danabot | 3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

146KB
MD5

43af0375a0a570ffef7dc42146625094
SHA1

d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b
SHA256

3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953
SHA512

2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0
SSDEEP

3072:bbdkZd0JhfGt1g04yBv7baLmU/3wWy9vx/3sHSMreYZO:b5l21gnEZUIWwvh3ISMrDZ

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
EAD30BF58E340E9E105B328F524565E0
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1332-133-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

75 4484 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

15CA.exeriebjec

pid process

4732 15CA.exe
3604 riebjec
Suspicious use of SetThreadContext 1 IoCs

Processes:

15CA.exe

description pid process target process

PID 4732 set thread context of 4484 4732 15CA.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1116 4732 WerFault.exe 15CA.exe
1012 4732 WerFault.exe 15CA.exe
2672 4732 WerFault.exe 15CA.exe
2460 4732 WerFault.exe 15CA.exe

flow	pid	process
75	4484	rundll32.exe

pid	process
4732	15CA.exe
3604	riebjec

description	pid	process	target process
PID 4732 set thread context of 4484	4732	15CA.exe	rundll32.exe

pid	pid_target	process	target process
1116	4732	WerFault.exe	15CA.exe
1012	4732	WerFault.exe	15CA.exe
2672	4732	WerFault.exe	15CA.exe
2460	4732	WerFault.exe	15CA.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeriebjecfile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	riebjec
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	riebjec
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	riebjec
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe15CA.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	15CA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	15CA.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	15CA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	15CA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	15CA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	15CA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	15CA.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2416

pid	process
2416

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
1332	file.exe
1332	file.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

file.exeriebjec

pid process

1332 file.exe
3604 riebjec

pid	process
2416

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2516	svchost.exe
Token: SeShutdownPrivilege	2516	svchost.exe
Token: SeCreatePagefilePrivilege	2516	svchost.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4484 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2416
2416

pid	process
4484	rundll32.exe

pid	process
2416
2416

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

15CA.exe

description	pid	process	target process
PID 2416 wrote to memory of 4732	2416		15CA.exe
PID 2416 wrote to memory of 4732	2416		15CA.exe
PID 2416 wrote to memory of 4732	2416		15CA.exe
PID 4732 wrote to memory of 2604	4732	15CA.exe	agentactivationruntimestarter.exe
PID 4732 wrote to memory of 2604	4732	15CA.exe	agentactivationruntimestarter.exe
PID 4732 wrote to memory of 2604	4732	15CA.exe	agentactivationruntimestarter.exe
PID 4732 wrote to memory of 4484	4732	15CA.exe	rundll32.exe
PID 4732 wrote to memory of 4484	4732	15CA.exe	rundll32.exe
PID 4732 wrote to memory of 4484	4732	15CA.exe	rundll32.exe
PID 4732 wrote to memory of 4484	4732	15CA.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1332

C:\Users\Admin\AppData\Local\Temp\15CA.exe
C:\Users\Admin\AppData\Local\Temp\15CA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 828
2⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 884
2⤵
- Program crash
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 984
2⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 988
2⤵
- Program crash
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x490
1⤵
PID:2252

C:\Users\Admin\AppData\Roaming\riebjec
C:\Users\Admin\AppData\Roaming\riebjec
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4732 -ip 4732
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4732 -ip 4732
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4732 -ip 4732
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4732 -ip 4732
1⤵
PID:3228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0d502779-c529-4ae0-a0cb-e70926e21349.tmp
Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\15CA.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\15CA.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\684259a6-0175-4108-a860-699cb31f63c2.tmp
Filesize
23KB

MD5
7cd73270bd735f9fe77bc9278f9f2b8b

SHA1
b27a898970297c750fb7e4d70ad8f87c1e6c1739

SHA256
ee80340a02c0f96a3f9d01e635857d38d7b92444d6102ee29804f559f2eaa7f4

SHA512
1fe70455d4d8c0fbab9ef20cf85d0de55fea9f18499c653af5d234462aa5c45eaacceadab39e9be62dc548af4f710362dd34970e1d8a666bf09fe4101bf32077

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
07bd5d79e18651bb0758a150cca252da

SHA1
bafab651d3a8c900041b7460c4b3d0db6a362e52

SHA256
57c21ab757836c1979c5ea959cf760f7d2f88771ba6edfee4848f9f9bff6868a

SHA512
ba627fbde74d1b18fc4644df86c6a4832910464c110a8fa29fa24818b630040799113ea73dd8af24644f5de19ec49dc97bbda557e1cbce6278974f0ef4c461b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmp
Filesize
3.3MB

MD5
963024ce4b5518f20619bdcb2998a789

SHA1
bbce53b5aa2beeff5c9f1555a1e32350bba479b2

SHA256
e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d

SHA512
468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp
Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4640.log
Filesize
470B

MD5
557f0a02b3501eb4e60e5fba315b99ee

SHA1
4f259e938512bda39d0701ee46d06823fa654e15

SHA256
13adbffe25952b222854ce31a71f71f5ffd885f91abcf912d3a9129be553a381

SHA512
def43befeed26be88a4997a649192cffabe428b58f99d0d833b74c40ab1e409bd2c42633d6f7acb83b8939413becb1e4f8d01291d4a9333c383c48a407f9e90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F1D.txt
Filesize
427KB

MD5
7cb368867b63387e87ac8c43fda56652

SHA1
8337144cc4b0ac41f1c46fb822686d6c042988b4

SHA256
e1c789a635b5037c07d3653d00e1bd4fc421a8142a9def49cd35e17bc3ba3472

SHA512
2ed4333d01fe1b377c4131c7175d3547f677aa63f515b829d271d628ddde7c6172a50b9cf4032b2549f83f5e71e7434ab55c80a2fedd2df467c8a1778c1c5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F1D.txt
Filesize
11KB

MD5
73cf8fc42f7a737ab5796c9e02dd7bc3

SHA1
91fa4c983663d8bb8af0608d8146168738901d45

SHA256
be8cdd1dd28c10adcfeff612a41b0985342246f049091a1d9e09d9e85e6ed392

SHA512
ee6c1a6dbfcbb3583be78b2d32330b080624431d16324dc523e0438e0aadcc0f865265bb9ab4d3141130196e956a50000e7b86893e549ca11a7007e7c8c859eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Filesize
3KB

MD5
c46f084c955c9413f1f375707a49141d

SHA1
591830d0afefb8c15c06527d072a1fb8902395e6

SHA256
7bc05c175a0201ec193933f45c3a16ae8f4b9d959ef9f8253ebd6d0d7579d569

SHA512
94915075cdbf3b7cb87b19466a4543f5a3191ca123da8a0ba14ca1ab610ce025ab18af671c7e62eeb5bcc7e76ba9e84444f2d8904961af430556a1ed2e83f4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct399A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Roaming\riebjec
Filesize
146KB

MD5
43af0375a0a570ffef7dc42146625094

SHA1
d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b

SHA256
3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

SHA512
2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0

Download Submit
C:\Users\Admin\AppData\Roaming\riebjec
Filesize
146KB

MD5
43af0375a0a570ffef7dc42146625094

SHA1
d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b

SHA256
3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

SHA512
2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0

Download Submit
memory/1332-132-0x00000000008BD000-0x00000000008CE000-memory.dmp

Filesize
68KB

Download
memory/1332-133-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/1332-134-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1332-135-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2604-139-0x0000000000000000-mapping.dmp

Download
memory/3604-146-0x000000000087D000-0x000000000088E000-memory.dmp

Filesize
68KB

Download
memory/3604-147-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/3604-148-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4484-178-0x00000000032F0000-0x0000000003DB7000-memory.dmp

Filesize
10.8MB

Download
memory/4484-162-0x0000000000000000-mapping.dmp

Download
memory/4484-167-0x0000000003DC0000-0x0000000003F00000-memory.dmp

Filesize
1.2MB

Download
memory/4484-166-0x0000000003DC0000-0x0000000003F00000-memory.dmp

Filesize
1.2MB

Download
memory/4484-165-0x00000000032F0000-0x0000000003DB7000-memory.dmp

Filesize
10.8MB

Download
memory/4484-164-0x00000000032F0000-0x0000000003DB7000-memory.dmp

Filesize
10.8MB

Download
memory/4484-163-0x0000000000E00000-0x00000000017A8000-memory.dmp

Filesize
9.7MB

Download
memory/4732-155-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-142-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4732-160-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-159-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-154-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-158-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-157-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-156-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-143-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4732-161-0x0000000004520000-0x0000000004660000-memory.dmp

Filesize
1.2MB

Download
memory/4732-141-0x0000000002BC0000-0x00000000031D6000-memory.dmp

Filesize
6.1MB

Download
memory/4732-140-0x000000000274A000-0x0000000002BB4000-memory.dmp

Filesize
4.4MB

Download
memory/4732-153-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/4732-136-0x0000000000000000-mapping.dmp

Download
memory/4732-152-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/4732-151-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/4732-150-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4732-149-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4732-179-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4732-180-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download