danabot | ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2022 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
Size

145KB
MD5

e2722c9b78abce4fd7d5979349041b2c
SHA1

3c514162739bad8a9b414cfb401b3715918ddc60
SHA256

ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa
SHA512

41c9937ca5a0635076737125f636513ce15f5442e0f90be8cb9bf2e4b133dd1b472c945ce497a7231b293c44c4d5d768a286915caca4c38139407450c02dc3fa
SSDEEP

3072:/gUWocfhfbL1TTHyXGB61AwrWQTlnRbdIpoGSJwO:4ewL13yWYAwrWml7IpoGSJw

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
EAD30BF58E340E9E105B328F524565E0
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4832-133-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

72 3624 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

1F4F.exe

pid process

4092 1F4F.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1F4F.exe

description pid process target process

PID 4092 set thread context of 3624 4092 1F4F.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1868 4092 WerFault.exe 1F4F.exe
3716 4092 WerFault.exe 1F4F.exe
2304 4092 WerFault.exe 1F4F.exe
4068 4092 WerFault.exe 1F4F.exe

flow	pid	process
72	3624	rundll32.exe

pid	process
4092	1F4F.exe

description	pid	process	target process
PID 4092 set thread context of 3624	4092	1F4F.exe	rundll32.exe

pid	pid_target	process	target process
1868	4092	WerFault.exe	1F4F.exe
3716	4092	WerFault.exe	1F4F.exe
2304	4092	WerFault.exe	1F4F.exe
4068	4092	WerFault.exe	1F4F.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1F4F.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	1F4F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	1F4F.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	1F4F.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	1F4F.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	1F4F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1F4F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3076

pid	process
3076

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe

pid	process
4832	ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
4832	ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3076
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe

pid process

4832 ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe

pid	process
3076

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3376	svchost.exe
Token: SeShutdownPrivilege	3376	svchost.exe
Token: SeCreatePagefilePrivilege	3376	svchost.exe
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076
Token: SeShutdownPrivilege	3076
Token: SeCreatePagefilePrivilege	3076

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3624 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3076
3076

pid	process
3624	rundll32.exe

pid	process
3076
3076

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1F4F.exe

description	pid	process	target process
PID 3076 wrote to memory of 4092	3076		1F4F.exe
PID 3076 wrote to memory of 4092	3076		1F4F.exe
PID 3076 wrote to memory of 4092	3076		1F4F.exe
PID 4092 wrote to memory of 2036	4092	1F4F.exe	agentactivationruntimestarter.exe
PID 4092 wrote to memory of 2036	4092	1F4F.exe	agentactivationruntimestarter.exe
PID 4092 wrote to memory of 2036	4092	1F4F.exe	agentactivationruntimestarter.exe
PID 4092 wrote to memory of 3624	4092	1F4F.exe	rundll32.exe
PID 4092 wrote to memory of 3624	4092	1F4F.exe	rundll32.exe
PID 4092 wrote to memory of 3624	4092	1F4F.exe	rundll32.exe
PID 4092 wrote to memory of 3624	4092	1F4F.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe
"C:\Users\Admin\AppData\Local\Temp\ee43d7905e6761b168955f4cb672af00f7e0a1506f2baa5fb8170836ef5c82aa.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4832

C:\Users\Admin\AppData\Local\Temp\1F4F.exe
C:\Users\Admin\AppData\Local\Temp\1F4F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 828
2⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 908
2⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 968
2⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 980
2⤵
- Program crash
PID:4068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x45c 0x2ec
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4092 -ip 4092
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4092 -ip 4092
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4092 -ip 4092
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4092 -ip 4092
1⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d502779-c529-4ae0-a0cb-e70926e21349.tmp
Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F4F.exe
Filesize
4.5MB

MD5
630eda5f260f2dca98e6f04fbc12466b

SHA1
73204a957526c43ea8bae86cebd7297343575ff0

SHA256
dca1c32ed4c0d83654a8f3bb557ee6c17884e768ae19f81cdaa5b6f9fc6458c8

SHA512
15016f10c727a57a03fba182f54625327011501c30204b49992363f69ceaa291a6fee5f3d593669ba3b57ea85589ff5d3ebfaed40f30f40cdf0bb910c311e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1F4F.exe
Filesize
4.5MB

MD5
630eda5f260f2dca98e6f04fbc12466b

SHA1
73204a957526c43ea8bae86cebd7297343575ff0

SHA256
dca1c32ed4c0d83654a8f3bb557ee6c17884e768ae19f81cdaa5b6f9fc6458c8

SHA512
15016f10c727a57a03fba182f54625327011501c30204b49992363f69ceaa291a6fee5f3d593669ba3b57ea85589ff5d3ebfaed40f30f40cdf0bb910c311e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBQHURCC-20220812-1921.log
Filesize
60KB

MD5
1cf46c46969b3da7c921f538e1052d75

SHA1
55b4f1bf8834de7fcec5b964d4e207ab787d453a

SHA256
8c1d6e5d024f1fa3f60323e3d7b2d76c4090f73aab9aca557b74edf58cb68a19

SHA512
78de5976109b5351e68c28069cd543e667a6361ca9fe7e5b141b1979f94ec46e26389d2e1e871cd8259890ade477f90f29ca4a091968333bd8a4fbd8d820b2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmp
Filesize
3.3MB

MD5
963024ce4b5518f20619bdcb2998a789

SHA1
bbce53b5aa2beeff5c9f1555a1e32350bba479b2

SHA256
e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d

SHA512
468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4640.log
Filesize
470B

MD5
557f0a02b3501eb4e60e5fba315b99ee

SHA1
4f259e938512bda39d0701ee46d06823fa654e15

SHA256
13adbffe25952b222854ce31a71f71f5ffd885f91abcf912d3a9129be553a381

SHA512
def43befeed26be88a4997a649192cffabe428b58f99d0d833b74c40ab1e409bd2c42633d6f7acb83b8939413becb1e4f8d01291d4a9333c383c48a407f9e90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
0e90961b61fe2bba06fe5a0b29b9f7a3

SHA1
ea023ea3fba4e3e086e939cc2fd4e114552140a9

SHA256
edb2daddf55d78188d2e7b53da4896a8006c181cad2737ad6a2f9217adf0ce88

SHA512
9656c5517490628310e8660190a5f8131aa8e6ec1c93472f92204c352b0deada6ad1c1228771bd5579a103e238c4ad6a40c6c558607cdb613afe881159ed3c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9NXQXXLFST89_0__.Public.InstallAgent.dat
Filesize
123KB

MD5
6fa88eb60d3724434d1901e14b45ac54

SHA1
f9c633c011ad3dfed94b06ec62cf1b7f87f1487a

SHA256
3141626a68fe932635b551c6c779023d03dd8244c67e1c14c7b10ad6e094c149

SHA512
e0a045c099fd79e6de04cdc8d21f4a35f910f29cc4473d98ed3fd66fa512430ccc69a8c206c5435d3e04dabae171082a9d951901ff360066a4895e86c4e9ce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
bdcd60d0f8f1a5c5541b99599702de47

SHA1
e18d6ad9df2a91c55f90c725fb0a5885cef369bc

SHA256
c4975a51f52c7e43048be7ca33fca70869ad84845a489967ab7c93d4be28cf3c

SHA512
c98abf7754f78d171e18e5ca3ba8fb25f4793b02bc1f3f43ecf626c1c4f80f28f9ebec95b2ff4548235db7dbe4f15338623b3259ca73feade3bca6ff76bf3e76

Download Submit
memory/2036-139-0x0000000000000000-mapping.dmp

Download
memory/3624-168-0x0000000000E60000-0x0000000001808000-memory.dmp

Filesize
9.7MB

Download
memory/3624-169-0x0000000003330000-0x0000000003DF7000-memory.dmp

Filesize
10.8MB

Download
memory/3624-157-0x0000000000000000-mapping.dmp

Download
memory/3624-172-0x0000000003330000-0x0000000003DF7000-memory.dmp

Filesize
10.8MB

Download
memory/3624-160-0x0000000003FF0000-0x0000000004130000-memory.dmp

Filesize
1.2MB

Download
memory/3624-159-0x0000000003FF0000-0x0000000004130000-memory.dmp

Filesize
1.2MB

Download
memory/3624-158-0x0000000003330000-0x0000000003DF7000-memory.dmp

Filesize
10.8MB

Download
memory/4092-142-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4092-146-0x0000000003A90000-0x0000000004557000-memory.dmp

Filesize
10.8MB

Download
memory/4092-151-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-152-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-153-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-154-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-155-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-156-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-149-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-148-0x0000000003A90000-0x0000000004557000-memory.dmp

Filesize
10.8MB

Download
memory/4092-147-0x0000000003A90000-0x0000000004557000-memory.dmp

Filesize
10.8MB

Download
memory/4092-150-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/4092-145-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4092-144-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4092-143-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4092-171-0x0000000003A90000-0x0000000004557000-memory.dmp

Filesize
10.8MB

Download
memory/4092-141-0x0000000002CB0000-0x00000000032C6000-memory.dmp

Filesize
6.1MB

Download
memory/4092-140-0x000000000283C000-0x0000000002CA6000-memory.dmp

Filesize
4.4MB

Download
memory/4092-136-0x0000000000000000-mapping.dmp

Download
memory/4092-170-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4832-134-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4832-135-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4832-132-0x000000000076D000-0x000000000077D000-memory.dmp

Filesize
64KB

Download
memory/4832-133-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download