Analysis
max time kernel: 150s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11/08/2024, 00:59

Static task: static1
Behavioral task: behavioral1
  Sample: a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
  Resource: win10v2004-20240802-en

General
Target: a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Size: 45KB
MD5: b03469a76d12aeca26ac78015f67abd1
SHA1: 83749376d48d5731828b25a5ed049681a3839293
SHA256: a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d
SHA512: 621d1c9dc3b39d13db0e25b345c233912b021177cbc018a907c4bdd2037c9dc6c598113443a2d3d89a06eb1adbc116e932d22bf5da67d1f3c2dab91972b06750
SSDEEP: 768:oMzk06sDnriJ3OGKeKNh/UkECjMtvR1VF2r+R5nOwekfZOSx:npDnq+5h/tDSZ15Wwdrx

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (35 IoCs)
pid | Process
2072 | babon.exe
1080 | IExplorer.exe
1668 | winlogon.exe
3004 | csrss.exe
2144 | babon.exe
2156 | IExplorer.exe
2216 | winlogon.exe
1456 | babon.exe
2432 | csrss.exe
940 | IExplorer.exe
2220 | winlogon.exe
1832 | babon.exe
1548 | csrss.exe
672 | IExplorer.exe
1936 | lsass.exe
1608 | babon.exe
1948 | lsass.exe
2964 | babon.exe
2720 | winlogon.exe
2896 | IExplorer.exe
2924 | lsass.exe
484 | IExplorer.exe
2708 | csrss.exe
2728 | winlogon.exe
852 | csrss.exe
328 | winlogon.exe
2552 | lsass.exe
2740 | lsass.exe
1176 | csrss.exe
3052 | lsass.exe
708 | babon.exe
1152 | IExplorer.exe
2004 | winlogon.exe
2880 | csrss.exe
1836 | lsass.exe
Loads dropped DLL (53 IoCs)
pid | Process
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2072 | babon.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2072 | babon.exe
2072 | babon.exe
2072 | babon.exe
2072 | babon.exe
2072 | babon.exe
1080 | IExplorer.exe
1080 | IExplorer.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2072 | babon.exe
2072 | babon.exe
3004 | csrss.exe
3004 | csrss.exe
1080 | IExplorer.exe
1080 | IExplorer.exe
1668 | winlogon.exe
1668 | winlogon.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
1080 | IExplorer.exe
1080 | IExplorer.exe
3004 | csrss.exe
3004 | csrss.exe
3004 | csrss.exe
1668 | winlogon.exe
1080 | IExplorer.exe
1080 | IExplorer.exe
3004 | csrss.exe
3004 | csrss.exe
1668 | winlogon.exe
1668 | winlogon.exe
1668 | winlogon.exe
1668 | winlogon.exe
1936 | lsass.exe
1936 | lsass.exe
1936 | lsass.exe
1936 | lsass.exe
1936 | lsass.exe
1936 | lsass.exe
1936 | lsass.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\W: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\M: | babon.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\R: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\Z: | IExplorer.exe
File opened (read-only) | \??\P: | winlogon.exe
File opened (read-only) | \??\N: | babon.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\O: | lsass.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\W: | lsass.exe
File opened (read-only) | \??\G: | babon.exe
File opened (read-only) | \??\V: | babon.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\K: | winlogon.exe
File opened (read-only) | \??\R: | lsass.exe
File opened (read-only) | \??\S: | babon.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\Q: | winlogon.exe
File opened (read-only) | \??\U: | winlogon.exe
File opened (read-only) | \??\X: | winlogon.exe
File opened (read-only) | \??\B: | lsass.exe
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\J: | lsass.exe
File opened (read-only) | \??\L: | lsass.exe
File opened (read-only) | \??\E: | babon.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\B: | IExplorer.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\X: | lsass.exe
File opened (read-only) | \??\E: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\T: | babon.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\H: | lsass.exe
File opened (read-only) | \??\Z: | lsass.exe
File opened (read-only) | \??\Z: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\G: | lsass.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\S: | lsass.exe
File opened (read-only) | \??\B: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\I: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\K: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\N: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\S: | IExplorer.exe
File opened (read-only) | \??\W: | babon.exe
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\G: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\X: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\O: | babon.exe
File opened (read-only) | \??\H: | IExplorer.exe
File opened (read-only) | \??\M: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\V: | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened (read-only) | \??\H: | babon.exe
File opened (read-only) | \??\I: | babon.exe
File opened (read-only) | \??\K: | babon.exe
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\autorun.inf | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File created | F:\autorun.inf | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | F:\autorun.inf | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Drops file in System32 directory (40 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\babon.scr | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | csrss.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | babon.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File created | C:\Windows\SysWOW64\shell.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
Drops file in Windows directory 26 IoCs
description | ioc | Process
File opened for modification | C:\Windows\babon.exe | winlogon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\babon.exe | csrss.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | csrss.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | lsass.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\babon.exe | babon.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | babon.exe
File created | C:\Windows\babon.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | lsass.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\babon.exe | winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 36 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IExplorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winlogon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | babon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Modifies Control Panel 42 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | lsass.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s2359 = "Babon" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\s1159 = "Babon" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | csrss.exe
Modifies Internet Explorer settings 18 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | babon.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\ | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" | lsass.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
2072 | babon.exe
3004 | csrss.exe
1668 | winlogon.exe
1080 | IExplorer.exe
1936 | lsass.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
2072 | babon.exe
1080 | IExplorer.exe
1668 | winlogon.exe
3004 | csrss.exe
