danabot | 1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2022 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
Size

221KB
MD5

b003078f86a2ee4bd3eea3e3e9dc4cd0
SHA1

d0ad65dddd52c488d2d5fcb41d1bc40d4aea0357
SHA256

1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5
SHA512

e895aa3ad3fc31ba7ba4ff4ae979974f8776687a38e3dea92fde15549adf88fc635766520587c852635d19ea638ba2815dcee00e86eb221d963faf369ec144d3
SSDEEP

3072:e9nVYZj/ESbcu7o6lphGLWgXOwU6Ahsz52vil9NeBM9k8hOZDLTTdTHrBO:e9AjsSVhGL9ZUBhxKrsMW2CLTZB

Score

10^/10

danabot smokeloader vidar 937 backdoor banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1816-154-0x00000000001D0000-0x00000000001D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

54 4504 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

3BD0.exeudsbduw7933.exe

pid process

2820 3BD0.exe
3728 udsbduw
5016 7933.exe
Deletes itself 1 IoCs

Processes:

pid process

2144
Loads dropped DLL 3 IoCs

Processes:

7933.exe

pid process

5016 7933.exe
5016 7933.exe
5016 7933.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

3BD0.exe

description pid process target process

PID 2820 set thread context of 4504 2820 3BD0.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4116 5016 WerFault.exe 7933.exe

flow	pid	process
54	4504	rundll32.exe

pid	process
2820	3BD0.exe
3728	udsbduw
5016	7933.exe

pid	process
2144

pid	process
5016	7933.exe
5016	7933.exe
5016	7933.exe

description	pid	process	target process
PID 2820 set thread context of 4504	2820	3BD0.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri

pid	pid_target	process	target process
4116	5016	WerFault.exe	7933.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exeudsbduw

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udsbduw
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udsbduw
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	udsbduw

Checks processor information in registry 2 TTPs 53 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3BD0.exerundll32.exe7933.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	3BD0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	3BD0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7933.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3BD0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3BD0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7933.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	3BD0.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	3BD0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3BD0.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	3BD0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	3BD0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Internet Explorer\Toolbar

Modifies registry class 22 IoCs

Processes:

rundll32.exeOpenWith.exe3BD0.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	3BD0.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2144

pid	process
2144

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe

pid	process
1816	1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
1816	1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144
2144

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2144
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exeudsbduw

pid process

1816 1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
3728 udsbduw

pid	process
2144

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144
Token: SeShutdownPrivilege	2144
Token: SeCreatePagefilePrivilege	2144

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4504 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

4540 OpenWith.exe
2144
2144

pid	process
4504	rundll32.exe

pid	process
4540	OpenWith.exe
2144
2144

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3BD0.exe

description	pid	process	target process
PID 2144 wrote to memory of 2820	2144		3BD0.exe
PID 2144 wrote to memory of 2820	2144		3BD0.exe
PID 2144 wrote to memory of 2820	2144		3BD0.exe
PID 2820 wrote to memory of 2368	2820	3BD0.exe	appidtel.exe
PID 2820 wrote to memory of 2368	2820	3BD0.exe	appidtel.exe
PID 2820 wrote to memory of 2368	2820	3BD0.exe	appidtel.exe
PID 2820 wrote to memory of 4504	2820	3BD0.exe	rundll32.exe
PID 2820 wrote to memory of 4504	2820	3BD0.exe	rundll32.exe
PID 2820 wrote to memory of 4504	2820	3BD0.exe	rundll32.exe
PID 2820 wrote to memory of 4504	2820	3BD0.exe	rundll32.exe
PID 2144 wrote to memory of 5016	2144		7933.exe
PID 2144 wrote to memory of 5016	2144		7933.exe
PID 2144 wrote to memory of 5016	2144		7933.exe

C:\Users\Admin\AppData\Local\Temp\1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe
"C:\Users\Admin\AppData\Local\Temp\1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Users\Admin\AppData\Local\Temp\3BD0.exe
C:\Users\Admin\AppData\Local\Temp\3BD0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:2368

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4504

C:\Users\Admin\AppData\Roaming\udsbduw
C:\Users\Admin\AppData\Roaming\udsbduw
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Users\Admin\AppData\Local\Temp\7933.exe
C:\Users\Admin\AppData\Local\Temp\7933.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1748
2⤵
- Program crash
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\01636ca4-e395-41a2-a392-f421478506d1\1713683155.pri
Filesize
3KB

MD5
3d2f97aca704836e5a440db3c2b2d5f8

SHA1
b4710c16a79a3880ec3df0ba37a27dbb60021b0b

SHA256
af2fc4069e6e84d29d5a4cd37c52713337ffac0c2df1f2cc02c1ade946a817db

SHA512
e55f72d13fb241c124c43ad69f90ca4eaf7bb696505990925e997f6ffe3fda775bc3892437694ee596ed42a11dbc83496cd4f22fa1b61ac45db81bf0ac8980a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BD0.exe
Filesize
8.4MB

MD5
26b7073a5ae1ee5015cb712b883b6fae

SHA1
a0dd060a51a516b0413537d3bb7be78b99813359

SHA256
d503cb0269cd044dcd38a06cf1df7839d4045e764e2fdeae3560b97bd5155f15

SHA512
2a1fde5c59a4c4fb24176740d77ff22abd52b71e34bea40851728907323150f8772867337d80a9438eb0f1896c58605437440e9e2f0cb2c9ee5fec6cdb874f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BD0.exe
Filesize
8.4MB

MD5
26b7073a5ae1ee5015cb712b883b6fae

SHA1
a0dd060a51a516b0413537d3bb7be78b99813359

SHA256
d503cb0269cd044dcd38a06cf1df7839d4045e764e2fdeae3560b97bd5155f15

SHA512
2a1fde5c59a4c4fb24176740d77ff22abd52b71e34bea40851728907323150f8772867337d80a9438eb0f1896c58605437440e9e2f0cb2c9ee5fec6cdb874f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7933.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\7933.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
2b332ec3539d7ae839f4f6706c41f5fa

SHA1
22041d6c79f91cf2dc09b3b81ffcc0aec1a9b854

SHA256
3cee7f4853cbb8c238d2a56f17193a2dd615bb8c0cf5576b4dd3d3cf7f9ff636

SHA512
7757f62fa08d8ed6390977a4609061e70a5fe68c0327f423ea0a9c88a3fc659ed0a2d3250e7344ce1a7e598ed5d19102d8c87d71cddcf9724206ba88e469906f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
Filesize
2KB

MD5
c8c7e9b4224595317a08c41e6d042f1b

SHA1
1dd853cd297486844714db4301669ae5702385ef

SHA256
a3150537957b83b897283c60c695acf5eb2af4e98c65480aee2f75e537c6dbdb

SHA512
e5e1d4a680e9fe3f2cec35c7c115f3ea989d7840c4f1ec3a2802e927042eb4aab0aa88ed044753108f03f6e8d01586f61ca171237bc54c32a4febcdc5ccb673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6116bae-0100-4484-b715-90bda65650d7.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Roaming\udsbduw
Filesize
221KB

MD5
b003078f86a2ee4bd3eea3e3e9dc4cd0

SHA1
d0ad65dddd52c488d2d5fcb41d1bc40d4aea0357

SHA256
1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5

SHA512
e895aa3ad3fc31ba7ba4ff4ae979974f8776687a38e3dea92fde15549adf88fc635766520587c852635d19ea638ba2815dcee00e86eb221d963faf369ec144d3

Download Submit
C:\Users\Admin\AppData\Roaming\udsbduw
Filesize
221KB

MD5
b003078f86a2ee4bd3eea3e3e9dc4cd0

SHA1
d0ad65dddd52c488d2d5fcb41d1bc40d4aea0357

SHA256
1d3f37d2989eed7acee995c28e8cb9010ef54c45a4ccf84be54d036388a24ab5

SHA512
e895aa3ad3fc31ba7ba4ff4ae979974f8776687a38e3dea92fde15549adf88fc635766520587c852635d19ea638ba2815dcee00e86eb221d963faf369ec144d3

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
memory/1816-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-153-0x0000000000721000-0x0000000000731000-memory.dmp

Filesize
64KB

Download
memory/1816-154-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1816-155-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1816-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-127-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-124-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-156-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2368-192-0x0000000000000000-mapping.dmp

Download
memory/2368-193-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2368-194-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-172-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-197-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2820-175-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-177-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-179-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-181-0x0000000001130000-0x0000000001971000-memory.dmp

Filesize
8.3MB

Download
memory/2820-182-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-183-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-184-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-185-0x0000000003320000-0x0000000003CF6000-memory.dmp

Filesize
9.8MB

Download
memory/2820-180-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-187-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-188-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-189-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-190-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-191-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-205-0x0000000001130000-0x0000000001971000-memory.dmp

Filesize
8.3MB

Download
memory/2820-206-0x0000000003320000-0x0000000003CF6000-memory.dmp

Filesize
9.8MB

Download
memory/2820-207-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2820-174-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-171-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-157-0x0000000000000000-mapping.dmp

Download
memory/2820-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-173-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-249-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2820-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-306-0x0000000004D10000-0x00000000057C2000-memory.dmp

Filesize
10.7MB

Download
memory/2820-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-347-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/2820-350-0x0000000004D10000-0x00000000057C2000-memory.dmp

Filesize
10.7MB

Download
memory/2820-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/2820-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/3728-246-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3728-247-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3728-244-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/3728-245-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/4504-304-0x0000000000305FB0-mapping.dmp

Download
memory/4504-371-0x0000000002820000-0x00000000031B2000-memory.dmp

Filesize
9.6MB

Download
memory/4504-415-0x0000000004C50000-0x0000000005702000-memory.dmp

Filesize
10.7MB

Download
memory/4504-506-0x0000000002820000-0x00000000031B2000-memory.dmp

Filesize
9.6MB

Download
memory/4504-507-0x0000000004C50000-0x0000000005702000-memory.dmp

Filesize
10.7MB

Download
memory/5016-317-0x0000000000000000-mapping.dmp

Download
memory/5016-374-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/5016-407-0x0000000000771000-0x000000000079D000-memory.dmp

Filesize
176KB

Download
memory/5016-409-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/5016-508-0x0000000002200000-0x0000000002249000-memory.dmp

Filesize
292KB

Download
memory/5016-509-0x0000000000771000-0x000000000079D000-memory.dmp

Filesize
176KB

Download
memory/5016-510-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download