danabot | 94a24841df9e30fab797665446d3ebbf9af6c8157a99d4c3f7afbe64d58777c6

General

Target

file.exe
Size

276KB
MD5

8a16ba45656454f73c16169a88d867fd
SHA1

cbd09b4d43c2acf42c87d9a6554fc7287d2cf52f
SHA256

94a24841df9e30fab797665446d3ebbf9af6c8157a99d4c3f7afbe64d58777c6
SHA512

de459bfe8839ab647921fb1d6a8e97fafa99a8f56d6e79ca50665c962f4e4751c2c7fda71e5e30b36c5780b6cbded1590775cd1ccea804891cbeaa270b98df43
SSDEEP

6144:sFV1oU2xqOUjJn3CP4XI5obljmGrwVfquS:sFgU28OUSh+dd

Score

10^/10

danabot smokeloader systembc backdoor banker trojan

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Extracted

Family

systembc

C2

45.182.189.231:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-133-0x0000000000590000-0x0000000000599000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

80 68 rundll32.exe
82 4716 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

1CB0.exeD3FA.exejjtxr.exe

pid process

3360 1CB0.exe
4396 D3FA.exe
1548 jjtxr.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1CB0.exe

description pid process target process

PID 3360 set thread context of 4716 3360 1CB0.exe rundll32.exe
Drops file in Windows directory 2 IoCs

Processes:

D3FA.exe

description ioc process

File created C:\Windows\Tasks\jjtxr.job D3FA.exe
File opened for modification C:\Windows\Tasks\jjtxr.job D3FA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
80	68	rundll32.exe
82	4716	rundll32.exe

pid	process
3360	1CB0.exe
4396	D3FA.exe
1548	jjtxr.exe

description	pid	process	target process
PID 3360 set thread context of 4716	3360	1CB0.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\Tasks\jjtxr.job	D3FA.exe
File opened for modification	C:\Windows\Tasks\jjtxr.job	D3FA.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
944	3360	WerFault.exe	1CB0.exe
3852	3360	WerFault.exe	1CB0.exe
3956	3360	WerFault.exe	1CB0.exe
2424	3360	WerFault.exe	1CB0.exe
1372	3360	WerFault.exe	1CB0.exe
1392	3360	WerFault.exe	1CB0.exe

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exefile.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1CB0.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	1CB0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	1CB0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	1CB0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	1CB0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	1CB0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	1CB0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 19 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

600

pid	process
600

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
2620	file.exe
2620	file.exe
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600
600

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

600
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

2620 file.exe

pid	process
600

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3844	svchost.exe
Token: SeShutdownPrivilege	3844	svchost.exe
Token: SeCreatePagefilePrivilege	3844	svchost.exe
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600
Token: SeShutdownPrivilege	600
Token: SeCreatePagefilePrivilege	600

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4716 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

600
600

pid	process
4716	rundll32.exe

pid	process
600
600

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

1CB0.exe

description	pid	process	target process
PID 600 wrote to memory of 3360	600		1CB0.exe
PID 600 wrote to memory of 3360	600		1CB0.exe
PID 600 wrote to memory of 3360	600		1CB0.exe
PID 3360 wrote to memory of 3564	3360	1CB0.exe	agentactivationruntimestarter.exe
PID 3360 wrote to memory of 3564	3360	1CB0.exe	agentactivationruntimestarter.exe
PID 3360 wrote to memory of 3564	3360	1CB0.exe	agentactivationruntimestarter.exe
PID 600 wrote to memory of 4396	600		D3FA.exe
PID 600 wrote to memory of 4396	600		D3FA.exe
PID 600 wrote to memory of 4396	600		D3FA.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 68	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 4716	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 4716	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 4716	3360	1CB0.exe	rundll32.exe
PID 3360 wrote to memory of 4716	3360	1CB0.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2620

C:\Users\Admin\AppData\Local\Temp\1CB0.exe
C:\Users\Admin\AppData\Local\Temp\1CB0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:3564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:68

