Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08/05/2024, 22:00
Behavioral task behavioral1
Sample: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Resource: win10v2004-20240508-en
General
Target: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Size: 91KB
MD5: b1d40ed23f434400f1332a468bdd75d0
SHA1: 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA512: bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec
SSDEEP: 1536:9a8jroAbRB+XWCQLZeIdSwkRa8jroAbRB+XWCQLZeIdSwky:LFRBLJSpFRBLJS8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
    processes: lsass.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
    processes: babon.exe, winlogon.exe, csrss.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, lsass.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    processes: csrss.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe
Detects executables packed with ASPack (64 IoCs)
yara_rule: INDICATOR_EXE_Packed_ASPack, matched on the following resources
dropped files:
    behavioral1/files/0x00070000000143db-8.dat
    behavioral1/files/0x00090000000145be-104.dat
    behavioral1/files/0x0006000000015686-109.dat
    behavioral1/files/0x0006000000015b6e-121.dat
    behavioral1/files/0x0006000000015bf4-132.dat
    behavioral1/files/0x0006000000015cb8-142.dat
    behavioral1/files/0x0006000000015cc7-158.dat
    behavioral1/files/0x0006000000015cc7-190.dat
    behavioral1/files/0x0006000000015693-248.dat
    behavioral1/files/0x0006000000015678-246.dat
    behavioral1/files/0x0006000000015678-310.dat
    behavioral1/files/0x0006000000015670-307.dat
    behavioral1/files/0x0008000000015609-306.dat
    behavioral1/files/0x0006000000015cc7-305.dat
    behavioral1/files/0x0006000000015670-243.dat
    behavioral1/files/0x0008000000015609-242.dat
    behavioral1/files/0x0006000000015cc7-241.dat
memory regions:
    behavioral1/memory/2280-0-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2280-100-0x0000000002560000-0x0000000002583000-memory.dmp
    behavioral1/memory/1504-106-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2280-110-0x0000000002560000-0x0000000002583000-memory.dmp
    behavioral1/memory/2280-124-0x0000000002560000-0x0000000002583000-memory.dmp
    behavioral1/memory/1464-131-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2280-134-0x0000000002560000-0x0000000002583000-memory.dmp
    behavioral1/memory/1660-150-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2280-154-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2804-189-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1176-280-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/896-296-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1284-286-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2852-338-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/880-332-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/3012-303-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1176-294-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/896-292-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1456-276-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/536-231-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/300-238-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/536-209-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1504-208-0x00000000023A0000-0x00000000023C3000-memory.dmp
    behavioral1/memory/880-353-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2804-207-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2672-396-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2672-370-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1712-369-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1712-365-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2508-417-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2956-403-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/988-399-0x0000000001DE0000-0x0000000001E03000-memory.dmp
    behavioral1/memory/2920-420-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/3012-348-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2740-409-0x00000000005C0000-0x00000000005E3000-memory.dmp
    behavioral1/memory/2300-414-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/824-408-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2956-416-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2508-426-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2740-439-0x00000000005C0000-0x00000000005E3000-memory.dmp
    behavioral1/memory/2920-428-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1600-443-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2820-445-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2524-438-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1352-435-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/2936-453-0x0000000000400000-0x0000000000423000-memory.dmp
    behavioral1/memory/1604-455-0x0000000000400000-0x0000000000423000-memory.dmp
Disables RegEdit via registry modification (6 IoCs)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    processes: csrss.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe
Disables use of System Restore points (1 TTPs)
yara_rule: aspack_v212_v242, matched on the following dropped files
    behavioral1/files/0x00070000000143db-8.dat
    behavioral1/files/0x00090000000145be-104.dat
    behavioral1/files/0x0006000000015686-109.dat
    behavioral1/files/0x0006000000015b6e-121.dat
    behavioral1/files/0x0006000000015bf4-132.dat
    behavioral1/files/0x0006000000015cb8-142.dat
    behavioral1/files/0x0006000000015cc7-158.dat
    behavioral1/files/0x0006000000015cc7-190.dat
    behavioral1/files/0x0006000000015693-248.dat
    behavioral1/files/0x0006000000015678-246.dat
    behavioral1/files/0x0006000000015678-310.dat
    behavioral1/files/0x0006000000015670-307.dat
    behavioral1/files/0x0008000000015609-306.dat
    behavioral1/files/0x0006000000015cc7-305.dat
    behavioral1/files/0x0006000000015670-243.dat
    behavioral1/files/0x0008000000015609-242.dat
    behavioral1/files/0x0006000000015cc7-241.dat
Executes dropped EXE (30 IoCs)
pid   Process
1504  babon.exe
2740  IExplorer.exe
1464  winlogon.exe
988   csrss.exe
1660  lsass.exe
2804  babon.exe
536   IExplorer.exe
824   babon.exe
300   winlogon.exe
1456  babon.exe
1284  IExplorer.exe
1176  csrss.exe
896   winlogon.exe
3012  csrss.exe
2852  lsass.exe
880   babon.exe
1712  lsass.exe
2672  IExplorer.exe
2300  babon.exe
2956  winlogon.exe
2508  IExplorer.exe
2920  csrss.exe
2524  IExplorer.exe
1600  winlogon.exe
1352  lsass.exe
2480  winlogon.exe
2820  csrss.exe
2936  lsass.exe
1604  csrss.exe
1772  lsass.exe
Loads dropped DLL (45 IoCs)
pid   Process                                                                  loads
2280  468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe  8
1504  babon.exe                                                                8
1464  winlogon.exe                                                             7
988   csrss.exe                                                                7
2740  IExplorer.exe                                                            8
1660  lsass.exe                                                                7
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    processes: lsass.exe, winlogon.exe, IExplorer.exe, babon.exe, csrss.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    processes: babon.exe, csrss.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, winlogon.exe, IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    processes: winlogon.exe, babon.exe, csrss.exe, IExplorer.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, winlogon.exe, lsass.exe, csrss.exe, babon.exe, IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    processes: csrss.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, lsass.exe, babon.exe, IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, lsass.exe, IExplorer.exe, babon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    processes: IExplorer.exe, csrss.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, lsass.exe, babon.exe, winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    processes: winlogon.exe, IExplorer.exe, csrss.exe, babon.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, lsass.exe, winlogon.exe, csrss.exe, babon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
    processes: winlogon.exe, babon.exe, IExplorer.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, csrss.exe, lsass.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    processes: winlogon.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, lsass.exe, IExplorer.exe, babon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
    processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"
    processes: winlogon.exe, lsass.exe, IExplorer.exe, babon.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"
    processes: csrss.exe, IExplorer.exe, winlogon.exe, lsass.exe, babon.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
    processes: lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, winlogon.exe, babon.exe, IExplorer.exe, csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"
    processes: winlogon.exe, csrss.exe, babon.exe, IExplorer.exe, lsass.exe, 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
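The registry signatures above (the Winlogon Userinit and Shell values, the Explorer and Policies values, the exefile/comfile/batfile/lnkfile/piffile open handlers and the Run keys) are easier to act on once each write is compared with what that location holds on a clean machine. The Python below is an added example, not code from tria.ge or from the sample. It parses rows in the form the report uses for each row (`Set value (<type>) <NT key path> = "<data>" <process>`), maps `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` to hive aliases, folds the `Wow6432Node` redirect, and classifies every write against a baseline of clean-install values that is this example's own assumption. Two caveats are built in: `HideFileExt = "1"` and `ShowSuperHidden = "0"` are what Explorer ships with, so those rows come back as `default` (notable only because a dropped executable wrote them), and any value under a `Run` key is reported as `autostart` whatever its data. The sample rows are copies of rows from the tables above; the `.reg` text the example emits restores only values that have a baseline entry.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: one row copied from each registry signature table in the report.
SAMPLE_RECORDS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" babon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" babon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" winlogon.exe
'''

# One row as the report renders it; the process name is the last whitespace-free token.
RECORD_RE = re.compile(r'^Set value \((?P<kind>str|int)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# ASSUMED clean-install data for the locations this sample writes (None = value normally absent).
# The two Explorer\Advanced entries are Windows' own defaults; the sample merely re-asserts them.
BASELINE = {
    ('HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'Userinit'): 'C:\\Windows\\system32\\userinit.exe,',
    ('HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'Shell'): 'explorer.exe',
    ('HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command', '(Default)'): '"%1" %*',
    ('HKLM\\SOFTWARE\\Classes\\exefile', '(Default)'): 'Application',
    ('HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System', 'DisableCMD'): None,
    ('HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System', 'DisableRegistryTools'): None,
    ('HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced', 'HideFileExt'): '1',
    ('HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced', 'ShowSuperHidden'): '0',
}

@dataclass
class RegWrite:
    key: str   # normalised key, e.g. HKLM\SOFTWARE\...\Winlogon
    name: str  # value name, "(Default)" for the key's default value
    data: str  # data with the report's \" and \\ escaping undone
    kind: str  # "str" or "int" as the sandbox reported it
    proc: str  # image name of the writing process

def normalise_key(raw: str) -> tuple[str, str]:
    """Map the NT object path to a hive alias, drop the WOW64 redirect, split off the value name."""
    for prefix, alias in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if raw.startswith(prefix):
            raw = alias + raw[len(prefix):]
    raw = raw.replace('\\Wow6432Node\\', '\\')  # 32-bit writer on x64: same logical key
    key, _, name = raw.rpartition('\\')
    return key, (name or '(Default)')

def parse(text: str) -> list[RegWrite]:
    writes = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # "Key created ..." rows carry no data to compare
        key, name = normalise_key(m['key'])
        data = re.sub(r'\\(.)', r'\1', m['data'])  # undo the report's \" and \\ escaping
        writes.append(RegWrite(key, name, data, m['kind'], m['proc']))
    return writes

def generic_id(w: RegWrite) -> tuple[str, str]:
    """Baseline lookup key: the user SID is replaced so one entry covers any user hive."""
    return re.sub(r'^HKU\\S-1-5-[\d-]+', lambda _: 'HKU\\<SID>', w.key), w.name

def assess(w: RegWrite) -> str:
    """'tampered': differs from baseline; 'default': equals baseline (suspicious only because of
    who wrote it); 'autostart': a Run value, relevant regardless of data; 'unknown': no baseline."""
    if generic_id(w) in BASELINE:
        expected = BASELINE[generic_id(w)]
        if expected is None or w.data.lower() != expected.lower():
            return 'tampered'
        return 'default'
    if w.key.lower().endswith('\\currentversion\\run'):
        return 'autostart'
    return 'unknown'

def restore_reg(writes: list[RegWrite]) -> str:
    """Build a .reg file that puts every tampered value back to the assumed baseline;
    values the baseline says should not exist are deleted with the '=-' syntax."""
    out, done = ['Windows Registry Editor Version 5.00'], set()
    for w in writes:
        if assess(w) != 'tampered' or (w.key, w.name) in done:
            continue
        done.add((w.key, w.name))
        expected = BASELINE[generic_id(w)]
        hive = w.key.replace('HKLM\\', 'HKEY_LOCAL_MACHINE\\', 1).replace('HKU\\', 'HKEY_USERS\\', 1)
        name = '@' if w.name == '(Default)' else f'"{w.name}"'
        value = '-' if expected is None else '"' + expected.replace('\\', '\\\\').replace('"', '\\"') + '"'
        out += ['', f'[{hive}]', f'{name}={value}']
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    for w in parse(SAMPLE_RECORDS):
        print(f'{assess(w):9} {w.key}\\{w.name} <- {w.proc}')
    print(restore_reg(parse(SAMPLE_RECORDS)))
```

Run as a script it prints one verdict per row and then the restore file; imported, `parse` and `assess` work on any number of rows pasted from a report. The baseline is deliberately small and explicit: extend `BASELINE` rather than guessing, because a wrong "expected" value in a `.reg` is itself a configuration change. When applying the output on a host that has run this sample, use `reg import` from an existing console rather than double-clicking the file: `DisableRegistryTools` gates regedit.exe, and the hijacked exefile handler intercepts ShellExecute launches (double-click, Run dialog), not processes started directly from a console.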
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), by process:
babon.exe: \??\B:, \??\E:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\R:, \??\S:, \??\W:, \??\X:, \??\Y:, \??\Z:
winlogon.exe: \??\B:, \??\I:, \??\J:, \??\K:, \??\N:, \??\O:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\X:, \??\Z:
csrss.exe: \??\G:, \??\H:, \??\J:, \??\K:, \??\M:, \??\N:, \??\P:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
IExplorer.exe: \??\G:, \??\H:, \??\K:, \??\N:, \??\O:, \??\Q:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
lsass.exe: \??\B:, \??\E:, \??\I:, \??\J:, \??\L:, \??\Q:, \??\R:, \??\S:, \??\U:, \??\W:, \??\Y:, \??\Z:
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" (all six processes)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" (all six processes)
(18 rows in the original: each of the six processes creates the key and writes both values. LegalNoticeCaption and LegalNoticeText are shown by Winlogon as a notice the user must dismiss before the credential prompt, so the infection announces itself at the next logon; the text is a useful string indicator for this family.)
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created F:\autorun.inf babon.exe
File opened for modification F:\autorun.inf babon.exe
File created C:\autorun.inf babon.exe
File opened for modification C:\autorun.inf babon.exe
(Only babon.exe writes the file, on the system volume and on the F: volume the sandbox exposes. Windows 7 and later only honour autorun.inf on optical media, and XP/Vista stopped honouring it on USB and fixed drives with KB971029, so on patched hosts the file is an indicator of a visited volume rather than an infection vector.)
-
Drops file in System32 directory 38 IoCs
description ioc Process
File created C:\Windows\SysWOW64\IExplorer.exe (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
File opened for modification C:\Windows\SysWOW64\IExplorer.exe (all six processes)
File created C:\Windows\SysWOW64\shell.exe 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification C:\Windows\SysWOW64\shell.exe (all six processes)
File created C:\Windows\SysWOW64\babon.scr 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification C:\Windows\SysWOW64\babon.scr (all six processes)
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe (6 rows)
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe (6 rows)
(38 rows in the original, grouped here by file. msvbvm60.dll is the Visual Basic 6 runtime, dropped alongside the worm so it runs on hosts without it. The files land in SysWOW64 although the registry values below name C:\Windows\system32: the sample is a 32-bit (WOW64) process, and WOW64 file-system redirection sends its writes to system32 into SysWOW64. A 64-bit reader of those values, such as explorer.exe or winlogon.exe on this x64 image, looks in the real System32, where shell.exe, IExplorer.exe and babon.scr do not exist; keep that in mind when reproducing the persistence on a 32-bit image, where the paths line up.)
-
Drops file in Windows directory 24 IoCs
description ioc Process
File created C:\Windows\babon.exe (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
File opened for modification C:\Windows\babon.exe (all six processes)
File created C:\Windows\msvbvm60.dll IExplorer.exe (6 rows)
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe (6 rows)
(24 rows in the original, grouped here by file.)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 54 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ (all six processes)
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" (all six processes)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" (all six processes)
(54 rows in the original: nine entries, each written by all six processes. The three Desktop values make the dropped babon.SCR run as the screensaver after 600 seconds idle without locking the session (ScreenSaverIsSecure = 0), a per-user persistence path that survives cleaning the Winlogon key; check HKCU\Control Panel\Desktop\SCRNSAVE.EXE on every profile of an infected host. SwapMouseButtons = 1 swaps the left and right buttons, and s1159/s2359 replace the AM/PM designators, both prank payloads.)
-
Modifies Internet Explorer settings 18 IoCs (signature heading missing from this copy of the page; reconstructed from the rows)
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" (all six processes)
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" (all six processes)
(18 rows in the original, grouped here by value.)
-
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
-
Modifies registry class 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, winlogon.exe, lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe, lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (all six processes: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, csrss.exe, lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, winlogon.exe, lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe, csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command (all six processes)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, winlogon.exe, lsass.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile, \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell, \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, IExplorer.exe, csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} (the Computer namespace object) 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, IExplorer.exe, lsass.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin namespace object) 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe, babon.exe, csrss.exe, lsass.exe
(The report caps this table at 64 rows, so not every process/key pair is listed, and no values are recorded under the two CLSID keys. Repointing the open command of exefile, comfile, batfile, piffile and lnkfile from the default "%1" %* to the dropped shell.exe routes every program, script and shortcut the user opens from Explorer through the worm first; it also makes cleanup order matter, because deleting shell.exe while these values remain leaves Explorer unable to launch any .exe until the defaults are restored. lnkfile has no shell\open\command by default, hence the three "Key created" rows for its parents. Setting the exefile default to "File Folder" only changes the Type column shown in Explorer. The inffile\shell\Install\command value points at C:\WINDOWS\win\system\host32.exe, a path that does not appear among the files dropped in this report.)
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process
1504 babon.exe
988 csrss.exe
1464 winlogon.exe
1660 lsass.exe
2740 IExplorer.exe
-
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
1504, 2804, 1456, 880, 824, 2300 babon.exe
2740, 536, 1284, 2672, 2508, 2524 IExplorer.exe
1464, 300, 896, 2956, 1600, 2480 winlogon.exe
988, 1176, 3012, 2920, 2820, 1604 csrss.exe
1660, 2852, 1712, 1352, 2936, 1772 lsass.exe
(31 processes: the sample plus six copies under each of the five dropped names, grouped here by image name.)
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2280 wrote to memory of 1504 2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe 28
PID 2280 wrote to memory of 2740 2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe 29
PID 2280 wrote to memory of 1464 2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe 30
PID 2280 wrote to memory of 988 2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe 31
PID 2280 wrote to memory of 1660 2280 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe 32
PID 1504 wrote to memory of 2804 1504 babon.exe 33
PID 1504 wrote to memory of 536 1504 babon.exe 34
PID 2740 wrote to memory of 824 2740 IExplorer.exe 35
PID 1504 wrote to memory of 300 1504 babon.exe 36
PID 1504 wrote to memory of 1176 1504 babon.exe 37
PID 1464 wrote to memory of 1456 1464 winlogon.exe 38
PID 1464 wrote to memory of 1284 1464 winlogon.exe 39
PID 1464 wrote to memory of 896 1464 winlogon.exe 40
PID 1504 wrote to memory of 2852 1504 babon.exe 41
PID 1464 wrote to memory of 3012 1464 winlogon.exe 42
PID 988 wrote to memory of 880 988 csrss.exe 43
(Each of these 16 parent/child pairs appears four times in the original, which is where the 64 rows come from; the table is capped at 64, so later children are not listed. Every target is one of the worm's own copies (compare the pids in the SetWindowsHookEx table), and a burst of a few WriteProcessMemory calls into a just-created child is what CreateProcess itself does on Windows 7 when it sets up the new process, so this signature records self-replication rather than injection into a foreign process.)
-
System policy modification 1 TTPs 12 IoCs
description      ioc                                                                                     Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              csrss.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              lsass.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  lsass.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              babon.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  babon.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              winlogon.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  csrss.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System              IExplorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  IExplorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"  winlogon.exe
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe (command line: "C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2280
Depth 2: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1504
Depth 3: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804
Depth 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:536
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:300
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1176
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852
Depth 2: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2740
Depth 3: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:824
Depth 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2508
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2820
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2936
Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1464
Depth 3: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1456
Depth 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1284
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1712
Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:988
Depth 3: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880
Depth 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2672
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2956
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1352
Depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1660
Depth 3: C:\Windows\babon.exe (command line: C:\Windows\babon.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300
Depth 3: C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2524
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2480
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604
Depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe")
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads