Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 02:54

Static task: static1

Behavioral task: behavioral1
Sample: d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Resource: win10v2004-20240508-en
General
Target: d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Size: 147KB
MD5: c5a3588560d77a3db1da483df905b7d1
SHA1: 212fa66e44e2997552e88b492323d38f2f3f7ec6
SHA256: d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12
SHA512: 046cf927424efb05a54160fe7de46faf81f5f153186a15148a8241cc06de946f138d90cf884b7145a1e64787b9f5429ce7231de3299770edab4bcf41946ae212
SSDEEP: 1536:oWwaMcKOER0m9mwWjAggupnhycpDnq+5h/tDSZ15WwdAx:pzKR0xwW0WnhFpDRzSZaCAx
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Shell.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Shell.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Detects executables packed with MEW (22 IoCs)
Disables RegEdit via registry modification (7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Shell.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (7 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Shell.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (46 IoCs)
Loads dropped DLL (64 IoCs)
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Adds Run key to start application (2 TTPs, 28 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 21 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | F:\autorun.inf | babon.exe
File opened for modification | F:\autorun.inf | babon.exe
File created | C:\autorun.inf | babon.exe
File opened for modification | C:\autorun.inf | babon.exe
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 50 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
pid | pid_target | Process | procid_target
3004 | 1596 | WerFault.exe | 28
2324 | 2404 | WerFault.exe | 29
2704 | 2660 | WerFault.exe | 30
2432 | 2308 | WerFault.exe | 32
2516 | 1884 | WerFault.exe | 31
1268 | 2492 | WerFault.exe | 60
-
Modifies Control Panel 49 IoCs
-
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | Shell.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | lsass.exe
-
Modifies Internet Explorer start page 1 TTPs 7 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | lsass.exe
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2500 | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
-
Suspicious use of SetWindowsHookEx 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 14 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Shell.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Shell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe (PID 2500)
  command line: "C:\Users\Admin\AppData\Local\Temp\d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\babon.exe (PID 1596)
      command line: C:\Windows\babon.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\babon.exe (PID 2136)
          command line: C:\Windows\babon.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (PID 324)
          command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 988)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 1100)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 1500)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 3004)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 372
          - Loads dropped DLL
          - Program crash

            C:\Windows\SysWOW64\Shell.exe (PID 2488)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\Shell.exe (PID 2664)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (PID 2404)
      command line: C:\Windows\system32\IExplorer.exe
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\babon.exe (PID 2280)
          command line: C:\Windows\babon.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (PID 2864)
          command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1796)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 2936)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2676)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 2324)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 380
          - Loads dropped DLL
          - Program crash

            C:\Windows\SysWOW64\Shell.exe (PID 2468)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\Shell.exe (PID 2132)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2660)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\babon.exe (PID 2256)
          command line: C:\Windows\babon.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (PID 944)
          command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2892)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 2608)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2444)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 2704)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 352
          - Loads dropped DLL
          - Program crash

            C:\Windows\SysWOW64\Shell.exe (PID 2492)
              command line: "C:\Windows\system32\Shell.exe"
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Disables RegEdit via registry modification
              - Disables cmd.exe use via registry modification
              - Executes dropped EXE
              - Modifies system executable filetype association
              - Adds Run key to start application
              - Enumerates connected drives
              - Modifies WinLogon
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Modifies Control Panel
              - Modifies Internet Explorer settings
              - Modifies Internet Explorer start page
              - Modifies registry class
              - Suspicious use of SetWindowsHookEx
              - System policy modification

                C:\Windows\babon.exe (PID 1004)
                  command line: C:\Windows\babon.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\IExplorer.exe (PID 1008)
                  command line: C:\Windows\system32\IExplorer.exe
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Drops file in Windows directory
                  - Suspicious use of SetWindowsHookEx

                C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 1904)
                  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

                C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 2768)
                  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

                C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2184)
                  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

                C:\Windows\SysWOW64\WerFault.exe (PID 1268)
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 400
                  - Program crash

                    C:\Windows\SysWOW64\Shell.exe (PID 2456)
                      command line: "C:\Windows\system32\Shell.exe"
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Drops file in Windows directory
                      - Suspicious use of SetWindowsHookEx