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 620
2⤵
- Program crash
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 880
2⤵
- Program crash
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 944
2⤵
- Program crash
PID:3956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 944
2⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1088
2⤵
- Program crash
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 1096
2⤵
- Program crash
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x434 0x2d0
1⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\D3FA.exe
C:\Users\Admin\AppData\Local\Temp\D3FA.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4396

C:\ProgramData\lmeq\jjtxr.exe
C:\ProgramData\lmeq\jjtxr.exe start
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3360 -ip 3360
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3360 -ip 3360
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3360 -ip 3360
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3360 -ip 3360
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3360 -ip 3360
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3360 -ip 3360
1⤵
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lmeq\jjtxr.exe
Filesize
276KB

MD5
d66be42ac16824299b55cdee82364d6f

SHA1
2e45e3ea10a9ee00fd3d495e15cef4cf8ca8f4d0

SHA256
2354b336950524c3f8800bf7f7e812866a64275f8eb590c68e88834ea0f7fb6b

SHA512
bc6ff2c7e5b36874513f0a8803a6346041bacd6f8bb52c932b25d7dba2f571106250ddef26cc9ee2b45ebe299c94051427c5edd511ea5efc5cfcf3cd675c90c5

Download Submit
C:\ProgramData\lmeq\jjtxr.exe
Filesize
276KB

MD5
d66be42ac16824299b55cdee82364d6f

SHA1
2e45e3ea10a9ee00fd3d495e15cef4cf8ca8f4d0

SHA256
2354b336950524c3f8800bf7f7e812866a64275f8eb590c68e88834ea0f7fb6b

SHA512
bc6ff2c7e5b36874513f0a8803a6346041bacd6f8bb52c932b25d7dba2f571106250ddef26cc9ee2b45ebe299c94051427c5edd511ea5efc5cfcf3cd675c90c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CB0.exe
Filesize
1.3MB

MD5
542994bb707e825fce92a1c80de5c1de

SHA1
6c5a8fd8d0e74a46ba377870c3ca79de96091edd

SHA256
f9642f4cd784385d050bef551549507dc8cc295fcd14c62c1c16ba9e11174b0e

SHA512
72cc54bd47ac2b41904761d24b9071614bef33236123da2ba3b71fc509a167ad042e4ce42d68296616b75a761ab6b0a6ae715aeed733305f5c4fd0fb06d6aa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CB0.exe
Filesize
1.3MB

MD5
542994bb707e825fce92a1c80de5c1de

SHA1
6c5a8fd8d0e74a46ba377870c3ca79de96091edd

SHA256
f9642f4cd784385d050bef551549507dc8cc295fcd14c62c1c16ba9e11174b0e

SHA512
72cc54bd47ac2b41904761d24b9071614bef33236123da2ba3b71fc509a167ad042e4ce42d68296616b75a761ab6b0a6ae715aeed733305f5c4fd0fb06d6aa2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3FA.exe
Filesize
276KB

MD5
d66be42ac16824299b55cdee82364d6f

SHA1
2e45e3ea10a9ee00fd3d495e15cef4cf8ca8f4d0

SHA256
2354b336950524c3f8800bf7f7e812866a64275f8eb590c68e88834ea0f7fb6b

SHA512
bc6ff2c7e5b36874513f0a8803a6346041bacd6f8bb52c932b25d7dba2f571106250ddef26cc9ee2b45ebe299c94051427c5edd511ea5efc5cfcf3cd675c90c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3FA.exe
Filesize
276KB

MD5
d66be42ac16824299b55cdee82364d6f

SHA1
2e45e3ea10a9ee00fd3d495e15cef4cf8ca8f4d0

SHA256
2354b336950524c3f8800bf7f7e812866a64275f8eb590c68e88834ea0f7fb6b

SHA512
bc6ff2c7e5b36874513f0a8803a6346041bacd6f8bb52c932b25d7dba2f571106250ddef26cc9ee2b45ebe299c94051427c5edd511ea5efc5cfcf3cd675c90c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp
Filesize
3.3MB