2144 | babon.exe
2156 | IExplorer.exe
2216 | winlogon.exe
1456 | babon.exe
940 | IExplorer.exe
2220 | winlogon.exe
1832 | babon.exe
2432 | csrss.exe
1548 | csrss.exe
1936 | lsass.exe
1948 | lsass.exe
672 | IExplorer.exe
1608 | babon.exe
2964 | babon.exe
2720 | winlogon.exe
2924 | lsass.exe
2896 | IExplorer.exe
484 | IExplorer.exe
2728 | winlogon.exe
2708 | csrss.exe
852 | csrss.exe
328 | winlogon.exe
2552 | lsass.exe
2740 | lsass.exe
1176 | csrss.exe
3052 | lsass.exe
708 | babon.exe
1152 | IExplorer.exe
2004 | winlogon.exe
2880 | csrss.exe
1836 | lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2780 wrote to memory of 2072 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 30
PID 2780 wrote to memory of 2072 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 30
PID 2780 wrote to memory of 2072 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 30
PID 2780 wrote to memory of 2072 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 30
PID 2780 wrote to memory of 1080 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 31
PID 2780 wrote to memory of 1080 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 31
PID 2780 wrote to memory of 1080 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 31
PID 2780 wrote to memory of 1080 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 31
PID 2780 wrote to memory of 1668 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 32
PID 2780 wrote to memory of 1668 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 32
PID 2780 wrote to memory of 1668 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 32
PID 2780 wrote to memory of 1668 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 32
PID 2780 wrote to memory of 3004 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 33
PID 2780 wrote to memory of 3004 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 33
PID 2780 wrote to memory of 3004 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 33
PID 2780 wrote to memory of 3004 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 33
PID 2780 wrote to memory of 2144 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 34
PID 2780 wrote to memory of 2144 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 34
PID 2780 wrote to memory of 2144 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 34
PID 2780 wrote to memory of 2144 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 34
PID 2780 wrote to memory of 2156 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 35
PID 2780 wrote to memory of 2156 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 35
PID 2780 wrote to memory of 2156 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 35
PID 2780 wrote to memory of 2156 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 35
PID 2780 wrote to memory of 2216 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 36
PID 2780 wrote to memory of 2216 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 36
PID 2780 wrote to memory of 2216 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 36
PID 2780 wrote to memory of 2216 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 36
PID 2072 wrote to memory of 1456 | 2072 | babon.exe | 37
PID 2072 wrote to memory of 1456 | 2072 | babon.exe | 37
PID 2072 wrote to memory of 1456 | 2072 | babon.exe | 37
PID 2072 wrote to memory of 1456 | 2072 | babon.exe | 37
PID 2780 wrote to memory of 2432 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 39
PID 2780 wrote to memory of 2432 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 39
PID 2780 wrote to memory of 2432 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 39
PID 2780 wrote to memory of 2432 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 39
PID 2072 wrote to memory of 940 | 2072 | babon.exe | 38
PID 2072 wrote to memory of 940 | 2072 | babon.exe | 38
PID 2072 wrote to memory of 940 | 2072 | babon.exe | 38
PID 2072 wrote to memory of 940 | 2072 | babon.exe | 38
PID 1080 wrote to memory of 1832 | 1080 | IExplorer.exe | 40
PID 1080 wrote to memory of 1832 | 1080 | IExplorer.exe | 40
PID 1080 wrote to memory of 1832 | 1080 | IExplorer.exe | 40
PID 1080 wrote to memory of 1832 | 1080 | IExplorer.exe | 40
PID 2072 wrote to memory of 2220 | 2072 | babon.exe | 41
PID 2072 wrote to memory of 2220 | 2072 | babon.exe | 41
PID 2072 wrote to memory of 2220 | 2072 | babon.exe | 41
PID 2072 wrote to memory of 2220 | 2072 | babon.exe | 41
PID 2072 wrote to memory of 1548 | 2072 | babon.exe | 42
PID 2072 wrote to memory of 1548 | 2072 | babon.exe | 42
PID 2072 wrote to memory of 1548 | 2072 | babon.exe | 42
PID 2072 wrote to memory of 1548 | 2072 | babon.exe | 42
PID 1080 wrote to memory of 672 | 1080 | IExplorer.exe | 43
PID 1080 wrote to memory of 672 | 1080 | IExplorer.exe | 43
PID 1080 wrote to memory of 672 | 1080 | IExplorer.exe | 43
PID 1080 wrote to memory of 672 | 1080 | IExplorer.exe | 43
PID 2780 wrote to memory of 1936 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 44
PID 2780 wrote to memory of 1936 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 44
PID 2780 wrote to memory of 1936 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 44
PID 2780 wrote to memory of 1936 | 2780 | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe | 44
PID 1668 wrote to memory of 1608 | 1668 | winlogon.exe | 45
PID 1668 wrote to memory of 1608 | 1668 | winlogon.exe | 45
PID 1668 wrote to memory of 1608 | 1668 | winlogon.exe | 45
PID 1668 wrote to memory of 1608 | 1668 | winlogon.exe | 45
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe (depth 1), command line: "C:\Users\Admin\AppData\Local\Temp\a734a15aaa184c44cff75d9cd2db552281911cca12f913ce7866efe61a768e6d.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2780 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1456
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:940
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1948
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1080 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:672
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2552
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1668 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1608
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:484
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:328
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1176
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3052
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3004 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2728
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:852
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2156
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2432
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1936 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:708
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1152
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2004
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1836
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2924
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads