Analysis
- max time kernel: 205s
- max time network: 161s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 14/03/2025, 18:20
Behavioral task: behavioral1
- Sample: ws4.exe
- Resource: win10ltsc2021-20250314-en
General
- Target: ws4.exe
- Size: 355KB
- MD5: 474885a0b7d7ce32f93b1b141f716a6b
- SHA1: d3b796ebc8b1121a80972d6d5bb3bcfecefce3ef
- SHA256: cb831ca08798bcea49874f81a7fe08368c057bd3bf9d1bfba6d7bb92fa61c4c1
- SHA512: 6a05d281970222ebb7868ba0653ac64ef3973cd62165da78404cb5a7589b977be0a01b4bd5c3d7e4d2210fefef1e4de340741e912bf8532cb7bd2a7184bb371b
- SSDEEP: 6144:RL1ncfWwN0oc35jeRh8Xqfy/Ka1OHAH0tMrKCTEABG+Z9d3cQT/9nR4Ioy19K:RLdcfxaeM6fy/KaVUtgKkTZ73coNRJ
Malware Config
Signatures
-
Babylon RAT
Babylon RAT is a remote access trojan written in C++.
-
Babylonrat family
-
Executes dropped EXE 7 IoCs
| pid | Process |
|---|---|
| 252 | client.exe |
| 2188 | client.exe |
| 1644 | client.exe |
| 3864 | client.exe |
| 1760 | client.exe |
| 1672 | client.exe |
| 1112 | client.exe |
-
Adds Run key to start application 2 TTPs 14 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | client.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Babylon RAT = "C:\\ProgramData\\Babylon RAT\\client.exe" | ws4.exe |
-
| resource | yara_rule |
|---|---|
| behavioral1/memory/756-0-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/files/0x0008000000028205-1.dat | upx |
| behavioral1/memory/252-2-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/756-4-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/252-5-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-6-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-7-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-10-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-49-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/5740-51-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/2188-53-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/2188-55-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-56-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/4088-58-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/1644-61-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/252-62-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/6060-65-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/3864-67-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/5244-72-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/1760-75-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/1880-78-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/1672-80-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
| behavioral1/memory/3452-88-0x0000000000600000-0x00000000006C9000-memory.dmp | upx |
| behavioral1/memory/1112-90-0x0000000000390000-0x0000000000459000-memory.dmp | upx |
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ws4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client.exe |
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
| pid | Process |
|---|---|
| 252 | client.exe |
| 252 | client.exe |
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
| pid | Process |
|---|---|
| 252 | client.exe |
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 756 | ws4.exe |
| Token: SeDebugPrivilege | 756 | ws4.exe |
| Token: SeTcbPrivilege | 756 | ws4.exe |
| Token: SeShutdownPrivilege | 252 | client.exe |
| Token: SeDebugPrivilege | 252 | client.exe |
| Token: SeTcbPrivilege | 252 | client.exe |
| Token: SeShutdownPrivilege | 5740 | ws4.exe |
| Token: SeDebugPrivilege | 5740 | ws4.exe |
| Token: SeTcbPrivilege | 5740 | ws4.exe |
| Token: SeShutdownPrivilege | 2188 | client.exe |
| Token: SeDebugPrivilege | 2188 | client.exe |
| Token: SeTcbPrivilege | 2188 | client.exe |
| Token: SeShutdownPrivilege | 4088 | ws4.exe |
| Token: SeDebugPrivilege | 4088 | ws4.exe |
| Token: SeTcbPrivilege | 4088 | ws4.exe |
| Token: SeShutdownPrivilege | 1644 | client.exe |
| Token: SeDebugPrivilege | 1644 | client.exe |
| Token: SeTcbPrivilege | 1644 | client.exe |
| Token: SeShutdownPrivilege | 6060 | ws4.exe |
| Token: SeDebugPrivilege | 6060 | ws4.exe |
| Token: SeTcbPrivilege | 6060 | ws4.exe |
| Token: SeShutdownPrivilege | 3864 | client.exe |
| Token: SeDebugPrivilege | 3864 | client.exe |
| Token: SeTcbPrivilege | 3864 | client.exe |
| Token: SeShutdownPrivilege | 5244 | ws4.exe |
| Token: SeDebugPrivilege | 5244 | ws4.exe |
| Token: SeTcbPrivilege | 5244 | ws4.exe |
| Token: SeShutdownPrivilege | 1760 | client.exe |
| Token: SeDebugPrivilege | 1760 | client.exe |
| Token: SeTcbPrivilege | 1760 | client.exe |
| Token: SeShutdownPrivilege | 1880 | ws4.exe |
| Token: SeDebugPrivilege | 1880 | ws4.exe |
| Token: SeTcbPrivilege | 1880 | ws4.exe |
| Token: SeShutdownPrivilege | 1672 | client.exe |
| Token: SeDebugPrivilege | 1672 | client.exe |
| Token: SeTcbPrivilege | 1672 | client.exe |
| Token: SeShutdownPrivilege | 3452 | ws4.exe |
| Token: SeDebugPrivilege | 3452 | ws4.exe |
| Token: SeTcbPrivilege | 3452 | ws4.exe |
| Token: SeShutdownPrivilege | 1112 | client.exe |
| Token: SeDebugPrivilege | 1112 | client.exe |
| Token: SeTcbPrivilege | 1112 | client.exe |
-
Suspicious use of SetWindowsHookEx 1 IoCs
| pid | Process |
|---|---|
| 252 | client.exe |
-
Suspicious use of WriteProcessMemory 21 IoCs
| description | pid | Process | procid_target |
|---|---|---|---|
| PID 756 wrote to memory of 252 | 756 | ws4.exe | 81 |
| PID 756 wrote to memory of 252 | 756 | ws4.exe | 81 |
| PID 756 wrote to memory of 252 | 756 | ws4.exe | 81 |
| PID 5740 wrote to memory of 2188 | 5740 | ws4.exe | 91 |
| PID 5740 wrote to memory of 2188 | 5740 | ws4.exe | 91 |
| PID 5740 wrote to memory of 2188 | 5740 | ws4.exe | 91 |
| PID 4088 wrote to memory of 1644 | 4088 | ws4.exe | 93 |
| PID 4088 wrote to memory of 1644 | 4088 | ws4.exe | 93 |
| PID 4088 wrote to memory of 1644 | 4088 | ws4.exe | 93 |
| PID 6060 wrote to memory of 3864 | 6060 | ws4.exe | 95 |
| PID 6060 wrote to memory of 3864 | 6060 | ws4.exe | 95 |
| PID 6060 wrote to memory of 3864 | 6060 | ws4.exe | 95 |
| PID 5244 wrote to memory of 1760 | 5244 | ws4.exe | 97 |
| PID 5244 wrote to memory of 1760 | 5244 | ws4.exe | 97 |
| PID 5244 wrote to memory of 1760 | 5244 | ws4.exe | 97 |
| PID 1880 wrote to memory of 1672 | 1880 | ws4.exe | 99 |
| PID 1880 wrote to memory of 1672 | 1880 | ws4.exe | 99 |
| PID 1880 wrote to memory of 1672 | 1880 | ws4.exe | 99 |
| PID 3452 wrote to memory of 1112 | 3452 | ws4.exe | 101 |
| PID 3452 wrote to memory of 1112 | 3452 | ws4.exe | 101 |
| PID 3452 wrote to memory of 1112 | 3452 | ws4.exe | 101 |
Processes
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 756
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 756)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 252
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (process tree level 1)
PID: 2104
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5740
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 5740)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2188
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4088
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 4088)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1644
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 6060
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 6060)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 3864
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5244
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 5244)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1760
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1880
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 1880)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1672
-
C:\Users\Admin\AppData\Local\Temp\ws4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ws4.exe" (process tree level 1)
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3452
-
C:\ProgramData\Babylon RAT\client.exe
Command line: "C:\ProgramData\Babylon RAT\client.exe" (process tree level 2, child of PID 3452)
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1112
-
Network
MITRE ATT&CK Enterprise v15
Downloads