Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/06/2024, 22:21
Behavioral task
behavioral1
Sample
68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Resource
win10v2004-20240611-en
General
Target: 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Size: 64KB
MD5: 4f9dd562449c7964589a8047e57b7b9e
SHA1: 5b9dc26e8bdc0b847f89aaa13c531653c4e082e2
SHA256: 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe
SHA512: 6a6183225350be29600768a353755c3cef8c82d34bf0c11d7329376f8ceb7bdce17e4be77e82de81a1c0f81c8cb7d9da9ae3ddcb6bc5a56da56f4d3a3ac6bc56
SSDEEP: 1536:9a8jroAbRB+XWCQLZeIdSwkoa8jroAbRB+XWCQLw:LFRBLJSOFRBLw
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Detects executables packed with ASPack 64 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 30 IoCs
pid | Process
3200 | babon.exe
1168 | IExplorer.exe
3736 | winlogon.exe
3756 | csrss.exe
4560 | lsass.exe
4852 | babon.exe
3476 | IExplorer.exe
5088 | winlogon.exe
3512 | csrss.exe
1272 | lsass.exe
3172 | babon.exe
3460 | babon.exe
1236 | IExplorer.exe
5028 | babon.exe
4488 | IExplorer.exe
3724 | babon.exe
2144 | IExplorer.exe
1432 | winlogon.exe
3700 | IExplorer.exe
4564 | winlogon.exe
748 | winlogon.exe
1244 | csrss.exe
964 | winlogon.exe
3896 | csrss.exe
2632 | csrss.exe
2260 | csrss.exe
1428 | lsass.exe
2196 | lsass.exe
3764 | lsass.exe
1988 | lsass.exe
Loads dropped DLL 5 IoCs
pid | Process
4852 | babon.exe
3172 | babon.exe
3460 | babon.exe
5028 | babon.exe
3724 | babon.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc (drive roots opened read-only, grouped by process) | Process
File opened (read-only) | \??\B: \??\G: \??\H: \??\I: \??\J: \??\K: \??\N: \??\P: \??\R: \??\S: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | winlogon.exe
File opened (read-only) | \??\B: \??\E: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\R: \??\S: \??\T: \??\U: \??\V: \??\X: \??\Y: \??\Z: | csrss.exe
File opened (read-only) | \??\B: \??\E: \??\K: \??\L: \??\M: \??\Q: \??\S: \??\U: \??\V: \??\W: \??\X: \??\Z: | lsass.exe
File opened (read-only) | \??\E: \??\G: \??\H: \??\J: \??\K: \??\M: \??\Q: \??\S: \??\X: \??\Z: | babon.exe
File opened (read-only) | \??\H: \??\I: \??\J: \??\L: \??\Q: \??\U: \??\V: \??\X: \??\Y: | IExplorer.exe
Modifies WinLogon 2 TTPs 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | babon.exe
File created | F:\autorun.inf | babon.exe
File opened for modification | F:\autorun.inf | babon.exe
File created | C:\autorun.inf | babon.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | lsass.exe
File created | C:\Windows\SysWOW64\babon.scr | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | lsass.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | winlogon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | babon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | csrss.exe
Drops file in Windows directory 24 IoCs
description | ioc | Process
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | csrss.exe
File opened for modification | C:\Windows\babon.exe | lsass.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File created | C:\Windows\babon.exe | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | IExplorer.exe
File created | C:\Windows\babon.exe | csrss.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | lsass.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | babon.exe
File created | C:\Windows\babon.exe | babon.exe
File opened for modification | C:\Windows\babon.exe | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | winlogon.exe
File created | C:\Windows\babon.exe | winlogon.exe
Modifies Control Panel 54 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\ | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s2359 = "Babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\s1159 = "Babon" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\ | lsass.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | IExplorer.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1768 | Notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
3200 | babon.exe
3756 | csrss.exe
3736 | winlogon.exe
4560 | lsass.exe
1168 | IExplorer.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
3200 | babon.exe
1168 | IExplorer.exe
3736 | winlogon.exe
3756 | csrss.exe
4560 | lsass.exe
4852 | babon.exe
3476 | IExplorer.exe
5088 | winlogon.exe
3512 | csrss.exe
1272 | lsass.exe
3172 | babon.exe
3460 | babon.exe
5028 | babon.exe
1236 | IExplorer.exe
4488 | IExplorer.exe
3724 | babon.exe
2144 | IExplorer.exe
1432 | winlogon.exe
4564 | winlogon.exe
3700 | IExplorer.exe
748 | winlogon.exe
964 | winlogon.exe
1244 | csrss.exe
3896 | csrss.exe
2632 | csrss.exe
2260 | csrss.exe
1428 | lsass.exe
2196 | lsass.exe
3764 | lsass.exe
1988 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2196 wrote to memory of 3200 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 81
PID 2196 wrote to memory of 3200 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 81
PID 2196 wrote to memory of 3200 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 81
PID 3200 wrote to memory of 1768 | 3200 | babon.exe | 82
PID 3200 wrote to memory of 1768 | 3200 | babon.exe | 82
PID 2196 wrote to memory of 1168 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 83
PID 2196 wrote to memory of 1168 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 83
PID 2196 wrote to memory of 1168 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 83
PID 2196 wrote to memory of 3736 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 84
PID 2196 wrote to memory of 3736 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 84
PID 2196 wrote to memory of 3736 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 84
PID 2196 wrote to memory of 3756 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 86
PID 2196 wrote to memory of 3756 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 86
PID 2196 wrote to memory of 3756 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 86
PID 2196 wrote to memory of 4560 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 87
PID 2196 wrote to memory of 4560 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 87
PID 2196 wrote to memory of 4560 | 2196 | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe | 87
PID 3200 wrote to memory of 4852 | 3200 | babon.exe | 91
PID 3200 wrote to memory of 4852 | 3200 | babon.exe | 91
PID 3200 wrote to memory of 4852 | 3200 | babon.exe | 91
PID 3200 wrote to memory of 3476 | 3200 | babon.exe | 92
PID 3200 wrote to memory of 3476 | 3200 | babon.exe | 92
PID 3200 wrote to memory of 3476 | 3200 | babon.exe | 92
PID 3200 wrote to memory of 5088 | 3200 | babon.exe | 93
PID 3200 wrote to memory of 5088 | 3200 | babon.exe | 93
PID 3200 wrote to memory of 5088 | 3200 | babon.exe | 93
PID 3200 wrote to memory of 3512 | 3200 | babon.exe | 94
PID 3200 wrote to memory of 3512 | 3200 | babon.exe | 94
PID 3200 wrote to memory of 3512 | 3200 | babon.exe | 94
PID 3200 wrote to memory of 1272 | 3200 | babon.exe | 95
PID 3200 wrote to memory of 1272 | 3200 | babon.exe | 95
PID 3200 wrote to memory of 1272 | 3200 | babon.exe | 95
PID 1168 wrote to memory of 3172 | 1168 | IExplorer.exe | 96
PID 1168 wrote to memory of 3172 | 1168 | IExplorer.exe | 96
PID 1168 wrote to memory of 3172 | 1168 | IExplorer.exe | 96
PID 1168 wrote to memory of 1236 | 1168 | IExplorer.exe | 97
PID 1168 wrote to memory of 1236 | 1168 | IExplorer.exe | 97
PID 1168 wrote to memory of 1236 | 1168 | IExplorer.exe | 97
PID 3736 wrote to memory of 3460 | 3736 | winlogon.exe | 98
PID 3736 wrote to memory of 3460 | 3736 | winlogon.exe | 98
PID 3736 wrote to memory of 3460 | 3736 | winlogon.exe | 98
PID 3756 wrote to memory of 5028 | 3756 | csrss.exe | 99
PID 3756 wrote to memory of 5028 | 3756 | csrss.exe | 99
PID 3756 wrote to memory of 5028 | 3756 | csrss.exe | 99
PID 3736 wrote to memory of 4488 | 3736 | winlogon.exe | 100
PID 3736 wrote to memory of 4488 | 3736 | winlogon.exe | 100
PID 3736 wrote to memory of 4488 | 3736 | winlogon.exe | 100
PID 4560 wrote to memory of 3724 | 4560 | lsass.exe | 101
PID 4560 wrote to memory of 3724 | 4560 | lsass.exe | 101
PID 4560 wrote to memory of 3724 | 4560 | lsass.exe | 101
PID 3756 wrote to memory of 2144 | 3756 | csrss.exe | 102
PID 3756 wrote to memory of 2144 | 3756 | csrss.exe | 102
PID 3756 wrote to memory of 2144 | 3756 | csrss.exe | 102
PID 1168 wrote to memory of 1432 | 1168 | IExplorer.exe | 103
PID 1168 wrote to memory of 1432 | 1168 | IExplorer.exe | 103
PID 1168 wrote to memory of 1432 | 1168 | IExplorer.exe | 103
PID 4560 wrote to memory of 3700 | 4560 | lsass.exe | 104
PID 4560 wrote to memory of 3700 | 4560 | lsass.exe | 104
PID 4560 wrote to memory of 3700 | 4560 | lsass.exe | 104
PID 3736 wrote to memory of 4564 | 3736 | winlogon.exe | 105
PID 3736 wrote to memory of 4564 | 3736 | winlogon.exe | 105
PID 3736 wrote to memory of 4564 | 3736 | winlogon.exe | 105
PID 3756 wrote to memory of 748 | 3756 | csrss.exe | 106
PID 3756 wrote to memory of 748 | 3756 | csrss.exe | 106
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Processes
C:\Users\Admin\AppData\Local\Temp\68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe "C:\Users\Admin\AppData\Local\Temp\68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe" 1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2196 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3200 -
C:\Windows\Notepad.exeNotepad.exe C:\wangsit.txt3⤵
- Opens file in notepad (likely ransom note)
PID:1768
-
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4852
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3476
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3512
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1272
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1168 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3172
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1236
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3896
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3736 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3460
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4488
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1244
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1428
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3756 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5028
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2632
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3764
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4560 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3724
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3700
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 2
  Event Triggered Execution 1
    Change Default File Association 1
Privilege Escalation
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 2
  Event Triggered Execution 1
    Change Default File Association 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Modify Registry 9
Downloads