danabot | 9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9

Analysis

max time kernel
150s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2022 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
Size

222KB
MD5

24b63883054a92d5dd4be0189efa1a6d
SHA1

3daa16c51cd3bdff234b9a15a0bb4e8892c9b2ef
SHA256

9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9
SHA512

bf8f1574a5089c6ad2673fef2300698ae4127df2bbfa07bea9d3e07caa4ffd73efc36c1c99f583e75680067f29867db16467c04f56055319a8c1331136677cdb
SSDEEP

3072:H6n8GJp0gjvFLUE3qVwt6Hk5zhfEkcZ3ohtmwOwFZkpZtZlWvUcc:H6F5LvtHZIZ3ohtmGFu7tZEs

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2500-145-0x00000000001D0000-0x00000000001D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

62 1600 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

3604.exe7BC8.exe

pid process

4612 3604.exe
4356 7BC8.exe
Deletes itself 1 IoCs

Processes:

pid process

2968
Loads dropped DLL 3 IoCs

Processes:

7BC8.exe

pid process

4356 7BC8.exe
4356 7BC8.exe
4356 7BC8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

3604.exe

description pid process target process

PID 4612 set thread context of 1600 4612 3604.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
62	1600	rundll32.exe

pid	process
4612	3604.exe
4356	7BC8.exe

pid	process
2968

pid	process
4356	7BC8.exe
4356	7BC8.exe
4356	7BC8.exe

description	pid	process	target process
PID 4612 set thread context of 1600	4612	3604.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5116	4356	WerFault.exe	7BC8.exe
4732	4612	WerFault.exe	3604.exe
3032	4612	WerFault.exe	3604.exe
4708	4612	WerFault.exe	3604.exe
4624	4612	WerFault.exe	3604.exe
4692	4612	WerFault.exe	3604.exe
1824	4612	WerFault.exe	3604.exe
4452	4612	WerFault.exe	3604.exe
1132	4612	WerFault.exe	3604.exe
4792	4612	WerFault.exe	3604.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7BC8.exe3604.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7BC8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7BC8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	3604.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3604.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	3604.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	3604.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	3604.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	3604.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 22 IoCs

Processes:

3604.exerundll32.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	3604.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2968

pid	process
2968

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe

pid	process
2500	9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
2500	9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968
2968

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2968
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe

pid process

2500 9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe

pid	process
2968

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968
Token: SeShutdownPrivilege	2968
Token: SeCreatePagefilePrivilege	2968

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1600 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

4428 OpenWith.exe
2968
2968

pid	process
1600	rundll32.exe

pid	process
4428	OpenWith.exe
2968
2968

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3604.exe

description	pid	process	target process
PID 2968 wrote to memory of 4612	2968		3604.exe
PID 2968 wrote to memory of 4612	2968		3604.exe
PID 2968 wrote to memory of 4612	2968		3604.exe
PID 4612 wrote to memory of 4300	4612	3604.exe	appidtel.exe
PID 4612 wrote to memory of 4300	4612	3604.exe	appidtel.exe
PID 4612 wrote to memory of 4300	4612	3604.exe	appidtel.exe
PID 2968 wrote to memory of 4356	2968		7BC8.exe
PID 2968 wrote to memory of 4356	2968		7BC8.exe
PID 2968 wrote to memory of 4356	2968		7BC8.exe
PID 4612 wrote to memory of 1600	4612	3604.exe	rundll32.exe
PID 4612 wrote to memory of 1600	4612	3604.exe	rundll32.exe
PID 4612 wrote to memory of 1600	4612	3604.exe	rundll32.exe
PID 4612 wrote to memory of 1600	4612	3604.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe
"C:\Users\Admin\AppData\Local\Temp\9524e9e497be94859a9eff0512b01a7361a91c8c04363b1552349e7c4aba7ce9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2500

