20a0615476fb2a77bf47dd471170d01d2e621246f224e078737eb17cb529dc3d

Analysis

max time kernel
119s
max time network
21s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 02:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

550a9fb1f896bdb21c8a3b4faef45700N.exe
Size

45KB
MD5

550a9fb1f896bdb21c8a3b4faef45700
SHA1

692e980a11f35e316e695b581d97a2ac7082a3b3
SHA256

20a0615476fb2a77bf47dd471170d01d2e621246f224e078737eb17cb529dc3d
SHA512

5ef80348a5a18b5b507bbece8b5e9c8d13c67d02b0d214f0360514ba7e68dd3008979ebcb19f6b60cb8d23bbd890baa1bf4780b06c86b7ab2c40666f66de554c
SSDEEP

768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwLB:/a8jroAbRB+XWCQLZeIdSwkO

Score

10^/10

aspackv2 discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	550a9fb1f896bdb21c8a3b4faef45700N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	550a9fb1f896bdb21c8a3b4faef45700N.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

ASPack v2.12-2.42 21 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00060000000186c6-8.dat	aspack_v212_v242
behavioral1/files/0x00060000000186d9-103.dat	aspack_v212_v242
behavioral1/memory/1856-104-0x0000000002300000-0x0000000002323000-memory.dmp	aspack_v212_v242
behavioral1/files/0x0005000000019605-116.dat	aspack_v212_v242
behavioral1/files/0x0005000000019608-122.dat	aspack_v212_v242
behavioral1/files/0x000500000001960a-134.dat	aspack_v212_v242
behavioral1/files/0x000500000001960c-150.dat	aspack_v212_v242
behavioral1/memory/1856-151-0x0000000002300000-0x0000000002323000-memory.dmp	aspack_v212_v242
behavioral1/files/0x0005000000019606-167.dat	aspack_v212_v242
behavioral1/files/0x0005000000019604-165.dat	aspack_v212_v242
behavioral1/files/0x00060000000195d6-162.dat	aspack_v212_v242
behavioral1/files/0x0008000000018710-161.dat	aspack_v212_v242
behavioral1/files/0x000500000001961c-159.dat	aspack_v212_v242
behavioral1/memory/1456-219-0x0000000001EE0000-0x0000000001F03000-memory.dmp	aspack_v212_v242
behavioral1/files/0x000500000001961c-232.dat	aspack_v212_v242
behavioral1/files/0x0005000000019604-303.dat	aspack_v212_v242
behavioral1/files/0x0005000000019606-300.dat	aspack_v212_v242
behavioral1/files/0x00060000000195d6-296.dat	aspack_v212_v242
behavioral1/files/0x0008000000018710-294.dat	aspack_v212_v242
behavioral1/files/0x000500000001961c-292.dat	aspack_v212_v242
behavioral1/memory/1908-346-0x0000000000220000-0x0000000000230000-memory.dmp	aspack_v212_v242

Executes dropped EXE 30 IoCs

pid	Process
2948	babon.exe
1456	IExplorer.exe
3000	winlogon.exe
2704	csrss.exe
2904	lsass.exe
2396	babon.exe
2040	babon.exe
1636	IExplorer.exe
2360	IExplorer.exe
1240	babon.exe
856	babon.exe
1740	babon.exe
1040	winlogon.exe
2508	winlogon.exe
2716	csrss.exe
2472	IExplorer.exe
2736	csrss.exe
1908	lsass.exe
2968	IExplorer.exe
2172	IExplorer.exe
2676	lsass.exe
3060	winlogon.exe
1680	csrss.exe
1552	winlogon.exe
1580	winlogon.exe
1688	csrss.exe
2584	lsass.exe
828	csrss.exe
2928	lsass.exe
816	lsass.exe

