danabot | 3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
Size

146KB
MD5

43af0375a0a570ffef7dc42146625094
SHA1

d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b
SHA256

3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953
SHA512

2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0
SSDEEP

3072:bbdkZd0JhfGt1g04yBv7baLmU/3wWy9vx/3sHSMreYZO:b5l21gnEZUIWwvh3ISMrDZ

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
EAD30BF58E340E9E105B328F524565E0
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4960-133-0x00000000022C0000-0x00000000022C9000-memory.dmp	family_smokeloader
behavioral1/memory/4960-136-0x00000000022C0000-0x00000000022C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

75 3636 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

DC99.exefaterwf

pid process

2736 DC99.exe
692 faterwf
Suspicious use of SetThreadContext 1 IoCs

Processes:

DC99.exe

description pid process target process

PID 2736 set thread context of 3636 2736 DC99.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1796 2736 WerFault.exe DC99.exe
4568 2736 WerFault.exe DC99.exe
432 2736 WerFault.exe DC99.exe
4964 2736 WerFault.exe DC99.exe

flow	pid	process
75	3636	rundll32.exe

pid	process
2736	DC99.exe
692	faterwf

description	pid	process	target process
PID 2736 set thread context of 3636	2736	DC99.exe	rundll32.exe

pid	pid_target	process	target process
1796	2736	WerFault.exe	DC99.exe
4568	2736	WerFault.exe	DC99.exe
432	2736	WerFault.exe	DC99.exe
4964	2736	WerFault.exe	DC99.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exefaterwf

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faterwf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faterwf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	faterwf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DC99.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DC99.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	DC99.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	DC99.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DC99.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	DC99.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	DC99.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	DC99.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2220

pid	process
2220

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe

pid	process
4960	3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
4960	3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220
2220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2220
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exefaterwf

pid process

4960 3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
692 faterwf

pid	process
2220

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2544	svchost.exe
Token: SeShutdownPrivilege	2544	svchost.exe
Token: SeCreatePagefilePrivilege	2544	svchost.exe
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220
Token: SeShutdownPrivilege	2220
Token: SeCreatePagefilePrivilege	2220

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3636 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2220
2220

pid	process
3636	rundll32.exe

pid	process
2220
2220

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DC99.exe

description	pid	process	target process
PID 2220 wrote to memory of 2736	2220		DC99.exe
PID 2220 wrote to memory of 2736	2220		DC99.exe
PID 2220 wrote to memory of 2736	2220		DC99.exe
PID 2736 wrote to memory of 2876	2736	DC99.exe	agentactivationruntimestarter.exe
PID 2736 wrote to memory of 2876	2736	DC99.exe	agentactivationruntimestarter.exe
PID 2736 wrote to memory of 2876	2736	DC99.exe	agentactivationruntimestarter.exe
PID 2736 wrote to memory of 3636	2736	DC99.exe	rundll32.exe
PID 2736 wrote to memory of 3636	2736	DC99.exe	rundll32.exe
PID 2736 wrote to memory of 3636	2736	DC99.exe	rundll32.exe
PID 2736 wrote to memory of 3636	2736	DC99.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe
"C:\Users\Admin\AppData\Local\Temp\3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4960

C:\Users\Admin\AppData\Local\Temp\DC99.exe
C:\Users\Admin\AppData\Local\Temp\DC99.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 828
2⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 828
2⤵
- Program crash
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 976
2⤵
- Program crash
PID:432

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 968
2⤵
- Program crash
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x308
1⤵
PID:4676

C:\Users\Admin\AppData\Roaming\faterwf
C:\Users\Admin\AppData\Roaming\faterwf
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2736 -ip 2736
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2736 -ip 2736
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2736 -ip 2736
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2736 -ip 2736
1⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
07bd5d79e18651bb0758a150cca252da

SHA1
bafab651d3a8c900041b7460c4b3d0db6a362e52

SHA256
57c21ab757836c1979c5ea959cf760f7d2f88771ba6edfee4848f9f9bff6868a

SHA512
ba627fbde74d1b18fc4644df86c6a4832910464c110a8fa29fa24818b630040799113ea73dd8af24644f5de19ec49dc97bbda557e1cbce6278974f0ef4c461b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC99.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC99.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
25KB

MD5
6f6eb502bc56ef0c6af70970cab6b6bd

SHA1
80b18c9e92eec4d3efb993baa1cbb65b9f2efefe

SHA256
fae1c05269e8dd5949302a1ec38625e70e8167a0cfe0734bb0aaf8533ce6bf1e

SHA512
1865e8155bb6838f068d29cdb33eddbae49e5cfc94e8a3f97ea50d008ef0cd34b0fc3cffec43cea7b104dd8673ab77c9d3103a2272ec6c418b3da4c4b6a023d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html
Filesize
94KB

MD5
c37a4768436536ce937e2f4ae25bdee9

SHA1
d2ee32b61d348838b16b49005ffd112c77686970

SHA256
0be98a2f88b59cc8a14e48b604678303a0855a629751c2a31940a7b4073fa5a3

SHA512
2a9b95cb00e59a9365fd50589b68de9886e2b81a53ddee4032d25ff53024d3dd1b4620ae651cf665e639764e283db52987257eecb7525d2cdc44003e1a4f6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmp
Filesize
3.3MB

MD5
963024ce4b5518f20619bdcb2998a789

SHA1
bbce53b5aa2beeff5c9f1555a1e32350bba479b2

SHA256
e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d

SHA512
468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp
Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adc52f94-c82e-434e-9f30-9b348375f053.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4F1D.txt
Filesize
427KB

MD5
7cb368867b63387e87ac8c43fda56652

SHA1
8337144cc4b0ac41f1c46fb822686d6c042988b4

SHA256
e1c789a635b5037c07d3653d00e1bd4fc421a8142a9def49cd35e17bc3ba3472

SHA512
2ed4333d01fe1b377c4131c7175d3547f677aa63f515b829d271d628ddde7c6172a50b9cf4032b2549f83f5e71e7434ab55c80a2fedd2df467c8a1778c1c5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4F1D.txt
Filesize
11KB

MD5
73cf8fc42f7a737ab5796c9e02dd7bc3

SHA1
91fa4c983663d8bb8af0608d8146168738901d45

SHA256
be8cdd1dd28c10adcfeff612a41b0985342246f049091a1d9e09d9e85e6ed392

SHA512
ee6c1a6dbfcbb3583be78b2d32330b080624431d16324dc523e0438e0aadcc0f865265bb9ab4d3141130196e956a50000e7b86893e549ca11a7007e7c8c859eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
266KB

MD5
24082ee6914d520e5e6789a2ed2b9d19

SHA1
8d31261ffdc3c25521d1439a6a468f015c5e5207

SHA256
57a0b1d1e4992728c2d86b5122a7b505e8faefa435afbcb0606f76f01538fc55

SHA512
7c95e4aa202fe47c198954fd163f213d8589647bee4050cb3c800f537ece32fabee95074c70f919c5c35c84518dee89b25ab54248213ff4df692a03d58ea776f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct399A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct4E2A.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC61E.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Roaming\faterwf
Filesize
146KB

MD5
43af0375a0a570ffef7dc42146625094

SHA1
d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b

SHA256
3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

SHA512
2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0

Download Submit
C:\Users\Admin\AppData\Roaming\faterwf
Filesize
146KB

MD5
43af0375a0a570ffef7dc42146625094

SHA1
d585dc4102417a5a15e2a1ac0c3c7ad4b004a53b

SHA256
3d01424d0e57eabd41eda9eb7843795a582096c821be587c6980acc407dac953

SHA512
2c8d3df37267e7ddbe69f746b775ed86b0a2dda73b6593076a5f46ded615f004f5e7297b739995371a0fcfd3be47cda3545d29426f1be110caedbf6fba6a91f0

Download Submit
memory/692-148-0x000000000095E000-0x000000000096E000-memory.dmp

Filesize
64KB

Download
memory/692-149-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/692-150-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2736-144-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/2736-138-0x0000000000000000-mapping.dmp

Download
memory/2736-153-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/2736-154-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/2736-155-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/2736-156-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-157-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-158-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-159-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-160-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-161-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-163-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-162-0x0000000004420000-0x0000000004560000-memory.dmp

Filesize
1.2MB

Download
memory/2736-184-0x0000000003790000-0x0000000004257000-memory.dmp

Filesize
10.8MB

Download
memory/2736-183-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/2736-152-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/2736-142-0x000000000277E000-0x0000000002BE8000-memory.dmp

Filesize
4.4MB

Download
memory/2736-143-0x0000000002BF0000-0x0000000003206000-memory.dmp

Filesize
6.1MB

Download
memory/2736-151-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/2736-145-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/2876-141-0x0000000000000000-mapping.dmp

Download
memory/3636-182-0x0000000002AA0000-0x0000000003567000-memory.dmp

Filesize
10.8MB

Download
memory/3636-167-0x0000000003750000-0x0000000003890000-memory.dmp

Filesize
1.2MB

Download
memory/3636-181-0x0000000002AA0000-0x0000000003567000-memory.dmp

Filesize
10.8MB

Download
memory/3636-168-0x0000000000660000-0x0000000001008000-memory.dmp

Filesize
9.7MB

Download
memory/3636-166-0x0000000003750000-0x0000000003890000-memory.dmp

Filesize
1.2MB

Download
memory/3636-164-0x0000000000000000-mapping.dmp

Download
memory/3636-165-0x0000000002AA0000-0x0000000003567000-memory.dmp

Filesize
10.8MB

Download
memory/4960-137-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4960-134-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/4960-133-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/4960-135-0x000000000072E000-0x000000000073F000-memory.dmp

Filesize
68KB

Download
memory/4960-136-0x00000000022C0000-0x00000000022C9000-memory.dmp

Filesize
36KB

Download
memory/4960-132-0x000000000072E000-0x000000000073F000-memory.dmp

Filesize
68KB

Download