cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Size

91KB
MD5

65c451983d571e652f41a07f80045799
SHA1

4d83f8e91ac8e730819afe89606112ca3f7daa2d
SHA256

cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e
SHA512

336b11f744f6860070a64f4d8d5d784327ec5dc8a1a9350a441deb0d76517b07cb753d9090da32221a49456fbc0058827621035a2da59916705121fabb74ac07
SSDEEP

1536:9a8jroAbRB+XWCQLZeIdSwkqa8jroAbRB+XWCQLZeIdSwkS4:LFRBLJSkFRBLJSB

Score

10^/10

aspackv2 discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000002345b-8.dat	aspack_v212_v242
behavioral2/files/0x000700000002345e-100.dat	aspack_v212_v242
behavioral2/files/0x0007000000023462-106.dat	aspack_v212_v242
behavioral2/files/0x0007000000023464-114.dat	aspack_v212_v242
behavioral2/files/0x0007000000023465-120.dat	aspack_v212_v242
behavioral2/files/0x0007000000023466-126.dat	aspack_v212_v242
behavioral2/files/0x0007000000023467-133.dat	aspack_v212_v242
behavioral2/files/0x0007000000023467-168.dat	aspack_v212_v242
behavioral2/files/0x0007000000023467-204.dat	aspack_v212_v242
behavioral2/files/0x0007000000023463-231.dat	aspack_v212_v242
behavioral2/files/0x0007000000023460-274.dat	aspack_v212_v242
behavioral2/files/0x0007000000023463-286.dat	aspack_v212_v242
behavioral2/files/0x0007000000023467-292.dat	aspack_v212_v242
behavioral2/files/0x0007000000023461-297.dat	aspack_v212_v242

Executes dropped EXE 30 IoCs

pid	Process
4468	babon.exe
3316	IExplorer.exe
3924	winlogon.exe
1168	csrss.exe
3408	lsass.exe
4324	babon.exe
1860	IExplorer.exe
392	winlogon.exe
1352	csrss.exe
872	lsass.exe
2236	babon.exe
1708	IExplorer.exe
5016	babon.exe
3640	babon.exe
1528	babon.exe
552	IExplorer.exe
208	IExplorer.exe
4032	IExplorer.exe
2432	winlogon.exe
4048	winlogon.exe
4824	winlogon.exe
2008	winlogon.exe
4568	csrss.exe
1908	csrss.exe
2988	csrss.exe
3700	csrss.exe
1664	lsass.exe
4452	lsass.exe
548	lsass.exe
2400	lsass.exe

