danabot | 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
Size

145KB
MD5

9278572290796cb6a8f80297d82b7b90
SHA1

0e8cf0306a07208d0d38c3e159a961c73b5096cb
SHA256

7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5
SHA512

bdb9469eb59c56d99ed7a87f4c5443f535304b55deeb033f160c716776f1ebafdb17d129bb18e8ba14115f6a21f0f96657188acf13b9cd5d292dcf8444a9cd18
SSDEEP

3072:YbJk1BhfVsi2c99mH0Y5blznQsBRgLLS/VU+a2Yu5O:4Wxsi2c9hcRQXLLS/VU+a25

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
EAD30BF58E340E9E105B328F524565E0
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4136-133-0x0000000000810000-0x0000000000819000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

74 4276 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

41FA.exevifhvij

pid process

3912 41FA.exe
1808 vifhvij
Suspicious use of SetThreadContext 1 IoCs

Processes:

41FA.exe

description pid process target process

PID 3912 set thread context of 4276 3912 41FA.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

736 3912 WerFault.exe 41FA.exe
2496 3912 WerFault.exe 41FA.exe
4368 3912 WerFault.exe 41FA.exe
2100 3912 WerFault.exe 41FA.exe

flow	pid	process
74	4276	rundll32.exe

pid	process
3912	41FA.exe
1808	vifhvij

description	pid	process	target process
PID 3912 set thread context of 4276	3912	41FA.exe	rundll32.exe

pid	pid_target	process	target process
736	3912	WerFault.exe	41FA.exe
2496	3912	WerFault.exe	41FA.exe
4368	3912	WerFault.exe	41FA.exe
2100	3912	WerFault.exe	41FA.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 53 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41FA.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	41FA.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	41FA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	41FA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	41FA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	41FA.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	41FA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2228

pid	process
2228

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe

pid	process
4136	7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
4136	7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228
2228

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2228
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe

pid process

4136 7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe

pid	process
2228

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3116	svchost.exe
Token: SeShutdownPrivilege	3116	svchost.exe
Token: SeCreatePagefilePrivilege	3116	svchost.exe
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228
Token: SeShutdownPrivilege	2228
Token: SeCreatePagefilePrivilege	2228

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4276 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2228
2228

pid	process
4276	rundll32.exe

pid	process
2228
2228

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

41FA.exe

description	pid	process	target process
PID 2228 wrote to memory of 3912	2228		41FA.exe
PID 2228 wrote to memory of 3912	2228		41FA.exe
PID 2228 wrote to memory of 3912	2228		41FA.exe
PID 3912 wrote to memory of 3224	3912	41FA.exe	agentactivationruntimestarter.exe
PID 3912 wrote to memory of 3224	3912	41FA.exe	agentactivationruntimestarter.exe
PID 3912 wrote to memory of 3224	3912	41FA.exe	agentactivationruntimestarter.exe
PID 3912 wrote to memory of 4276	3912	41FA.exe	rundll32.exe
PID 3912 wrote to memory of 4276	3912	41FA.exe	rundll32.exe
PID 3912 wrote to memory of 4276	3912	41FA.exe	rundll32.exe
PID 3912 wrote to memory of 4276	3912	41FA.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe
"C:\Users\Admin\AppData\Local\Temp\7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4136

C:\Users\Admin\AppData\Local\Temp\41FA.exe
C:\Users\Admin\AppData\Local\Temp\41FA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 840
2⤵
- Program crash
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 840
2⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 900
2⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 904
2⤵
- Program crash
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x2fc
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3912 -ip 3912
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3912 -ip 3912
1⤵
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3912 -ip 3912
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3912 -ip 3912
1⤵
PID:2852

C:\Users\Admin\AppData\Roaming\vifhvij
C:\Users\Admin\AppData\Roaming\vifhvij
1⤵
- Executes dropped EXE
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02fc4909-db62-4fee-8646-109dbf6b271b.tmp
Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\41FA.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\41FA.exe
Filesize
4.5MB

MD5
62ba89d7affbfbcfbf23cde2b99db94d

SHA1
14cc964af2597640ae4eced7a97c0f51f5374655

SHA256
c7831dd1563f5fc62f794d0849831d2b12aaa1e094c4d66d6e74d656b75f4bc6

SHA512
7bd88e1c59b4aa95f29ca4fe3bf7e06fb8afa54c91d794d9b6b2b041b7ea19923144158d77ee737da8414aba0a776254e0c507498b14fec9d9cbb5fd7bb71779

Download Submit
C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp
Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
25KB

MD5
e51378ad4760b76c65c377b422a67edf

SHA1
043123fc49bc9018918d39b7b7ca93d1ad8c478b

SHA256
833a94dd9e8aef79c0eba1208f9c2446898d21c210bc14f1567586811964a9c6

SHA512
08ed090bc9054a8d4c9fb3c1d9eac20031587a191518a393e248c87087bdbce7f1d80b468c2a0a53d20dcc8086b8b4445674e75a36e4e2164c10aea6909a8d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_194409742.html
Filesize
93KB

MD5
71758797ae7914b1227d0b34c30c0797

SHA1
f63e17acdd4f8ed417c476a19742547291408963

SHA256
62bfa55487dface1cb7989308d91488315e79714153a4e40e1c14d4ca7a4a1c2

SHA512
98be11d1d910ad96ca12c39262e0be6ce451baebb2ceb0cc559762906e4993bdfaf7bdf3cb38eb67e055c9778560fe686fe155b39f8afc4a9d70880c14e9a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmp
Filesize
3.3MB

MD5
963024ce4b5518f20619bdcb2998a789

SHA1
bbce53b5aa2beeff5c9f1555a1e32350bba479b2

SHA256
e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d

SHA512
468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1951.log
Filesize
56KB

MD5
d431794afa91c4c3745055b53d795183

SHA1
ca518aa0948e9e8af5ec5a89bc613d7e4fc6c9d5

SHA256
2290c5fc19f04b088974b297c2677e0e848900c9188382d3b24611a02685ae03

SHA512
1ae72c1da9b766b3bea44aa3244ab028f7ed8c6e715b284ca111f6f22d3300dbc54a89639f3af0b0371c62c7cab81d4b8b76d807e9738f9d5aa4b329f25fdd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7a972bc-9460-4c6f-93c0-e6dd9473f34f.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI645A.txt
Filesize
11KB

MD5
7b873b39db7b02204b2619e7ad882462

SHA1
6277c99ed98c622c7fbc190669144ccb3744c4c4

SHA256
2814f20a867472a4137808b9695eec04264dddbb2e5e9d447fd0f46c4f303b96

SHA512
429213d5ea5f84bbbd25daecfee504bafca10606204fb53569475112ef969355f9c90eb33a9af7e63ac89adef1d3e2b0af0029eff12ed2b93d265f3f89793a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\e60d62fd-4f64-4839-9b40-06d8d042b5b1.tmp
Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct7D63.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Roaming\vifhvij
Filesize
145KB

MD5
9278572290796cb6a8f80297d82b7b90

SHA1
0e8cf0306a07208d0d38c3e159a961c73b5096cb

SHA256
7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5

SHA512
bdb9469eb59c56d99ed7a87f4c5443f535304b55deeb033f160c716776f1ebafdb17d129bb18e8ba14115f6a21f0f96657188acf13b9cd5d292dcf8444a9cd18

Download Submit
C:\Users\Admin\AppData\Roaming\vifhvij
Filesize
145KB

MD5
9278572290796cb6a8f80297d82b7b90

SHA1
0e8cf0306a07208d0d38c3e159a961c73b5096cb

SHA256
7dc38c894fa560ec5c212c12751a306111f223cf245e4f9bad113938827041c5

SHA512
bdb9469eb59c56d99ed7a87f4c5443f535304b55deeb033f160c716776f1ebafdb17d129bb18e8ba14115f6a21f0f96657188acf13b9cd5d292dcf8444a9cd18

Download Submit
memory/3224-139-0x0000000000000000-mapping.dmp

Download
memory/3912-143-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/3912-147-0x0000000003770000-0x0000000004237000-memory.dmp

Filesize
10.8MB

Download
memory/3912-149-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-150-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-151-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-153-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-152-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-154-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-155-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-156-0x00000000044F0000-0x0000000004630000-memory.dmp

Filesize
1.2MB

Download
memory/3912-175-0x0000000003770000-0x0000000004237000-memory.dmp

Filesize
10.8MB

Download
memory/3912-173-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/3912-136-0x0000000000000000-mapping.dmp

Download
memory/3912-140-0x00000000026B2000-0x0000000002B1C000-memory.dmp

Filesize
4.4MB

Download
memory/3912-141-0x0000000002B20000-0x0000000003136000-memory.dmp

Filesize
6.1MB

Download
memory/3912-148-0x0000000003770000-0x0000000004237000-memory.dmp

Filesize
10.8MB

Download
memory/3912-146-0x0000000003770000-0x0000000004237000-memory.dmp

Filesize
10.8MB

Download
memory/3912-145-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/3912-144-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/3912-142-0x0000000000400000-0x0000000000A22000-memory.dmp

Filesize
6.1MB

Download
memory/4136-132-0x000000000088E000-0x000000000089E000-memory.dmp

Filesize
64KB

Download
memory/4136-135-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4136-134-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4136-133-0x0000000000810000-0x0000000000819000-memory.dmp

Filesize
36KB

Download
memory/4276-161-0x0000000003890000-0x00000000039D0000-memory.dmp

Filesize
1.2MB

Download
memory/4276-165-0x0000000002DC0000-0x0000000003887000-memory.dmp

Filesize
10.8MB

Download
memory/4276-160-0x0000000003890000-0x00000000039D0000-memory.dmp

Filesize
1.2MB

Download
memory/4276-159-0x0000000000800000-0x00000000011A8000-memory.dmp

Filesize
9.7MB

Download
memory/4276-158-0x0000000002DC0000-0x0000000003887000-memory.dmp

Filesize
10.8MB

Download
memory/4276-174-0x0000000002DC0000-0x0000000003887000-memory.dmp

Filesize
10.8MB

Download
memory/4276-157-0x0000000000000000-mapping.dmp

Download