C:\Users\Admin\AppData\Local\Temp\3604.exe
C:\Users\Admin\AppData\Local\Temp\3604.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 620
2⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 964
2⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 976
2⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1052
2⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1092
2⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1060
2⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1156
2⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1248
2⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1380
2⤵
- Program crash
PID:4792

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Users\Admin\AppData\Local\Temp\7BC8.exe
C:\Users\Admin\AppData\Local\Temp\7BC8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1640
2⤵
- Program crash
PID:5116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3604.exe
Filesize
8.4MB

MD5
203629921fccb8846f944f46ca80498a

SHA1
de60c837f0faa8f8dfa26710f2d74d1048bace09

SHA256
4f3b96b84ed2763ac10ea655ae70be9f9445b5b48f5aa10ffc91df2649c3b9a1

SHA512
edd6cace28d1c7c87d9358d7d521860cec967f896ceb2350e24d43b84388d239852af2193075c714aabbde9619f6dc758d244eefd1fc9fedefd151ebf398b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3604.exe
Filesize
8.4MB

MD5
203629921fccb8846f944f46ca80498a

SHA1
de60c837f0faa8f8dfa26710f2d74d1048bace09

SHA256
4f3b96b84ed2763ac10ea655ae70be9f9445b5b48f5aa10ffc91df2649c3b9a1

SHA512
edd6cace28d1c7c87d9358d7d521860cec967f896ceb2350e24d43b84388d239852af2193075c714aabbde9619f6dc758d244eefd1fc9fedefd151ebf398b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC8.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\7BC8.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a12144b-018d-4609-82b9-20cdb0122eb2.tmp
Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\SUAJYJLY-20220812-1728a.log
Filesize
183KB

MD5
586431fac48ddf721b5673450d7d11a9

SHA1
fe58a44318b3f31290014717dec66a2e100f8a2f

SHA256
8530c2e19404e82076a677251cb2ec381028e3cf7eca6c4cea638236d509e907

SHA512
93fe2d90afed56d385ef00694972ba48e498cb959489a47f3774930654aac5399d2cd04809c9263f12eb761f9efd60a5b4a88793615f8d638ddf07efdc1f5dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
Filesize
2KB

MD5
c8c7e9b4224595317a08c41e6d042f1b

SHA1
1dd853cd297486844714db4301669ae5702385ef

SHA256
a3150537957b83b897283c60c695acf5eb2af4e98c65480aee2f75e537c6dbdb

SHA512
e5e1d4a680e9fe3f2cec35c7c115f3ea989d7840c4f1ec3a2802e927042eb4aab0aa88ed044753108f03f6e8d01586f61ca171237bc54c32a4febcdc5ccb673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI75E9.txt
Filesize
425KB

MD5
fa7efd54b7a1a82e3aeabd5f7c8d64c1

SHA1
d7db04c713f10ae3b001d78b5be253c7b5aaf6e4

SHA256
a8bec2b6be94b922f1a725366fa56d7b38de7bc22e9af676a8d773a883e30d03

SHA512
a985281e5756e6d5ccbeb82d73ae86cf4a80602ce6f7e09c67a36de0f1c1c2e4eee287e80b34b65c61f093aa8c7a6bdfdf3336704c700f64a78830b6ef51e04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI75E9.txt
Filesize
11KB

MD5
3f028bb0db8f722d733bc936c1d6284c

SHA1
11842c8c0c2dcf8f44de02e42f0da7917f9e1833

SHA256
98931a29d56cae1db90115fcc1a9235b74b1acf1e2a2e3ad08e8d5df5a2616b5

SHA512
170a36556029933db6a0a090e99e9ec4262312d2a7c690d7aa359793ac083fc66b93e0fe43bd1390e79414a33acb183eee1093897303692b9ba4b69eac2c037b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9PHNB71MKR4J_0_0010_.Public.InstallAgent.dat
Filesize
64KB

MD5
efd344e33c47f0c6058aa188e07b50d0

SHA1
46af7722495b1926acf3fbb758c27f68a613d4bd

SHA256
605f40d42b2e7a9d0698999609dca21bebd1d97a91a8bb4b97b228bbdc472b53

SHA512
f0ff57f6065a931a2a0967062fa76485fe9fde3cbb53a2125a29656053ba49c5b8b30bd1714603da1da32c94e433429c0d79d78c010dcf26e913acc54ab2d6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat
Filesize
65KB

MD5
dc7e6cc5a47edc01738a38ad70f9a8b3

SHA1
c07046f0a19ad63d830fc97b6d9a79c3ede32f42

SHA256
34d45b244945e8c37900145bb52afc763074b301ca5153d369ddb900199fccca

SHA512
8ac5a5ba64c70e608b5cef3e06aca9f7bc9a9da0a9e4c9527a1b24384109306b4e93f2e1cb19375fef7c972ee9ec15361d4b34bb0eb7f97d93c4d836a6a93f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRFHVFW_0_0010_.Public.InstallAgent.dat
Filesize
85KB

MD5
7ccbd37d0a5066e728a7a420b90e6d34

SHA1
1ea2aa552a6cb2ef86bceec5c354f43424dbf469

SHA256
cc7bc6b4aa0ec6ca8c6492498c6ae1509aeebf56f114595085e8d55d3e2939ec

SHA512
1d62d50420806ed3bfef1e16f276bcee73e351116966f6131e8f454296f006a10a7349784118f4a726e6a44fa848bc0396c83139bd833581625f911dd9ed7273

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctA6AC.tmp
Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
memory/1600-363-0x00000000000A5FB0-mapping.dmp

Download
memory/1600-476-0x0000000004AF0000-0x00000000055A2000-memory.dmp

Filesize
10.7MB

Download
memory/1600-436-0x0000000004AF0000-0x00000000055A2000-memory.dmp

Filesize
10.7MB

Download
memory/1600-413-0x0000000002600000-0x0000000002F92000-memory.dmp

Filesize
9.6MB

Download
memory/1600-475-0x0000000002600000-0x0000000002F92000-memory.dmp

Filesize
9.6MB

Download
memory/2500-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-145-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2500-146-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2500-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-156-0x0000000000731000-0x0000000000742000-memory.dmp

Filesize
68KB

Download
memory/2500-157-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2500-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-144-0x0000000000731000-0x0000000000742000-memory.dmp

Filesize
68KB

Download
memory/2500-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2500-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4300-194-0x0000000000000000-mapping.dmp

Download
memory/4300-196-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4300-195-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4356-257-0x0000000000620000-0x00000000006CE000-memory.dmp

Filesize
696KB

Download
memory/4356-208-0x0000000000000000-mapping.dmp

Download
memory/4356-305-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4356-304-0x0000000000620000-0x00000000006CE000-memory.dmp

Filesize
696KB

Download
memory/4356-303-0x0000000000620000-0x00000000006CE000-memory.dmp

Filesize
696KB

Download
memory/4356-259-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/4356-258-0x0000000000620000-0x00000000006CE000-memory.dmp

Filesize
696KB

Download
memory/4612-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-187-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-193-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4612-184-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-183-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-206-0x0000000001120000-0x000000000196B000-memory.dmp

Filesize
8.3MB

Download
memory/4612-207-0x0000000003310000-0x0000000003CE6000-memory.dmp

Filesize
9.8MB

Download
memory/4612-191-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-180-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-218-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4612-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-190-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-189-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-178-0x0000000001120000-0x000000000196B000-memory.dmp

Filesize
8.3MB

Download
memory/4612-185-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-188-0x0000000003310000-0x0000000003CE6000-memory.dmp

Filesize
9.8MB

Download
memory/4612-192-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-186-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-318-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4612-352-0x0000000004CF0000-0x00000000057A2000-memory.dmp

Filesize
10.7MB

Download
memory/4612-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-412-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4612-416-0x0000000004CF0000-0x00000000057A2000-memory.dmp

Filesize
10.7MB

Download
memory/4612-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4612-158-0x0000000000000000-mapping.dmp

Download