danabot | 8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e

Analysis

max time kernel
151s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/10/2022, 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
Size

267KB
MD5

f56a6b0c5dece27be9c0dfcd5ba3dd05
SHA1

1f44751fe41663d9b3f5a0fec658321ec962acc5
SHA256

8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e
SHA512

fed3dc8971c1bf39d34fb330d0219380bccd4030f9740883fe89105abe9517b11f434e5330dd0e03db68b1d2415663c7de61c64be77c79476ba51eaff875cbb9
SSDEEP

3072:YXIEuKOnkmql6N2x5ceSle3BnwKB5Xmb2KTncL60PwPT0WrxpzbgqruhA5QKWuDq:s+ol6H6Bf7McWLPT0uzbgwuhAgIwVfU

Score

10^/10

danabot smokeloader backdoor banker trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral1/memory/3536-133-0x00000000004C0000-0x00000000004C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
84	1268	rundll32.exe
85	2852	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3424	E29.exe
4816	wsdrhbd

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3424 set thread context of 2852	3424	E29.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1004	3424	WerFault.exe	90
2304	3424	WerFault.exe	90
4928	3424	WerFault.exe	90
2536	3424	WerFault.exe	90
968	3424	WerFault.exe	90

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wsdrhbd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wsdrhbd
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wsdrhbd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	E29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	E29.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	E29.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	E29.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	E29.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	E29.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
724	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
3536	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found
724	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
724	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3536	8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2960	svchost.exe
Token: SeShutdownPrivilege	2960	svchost.exe
Token: SeCreatePagefilePrivilege	2960	svchost.exe
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found
Token: SeShutdownPrivilege	724	Process not Found
Token: SeCreatePagefilePrivilege	724	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
724	Process not Found
724	Process not Found

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3424	724	Process not Found	90
PID 724 wrote to memory of 3424	724	Process not Found	90
PID 724 wrote to memory of 3424	724	Process not Found	90
PID 3424 wrote to memory of 4000	3424	E29.exe	91
PID 3424 wrote to memory of 4000	3424	E29.exe	91
PID 3424 wrote to memory of 4000	3424	E29.exe	91
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 1268	3424	E29.exe	96
PID 3424 wrote to memory of 2852	3424	E29.exe	105
PID 3424 wrote to memory of 2852	3424	E29.exe	105
PID 3424 wrote to memory of 2852	3424	E29.exe	105
PID 3424 wrote to memory of 2852	3424	E29.exe	105

C:\Users\Admin\AppData\Local\Temp\8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe
"C:\Users\Admin\AppData\Local\Temp\8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3536

C:\Users\Admin\AppData\Local\Temp\E29.exe
C:\Users\Admin\AppData\Local\Temp\E29.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:4000
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 620
  2⤵
  - Program crash
  PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 880
  2⤵
  - Program crash
  PID:2304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 924
  2⤵
  - Program crash
  PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 904
  2⤵
  - Program crash
  PID:2536
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:2852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1032
  2⤵
  - Program crash
  PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x498
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3424 -ip 3424
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3424 -ip 3424
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3424 -ip 3424
1⤵
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3424 -ip 3424
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3424 -ip 3424
1⤵
PID:2072

C:\Users\Admin\AppData\Roaming\wsdrhbd
C:\Users\Admin\AppData\Roaming\wsdrhbd
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E29.exe

Filesize
1.3MB

MD5
8b97a9004a611ee5f1eda58cc8d057c6

SHA1
18307e806c6e289a048a9e82635bdf9be21de5c6

SHA256
e03f5bd6defc4d57b263955bafd77b8c8ceaf2d9ad4e6108948b7b558177dace

SHA512
362984800177f5804b99ed5a492c01a117f84cc02bdf1ecb00b47a4dae5a2b00b60ea89826e3a8ac6ffc82cbebf1ec2cafcca59ea44c3daff1b9b4b83eafc187

Download Submit
C:\Users\Admin\AppData\Local\Temp\E29.exe

Filesize
1.3MB

MD5
8b97a9004a611ee5f1eda58cc8d057c6

SHA1
18307e806c6e289a048a9e82635bdf9be21de5c6

SHA256
e03f5bd6defc4d57b263955bafd77b8c8ceaf2d9ad4e6108948b7b558177dace

SHA512
362984800177f5804b99ed5a492c01a117f84cc02bdf1ecb00b47a4dae5a2b00b60ea89826e3a8ac6ffc82cbebf1ec2cafcca59ea44c3daff1b9b4b83eafc187

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp

Filesize
3.3MB

MD5
8b9c0f72deaf2ee06e7441209cbe4ffb

SHA1
34912f3c7f4285d85497c96e95c33e5d6a597c97

SHA256
1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

SHA512
db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

Download Submit
C:\Users\Admin\AppData\Roaming\wsdrhbd

Filesize
267KB

MD5
f56a6b0c5dece27be9c0dfcd5ba3dd05

SHA1
1f44751fe41663d9b3f5a0fec658321ec962acc5

SHA256
8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e

SHA512
fed3dc8971c1bf39d34fb330d0219380bccd4030f9740883fe89105abe9517b11f434e5330dd0e03db68b1d2415663c7de61c64be77c79476ba51eaff875cbb9

Download Submit
C:\Users\Admin\AppData\Roaming\wsdrhbd

Filesize
267KB

MD5
f56a6b0c5dece27be9c0dfcd5ba3dd05

SHA1
1f44751fe41663d9b3f5a0fec658321ec962acc5

SHA256
8c9143ae4670b98579f711c960206fe0e20386e87340188c1c37673545ea3d9e

SHA512
fed3dc8971c1bf39d34fb330d0219380bccd4030f9740883fe89105abe9517b11f434e5330dd0e03db68b1d2415663c7de61c64be77c79476ba51eaff875cbb9

Download Submit
memory/1268-153-0x0000000000F70000-0x0000000000F74000-memory.dmp

Filesize
16KB

Download
memory/1268-147-0x0000000000F10000-0x0000000000F14000-memory.dmp

Filesize
16KB

Download
memory/1268-158-0x0000000000FC0000-0x0000000000FC4000-memory.dmp

Filesize
16KB

Download
memory/1268-157-0x0000000000FB0000-0x0000000000FB4000-memory.dmp

Filesize
16KB

Download
memory/1268-156-0x0000000000FA0000-0x0000000000FA4000-memory.dmp

Filesize
16KB

Download
memory/1268-148-0x0000000000F20000-0x0000000000F24000-memory.dmp

Filesize
16KB

Download
memory/1268-154-0x0000000000F80000-0x0000000000F84000-memory.dmp

Filesize
16KB

Download
memory/1268-159-0x0000000000FD0000-0x0000000000FD4000-memory.dmp

Filesize
16KB

Download
memory/1268-160-0x0000000000FD0000-0x0000000000FD4000-memory.dmp

Filesize
16KB

Download
memory/1268-149-0x0000000000F30000-0x0000000000F34000-memory.dmp

Filesize
16KB

Download
memory/1268-155-0x0000000000F90000-0x0000000000F94000-memory.dmp

Filesize
16KB

Download
memory/1268-152-0x0000000000F60000-0x0000000000F64000-memory.dmp

Filesize
16KB

Download
memory/1268-150-0x0000000000F40000-0x0000000000F44000-memory.dmp

Filesize
16KB

Download
memory/1268-151-0x0000000000F50000-0x0000000000F54000-memory.dmp

Filesize
16KB

Download
memory/2852-180-0x00000000033A0000-0x0000000003E63000-memory.dmp

Filesize
10.8MB

Download
memory/2852-179-0x00000000033A0000-0x0000000003E63000-memory.dmp

Filesize
10.8MB

Download
memory/2852-175-0x00000000033A0000-0x0000000003E63000-memory.dmp

Filesize
10.8MB

Download
memory/2852-176-0x0000000003EF0000-0x0000000004030000-memory.dmp

Filesize
1.2MB

Download
memory/2852-177-0x0000000003EF0000-0x0000000004030000-memory.dmp

Filesize
1.2MB

Download
memory/2852-178-0x0000000001000000-0x00000000019A4000-memory.dmp

Filesize
9.6MB

Download
memory/3424-144-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3424-143-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3424-182-0x0000000003150000-0x0000000003C13000-memory.dmp

Filesize
10.8MB

Download
memory/3424-162-0x0000000003150000-0x0000000003C13000-memory.dmp

Filesize
10.8MB

Download
memory/3424-163-0x0000000003150000-0x0000000003C13000-memory.dmp

Filesize
10.8MB

Download
memory/3424-164-0x0000000003150000-0x0000000003C13000-memory.dmp

Filesize
10.8MB

Download
memory/3424-165-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-166-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-168-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-167-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-169-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-170-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-171-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-145-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3424-172-0x0000000003E50000-0x0000000003F90000-memory.dmp

Filesize
1.2MB

Download
memory/3424-174-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3424-142-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3424-141-0x0000000002680000-0x0000000002942000-memory.dmp

Filesize
2.8MB

Download
memory/3424-140-0x0000000002558000-0x0000000002676000-memory.dmp

Filesize
1.1MB

Download
memory/3424-181-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3536-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3536-132-0x000000000053D000-0x000000000054E000-memory.dmp

Filesize
68KB

Download
memory/3536-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3536-133-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/4816-185-0x00000000006BD000-0x00000000006CE000-memory.dmp

Filesize
68KB

Download
memory/4816-186-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download