Loads dropped DLL 5 IoCs

pid	Process
4324	babon.exe
2236	babon.exe
5016	babon.exe
1528	babon.exe
3640	babon.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	csrss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	babon.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\T:	winlogon.exe
File opened (read-only)	\??\V:	babon.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\Y:	babon.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\K:	babon.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\P:	babon.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\I:	babon.exe
File opened (read-only)	\??\X:	babon.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\Q:	babon.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\E:	babon.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\H:	babon.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\S:	babon.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\J:	babon.exe
File opened (read-only)	\??\R:	babon.exe
File opened (read-only)	\??\U:	babon.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\M:	babon.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\Z:	babon.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	IExplorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	babon.exe
File opened for modification	C:\autorun.inf	babon.exe
File created	F:\autorun.inf	babon.exe
File opened for modification	F:\autorun.inf	babon.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	babon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\babon.scr	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	babon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\babon.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File created	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	csrss.exe
File opened for modification	C:\Windows\babon.exe	lsass.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\babon.exe	lsass.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	babon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s1159 = "Babon"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\SwapMouseButtons = "1"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\s2359 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Mouse\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	lsass.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	lsass.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	babon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4468	babon.exe
1168	csrss.exe
3924	winlogon.exe
3316	IExplorer.exe
3408	lsass.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
4468	babon.exe
3316	IExplorer.exe
3924	winlogon.exe
1168	csrss.exe
3408	lsass.exe
4324	babon.exe
1860	IExplorer.exe
392	winlogon.exe
1352	csrss.exe
872	lsass.exe
2236	babon.exe
5016	babon.exe
1528	babon.exe
1708	IExplorer.exe
3640	babon.exe
4032	IExplorer.exe
208	IExplorer.exe
552	IExplorer.exe
2432	winlogon.exe
4048	winlogon.exe
2008	winlogon.exe
4824	winlogon.exe
4568	csrss.exe
1908	csrss.exe
3700	csrss.exe
2988	csrss.exe
1664	lsass.exe
548	lsass.exe
4452	lsass.exe
2400	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4468	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	84
PID 3404 wrote to memory of 4468	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	84
PID 3404 wrote to memory of 4468	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	84
PID 3404 wrote to memory of 3316	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	86
PID 3404 wrote to memory of 3316	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	86
PID 3404 wrote to memory of 3316	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	86
PID 3404 wrote to memory of 3924	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	87
PID 3404 wrote to memory of 3924	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	87
PID 3404 wrote to memory of 3924	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	87
PID 3404 wrote to memory of 1168	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	88
PID 3404 wrote to memory of 1168	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	88
PID 3404 wrote to memory of 1168	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	88
PID 3404 wrote to memory of 3408	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	89
PID 3404 wrote to memory of 3408	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	89
PID 3404 wrote to memory of 3408	3404	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe	89
PID 4468 wrote to memory of 4324	4468	babon.exe	91
PID 4468 wrote to memory of 4324	4468	babon.exe	91
PID 4468 wrote to memory of 4324	4468	babon.exe	91
PID 4468 wrote to memory of 1860	4468	babon.exe	92
PID 4468 wrote to memory of 1860	4468	babon.exe	92
PID 4468 wrote to memory of 1860	4468	babon.exe	92
PID 4468 wrote to memory of 392	4468	babon.exe	93
PID 4468 wrote to memory of 392	4468	babon.exe	93
PID 4468 wrote to memory of 392	4468	babon.exe	93
PID 4468 wrote to memory of 1352	4468	babon.exe	94
PID 4468 wrote to memory of 1352	4468	babon.exe	94
PID 4468 wrote to memory of 1352	4468	babon.exe	94
PID 4468 wrote to memory of 872	4468	babon.exe	95
PID 4468 wrote to memory of 872	4468	babon.exe	95
PID 4468 wrote to memory of 872	4468	babon.exe	95
PID 3316 wrote to memory of 2236	3316	IExplorer.exe	97
PID 3316 wrote to memory of 2236	3316	IExplorer.exe	97
PID 3316 wrote to memory of 2236	3316	IExplorer.exe	97
PID 3316 wrote to memory of 1708	3316	IExplorer.exe	98
PID 3316 wrote to memory of 1708	3316	IExplorer.exe	98
PID 3316 wrote to memory of 1708	3316	IExplorer.exe	98
PID 3408 wrote to memory of 5016	3408	lsass.exe	99
PID 3408 wrote to memory of 5016	3408	lsass.exe	99
PID 3408 wrote to memory of 5016	3408	lsass.exe	99
PID 1168 wrote to memory of 3640	1168	csrss.exe	100
PID 1168 wrote to memory of 3640	1168	csrss.exe	100
PID 1168 wrote to memory of 3640	1168	csrss.exe	100
PID 3924 wrote to memory of 1528	3924	winlogon.exe	101
PID 3924 wrote to memory of 1528	3924	winlogon.exe	101
PID 3924 wrote to memory of 1528	3924	winlogon.exe	101
PID 3408 wrote to memory of 552	3408	lsass.exe	102
PID 3408 wrote to memory of 552	3408	lsass.exe	102
PID 3408 wrote to memory of 552	3408	lsass.exe	102
PID 3924 wrote to memory of 208	3924	winlogon.exe	103
PID 3924 wrote to memory of 208	3924	winlogon.exe	103
PID 3924 wrote to memory of 208	3924	winlogon.exe	103
PID 1168 wrote to memory of 4032	1168	csrss.exe	104
PID 1168 wrote to memory of 4032	1168	csrss.exe	104
PID 1168 wrote to memory of 4032	1168	csrss.exe	104
PID 3316 wrote to memory of 2432	3316	IExplorer.exe	105
PID 3316 wrote to memory of 2432	3316	IExplorer.exe	105
PID 3316 wrote to memory of 2432	3316	IExplorer.exe	105
PID 1168 wrote to memory of 4824	1168	csrss.exe	106
PID 1168 wrote to memory of 4824	1168	csrss.exe	106
PID 1168 wrote to memory of 4824	1168	csrss.exe	106
PID 3924 wrote to memory of 4048	3924	winlogon.exe	107
PID 3924 wrote to memory of 4048	3924	winlogon.exe	107
PID 3924 wrote to memory of 4048	3924	winlogon.exe	107
PID 3408 wrote to memory of 2008	3408	lsass.exe	108

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe

C:\Users\Admin\AppData\Local\Temp\cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe
"C:\Users\Admin\AppData\Local\Temp\cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3404
- C:\Windows\babon.exe
  C:\Windows\babon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4468
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4324
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1860
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:392
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1352
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:872
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3316
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2236
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4568
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1664
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3924
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:208
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4048
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2400
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1168
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3640
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4824
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3700
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3408
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5016
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2008
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1908
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

Filesize
91KB

MD5
2012b4173b28400bbc5af8acfcd9ff28

SHA1
e2b3970bbba7338e974380245c2a27e305e0c708

SHA256
21ee0e18b0d6a77af91fb35cc21dce5c756c81dd69fe7072eb092be77fc9ad0b

SHA512
960e1077aa1e25ff30e1ea51519ccc42f5ecd250fbfdd6a455c167e98366323d8e3fa4146af06bd670440884c5733104de3b5de77790e6d97159a0bef0222143

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
91KB

MD5
c5f242a318cc08b34a1414a374274f47

SHA1
f90c79feaf23509becefb2e7f5e8456501c3778a

SHA256
7d76b4fdd5e0af12c97e9a55126f2664f1b13f0180c73e3b15cc98bd573a99bd

SHA512
3839c72f79e4f68bd062b2ac607042d6648ba5af985b2614b95e7961987390fe30d8c234f58874537ca5adb49a0d9513d58df2e7ec466216dc04313ced030aee

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
91KB

MD5
ce7f75f105de44e22c7b017d3a301e78

SHA1
7bee636c9b99f07febb0ddfe22db4436fae37b60

SHA256
5fb7ba4a65401828f90ab8c0ef593d4b5f3234231843211f40208fc410d0d42f

SHA512
2d85413909855c2d15de4591c76e3df84fa3f460ccb960824433a7afec089afff021af9bba505c491121e8c0c1910a417dc9a2172e75ca5758eae100dcd0ac3f

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
65c451983d571e652f41a07f80045799

SHA1
4d83f8e91ac8e730819afe89606112ca3f7daa2d

SHA256
cb8375f07cd275040eeb2987f477f973e32310fbe96001e250581bc82e37af6e

SHA512
336b11f744f6860070a64f4d8d5d784327ec5dc8a1a9350a441deb0d76517b07cb753d9090da32221a49456fbc0058827621035a2da59916705121fabb74ac07

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
6e8ac732a37cc8dde79c5c72af980771

SHA1
0ecd1bb3509ad1d1a27a58f51338bd990ab75587

SHA256
6d5fd630fb26bba05c47ba720764473ba283d5717378d4907e95aa07fcb13f10

SHA512
1d847447d542c14a8f6228c4ed4cb15b815066a57e9c0734b3ed7798b7b9be36aab22ab65b754621fec3e20b310c4ef6fa58695c5cfbb7b17901afd6132c4b29

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
aafc3f24296f1e17c8365eb299ffe44e

SHA1
59f0283e1858ab743afe450e9a8c26e60f677bb6

SHA256
312bfc8c3ba1f7227d9e6d1d33dbee0c356d4eb3ce06895e4cccb8a72f153993

SHA512
2e2b3162cc04f176761411ca24542a7ad24a89c34921bca39a4499bb604998693a678d9d8e7057a9d7d94b245b2d82f5133ff0792de77448cbe2177511bcd123

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
fc7ef1e0c0468273db4bb9f25ad48265

SHA1
79e601bf88ebb2031f193cffeab15337ccda58cb

SHA256
7f64969f8d18c7b30aeedc29bda2dd7d53c3e32cfa9da783f7f996f63779ccd3

SHA512
9532bb640942928a3735f76a5dc7fe165a59534bc7b58cfb8b82e843e2e67e00e9feea1dcef690aa58f34678d82d088f2e7bbfd020a1217c7c2404197002b84e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
80d81efa87b1968de736fb29b4aff322