Loads dropped DLL 45 IoCs

pid	Process
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
2948	babon.exe
2948	babon.exe
1456	IExplorer.exe
1456	IExplorer.exe
2948	babon.exe
2948	babon.exe
2704	csrss.exe
2704	csrss.exe
1456	IExplorer.exe
1456	IExplorer.exe
1456	IExplorer.exe
1456	IExplorer.exe
2948	babon.exe
2948	babon.exe
1456	IExplorer.exe
1456	IExplorer.exe
3000	winlogon.exe
3000	winlogon.exe
2904	lsass.exe
2904	lsass.exe
2948	babon.exe
2948	babon.exe
2704	csrss.exe
2704	csrss.exe
2704	csrss.exe
2904	lsass.exe
2904	lsass.exe
3000	winlogon.exe
2904	lsass.exe
3000	winlogon.exe
3000	winlogon.exe
2904	lsass.exe
2704	csrss.exe
2704	csrss.exe
2904	lsass.exe
3000	winlogon.exe
3000	winlogon.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	lsass.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\J:	babon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\B:	babon.exe
File opened (read-only)	\??\H:	babon.exe
File opened (read-only)	\??\Q:	babon.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\W:	babon.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\K:	babon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\U:	babon.exe
File opened (read-only)	\??\V:	babon.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\N:	babon.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\S:	babon.exe
File opened (read-only)	\??\Z:	babon.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\X:	babon.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\R:	babon.exe
File opened (read-only)	\??\T:	babon.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\O:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	IExplorer.exe
File opened for modification	C:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	IExplorer.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\babon.scr	550a9fb1f896bdb21c8a3b4faef45700N.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	babon.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	550a9fb1f896bdb21c8a3b4faef45700N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	csrss.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\babon.exe	babon.exe
File opened for modification	C:\Windows\babon.exe	lsass.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	IExplorer.exe
File created	C:\Windows\babon.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	lsass.exe
File opened for modification	C:\Windows\babon.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe
File created	C:\Windows\babon.exe	550a9fb1f896bdb21c8a3b4faef45700N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s1159 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\s2359 = "Babon"	csrss.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	550a9fb1f896bdb21c8a3b4faef45700N.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	lsass.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2948	babon.exe
2704	csrss.exe
3000	winlogon.exe
1456	IExplorer.exe
2904	lsass.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
1856	550a9fb1f896bdb21c8a3b4faef45700N.exe
2948	babon.exe
1456	IExplorer.exe
3000	winlogon.exe
2704	csrss.exe
2904	lsass.exe
2396	babon.exe
2040	babon.exe
1636	IExplorer.exe
1240	babon.exe
2360	IExplorer.exe
1040	winlogon.exe
2508	winlogon.exe
856	babon.exe
2716	csrss.exe
1740	babon.exe
1908	lsass.exe
2736	csrss.exe
2472	IExplorer.exe
2968	IExplorer.exe
2172	IExplorer.exe
2676	lsass.exe
3060	winlogon.exe
1552	winlogon.exe
1580	winlogon.exe
1680	csrss.exe
2584	lsass.exe
1688	csrss.exe
828	csrss.exe
2928	lsass.exe
816	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2948	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	30
PID 1856 wrote to memory of 2948	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	30
PID 1856 wrote to memory of 2948	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	30
PID 1856 wrote to memory of 2948	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	30
PID 1856 wrote to memory of 1456	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	31
PID 1856 wrote to memory of 1456	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	31
PID 1856 wrote to memory of 1456	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	31
PID 1856 wrote to memory of 1456	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	31
PID 1856 wrote to memory of 3000	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	32
PID 1856 wrote to memory of 3000	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	32
PID 1856 wrote to memory of 3000	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	32
PID 1856 wrote to memory of 3000	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	32
PID 1856 wrote to memory of 2704	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	33
PID 1856 wrote to memory of 2704	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	33
PID 1856 wrote to memory of 2704	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	33
PID 1856 wrote to memory of 2704	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	33
PID 1856 wrote to memory of 2904	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	34
PID 1856 wrote to memory of 2904	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	34
PID 1856 wrote to memory of 2904	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	34
PID 1856 wrote to memory of 2904	1856	550a9fb1f896bdb21c8a3b4faef45700N.exe	34
PID 2948 wrote to memory of 2396	2948	babon.exe	35
PID 2948 wrote to memory of 2396	2948	babon.exe	35
PID 2948 wrote to memory of 2396	2948	babon.exe	35
PID 2948 wrote to memory of 2396	2948	babon.exe	35
PID 1456 wrote to memory of 2040	1456	IExplorer.exe	36
PID 1456 wrote to memory of 2040	1456	IExplorer.exe	36
PID 1456 wrote to memory of 2040	1456	IExplorer.exe	36
PID 1456 wrote to memory of 2040	1456	IExplorer.exe	36
PID 2948 wrote to memory of 1636	2948	babon.exe	37
PID 2948 wrote to memory of 1636	2948	babon.exe	37
PID 2948 wrote to memory of 1636	2948	babon.exe	37
PID 2948 wrote to memory of 1636	2948	babon.exe	37
PID 1456 wrote to memory of 2360	1456	IExplorer.exe	38
PID 1456 wrote to memory of 2360	1456	IExplorer.exe	38
PID 1456 wrote to memory of 2360	1456	IExplorer.exe	38
PID 1456 wrote to memory of 2360	1456	IExplorer.exe	38
PID 2704 wrote to memory of 1240	2704	csrss.exe	39
PID 2704 wrote to memory of 1240	2704	csrss.exe	39
PID 2704 wrote to memory of 1240	2704	csrss.exe	39
PID 2704 wrote to memory of 1240	2704	csrss.exe	39
PID 2904 wrote to memory of 1740	2904	lsass.exe	40
PID 2904 wrote to memory of 1740	2904	lsass.exe	40
PID 2904 wrote to memory of 1740	2904	lsass.exe	40
PID 2904 wrote to memory of 1740	2904	lsass.exe	40
PID 3000 wrote to memory of 856	3000	winlogon.exe	41
PID 3000 wrote to memory of 856	3000	winlogon.exe	41
PID 3000 wrote to memory of 856	3000	winlogon.exe	41
PID 3000 wrote to memory of 856	3000	winlogon.exe	41
PID 2948 wrote to memory of 1040	2948	babon.exe	42
PID 2948 wrote to memory of 1040	2948	babon.exe	42
PID 2948 wrote to memory of 1040	2948	babon.exe	42
PID 2948 wrote to memory of 1040	2948	babon.exe	42
PID 2704 wrote to memory of 2472	2704	csrss.exe	43
PID 2704 wrote to memory of 2472	2704	csrss.exe	43
PID 2704 wrote to memory of 2472	2704	csrss.exe	43
PID 2704 wrote to memory of 2472	2704	csrss.exe	43
PID 1456 wrote to memory of 2508	1456	IExplorer.exe	44
PID 1456 wrote to memory of 2508	1456	IExplorer.exe	44
PID 1456 wrote to memory of 2508	1456	IExplorer.exe	44
PID 1456 wrote to memory of 2508	1456	IExplorer.exe	44
PID 1456 wrote to memory of 2716	1456	IExplorer.exe	45
PID 1456 wrote to memory of 2716	1456	IExplorer.exe	45
PID 1456 wrote to memory of 2716	1456	IExplorer.exe	45
PID 1456 wrote to memory of 2716	1456	IExplorer.exe	45