MD5
8b9c0f72deaf2ee06e7441209cbe4ffb

SHA1
34912f3c7f4285d85497c96e95c33e5d6a597c97

SHA256
1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

SHA512
db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

Download Submit
memory/68-162-0x00000000005B0000-0x00000000005B4000-memory.dmp

Filesize
16KB

Download
memory/68-157-0x0000000000000000-mapping.dmp

Download
memory/68-171-0x0000000000830000-0x0000000000834000-memory.dmp

Filesize
16KB

Download
memory/68-165-0x00000000005E0000-0x00000000005E4000-memory.dmp

Filesize
16KB

Download
memory/68-166-0x00000000005F0000-0x00000000005F4000-memory.dmp

Filesize
16KB

Download
memory/68-167-0x0000000000800000-0x0000000000804000-memory.dmp

Filesize
16KB

Download
memory/68-168-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/68-169-0x0000000000820000-0x0000000000824000-memory.dmp

Filesize
16KB

Download
memory/68-170-0x0000000000830000-0x0000000000834000-memory.dmp

Filesize
16KB

Download
memory/68-164-0x00000000005D0000-0x00000000005D4000-memory.dmp

Filesize
16KB

Download
memory/68-163-0x00000000005C0000-0x00000000005C4000-memory.dmp

Filesize
16KB

Download
memory/68-161-0x00000000005A0000-0x00000000005A4000-memory.dmp

Filesize
16KB

Download
memory/68-159-0x0000000000580000-0x0000000000584000-memory.dmp

Filesize
16KB

Download
memory/68-160-0x0000000000590000-0x0000000000594000-memory.dmp

Filesize
16KB

Download
memory/68-158-0x0000000000570000-0x0000000000574000-memory.dmp

Filesize
16KB

Download
memory/1548-154-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1548-153-0x0000000000772000-0x0000000000782000-memory.dmp

Filesize
64KB

Download
memory/2620-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2620-133-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/2620-132-0x00000000007B7000-0x00000000007C7000-memory.dmp

Filesize
64KB

Download
memory/2620-134-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3360-182-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-177-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-136-0x0000000000000000-mapping.dmp

Download
memory/3360-193-0x0000000003130000-0x0000000003BF3000-memory.dmp

Filesize
10.8MB

Download
memory/3360-192-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-184-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-183-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-144-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-143-0x00000000024D0000-0x0000000002792000-memory.dmp

Filesize
2.8MB

Download
memory/3360-142-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-140-0x00000000024D0000-0x0000000002792000-memory.dmp

Filesize
2.8MB

Download
memory/3360-139-0x0000000000C07000-0x0000000000D25000-memory.dmp

Filesize
1.1MB

Download
memory/3360-156-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-173-0x0000000003130000-0x0000000003BF3000-memory.dmp

Filesize
10.8MB

Download
memory/3360-174-0x0000000003130000-0x0000000003BF3000-memory.dmp

Filesize
10.8MB

Download
memory/3360-175-0x0000000003130000-0x0000000003BF3000-memory.dmp

Filesize
10.8MB

Download
memory/3360-176-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-155-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-178-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-180-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3360-179-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3360-181-0x0000000003E30000-0x0000000003F70000-memory.dmp

Filesize
1.2MB

Download
memory/3564-141-0x0000000000000000-mapping.dmp

Download
memory/4396-150-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4396-145-0x0000000000000000-mapping.dmp

Download
memory/4396-148-0x0000000000737000-0x0000000000747000-memory.dmp

Filesize
64KB

Download
memory/4396-149-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/4716-185-0x0000000000000000-mapping.dmp

Download
memory/4716-186-0x0000000002980000-0x0000000003443000-memory.dmp

Filesize
10.8MB

Download
memory/4716-187-0x0000000003510000-0x0000000003650000-memory.dmp

Filesize
1.2MB

Download
memory/4716-188-0x0000000003510000-0x0000000003650000-memory.dmp

Filesize
1.2MB

Download
memory/4716-189-0x0000000000600000-0x0000000000FA4000-memory.dmp

Filesize
9.6MB

Download
memory/4716-190-0x0000000002980000-0x0000000003443000-memory.dmp

Filesize
10.8MB

Download
memory/4716-191-0x0000000002980000-0x0000000003443000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads