GY3cQ3F2DExm/KLQ2I:9Kzw96/xm8Gb0OV8ld0GecQ3mExhLY
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak\ = "pak_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2372 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2372 AcroRd32.exe 2372 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2720 wrote to memory of 2752 2720 cmd.exe 29 PID 2720 wrote to memory of 2752 2720 cmd.exe 29 PID 2720 wrote to memory of 2752 2720 cmd.exe 29 PID 2752 wrote to memory of 2372 2752 rundll32.exe 32 PID 2752 wrote to memory of 2372 2752 rundll32.exe 32 PID 2752 wrote to memory of 2372 2752 rundll32.exe 32 PID 2752 wrote to memory of 2372 2752 rundll32.exe 32
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak1⤵
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.pak"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2372
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5d8d8aedca043ed321700c77b5d2adfc0
SHA1fec96818f45b59064cb18299606caa02bb8b12ba
SHA256ee9eb1f8c1fdf4506e65288e19973d3da202c794bf67d93992b750f8fe32a4d0
SHA512681eacc26b26da7623c478df967e5c46fe0eec89f818e0744b506a49d9fd1af0bffb2c2cd11f12f7faf5d1da4b6dcbec2d724abcd2f4fe062ba6d095a3a260e2