SHA1
e95e9494c4e8119b82aa54965e6a273b5e5782e9

SHA256
f2a36385109be75b81d5154c2cb6126b823a5546a66432289beb46bb02605e85

SHA512
6a5419a251cfca183de4cd58f1f1c0e75d175c898a80c19c58c7fd96d0a5cd25902c4a8e1ede6e6c19d5810303c509bd7647dd947b0414bd00b7f6ae244da33d

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
64KB

MD5
5a15e3aa444598893506158f94155cf5

SHA1
cba7649b499811c9a33d4ae16013542caa6827c1

SHA256
8c20a3a0c4e44dc8e5b3a233ec0ea9596fd0f7df39223669fa9c668188bcc01d

SHA512
c747fe64a00d45b0f3233dacb3851adb9498800389cebb2e5219943bf8772d316dcc99ad621e22afcb8a3587102c641109214cdcbf01dc5cf22bc8f2a34f8267

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
6db58c31380755b1042c31908775c0cf

SHA1
5f0c970e9a11a60e048124fc555bc838e03a2647

SHA256
5715fd7cd3d1e6093de11ee21760c9511549cfe3610eb516e7cb8e34c31895c6

SHA512
7153264c67c90c98b874f254e42e044b5483535bb6115c053f11df4ac7d15843d3accf4dbcf3a3ae0e7930f40a4dd287d9acd222c4cc119d40584ff6ddd7a7d5

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
05832f7666ca84084c11c1e451d01f4d

SHA1
d61cdee27b71c2dbdb07ba7a4d0aa49218be5104

SHA256
0d0d832f5af09f89485098ee12c0215d2c71f8577b1bef6d1790d00a6ae95da2

SHA512
760bb420c20e12e9d364d320eff4a7c5615a8c36eecb37e836d2c7806d22916702c81c0a14afa0e49b5d3f5675db635cefc9e5d9fabc33a24f24fcd9acb0b834

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
91KB

MD5
f11a8b7ca0b7829b44083ed431d538e8

SHA1
bf3a5859f92f2844a7f13f628021bbc01f501011

SHA256
e48cc5fc1e6d00f3a60d4c3916124b5ad056f1c92da0fc24fbcaa19d957d45a2

SHA512
0761257144779cbd763aadc81881fc3ce6d045bf63105829964e5eb54b00d2736515b393896868a8dc6d5cf464bb44f72b2c04218943ff1d7c3a65a320dd535e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
ac907ed469382baa1a717ff4c39fbb9f

SHA1
103442627a79630b1ded24cabffe504760a717b1

SHA256
2fc89d06009b26575af5c64f6af1acd16b9d751dcec688ed7b4f6b436eaab9ae

SHA512
4654ddbde99278e9c936c46d1721e76df546e593b5d74d7f55e12309cbf27907007663637f3585dbe946356bcd15cca439af90526d6175d3c2c96bad0784cc7a

Download Submit
C:\Windows\babon.exe

Filesize
91KB

MD5
81b65a7b444cd2f13e366a4c98ca2b83

SHA1
55731bad2325ccacbf9b0545d38449be9134536e

SHA256
d7f2c53075a9b70c144fe20b97270e0d4b73ab4c3b646a869a41aad8bd945762

SHA512
4dc0664d5d47ca438a3dd06dbf4d30ac4572e6a5140b811f569b2f942ae021b4f25343c7edf5913172a16e0bb91d964b59187136cbd8bf296b04979195e21da0

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\wangsit.txt

Filesize
416B

MD5
8c460e27a1949370d14f20942ef964c3

SHA1
fb1f75839903c83911b45b49956792d27db56185

SHA256
2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

SHA512
ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

Download Submit
F:\autorun.inf

Filesize
41B

MD5
097661e74e667ec2329bc274acb87b0d

SHA1
91c68a6089af2f61035e2e5f2a8da8c908dc93ed

SHA256
aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

SHA512
e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Download Submit
memory/208-320-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/208-341-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/392-193-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/392-195-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/548-383-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/552-342-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/872-218-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/872-238-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1168-390-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1168-121-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1352-197-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1352-203-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1528-316-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1528-322-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1664-374-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-326-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1860-189-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-357-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2008-347-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2236-256-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2400-386-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-344-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2432-335-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3316-107-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3316-388-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3404-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3404-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3408-127-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3408-391-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3640-327-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3924-115-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3924-389-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-338-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4032-324-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4048-353-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4324-167-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4452-384-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4468-101-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4468-387-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4568-361-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4824-355-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5016-319-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5016-308-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download