00d2a0b06abeb9d202e4714995c631d95c033ae50f433e6bf9ceb59e83281fb9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/Toolbar_Toggle.exe
Size

818KB
MD5

bd234ce960895e7df492ceefeb67863a
SHA1

3f20dc68a6aac23c4702d16c8a5388dcfe591aea
SHA256

ee814d798c6071977a9e51568fb83c0232d44106a96c5b85492e339b0ba50f18
SHA512

ba3de1bbea6c7eac232f0991ca6e238f62544fb2c52b2e5b591f98ba17cff75fff2df5f7a56f3363dd0e3e1fa1d4a653e4ca095f6a36752f6d7111de3f75ff2a
SSDEEP

24576:cCF80piqnZp9Qu1Y0nmen61qLL0pbacdj4knmE2:cCFpp/nd1YGmennLL6OcdjHx2

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2716	Toolbar_Toggle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar_Toggle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Setup.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a3333035337630b435d637347535d131723575d271737275d377337035727473327634ba35a06010181854764a20021d00bd6	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2792	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2792	Setup.exe
Token: SeTakeOwnershipPrivilege	2792	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	Setup.exe
2792	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30
PID 2716 wrote to memory of 2792	2716	Toolbar_Toggle.exe	30

C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Toggle.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar_Toggle.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\Setup.exe" /s Files\Common Files
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup3-9.0.3.19.zpb

Filesize
60KB

MD5
5c3f3322e2c2b9a2ba5e2c92030c2f2b

SHA1
c51a24a2520c7559b40b204832b0ea3b383c2eb2

SHA256
d889214c0c295373121aef32b8c2c50c8c20530e3b3aa1a74ffdd991ccb37168

SHA512
fefc62b8af19a38e14d9077163afc935029ef4457c228a0d357e49ce7e9b58319d4b6fa38a38c2adb0d005f15c3f304ae76d81ca838e430f8e97bdc840c148d4

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\setup2-9.0.3.19.zpb

Filesize
142KB

MD5
4d507fc2ad32d1d8a8e74aaa8c01c1ca

SHA1
6fe219d6c97c2482e386de8618b5814a04eef635

SHA256
a551b5fbdfbb2a519edada9902b6dae5be9810db1c6acdf2dfe4bee2aa4caf7d

SHA512
db9caa9fe8bab0d57cf4c8164e2ca5dcb5df8be6ec988f6cd11ff6128ecd31913ac5bbabc6a197948396045e471fd43139bc6a404b44ac31b573503eb58bd443

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\Babylon.dat

Filesize
10KB

MD5
0ea4b325aeded4466c4cf6f8dae88ecf

SHA1
b3778ea32251e0f6dd4b94ed493244563f73c8db

SHA256
813f2727907a5aa4fe0b04de140184226b87bdf9fc1a6a86e1c9932ac85097d1

SHA512
f786ab86a5cf8bc9f49de0bf00cdff8da16ec53f5dc888bb68ca3d5250590349f4f426ccb3ac3ca1d74324df30fa4c1fa4af80416975e269546b67b4cc440746

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\common.js

Filesize
3KB

MD5
61326fe65b7ab277221d5fd3c3d8154f

SHA1
292d39c304209e0c87cbab00f8c5c37fcd0b1887

SHA256
055cc4086e5c6f5991aab46999cb147c155a1b4bd4675b1fe673ccc8527dbd07

SHA512
1f77de3af5266342429baf3e26ac71b5d476026213cb2a06f74b37251e4ba442f468b49c5691c4a0563373dfe4274bd606cf8bbb5033bacc2cd665a31022b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\eula.html

Filesize
62KB

MD5
43f3c7282a5cf225a4c8ab580309f27d

SHA1
7b2f6df42893c42b404cdf2bf0b020e83ac58075

SHA256
1750ba16aea8d20b9449a696b0fb20f6c9c5403daed15a6c118ffdcc71b77b47

SHA512
7c24fb911d56bf6a2481a2d1800bb0e3c7445178eb39cec15181a325f07b462b8b936495f989918adc52d6e550665afdacf69ae2b2e3711a9b1abadc0ae34d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\page2.css

Filesize
2KB

MD5
613f21fd9be71493f7f0f7f289faba46

SHA1
3085884627bb5cbe1af9c29e9acaf353299b192f

SHA256
dc7e17ccfdf805ea69c553abdea2b6a86fd27ec68d58f759b9a85e5a4be98e17

SHA512
3be478d24f712d2b4ca3d9142fc446986426290678ddc89518155e7c46a6bae5659b9a748b30eb26ba20323c9d9a2c67e7dfe770d0689ab1548a9a48568df8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\page2.html

Filesize
3KB

MD5
652dc84986ad79e823d07a0503f39fa2

SHA1
bb209be48b2bc746ee0f600fb18027fc9dd96b57

SHA256
18e1f4d19a0caed84851fbc3d7b1ad84da141b0b9553cfb7ab43671ad5bbba75

SHA512
abb9768bbbfbb88be990b7875c1bf93552567a736857cd97382a9c9c5837dad532acb9376071348b6f7a4021519d0a2b612c5120fb20efb257cf382d15226353

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\page2.js

Filesize
3KB

MD5
574d29f591a6c8e41526740aef35aef5

SHA1
16fd09104a40386b55d7a241c34841e1f881b346

SHA256
b1a88b9f78cb51b78b0abc00706269540cbddd4d22d06ef597c30aeda3f1806b

SHA512
86a1907fe6f9729eb6fc8b91a9581f071a608e2b808a49419efcd5930ea9408f45af2faeba92aa174c7fa680d014eebac001637622e0157065d4b898670c82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\page2Lrg.css

Filesize
1KB

MD5
3acbc4a0b720fd5daff11530ae9e0295

SHA1
23031d0a31bc05de190843a9b0d8b3745c796385

SHA256
59b5de1efe45a796fab6130ee94db0dc13be896ab798e126cb2c5889aead32b7

SHA512
abc4815f7df7f65c57c61facd568616c9b844cdfea8d12ae819987dcec256d82c7ef040c1df24be2ddef0b42601f1a8e22755b7320d1fcbcee0dd94055092b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\page9.html

Filesize
668B

MD5
69d63df890d8445501ac73835d7966d3

SHA1
f385c25afc2b5180e7f0c34b2de8089c68f654f7

SHA256
041569cede5fc91021a788647e4dc1b4a1c3f925f2bbb8857dce0930bd3838ef

SHA512
879735c74bc6b2467ce2f5c88ff755191d781207fbdda9f65f4b0f032ca638c96413f049607bbe65672d51254456f159bc9f95a3fe9d67234087c046fd9de128

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\title2.png

Filesize
44KB

MD5
a9e1f1f2b2628c6ee61c1e11c7288baf

SHA1
48b2f87ad6bc5d7cdc22500df46a967acb077cfa

SHA256
c336644e20a898fc28b216d91908c9ed4b716f572c0b06d5b3a5a68e43c6aeb9

SHA512
3027aead5dc0a2de2dfe7bbdaefeac1dfc1829db1edcd60493f51bbe3d3f75363b938f60a2cc6c46dd9992d9c33df5f8ab7a62e4235ca0858358cb73ad2dc514

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\HtmlScreens\toolBar.jpg

Filesize
19KB

MD5
56dc3cb42b46309e642c15167003685d

SHA1
045749de2c1492e5dfc4c44f9eb6c0feefe06b3d

SHA256
bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1

SHA512
5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\SetupStrings.dat

Filesize
57KB

MD5
19f47f9cab41a5e07d49a4171748b598

SHA1
d30b022c9d85be7384f26f335e01e56d2ef1a9e6

SHA256
07638d54048adfb3229fbc6a56a8b7ff6f3a8370bf942306ecb5352de64c3e86

SHA512
b83181ffa46ac732e6c4aabcc26b77ee594c1381311ddde3151b7e740e80c07ef84c5910e535696b4ccf8ddb11b1c5b8b3d387ba08ec346bc375c0d2f490dfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\Welcome.html

Filesize
181B

MD5
74f50446b18a1a2daee2041a3d08009b

SHA1
aee7668609144599cfe6b4df0a45af651f55bb46

SHA256
78d88f0ee5d32d5406aa7d395f22f375e5c4ba8f2572f70d7a962ab830b803dc

SHA512
0a585a5f7f5a0de47b064a862c86ee05e45ce69b98bb0fb09b844232773becd5a097c04ff57872f80ddf2d3f71d3ff7fdb95e6988633f27092d3a3663934dbca

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\bab033.tbinst.dat

Filesize
236B

MD5
1ee8c638e49ee7137607722768afc5a2

SHA1
8719d7a498a49b042cd6fc411cac6c44f3c0f43a

SHA256
1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e

SHA512
2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\41A0885C-BAB0-7891-9665-F3CABCA8C607\Setup.exe

Filesize
1.7MB

MD5
2cea6f4da60058bad2924385202c25cf

SHA1
5f437ecc88a691b6161b1d168b3f4a93624f5832

SHA256
a1a97e5c13a8e39ec8b5a9ffd7c5cff11749b1b203ce6f7095fec28d01b4798e

SHA512
07485068c9862ab09144312cb652fdc97fde34bd7de573d587ad25454aa8f611fcc5853ab2f1261d8e50cf39772e14fa6d518580d6ce5386a01dafd0ba3f59a5

Download Submit