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	550a9fb1f896bdb21c8a3b4faef45700N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	550a9fb1f896bdb21c8a3b4faef45700N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe

C:\Users\Admin\AppData\Local\Temp\550a9fb1f896bdb21c8a3b4faef45700N.exe
"C:\Users\Admin\AppData\Local\Temp\550a9fb1f896bdb21c8a3b4faef45700N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1856
- C:\Windows\babon.exe
  C:\Windows\babon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2948
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2396
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2676
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1456
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1908
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3000
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:856
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2172
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:828
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2704
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1240
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2472
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1680
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2584
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2904
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1740
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2968
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1688
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
d6397328a6b8ae2b4a4117d5394fa616

SHA1
b87254fbc561d54eb0bbc1c9310ac890810f6ab1

SHA256
2fff25df2c76a001bdf045a0fcb5bd99560a12d01ab07b596ee0b253809145af

SHA512
7c4f068e8accae58e6d27cbf3242aef0b522a3e9abae7187cf055c741fb955826d68041bc1431b0ddba5c54f0c39c06e16378c9fe550809f576ba589b60247f1

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
550a9fb1f896bdb21c8a3b4faef45700

SHA1
692e980a11f35e316e695b581d97a2ac7082a3b3

SHA256
20a0615476fb2a77bf47dd471170d01d2e621246f224e078737eb17cb529dc3d

SHA512
5ef80348a5a18b5b507bbece8b5e9c8d13c67d02b0d214f0360514ba7e68dd3008979ebcb19f6b60cb8d23bbd890baa1bf4780b06c86b7ab2c40666f66de554c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
45KB

MD5
778166bf4e60a1cd5781dc0ae8aa5847

SHA1
1fba4d13df9bd5a144ddebf760c171d012c2023e

SHA256
2b7a966d0f726527bdcc3e70499bc52f6ffc79a47191ee4bf2d8a44d4b4beecf

SHA512
6d24920667960c1aaa8668ade573ba89271e68d7723f8c9185bb1281021c0b9e1040540fc4505e90f7081b0a606ffdf6f26baca77d4e5ac16f3889239c56582e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
45KB

MD5
8de0db88b9baf6c6aa96894f263dbc75

SHA1
667c3f1b9714559c4548f149e3ea04baac7c155c

SHA256
468b29aecf56e57c99932ca4b8fd30c8cf4c0e4f60c0e4bfff59611547a7c824

SHA512
c64c84593a06efafc43f6db80c9e068aac1438b58f9855ec79623278e8b4cacc73370da8c0a864420acc44480e7aeff916b44e5c475cc804a8f3e6133b4123a0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
45KB

