2e67c8f0ff93f5b145bdb1056cd73756384fbabb933969d8b8acc6d6ed722f58

Analysis

max time kernel
94s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/low-q.exe
Size

714KB
MD5

ac139b9fa9dac213262ecb40444dd027
SHA1

571a625e260e16090c40b312185dc9a90916a8bf
SHA256

8867924485bcf38f2ce033ae78fd8c78ab3f990cf9c9df30c067df2643b2d0b5
SHA512

1855198f2900ea63fe22546257a98614659c71f71f196ddce3bad572841ba9c205328d134f2f73942dbdb27cf3ecadca9e981b7381ccac354c307c4ed56af09c
SSDEEP

12288:zG9Bt1HY4jk7jdBajQh69yo3UJuA3UfSD4XDl6R+NmF2uLC35HfnQnOR2jBMFUZp:z8RHYn7jdBwu69y6SbD4R6RpFG3RfQOQ

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	low-q.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	BABYLON.exe
220	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
220	Setup.exe
220	Setup.exe
220	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18777"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/home?AF=18777"	Setup.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	Setup.exe
220	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	220	Setup.exe
Token: SeTakeOwnershipPrivilege	220	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	BABYLON.exe
220	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 2924	520	low-q.exe	86
PID 520 wrote to memory of 2924	520	low-q.exe	86
PID 520 wrote to memory of 2924	520	low-q.exe	86
PID 2924 wrote to memory of 220	2924	BABYLON.exe	88
PID 2924 wrote to memory of 220	2924	BABYLON.exe	88
PID 2924 wrote to memory of 220	2924	BABYLON.exe	88

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\low-q.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\low-q.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\BABYLON.exe
  "C:\Users\Admin\AppData\Local\Temp\BABYLON.exe" -affilID=18777 -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\Setup.exe" -affilID=18777 -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2-9.0.2.5.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\BException.dll

Filesize
109KB

MD5
e58f89171a6e3ba50638f3f62e3c4c9c

SHA1
c50721176d35cb338fee371e6b822806d6a4dbd1

SHA256
cbe6eb9bf78a5372e72feea7886855c3dacf3b0e25e1144232d6ffeb9b235c06

SHA512
624c763eb67c96de8dc53dda598916ca8546269be377583ba83b13f70e808786e692df283daca59bb0fbf89e720df4699ad88fb249eaa573a5ff0b69727adcc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\BabyServices.DLL

Filesize
1.0MB

MD5
fd0756f04af1bde0e17c16e82e236df6

SHA1
7a4eac2712ab7bb578996e5ae6e827ff3f14036e

SHA256
dd632b49514b20256bf85b60ab4ef4dba953c0b05bf7cea3697ef334d486efc5

SHA512
1691eee1a81d0e15fe167e33e551c174e6922937427b3fcbee3a5927ac10846885c33835919f37f464b6956322c1a774776e9223ea0e84368f2f872d9605061c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\Babylon.dat

Filesize
10KB

MD5
1c8f0f72b9f7174f10ac2587f2d933d5

SHA1
d89e6300da475258854fe0de11cf191d261f7c94

SHA256
bea29419fbc448727a08ca9875d5609c6cd0f7464d6c927d18df19c98bcaee74

SHA512
506741f2476cad83cd96ca11fba97fc995e708e59a271e10c7239594c0c421f1e98e2fe967f27aa1a678b913d9fd89598d623ce2343d0c21ba61f7dcde05c3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\EULA.rtf

Filesize
185KB

MD5
089e564107ae87fed07d9f9be4ba647a

SHA1
b9880121b48b767ef4cb0889663857db0dcfbd63

SHA256
e2cc9bd171a3ea88d4a0b2149956b5b2e3a9cd6ce4b6df1ac32168770e061c39

SHA512
1314a1f8219caa36b5ad16e2cef0390f1a23db3277cfb5c5feb0abd6a555278abb22b2ad3f40296512647ba4cf54b59f98dd2373a424b6a9f995c632b6fb4d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\Setup.exe

Filesize
898KB

MD5
b797cb0a4f42e1e6cace1592f6a57c6c

SHA1
d841842880ffa183dcd7a94ab256195b2c73a7a9

SHA256
9364417675d58ee408cc22df80581e85357b72b7eb7dd3311fd14c721a3c4e38

SHA512
69ac0a9472e62fe84b4309d480285a33b085aae51a0862e5ba237c196c5465551a27d008e595e019d16bc1c01c6d47b23251544e8775ed7f3802920df977e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\SetupStrings.dat

Filesize
49KB

MD5
e502e1bbc4e2d7e0433981f1b0b6f19b

SHA1
08e4cc3759f23ad2f4c221047aa31cd15f32da45

SHA256
01ff567bba66f5cdf20c5c6d357bcde1a8be73d6b207cf3d2fb194f77f0c2c83

SHA512
872b472d81b3720a14b004d73209ee7a4f150c017a83af65e50d2af13f89d66246db01d2eeda76e55cc43606829c443738a997b4735c8478b0a9c56a0bd915e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\bab025.cbid20.dat

Filesize
189B

MD5
31b0a6106458ffd1646b92282af8c742

SHA1
0ff54058a685435264b74e94dc497a434ab41237

SHA256
6871f6258fccc0a9fff017c92bb82af9f293ced44b93a7eece34acd8eb884278

SHA512
76d7b2a05917ed32d50c392e541397b2f8bedec5c849b0953ab35d5bd3d9287abcb78b8c176ea1a4b981f791687e1e1104efcaad7b9a3bb647494487f4ae7905

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\bab027.Ttype090511_def.dat

Filesize
200B

MD5
f8078c09034cad89d368a7a1b1a9fbb3

SHA1
37df1cf10c468d2e6a9aec030573ec24d3d88671

SHA256
bf3b86caaabf5f03b2d2afc5a7ebc047cf0c35523b2bdc27c241dbb86d02d990

SHA512
c384753023f06e887a73771a9bf19d23c68ead58998b1a37f287f9a18c04ffe79e36130b44c9045191a95223ebff3e388b3a8fe0f6138d9da491a1b380672516

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\bab065.engset.dat

Filesize
192B

MD5
9d291922f477f4ab11c5a3d96def52d3

SHA1
625cf2c2898bdd75d7f4c3c078d964d69accde0f

SHA256
d0a32dc13f8763a15caea1ceb7ed0737ee0c3c5f055d9f552717548dc9bdca40

SHA512
897501bc61988c7f62b745f70018e5236dec3d702a09ff12fc76096b82321fb2add08d4f482ea89e2b9003a2792d4477dba40b2ce090bb29458f71fce78880ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\bab094.noprot.dat

Filesize
186B

MD5
6b8f361ef76c81bf7ef02408ad95ff5e

SHA1
f55c305a751a3e4b3393639548149de5ef6fe3a9

SHA256
07605692c9fbbe180e5ea8ab07441caa1b126804dda414faa03c9c31e11d89bf

SHA512
be9e4a8b467d0498bd20a885ed2f7747ac91fbbc1bd1a444fc2e426d56e6823caebee15c035728c20f80e190a9d3ccac5b4b123e12f32a8781050de0cd4af0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7DC7548-BAB0-7891-B9A2-85DDE5A4092A\bab267.mntra-tb.dat

Filesize
447B

MD5
28d4a7245d2a2875749d5be3fd470360

SHA1
ff78741b0695493f5048e4ba5bf8f7fb86116bc6

SHA256
8448cd3c3a86e706a674955db2f06a35f38191f5c43c0bb3a6b23762ee0757e7

SHA512
96aa8aa05221ef9912d4c670d06feb07f0af85f80c7836c0ca6229d6ca343a809f9eab37ade7a76b71c2733f12fc0b509d2faad02fe89deeea37e377d234fe95

Download Submit
C:\Users\Admin\AppData\Local\Temp\BABYLON.exe

Filesize
612KB

MD5
b9e5f50a942ab47e39f4a55af5de1980

SHA1
a24fddab6708c0615b9cb0b739243577386968c5

SHA256
2469ed0c8abcbdd8f7f160fd0e50413322be872520c8f454171dcffa86883bfb

SHA512
8647771a6b6290002e6bcf002d5f958bb153b91d929ac1bc99955cacb2380680bfdb3e5e216f916ea6aa0b39915fb93a1d8d0e619c2548960b4cd7af5af91412

Download Submit
memory/220-30-0x0000000002320000-0x000000000242E000-memory.dmp

Filesize
1.1MB

Download
memory/520-76-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/520-83-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download