Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 08/05/2024, 22:00
Behavioral task: behavioral1
Sample: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Resource: win10v2004-20240508-en
General
Target: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Size: 91KB
MD5: b1d40ed23f434400f1332a468bdd75d0
SHA1: 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA512: bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec
SSDEEP: 1536:9a8jroAbRB+XWCQLZeIdSwkRa8jroAbRB+XWCQLZeIdSwky:LFRBLJSpFRBLJS8
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Detects executables packed with ASPack 60 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 30 IoCs
pid | Process
2308 | babon.exe
1212 | IExplorer.exe
4476 | winlogon.exe
4564 | csrss.exe
4060 | lsass.exe
4512 | babon.exe
2156 | IExplorer.exe
4940 | babon.exe
4040 | IExplorer.exe
920 | babon.exe
4636 | IExplorer.exe
3160 | babon.exe
3116 | IExplorer.exe
740 | babon.exe
2636 | IExplorer.exe
4572 | winlogon.exe
1484 | winlogon.exe
3480 | winlogon.exe
624 | winlogon.exe
4640 | csrss.exe
3048 | csrss.exe
5004 | csrss.exe
1464 | winlogon.exe
696 | csrss.exe
640 | lsass.exe
3380 | lsass.exe
5052 | lsass.exe
3164 | csrss.exe
1776 | lsass.exe
3104 | lsass.exe
Loads dropped DLL 5 IoCs
pid | Process
4512 | babon.exe
4940 | babon.exe
920 | babon.exe
3160 | babon.exe
740 | babon.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
Drops autorun.inf file 1 TTPs 12 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | winlogon.exe
File opened for modification | C:\autorun.inf | csrss.exe
File created | F:\autorun.inf | winlogon.exe
File opened for modification | F:\autorun.inf | winlogon.exe
File created | F:\autorun.inf | IExplorer.exe
File created | F:\autorun.inf | csrss.exe
File created | C:\autorun.inf | IExplorer.exe
File opened for modification | C:\autorun.inf | winlogon.exe
File created | C:\autorun.inf | csrss.exe
File opened for modification | F:\autorun.inf | IExplorer.exe
File opened for modification | F:\autorun.inf | csrss.exe
File opened for modification | C:\autorun.inf | IExplorer.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | babon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | lsass.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | csrss.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File created | C:\Windows\SysWOW64\babon.scr | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Drops file in Windows directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | winlogon.exe
File opened for modification | C:\Windows\babon.exe | csrss.exe
File created | C:\Windows\babon.exe | csrss.exe
File created | C:\Windows\babon.exe | lsass.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | babon.exe
File created | C:\Windows\babon.exe | babon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | lsass.exe
File opened for modification | C:\Windows\babon.exe | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | IExplorer.exe
File created | C:\Windows\babon.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | csrss.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | csrss.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | babon.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
2308 | babon.exe
4564 | csrss.exe
4476 | winlogon.exe
1212 | IExplorer.exe
4060 | lsass.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
2308 | babon.exe
1212 | IExplorer.exe
4476 | winlogon.exe
4564 | csrss.exe
4060 | lsass.exe
4512 | babon.exe
2156 | IExplorer.exe
4940 | babon.exe
4040 | IExplorer.exe
920 | babon.exe
4636 | IExplorer.exe
3160 | babon.exe
3116 | IExplorer.exe
740 | babon.exe
4572 | winlogon.exe
1484 | winlogon.exe
2636 | IExplorer.exe
3480 | winlogon.exe
624 | winlogon.exe
4640 | csrss.exe
3048 | csrss.exe
1464 | winlogon.exe
5004 | csrss.exe
696 | csrss.exe
640 | lsass.exe
5052 | lsass.exe
3380 | lsass.exe
3164 | csrss.exe
1776 | lsass.exe
3104 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1396 wrote to memory of 2308 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 79
PID 1396 wrote to memory of 2308 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 79
PID 1396 wrote to memory of 2308 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 79
PID 1396 wrote to memory of 1212 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 80
PID 1396 wrote to memory of 1212 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 80
PID 1396 wrote to memory of 1212 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 80
PID 1396 wrote to memory of 4476 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 81
PID 1396 wrote to memory of 4476 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 81
PID 1396 wrote to memory of 4476 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 81
PID 1396 wrote to memory of 4564 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 82
PID 1396 wrote to memory of 4564 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 82
PID 1396 wrote to memory of 4564 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 82
PID 1396 wrote to memory of 4060 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 83
PID 1396 wrote to memory of 4060 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 83
PID 1396 wrote to memory of 4060 | 1396 | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe | 83
PID 2308 wrote to memory of 4512 | 2308 | babon.exe | 88
PID 2308 wrote to memory of 4512 | 2308 | babon.exe | 88
PID 2308 wrote to memory of 4512 | 2308 | babon.exe | 88
PID 2308 wrote to memory of 2156 | 2308 | babon.exe | 89
PID 2308 wrote to memory of 2156 | 2308 | babon.exe | 89
PID 2308 wrote to memory of 2156 | 2308 | babon.exe | 89
PID 1212 wrote to memory of 4940 | 1212 | IExplorer.exe | 91
PID 1212 wrote to memory of 4940 | 1212 | IExplorer.exe | 91
PID 1212 wrote to memory of 4940 | 1212 | IExplorer.exe | 91
PID 1212 wrote to memory of 4040 | 1212 | IExplorer.exe | 92
PID 1212 wrote to memory of 4040 | 1212 | IExplorer.exe | 92
PID 1212 wrote to memory of 4040 | 1212 | IExplorer.exe | 92
PID 4476 wrote to memory of 920 | 4476 | winlogon.exe | 94
PID 4476 wrote to memory of 920 | 4476 | winlogon.exe | 94
PID 4476 wrote to memory of 920 | 4476 | winlogon.exe | 94
PID 4476 wrote to memory of 4636 | 4476 | winlogon.exe | 95
PID 4476 wrote to memory of 4636 | 4476 | winlogon.exe | 95
PID 4476 wrote to memory of 4636 | 4476 | winlogon.exe | 95
PID 4564 wrote to memory of 3160 | 4564 | csrss.exe | 97
PID 4564 wrote to memory of 3160 | 4564 | csrss.exe | 97
PID 4564 wrote to memory of 3160 | 4564 | csrss.exe | 97
PID 4564 wrote to memory of 3116 | 4564 | csrss.exe | 98
PID 4564 wrote to memory of 3116 | 4564 | csrss.exe | 98
PID 4564 wrote to memory of 3116 | 4564 | csrss.exe | 98
PID 4060 wrote to memory of 740 | 4060 | lsass.exe | 100
PID 4060 wrote to memory of 740 | 4060 | lsass.exe | 100
PID 4060 wrote to memory of 740 | 4060 | lsass.exe | 100
PID 2308 wrote to memory of 624 | 2308 | babon.exe | 90
PID 2308 wrote to memory of 624 | 2308 | babon.exe | 90
PID 2308 wrote to memory of 624 | 2308 | babon.exe | 90
PID 4060 wrote to memory of 2636 | 4060 | lsass.exe | 101
PID 4060 wrote to memory of 2636 | 4060 | lsass.exe | 101
PID 4060 wrote to memory of 2636 | 4060 | lsass.exe | 101
PID 4476 wrote to memory of 4572 | 4476 | winlogon.exe | 96
PID 4476 wrote to memory of 4572 | 4476 | winlogon.exe | 96
PID 4476 wrote to memory of 4572 | 4476 | winlogon.exe | 96
PID 1212 wrote to memory of 1484 | 1212 | IExplorer.exe | 93
PID 1212 wrote to memory of 1484 | 1212 | IExplorer.exe | 93
PID 1212 wrote to memory of 1484 | 1212 | IExplorer.exe | 93
PID 4564 wrote to memory of 3480 | 4564 | csrss.exe | 99
PID 4564 wrote to memory of 3480 | 4564 | csrss.exe | 99
PID 4564 wrote to memory of 3480 | 4564 | csrss.exe | 99
PID 4476 wrote to memory of 4640 | 4476 | winlogon.exe | 102
PID 4476 wrote to memory of 4640 | 4476 | winlogon.exe | 102
PID 4476 wrote to memory of 4640 | 4476 | winlogon.exe | 102
PID 1212 wrote to memory of 3048 | 1212 | IExplorer.exe | 103
PID 1212 wrote to memory of 3048 | 1212 | IExplorer.exe | 103
PID 1212 wrote to memory of 3048 | 1212 | IExplorer.exe | 103
PID 4060 wrote to memory of 1464 | 4060 | lsass.exe | 104
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1396 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4512
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2156
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:624
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:696
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1212 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4940
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1484
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3048
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5052
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4476 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:920
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4636
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4572
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4640
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:640
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3160
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3116
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3480
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5004
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3380
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4060 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:740
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3164
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3104
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (2)
Event Triggered Execution (1)
Change Default File Association (1)
Privilege Escalation
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (2)
Event Triggered Execution (1)
Change Default File Association (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Modify Registry (9)
Downloads
-
Filesize
91KB
MD5 122372ce2028bcec969d6f4039149e51
SHA1 f7e8ac5c7334da4ae2f91b367e318b5df5bbbe12
SHA256 ef8b6d0a9450d024b358a7a49d261665987d72c7c40e42002add23af07ff42bf
SHA512 00c1f6a1ffd0d6af94d78371956b16461696eb7d8fc59257dc87bef52ec5055be92de9beca0caac7f7d18b447949cbf7324b83e49003f5460a5900faf99fd656
-
Filesize
91KB
MD5 637d2c6224867fa0f37d2f09f2186857
SHA1 a34057dfb3692929ebd45d2aac02ff4389b95443
SHA256 84f5d2220901b6b089e35a4de581ac9c38f752fa1f6cf2f6778dd5b5b1118ff6
SHA512 f294a199914bffdc5767b6dfd32142acd56ff65beb88cd12b4482ca0c8fa2ea8cffb787275741e620d171bb7d2a6f21e9cddfa4a7d6090ca8c099a0716efcc2c
-
Filesize
91KB
MD5 770113bbd293c60ef68455a43370ffa9
SHA1 ca7a3582c89b0f7042001791fbf22b16fa2f721b
SHA256 5183130392172eabb1a56f93f1f66c63faaaa6043570462c821c93c80686c2b1
SHA512 669115500042b710d179aa30cddf6563f0dd0aae773c040593dc1935481ba891641ad805b020d4bc9b987ebe91c92180c445ef649f627f5c66cca5491ce9c77f
-
Filesize
91KB
MD5 b1d40ed23f434400f1332a468bdd75d0
SHA1 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA512 bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec
-
Filesize
91KB
MD5 7fbe141b08ef0a4d20a9f7b2d84713b1
SHA1 76722824bda42d25f0c622679de98b3cb8face6f
SHA256 ab10410aa13ec7f590ab35e5fc3948e6a204d52b32300b889ddcfcfbe5816ace
SHA512 c0a788eba87e69897665044710c7bbc6d0d90280a6def2bce53296094238220a21aad3f7a2dad65eaefe13c16a01fa2a6acdbb50b98ffdb99fd58e4290ef6014
-
Filesize
91KB
MD5 a97cb8bbf9a43ff425132c1be59979d6
SHA1 d998d2cdf70c275709485b0d82c2c74ff982b97b
SHA256 e3ce99ca7fdd765f42d37477ab28fc9e49a2f6f179d20e8943900740ecb4eb75
SHA512 fbda67c27c4cdbb68d37c64cb791509e13fa0570c89fbcd6dc87ccda610696efaa9bb5afd85bc46b9732ec24fe8589a03dceb0aff611e20cb8eb14370da41814
-
Filesize
91KB
MD5 4f417dc08f3911edebdf723d55b6581e
SHA1 f65e1fba07c6735ff243e9aff49c7ea7cd290ae0
SHA256 4075692e943ee0abde529f22d528472e8cf52a0c1c3ba1adde1614f570e89401
SHA512 332353ecdbe9bc8f4f35e1a4f56096c775987e7a03f25aec043accaba6b27c921b908166ccdd3b86c1bd4e7af2dfc44939076537c4e7666bca611a9c1bb163ea
-
Filesize
91KB
MD5 c5008a8b2eebb44f6149e4dbbfcc5822
SHA1 309af6b7b400dce91af417b0004ee1d3f6e1f2a6
SHA256 7008a4f7f2baf0b3aa5d39732b14201774ac6405135b05db20722a6b7367587b
SHA512 f901f238f5799d61670e779f87413be5923fbd958f796ebf0a146c9bba9c5c1bfefefa0075932d5286be924f691512e34c6b32dbd4ea52fc7c8d6cdba666fcc9
-
Filesize
91KB
MD5 ab47ebed6e55093f78024f3726be3070
SHA1 cc66b2f8b3b08a2b432774c6b2224c10e313ead3
SHA256 4b8166e4df6958d6cc417eee4753fcb8ff8f3b28ecc98fcf7aa25bd4898d3d4f
SHA512 16f535fa10596117dd091ff34ac57f51a833071f776a62aacd41286bd657c57459fdeed3a5acd92127d10374651092705c87c2e094ca988320adfb3ba3048488
-
Filesize
91KB
MD5 7f7fb796dad5afa365589476a896c3d6
SHA1 7a26b9dde60bb8ac4fb70d779a5ca425e177b272
SHA256 477b77944458f11c7a22ead5a51f9c41068f4d22f0fba0f57e8ac724c7ce5b15
SHA512 76554d479c4b35024f525490b75329f4952e3bac559d0ef501fd85abc7bad3972d180a6918053e97062d0f5aba695c7b13070c223a90fe45c12436790ce616cf
-
Filesize
91KB
MD5 e5405fa99b9b7534ccefaafea5990874
SHA1 6dc55957395403cfe575a6daf47278e3ef958cea
SHA256 53db639439cc340a9106e70c874034e99104b168e5b4ef4a9e64e419a51af492
SHA512 8d8e03ebea08f21065581413655340a7660497592b50e9532f5c5dedd14436607e126d2609d2f6062b44cbd1468c5c656154a4d4431d464aafc52d6032278cd2
-
Filesize
91KB
MD5 0e31e3515b8196573ffd06b69bf87aed
SHA1 0af6a4adca8b207fcbacfa3eb645cdb8567bab76
SHA256 d9c361dcfb17bedb963956808a0f3d329adf6693b660dc310e4b1e06092cf532
SHA512 aaab26e946195efcceac31a04e112480bc26e2a7383d01d65967e0ef652938b88904c9a2c0759ae72d134fced3286569a3ef9c99e9b982e820f4ade6b108fa54
-
Filesize
91KB
MD5 617fbc142165e322a5705011afe2687f
SHA1 fd4d1365a2a52e271a708bf751bd792b9d8b9adf
SHA256 92d8ea792368d53f1cec7e52f9a60362008348c0bc4760a2fe23feffc4ff0633
SHA512 99711f10f2a6106a94e21550f68ffa9bcdffd8150d93e7c3b07cd27ada33eaa5cbd117dca00d3f5f49a7d4f46cc80297de4a9f28084e31f17334661a38506d3a
-
Filesize
91KB
MD5 ca41d0f22295d4991223ef71f124c132
SHA1 2dcab07f63c53052e39dcab774bc50ad5d609c4d
SHA256 34fc8d535888cc89acc5aae27c974341cd81b90aa407abda07706c34e1366107
SHA512 e97be022f2e4f940b33c5274c04109f13da835e6e842df6e6744bf0008864abe04b934aeed023029c8328425f0f8654b8031dace383cf8a671d0e7ff69527fd2
-
Filesize
91KB
MD5 5b80fc7658e849f5196b330a833a2551
SHA1 626323263f4909bb030e4a45a9a90281b220ca1f
SHA256 4d2a697701335fef91fba39d15b6329dcd29ee7b05612ceeda0895cc42f604ea
SHA512 e42fccd8ab7ffcff1fe1bd735f105c89778ae595b0a3c1de4ba75e7c0e590546e8ce4689087f9f94c98f7136bf294e1cbdc22d9c0e327cc0cf308d1a66935353
-
Filesize
91KB
MD5 71f06556ad0c8e188ed07db9fa4015ab
SHA1 6cb0b33fdd4bf57e2f8dcbff834bdbc0613751d6
SHA256 27f66e6e8879d6f2698e2ffdf24227da5b695a63ef3a7f3feed8b8e10550946e
SHA512 2891421f8be520e19b4d6d430e0d67d2efaed6328ee7a387ab6b7bee226034895b3955385ac3c83761952919c6653d4abfc7fced261eb202aa8a9225c9f3988c
-
Filesize
91KB
MD5 7b294a1786cb566409516bad3f0a932f
SHA1 595b461bfa6ad5161edcd131b6b62a178f37166b
SHA256 032cf1d6e6d7a31d55ad0eb45541b8a1375c23c1e46022095797049bb47f7fbc
SHA512 e1909565b0c5e159997af94f963bf0907c63b0d5a3cadf5a28ee2c6dc69a45df40c004bc3e724b17e85b6d8a882e993343588b875561be45ed270a129c39e4ef
-
Filesize
91KB
MD5 88332c4cbfa8dbc0d030f49f21be6776
SHA1 756f2729847405baf2352322a3b15cdd440ad6ae
SHA256 e5a1ba13c6627690c87f0d4fcd31da17178650560a9fc3e0f4adf30f3cd0ccf5
SHA512 9d61001a0cd41e13734158c8cec1ba6a9b45ee09cd844b74e12f7bedaadcffe31112ce2529d2d4d2d317b354b2f2faa90020b0a0cd1d00bcd9de571abc553ad1
-
Filesize
1.4MB
MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
91KB
MD5 74491fded5f82b1a63f2c5fd2cfe2b71
SHA1 71aefda4f6deb726d287cacc43514289951cad3a
SHA256 a44126a455ca139c552599a6fc32d743868badb4e2d4290c05fa6d43c3104a66
SHA512 f5c264d3d72968981001d794fc5b19b273cf9d880869de405cac7660cee225ba9875fb4f593a6c1fe52a08ae17e3a7d269a1445fb97ecffe3404209876e2a41b
-
Filesize
91KB
MD5 199d9f3dea30210a75ea4ab26e0fa108
SHA1 ed3f0b65c0e433ae72b0b3d738fd3722491bcc24
SHA256 431b6cfa8ab9a4fbda469e428fa8f2d3a96b36ad1fefc4332eed876773b4229c
SHA512 94cf01ae372c6674e14fece9fb4d2cfc1727f41dd546973c2fbf2afb214729ecab293f0516226671bee996fe5befc4930cfd4babc567fc91908cd047dbff3a75
-
Filesize
416B
MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd
-
Filesize
41B
MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e