MD5
201dc7422eb3d34c5f42570cac221351

SHA1
f919fa239485f2036411e6798de85425c4fd32e0

SHA256
a70cd60ffaa6e3badb804bef80fc29b5839251d2d60a44f1e4eaaa9319052417

SHA512
390d5242cb0302983b12d83426d5d2a3e406a3a01f65198548239a7dcd49289080dcd7beb1dd322e9d9cf9992bb137132e07c2d3c36e503d0ba022e679cb7548

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
45KB

MD5
b066ea840869132f7f8239bd181d8d75

SHA1
ee3242bcde3bfe8f31a3b794c5fe819d3469eb83

SHA256
353d0cf40daade5487f609daf3dc6604e5653fe5b237c1826c66072f71c7cd21

SHA512
6333c9832b762610fb7d09ec349b1b1e3d13ea6541f664b7913c21c6089175dd3e603af3f100a6f812a6099038354a5c5d046eeb19fc430eef0785c6f5afdb64

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
45KB

MD5
f01e09a2142983c6b4efba32043be2c0

SHA1
2a43f0610e443cb7585f3d787fc053941458a718

SHA256
3d8d6eca5629e78877f5ea07fffa9a0f3e2e5b4a60f1c96cdf979e7fc1701f38

SHA512
3194c84f17f93cd3d339c662caecc6eb7127b378fb544c7da368d9f784414f9e4a05ce3d18334f917d4762d700c9874d4d5ed5483963791f17fb5a992d9beaf3

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
0c3df90e8a92ce50b3df063ef68db16a

SHA1
69aa7b8ff3bc64343a4d43c3b88db99cc87443e4

SHA256
e6fb58dc626acc4e59bac936c7f89bf95768b8a07f28d6326f0ddf28febf614f

SHA512
eedf66bfba51b644fd6c734c06a83c67b47da25b840216c8962a63fda05d0c8847a664aa60707dfcb9805603b2b6ac14df965744d851a23cbbc63534665aca7e

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
45KB

MD5
15cf51f652a4c0fdbf775cf42ab8794d

SHA1
3534ba5d283de9cb5e70029a91fe4a84df22f14c

SHA256
32be694fca5503ca34e6fd8f6351630cdff854527c8401a0dd6bebd963ec2c40

SHA512
477d6cd1ad0a69a926b0c75cbc369f0185676626177c579905f93fd5d32ab1a645fef7e52afb4c43f0136b8e9cd396df9854acd51382905e716bc2fb98d052b5

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
45KB

MD5
072ef04300cdeac5e1acc46c59b50c44

SHA1
3919c85033f20ff567b786304b5954a67b607b2f

SHA256
041da96b0637019917cb616a6be86929af3fea90f0f8c2cdcd16be149ac83f98

SHA512
4113d2bea9fc128a128d108153fed83fe63b3153c4ca090656ac77207b3bf826016cd487b3ceb31d52122f5fec28ef1ca764ce776335103fd5d65160ee81c629

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
45KB

MD5
35c05c5a0e9643423fc63fb3400606f9

SHA1
2a6c830ff9a96157ea25ad0c3411325c4399bea6

SHA256
cfcd29b3a3e14d83f2fbf15f26750949304c6c8328b871daa5485fd4839a33a3

SHA512
1ae96e342bb46f300e692cdf5414a20cb5fae5f5b262cfecf206d76208d6bc7e1e244c3a76f92996bc8c8a71333f07fd866318ba64ca072ef061cd222c46fd36

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
45KB

MD5
76382fb1f3b14a6160b1cf49b3e01258

SHA1
5590e1f553427647962c72c86063210c2070beed

SHA256
8494f83599610de40988f04aab1c181a495d7a38ec50129abf2fb1a9436a3789

SHA512
6dcdc117a83196daa6ffb5f180f94fed9e88aa261386ffa0769bf9ce19996d3d2049c1c6ab1fa5cbeba5c46fa60814cf4a2bff0b20b0f13d6d105cf35045f395

Download Submit
C:\Windows\babon.exe

Filesize
45KB

MD5
9be52f1bfcaa5cf7af2ec516b13c130b

SHA1
c2a311a0bf6827b7e90bc70ede23437ae84d6c1e

SHA256
8af34974d09473cf7712cd5966c0434601d9f85f9ba104d37cb05a992b4fd918

SHA512
09983306553d0f558387fea1b26379c5274ea1e48ef33ddca99b22b5dd7fe0383d338ac24451ab707bf7ee4e61bd7a633eb0bb8aa30eec9cf6dc004dcaf72c12

