760ff6ab4e5c4e6956c4ff06c9100eef5e75608658c6c4f6c8086e8ccc2a8251

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/MyBabylonTB.exe
Size

864KB
MD5

5b27dcc4d16b61ae5796c557a25d2286
SHA1

7ae67f82caa203abd4af485c0580a36f46d400ca
SHA256

b9b4298c5cbcc201ce8a0cbfd5f4a20b4790aac13ad1ba01627b1c988b97bbf8
SHA512

4b3e6a32ec62abf784230993c8f52c5ff27bc780c22c1d61e34497ca7f48f1eb5319bf69194bee6be8c36fdee1727de4bb0fc0cbc406a24a8c9e731e1d83cdb2
SSDEEP

12288:b8HGZMEdI1Sw9HQ3e0ysQCWHQ8gjKQCxs4RnH1n6JZlPXG+fpxyIQGYt8BploQe6:jMEdI1j9HQ37Kw4RnwXNR+I9zsQCQ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2680	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1672	MyBabylonTB.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyBabylonTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	Setup.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Setup.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433f39789c636262604903622146b36a73673363732353575d0b5743535d130b574b5d274723675d731703477313530b272373935a06010181259cee4b011e150b61	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2680	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2680	Setup.exe
Token: SeTakeOwnershipPrivilege	2680	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2680	Setup.exe
2680	Setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28
PID 1672 wrote to memory of 2680	1672	MyBabylonTB.exe	28

C:\Users\Admin\AppData\Local\Temp\$TEMP\MyBabylonTB.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\MyBabylonTB.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\Setup.exe" /s Files\Common Files
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup3-9.0.3.12.zpb

Filesize
60KB

MD5
5c3f3322e2c2b9a2ba5e2c92030c2f2b

SHA1
c51a24a2520c7559b40b204832b0ea3b383c2eb2

SHA256
d889214c0c295373121aef32b8c2c50c8c20530e3b3aa1a74ffdd991ccb37168

SHA512
fefc62b8af19a38e14d9077163afc935029ef4457c228a0d357e49ce7e9b58319d4b6fa38a38c2adb0d005f15c3f304ae76d81ca838e430f8e97bdc840c148d4

Download Submit
C:\Users\Admin\AppData\Local\Babylon\Setup\setup2-9.0.3.12.zpb

Filesize
142KB

MD5
4d507fc2ad32d1d8a8e74aaa8c01c1ca

SHA1
6fe219d6c97c2482e386de8618b5814a04eef635

SHA256
a551b5fbdfbb2a519edada9902b6dae5be9810db1c6acdf2dfe4bee2aa4caf7d

SHA512
db9caa9fe8bab0d57cf4c8164e2ca5dcb5df8be6ec988f6cd11ff6128ecd31913ac5bbabc6a197948396045e471fd43139bc6a404b44ac31b573503eb58bd443

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\Babylon.dat

Filesize
10KB

MD5
9b617ee2110cffd44f5a61969e950417

SHA1
2db4d50bec670c20ab9efed57c2064fdc1782a42

SHA256
8a3a1b6a67fc0763ce7602b29ce788df8c3091d02b9651268fd93b1931945aa8

SHA512
3f9f3ef1cbbdb767a2613923316d47e248bdd3612964619bbda254e8e46106a78f5b7870a78009915b5f1533a0f62e64cec2180eba8fb82676e8d446569c7eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\BabylonTBUpdater.dll

Filesize
234KB

MD5
fac34edb0c496f2da810f406d0956883

SHA1
0078862a2c09ff5a0c964be68ce652b68a5bfa63

SHA256
67af4429d0c880b8ede08ef8bde8848343d611139d844f034a3692176628c2b7

SHA512
f90fd76dd8017be31c7f22b7465b4379648d1e4f3498e3bd4ecff72a3a7c42d2e6b3f89f51dca706271441265ab21beac7bebf38d3b9523dc68e3fd8ce2d8a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\BabylonTBUpdater.exe

Filesize
2KB

MD5
68b960be994aec5c88797ce0a4f5c3e8

SHA1
aa08061cc68a4f5865f6c0140bdd4ca960981d13

SHA256
2d386dded25ac2db37297534a77d081a12aa1ff1c497800ef87613507bab0c9b

SHA512
cea0e85da0cbd16b4a1976f7ed5ef571aa6133eb67339efc7df04169644d5e13705f0245336dcf6b05a38b4f0ddcdba39754dff192bf48b0a8a722917c8b18ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\Thumbs.db

Filesize
15KB

MD5
120a86adfa8ef421c67530205d09a6e0

SHA1
5e919c2958c778588a4e18e6a04d11e673640306

SHA256
2b611a7d7df7da65e0a8b5bfe80be87f0331d241d53a41254bfb69615a7e5b7c

SHA512
4759030f3a5f330e9fa34902c67e0492063efea3400e097af952270a3f4173120067787d340b05b26756fe271e97b501977e176c1680da404c89814188fa6b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\common.js

Filesize
2KB

MD5
1f86caaed7cbdf8476c7cd9661ff436b

SHA1
0fa7617ea6337c182070243572167ef206302575

SHA256
04f16991cbe73de04ca97b58d7af0a025fecfe58cee2660d2c8e7bf7934ba67e

SHA512
2cb9e2b16f031f401d97bac9d29479c0e72862cee17c28238dbed4b2b9858f7eda5cf7648d31c85af4a4da7f35e5e73491ae955e7f769634053a87a93a364187

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\eula.html

Filesize
62KB

MD5
43f3c7282a5cf225a4c8ab580309f27d

SHA1
7b2f6df42893c42b404cdf2bf0b020e83ac58075

SHA256
1750ba16aea8d20b9449a696b0fb20f6c9c5403daed15a6c118ffdcc71b77b47

SHA512
7c24fb911d56bf6a2481a2d1800bb0e3c7445178eb39cec15181a325f07b462b8b936495f989918adc52d6e550665afdacf69ae2b2e3711a9b1abadc0ae34d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\page2.css

Filesize
2KB

MD5
613f21fd9be71493f7f0f7f289faba46

SHA1
3085884627bb5cbe1af9c29e9acaf353299b192f

SHA256
dc7e17ccfdf805ea69c553abdea2b6a86fd27ec68d58f759b9a85e5a4be98e17

SHA512
3be478d24f712d2b4ca3d9142fc446986426290678ddc89518155e7c46a6bae5659b9a748b30eb26ba20323c9d9a2c67e7dfe770d0689ab1548a9a48568df8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\page2.html

Filesize
3KB

MD5
a825fe7ea64c73bb4a25f3d41e1e2bf6

SHA1
9437c92f2285936682795ff14ef48c2b2cf91628

SHA256
75d9f3ff9b81933a99aa1d8f6afe9415be5a846d1ad5768ce9c2093f0f78d5d0

SHA512
bf2bd0567b121dc9c2fade0a7cff6d82cc301f47ab847a594f5005cfe96842b41e8e8070c5df6383a64087c64343f3174d99e842d7cfb79ae81f3c8ecf09d264

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\page2.js

Filesize
3KB

MD5
574d29f591a6c8e41526740aef35aef5

SHA1
16fd09104a40386b55d7a241c34841e1f881b346

SHA256
b1a88b9f78cb51b78b0abc00706269540cbddd4d22d06ef597c30aeda3f1806b

SHA512
86a1907fe6f9729eb6fc8b91a9581f071a608e2b808a49419efcd5930ea9408f45af2faeba92aa174c7fa680d014eebac001637622e0157065d4b898670c82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\page2Lrg.css

Filesize
1KB

MD5
3acbc4a0b720fd5daff11530ae9e0295

SHA1
23031d0a31bc05de190843a9b0d8b3745c796385

SHA256
59b5de1efe45a796fab6130ee94db0dc13be896ab798e126cb2c5889aead32b7

SHA512
abc4815f7df7f65c57c61facd568616c9b844cdfea8d12ae819987dcec256d82c7ef040c1df24be2ddef0b42601f1a8e22755b7320d1fcbcee0dd94055092b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\page9.html

Filesize
668B

MD5
69d63df890d8445501ac73835d7966d3

SHA1
f385c25afc2b5180e7f0c34b2de8089c68f654f7

SHA256
041569cede5fc91021a788647e4dc1b4a1c3f925f2bbb8857dce0930bd3838ef

SHA512
879735c74bc6b2467ce2f5c88ff755191d781207fbdda9f65f4b0f032ca638c96413f049607bbe65672d51254456f159bc9f95a3fe9d67234087c046fd9de128

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\title2.png

Filesize
44KB

MD5
a9e1f1f2b2628c6ee61c1e11c7288baf

SHA1
48b2f87ad6bc5d7cdc22500df46a967acb077cfa

SHA256
c336644e20a898fc28b216d91908c9ed4b716f572c0b06d5b3a5a68e43c6aeb9

SHA512
3027aead5dc0a2de2dfe7bbdaefeac1dfc1829db1edcd60493f51bbe3d3f75363b938f60a2cc6c46dd9992d9c33df5f8ab7a62e4235ca0858358cb73ad2dc514

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\HtmlScreens\toolBar.jpg

Filesize
19KB

MD5
56dc3cb42b46309e642c15167003685d

SHA1
045749de2c1492e5dfc4c44f9eb6c0feefe06b3d

SHA256
bc488502223b3369dd657e8bac70abc42ffde2223a0661fb507c8ec87778bca1

SHA512
5f3dc868d6e128407e071d6d7d7b9d0bbe7e45a32ff76985dfa53fe9dad0f5fb372ce64d35170c3719a06dd6762e4bb33089bfaedf93e6064c06c74a21b65a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\SetupStrings.dat

Filesize
57KB

MD5
19f47f9cab41a5e07d49a4171748b598

SHA1
d30b022c9d85be7384f26f335e01e56d2ef1a9e6

SHA256
07638d54048adfb3229fbc6a56a8b7ff6f3a8370bf942306ecb5352de64c3e86

SHA512
b83181ffa46ac732e6c4aabcc26b77ee594c1381311ddde3151b7e740e80c07ef84c5910e535696b4ccf8ddb11b1c5b8b3d387ba08ec346bc375c0d2f490dfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\Welcome.html

Filesize
181B

MD5
4c4f384b87c0f844b1be0432c3903cf1

SHA1
82ddc012e1a5cd7211233fab3da4f8362f021168

SHA256
28259c8103e1090033aa71739b35101d459abc2b7d8cd8cf22907ee14877c918

SHA512
e86ae31f9e433c945d5894de4d68d6f1e566f56727ba094400655e06d17ecec82b6d91f92b6c7bbc80f40f138f33341d3e5582cd493ec64dca4f12df38cebfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\bab033.tbinst.dat

Filesize
236B

MD5
1ee8c638e49ee7137607722768afc5a2

SHA1
8719d7a498a49b042cd6fc411cac6c44f3c0f43a

SHA256
1368324e8df1654fb9c3bcae320e982ff9f40e76e0cc118d5f507649e1ec2f2e

SHA512
2acb5547bb9b62505a5332e3b2752c5004fee9579bc45c46271e53d42fff5f412f3a18863ed382052d961d33d0e0449d9c111950060663660d7dbb21e9bff575

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\6FAE0398-BAB0-7891-8A62-4F83F074FC22\Setup.exe

Filesize
1.7MB

MD5
50168b22bbdbf97210d40bb4b34251eb

SHA1
803a83a5427537ff75869c2fff0ebcbe833e7141

SHA256
c47f7048524f5e9820dcd2f831d5eb775e753357442cafe263191519f8c5006e

SHA512
d90f1cbb65a63484db41509aee18bfdcc8300a39452d5cdc05812a1d530ed4654d39aa856a9f9f611171b1db5be2fa2031cbc4819fba658ab557be505e48ba80

Download Submit