danabot | 0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff

Analysis

max time kernel
132s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2022, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Size

1.4MB
MD5

ad249734c9084190f4a7de38913a5d6a
SHA1

a949eb32b55a621adc6f1471d5de85d1e8450e87
SHA256

0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff
SHA512

e4d7473529b98ce1a8e239d781a27b769d5565681c5b8f68d73a0321636137bbd87d57351bf8b144449669c0c780255e6ef814df8a21870ea935981f47014fe0
SSDEEP

24576:QregzTQdvsek+yLJzKf3FF3Ys+w2hJ5P34cyjs9Q83z7v7SxEPHR:QqgzTOk+y1zyF3Ys/2Qjz83zb7EoH

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

23.106.124.171:443

192.119.70.159:443

Attributes

embedded_hash
A813CAF845B5703DA814AF785BB60B21
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4980	rundll32.exe
4	4980	rundll32.exe
20	5036	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E187839F-BB6C-4932-BAAC-425F28A5C38E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0C70E18E-4297-4944-83F4-F4DB3A709C46}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 5036	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4960	2228	WerFault.exe	74
5012	2228	WerFault.exe	74
2736	2228	WerFault.exe	74
3384	2228	WerFault.exe	74
4292	2228	WerFault.exe	74

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	rundll32.exe
5036	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeCreatePagefilePrivilege	2408	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5036	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3084	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	75
PID 2228 wrote to memory of 3084	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	75
PID 2228 wrote to memory of 3084	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	75
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 4980	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	80
PID 2228 wrote to memory of 5036	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	95
PID 2228 wrote to memory of 5036	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	95
PID 2228 wrote to memory of 5036	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	95
PID 2228 wrote to memory of 5036	2228	0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe	95

C:\Users\Admin\AppData\Local\Temp\0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe
"C:\Users\Admin\AppData\Local\Temp\0d61854433bd9993177f977182bb1a3c29a339029e969515362910dc12d7c5ff.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:3084
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:4980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 596
  2⤵
  - Program crash
  PID:4960
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 928
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 928
  2⤵
  - Program crash
  PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1072
  2⤵
  - Program crash
  PID:3384
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1080
  2⤵
  - Program crash
  PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2cc
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2228 -ip 2228
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2228 -ip 2228
1⤵
PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2228 -ip 2228
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2228 -ip 2228
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2228 -ip 2228
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Pyttofehs.tmp

Filesize
3.3MB

MD5
2650634b147c287fe1040f3efb6e9a15

SHA1
0a4aea004ebc7d42249909cab658b09f87e4cd16

SHA256
39668f3125e1fb7e220f6f3566783eb6b3126c39d3b63be287172d16018accbf

SHA512
d7634b9f01a6b055433643a04f89ce5c623879c5a8acac52beea9b0918388e7d291db541f4ce7f8b2dfb83ddbd5780b3a6fbf97579b4441e59142c812b62dc50

Download Submit
memory/2228-154-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-134-0x00000000024B0000-0x000000000277E000-memory.dmp

Filesize
2.8MB

Download
memory/2228-135-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2228-136-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2228-137-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2228-138-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2228-164-0x00000000031D0000-0x0000000003C87000-memory.dmp

Filesize
10.7MB

Download
memory/2228-152-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-153-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-155-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-144-0x00000000031D0000-0x0000000003C87000-memory.dmp

Filesize
10.7MB

Download
memory/2228-145-0x0000000000400000-0x00000000006DA000-memory.dmp

Filesize
2.9MB

Download
memory/2228-133-0x0000000000B6C000-0x0000000000C8E000-memory.dmp

Filesize
1.1MB

Download
memory/2228-146-0x00000000031D0000-0x0000000003C87000-memory.dmp

Filesize
10.7MB

Download
memory/2228-147-0x00000000031D0000-0x0000000003C87000-memory.dmp

Filesize
10.7MB

Download
memory/2228-148-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-149-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-150-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/2228-151-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/4980-141-0x0000000000A30000-0x0000000000A34000-memory.dmp

Filesize
16KB

Download
memory/4980-142-0x0000000000A30000-0x0000000000A34000-memory.dmp

Filesize
16KB

Download
memory/4980-140-0x0000000000A20000-0x0000000000A24000-memory.dmp

Filesize
16KB

Download
memory/5036-157-0x0000000000A30000-0x00000000013C8000-memory.dmp

Filesize
9.6MB

Download
memory/5036-158-0x0000000002FB0000-0x0000000003A67000-memory.dmp

Filesize
10.7MB

Download
memory/5036-159-0x0000000003B30000-0x0000000003C70000-memory.dmp

Filesize
1.2MB

Download
memory/5036-160-0x0000000003B30000-0x0000000003C70000-memory.dmp

Filesize
1.2MB

Download
memory/5036-161-0x0000000002FB0000-0x0000000003A67000-memory.dmp

Filesize
10.7MB

Download
memory/5036-162-0x0000000002FB0000-0x0000000003A67000-memory.dmp

Filesize
10.7MB

Download
memory/5036-163-0x0000000000A30000-0x00000000013C8000-memory.dmp

Filesize
9.6MB

Download