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\babon.exe

Filesize
45KB

MD5
4830baba3ff7f6a26d186747e45ce7aa

SHA1
0eb7ff862b5b9d55ba1a8657b41c8695c7624937

SHA256
41b13f95a5aa4eb788683cbce83867f1b06083faec9c99dc8a625e10457e9558

SHA512
396358f57cff57744f4fef60a3ce0f2d2c6c48a9fc6f1ab7b494ff801d70d50fe11290e3e7d96c4d0fa78994b750aca3cd9b149281d3d3992f5ac3c864368545

Download Submit
C:\babon.exe

Filesize
45KB

MD5
a580dc4291193ce8d582cf5245ff3e88

SHA1
8c298e69fd6c8b08a5cd5cfc560a62cd2f34efc7

SHA256
15ac02ecaf144780d3158adf3debd6a3ba7e2e6a71c002e87002c4b07166fb21

SHA512
9f52eb72575d34feb8df6dc2f6bf217795bd67b1d5055c3b83ff2aeeaf20c2170f9bb9289101ff0afff00b8252e7763b2d19735c7e0711cb7e719bf93b1b6d4a

Download Submit
C:\wangsit.txt

Filesize
416B

MD5
8c460e27a1949370d14f20942ef964c3

SHA1
fb1f75839903c83911b45b49956792d27db56185

SHA256
2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

SHA512
ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

Download Submit
F:\autorun.inf

Filesize
41B

MD5
097661e74e667ec2329bc274acb87b0d

SHA1
91c68a6089af2f61035e2e5f2a8da8c908dc93ed

SHA256
aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

SHA512
e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\csrss.exe

Filesize
45KB

MD5
3abe1bd76cad8a8ee35559f5b6c61535

SHA1
4c759de4629bdb879f66500538c52f89928ad56b

SHA256
ec30c6bf30c51153aa116773ad153917c9767d5d34fd466a27228d9a552d9abd

SHA512
5f932ade1c6d52787cc583fbc979b114e884e76708e623f41474ddc2f620bcf3c672c4b3a7aabba72bb2d58356cbaed26759239d69be7e032de200df97a65f6c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
45KB

MD5
685cd8b4989f36c3cc15ee1b63d43b20

SHA1
43d0659cb9113b02521db4309cd56162dcfcb9ad

SHA256
3bd9cac5615d26754a99cfe66e2a97e426001883774a40b1607b927962d37100

SHA512
aa36bf9e8684fbf4dd6d5cd8aa76ad14841b2df6500c66ef33794ec37096331ee34f5f15d439bb7099f5ca0b75465adc7945f3435d8115cf838ef158f1c50b5a

Download Submit
memory/816-439-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/816-436-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/828-421-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/828-430-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/856-333-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/856-341-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/856-340-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1040-315-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1040-332-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1240-310-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1240-320-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1240-319-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1456-467-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1456-327-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1456-372-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1456-442-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1456-461-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1456-219-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1456-468-0x0000000001EE0000-0x0000000001F03000-memory.dmp

Filesize
140KB

Download
memory/1552-402-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1552-407-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1580-409-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1580-405-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-229-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-269-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1680-410-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1680-414-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-431-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1688-417-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1740-351-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1740-350-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1740-314-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1856-110-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-151-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-130-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-105-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-104-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-129-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-136-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-117-0x0000000002300000-0x0000000002323000-memory.dmp

Filesize
140KB

Download
memory/1856-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1856-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-348-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1908-346-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2040-230-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-260-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-259-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2172-376-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2172-396-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2360-338-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2396-221-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2396-227-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2396-225-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2396-190-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2472-390-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2508-321-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2508-323-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2508-322-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2508-325-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-423-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-420-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-400-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2676-384-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-419-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2704-444-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2704-482-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2704-479-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2704-418-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/2716-328-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-343-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2716-336-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2716-335-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2736-386-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-330-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-445-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-152-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-480-0x0000000001D70000-0x0000000001D93000-memory.dmp

Filesize
140KB

Download
memory/2928-437-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-441-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-188-0x00000000025F0000-0x0000000002613000-memory.dmp

Filesize
140KB

Download
memory/2948-106-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2948-383-0x00000000025F0000-0x0000000002613000-memory.dmp

Filesize
140KB

Download
memory/2948-329-0x00000000025F0000-0x0000000002613000-memory.dmp

Filesize
140KB

Download
memory/2968-373-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2968-392-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-443-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-131-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-412-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/3000-481-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/3060-398-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download