                    C:\Windows\SysWOW64\Shell.exe (PID 2796)
                      command line: "C:\Windows\system32\Shell.exe"
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Drops file in Windows directory
                      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 1884)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\babon.exe (PID 2932)
          command line: C:\Windows\babon.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (PID 1728)
          command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2452)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 2588)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2328)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 2516)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 388
          - Loads dropped DLL
          - Program crash

            C:\Windows\SysWOW64\Shell.exe (PID 2772)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\Shell.exe (PID 1876)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2308)
      command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Disables cmd.exe use via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies Internet Explorer start page
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\babon.exe (PID 2992)
          command line: C:\Windows\babon.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (PID 1532)
          command line: C:\Windows\system32\IExplorer.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (PID 2840)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (PID 2472)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (PID 2344)
          command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\WerFault.exe (PID 2432)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 356
          - Loads dropped DLL
          - Program crash

            C:\Windows\SysWOW64\Shell.exe (PID 2740)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\Shell.exe (PID 2312)
              command line: "C:\Windows\system32\Shell.exe"
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads
-
Filesize: 147KB
MD5: c5a3588560d77a3db1da483df905b7d1
SHA1: 212fa66e44e2997552e88b492323d38f2f3f7ec6
SHA256: d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12
SHA512: 046cf927424efb05a54160fe7de46faf81f5f153186a15148a8241cc06de946f138d90cf884b7145a1e64787b9f5429ce7231de3299770edab4bcf41946ae212
-
Filesize: 147KB
MD5: 70e9aff82220c6da83983188e790b794
SHA1: 43b28c1cd1cb352cb55b58e8b404383afd196914
SHA256: 56fe5e832f1444396b28033b05b2e4bedbfb5e24e62252a3b55d723c8c695caa
SHA512: 9583ef15219f5492efe8844f567e90612e045eda3fab5c854d0653611e5e280d6e6c8d8045d265e58029138a5134a95f72e7147e5a83e7e91b5ca1e25973551f
-
Filesize: 147KB
MD5: bdbe60a5c48a25f151e9f3d1f5b44261
SHA1: 4697561c30a4de584b9540725ca3ec7d6e3cca0f
SHA256: c7eedac27e267db81adfb77cd267b1f0a45e9478675e10ea35273f80266ebe64
SHA512: e24fb08f932bc0fce30ecb28b32e31a7b0f9084be8f87a930e88b1064f5b12582e1e5c811e2c0c0efbdb812f9f01f9c165c1cc5e501c3c780b4095b42869ab03
-
Filesize: 147KB
MD5: 58c6b8c0f663815be90f685193733953
SHA1: 99bcb5f553e55be5aca582a8f5df5e13cf70a3fa
SHA256: aec4639c2938804c372f31fb0f8f636a9121d89ac5bdca950645c4b5f525e977
SHA512: ee8c8097ba674deea6ee57d2790a5eec0030d9e19c8f2646d58327e63593cbb8e25cca096ba13666c7764291145472e326845c8fd0cd08b4135b8f6302232f35
-
Filesize: 147KB
MD5: 6de48f5a6a61a51f2d7e92e700bc31d3
SHA1: a6432252d1aed5bfd15aaabb61789176335fbe9e
SHA256: 268497966315f457b79766854cd3ad240e04fc4f0f50be2b96f00b0391664c27
SHA512: 2fd3045eb7c29c58d728b668ba0132418192ffbf32708fb00f8b4bed0ce93fb131ebdb75c6649b9c4a40e867c37dab79eee0fd40ec2f3c27e41d8ade670d46ce
-
Filesize: 147KB
MD5: 799afb740aa83882f4e79801400b0d25
SHA1: 4e93ffa4f9fd6b74f8918a87785d7805627f5fa6
SHA256: a89c58e0b7800ba333412ba9f6918fa6e57894cdf6241d799abc849ff7709029
SHA512: a00009efa74c5ea98f9909de8c10d01483d559c45503b60505b113855054a11bcbe7087c7930ab2412de68d87f650195ca8cc8c61b57ba11c371b4512c057a9b
-
Filesize: 1.3MB
MD5: 5343a19c618bc515ceb1695586c6c137
SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize: 147KB
MD5: 11d764f1b2986c3753e51f5b95277283
SHA1: 3919a24553bf750e6dd3064ff9454ac7bfbedef7
SHA256: 41bfa0132240af489db5e61568641c6ddc4ab8d01e308ced2808fe33fe580e76
SHA512: c810493bfa5d8ac6abb06a539f1d54de4e41da27d3df044e762c42a83107d173cd5b5269fdd5e8e41972538f8ee808bebb3ec35f1a0be5e0211352a318a0a023
-
Filesize: 147KB
MD5: 1b3b71345a28cd3f4fa0af4d9aa89186
SHA1: 3cee0e856604e5517bc356a0e0f7146904c1b03a
SHA256: 9de28f5e93bde74a2029c6279c334da35b71ec62691a05eab0515b69561fe929
SHA512: dcd1e0afff0ba3cf6d80b854db1d31246f70f245335a991cf4c346bffbfc7a790f6ca0b508c8756cdc817578ec575c254e25d8d78d85d705599e2eec7feb4d4f
-
Filesize: 147KB
MD5: 7ae4e2ba7386553f17d7a35252a344b9
SHA1: 288f7d0749c4133c88a0c5382664cd53bb2a8a56
SHA256: d8f80f9c8233f092d0c069e3930136324b154125c0de1eea9a43485029d0a015
SHA512: b479ddabf77ab14947f014259a079e7155c32915216a6869a8781e90278e2acea27507836be944fe05f209b8a14e4ab72645963fc0d4cf626d8e92acd105a3d0
-
Filesize: 147KB
MD5: 794b79b51cb35b9200c99da535b4649f
SHA1: 6db0a0ea9e85f270f93d24aa9734c6ab80c07d81
SHA256: fc6e8b38e89fdaaf80b5952ab2528753174e51fc65ba8653b5de6a05fc639398
SHA512: 762c6197ead17f9bcbb066421eb06e64b7c05e1eb5676e62b78ebd74e85d0d3ed84d36344d9abce8cb7b1ebb05796cd963e01983749d086aee4e7fa039d3a597
-
Filesize: 147KB
MD5: 9c7487bec6bd7532e7e58784673d05d4
SHA1: 75ddfb9de4003a3f15e87627e58f1eb7d429ad47
SHA256: d9aa1d3395682a6f365db6b985cc97a37be8d34de46fa29967783420db236a26
SHA512: 3f66b66438fa3c3f90e22e37150e0121093cc8574adf967d487e1671d223a6eb1ff8ae026cd3677706dc1d5c8655d0959b12aacebfd8fa67a73be0ab826fd1bd
-
Filesize: 147KB
MD5: f31275ef82d305ac849203a4366613ae
SHA1: 52dcaaa189aba50ee18d976e0a3a2a61ba56cb6a
SHA256: 69af9b9f2c1f2a17732a1ee0a7728272de68168327fb791bf404d08cbb117628
SHA512: 78a0a0c69f8e9810d0d4197596a2d5704f3e290ce7b92c11c34af8b2e67c04b2343c96bc87a80f1fad29683f8e82bb4013675b72a73528e58d65ccb6126dbef9
-
Filesize: 147KB
MD5: 67c71f5f61d0a318dbd867656c768dac
SHA1: 88751c49207ad745f1a591366d4b743bf0106ff0
SHA256: 8a603049f2f3f5fb3ed3555c9af194ee61a47219679cfe860277ba540ae4208b
SHA512: f409e31ad97742e76f7f9ea7c45449cc44a07f7a3c7bac666a15b4fe8f4769217816c7a9e664869330bb3a55bd5305ac18a7d0a6369dbbca578dc9c2da0b2e84
-
Filesize: 147KB
MD5: ac1bd921d171399d9e51326e1d0a491b
SHA1: a9a5b172c94ed31c71568a2d77b96bbc2f528976
SHA256: 68d39ffcd2149c82e71b952d67b78b6a76dda84fa8d1bc0fbcc4e9d4bc159acc
SHA512: 6ae55fec40d115e0529c3a87c4db1457246c123f00ae33a9d1b0f9753627d8763308e4994eb690ed2ffafd46510f525187b250b99abb119b2ea7795a344b92d5
-
Filesize: 147KB
MD5: 614831aaee28de1282f295d4142dbd4d
SHA1: cd05c785392c916173deeb14939fb2278b942aa6
SHA256: a44beedc52f3963a31591d36ee83e7dd35152efb8f32540c02869eed47f11cc0
SHA512: ecd2f788dc76d849ec3f0a8b16387d86dbf0c7d4dfbca2a7fbe05a1a532d5d3d47a1e3209cf456dc3c864d6ac761f79c13bcd773168567b77352a523c20f52cd
-
Filesize: 147KB
MD5: 8c7495655e2172e2586bd6ed99e2f59a
SHA1: a7d5d9930c7c6cfd0f65051d03e3de3b4d7dfda5
SHA256: 117431a62f5c22e7b4f64d04c380c1a7e67d5d6e3c8b6ed7b0c17e917988d13b
SHA512: 5c3e076f1e7ed8580cc5b532e1e656febf78b58518ad4555be99221c076f260b89efee9e92298a654e6fbff5c45f2350454838c676f0fcb05e0cb4e28bd3702c
-
Filesize: 147KB
MD5: 2c5f19a2420bf9a1127dfc660b829649
SHA1: 7d65768260c96a4a8a2ae0fd35d355cb26a579c0
SHA256: db7b7ab030617ac99eaa2f245e252581d85186a8a214de74fdb7db1922aa9091
SHA512: b465b9adbad925baf65e071d9d9b7912c17935f65e464b472eceb5ab3beffb9f5b06231952f0acecdd5a46412394313f43396f70e364bd537c1f569ff6693e05
-
Filesize: 147KB
MD5: 6894c9a196f7a362898c73a785575e11
SHA1: a1f3dffc69073e82fa9020deecd9072792adfb3f
SHA256: 32f91f454cd5d81f79c1934b1ce22279d2801eb64973f8ec557be9baf5184b84
SHA512: b3f0117657d431810eb15095a12bcc680f3d3aad99fe88d16cac11bc75afe9429f8c1cedf6f9fcc40bd6ecab1f2d8b3a2b6c7e6eff384756248414e8a2aeb1a2
-
Filesize: 359B
MD5: df2f3e6971a7548c1688706f9a9798a8
SHA1: e38539857523a1e7eb3aa857e017bf6461b16a08
SHA256: 1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512: d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize: 41B
MD5: 097661e74e667ec2329bc274acb87b0d
SHA1: 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256: aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512: e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e
-
Filesize: 147KB
MD5: 0fa767df37dcd675d44c0c6f4eeb2772
SHA1: f9e1af08b1eaa197b0d23a867751431a9176fd4b
SHA256: 657212a2bb5d02ba09896d901d169fa1f5508f24683eddd3338260b5dcef0784
SHA512: b7df42f065f36767c7ec61c82745cb6123c578dcea5eba8e32303b284eaa823214b6ab55743401d7fff0266f3a0257940d63546d7ce1bb7246df54b0050cd8c6
-
Filesize: 147KB
MD5: 0473991d7d04b1a79c68d43387891098
SHA1: e1c7f0dbae1eaa061653abe998bead91c9253f07
SHA256: 9d1c9a147060e7424eea89f595bd1dc958797212d3b177b548665029925e5df2
SHA512: 05c6232252ffd7c0705f6e5b6b0318c024721af58febd59a54b86b2cd2dec10661497b2650ac6e28d9fdde629eb4373d71c4390370b71f4932a1387bb4517b65
-
Filesize: 147KB
MD5: 07370646e3ff68ce552a4bd37389263c
SHA1: ec10ac9e6a64f0853ad21314cfc909bc299ce095
SHA256: 67c1db1ccd8dca37bb3d5bf59b1253edfcc4a95dc0e32cf98067cdbf3d723e64
SHA512: fe8cf726f56c68aa2bb5d081e660b2e24fc99dbc404c71a6db84ee8336deab3a9761d4c3e052516b5bb7e569bd0785a084746a7b471e86185094c999269771c3
-
Filesize: 147KB
MD5: c9a35816103cd83d6deb4c10d333e84f
SHA1: 0f7f12eda62eb6f3a24ab931c5ac93e112362bff
SHA256: c52ea91a19bc7d1583b85a73fc45e91cdf7a3678ee1feb445988e6ec2c70b3db
SHA512: 1e3990e25414174e6d7480c05e2a4b269bc1342807564c0725d9a2617cccc58c902cc93397d427ff3bc6df0c3136470b8020a3236a96683d3711ab1eba01002b