danabot | 1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
24-10-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
Size

221KB
MD5

92131ef7c2b669f6982e61f5045f87ae
SHA1

e76c98d8af081d4ede4bc1889e07c1052f28ae2d
SHA256

1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49
SHA512

d5ecdd4f2db0bde3053aff68d5ce3b3245dc6c2d7895d908e569adff6f75bc1385d5ae79fac83711df58a4b8c2bac2b168237a8ca93fcc77c56c1b8942df6522
SSDEEP

3072:pnnLHJ/vSTcwcZqlwLUNOwo6Usn574TeRI/fzFRakuws8a3hpso:pn93SqLU3o/zeOnzzaHz8a3hp

Score

10^/10

danabot vidar 937 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
569235DCA8F16ED8310BBACCB674F896
type
loader

Extracted

Family

vidar

Version

55.2

Botnet

937

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
937

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

60 1472 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E36F.exe951D.exe

pid process

4648 E36F.exe
2708 951D.exe
Deletes itself 1 IoCs

Processes:

pid process

2712
Loads dropped DLL 3 IoCs

Processes:

951D.exe

pid process

2708 951D.exe
2708 951D.exe
2708 951D.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

E36F.exe

description pid process target process

PID 4648 set thread context of 1472 4648 E36F.exe rundll32.exe
Drops file in Windows directory 1 IoCs

Processes:

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3152 2708 WerFault.exe 951D.exe

flow	pid	process
60	1472	rundll32.exe

pid	process
4648	E36F.exe
2708	951D.exe

pid	process
2712

pid	process
2708	951D.exe
2708	951D.exe
2708	951D.exe

description	pid	process	target process
PID 4648 set thread context of 1472	4648	E36F.exe	rundll32.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri

pid	pid_target	process	target process
3152	2708	WerFault.exe	951D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exeE36F.exe951D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E36F.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	951D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	E36F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E36F.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E36F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	E36F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E36F.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	E36F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	951D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	E36F.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	E36F.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 22 IoCs

Processes:

rundll32.exeOpenWith.exeE36F.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	E36F.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2712

pid	process
2712

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe

pid	process
2540	1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
2540	1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2712
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe

pid process

2540 1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe

pid	process
2712

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712
Token: SeShutdownPrivilege	2712
Token: SeCreatePagefilePrivilege	2712

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exe

pid process

2712
1472 rundll32.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

2712
2712
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

3180 OpenWith.exe
2712
2712

pid	process
2712
1472	rundll32.exe

pid	process
2712
2712

pid	process
3180	OpenWith.exe
2712
2712

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

E36F.exe

description	pid	process	target process
PID 2712 wrote to memory of 4648	2712		E36F.exe
PID 2712 wrote to memory of 4648	2712		E36F.exe
PID 2712 wrote to memory of 4648	2712		E36F.exe
PID 4648 wrote to memory of 3908	4648	E36F.exe	appidtel.exe
PID 4648 wrote to memory of 3908	4648	E36F.exe	appidtel.exe
PID 4648 wrote to memory of 3908	4648	E36F.exe	appidtel.exe
PID 2712 wrote to memory of 2708	2712		951D.exe
PID 2712 wrote to memory of 2708	2712		951D.exe
PID 2712 wrote to memory of 2708	2712		951D.exe
PID 4648 wrote to memory of 1472	4648	E36F.exe	rundll32.exe
PID 4648 wrote to memory of 1472	4648	E36F.exe	rundll32.exe
PID 4648 wrote to memory of 1472	4648	E36F.exe	rundll32.exe
PID 4648 wrote to memory of 1472	4648	E36F.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe
"C:\Users\Admin\AppData\Local\Temp\1f7a10b683b0de5fe0de26dea80268144ac40511546513f39560666ae9d4fd49.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2540

C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Users\Admin\AppData\Local\Temp\E36F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\appidtel.exe
C:\Windows\system32\appidtel.exe
2⤵
PID:3908

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1472

C:\Users\Admin\AppData\Local\Temp\951D.exe
C:\Users\Admin\AppData\Local\Temp\951D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1748
2⤵
- Program crash
PID:3152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c815cc3-a697-492c-ad3d-ee39ec4beb84\3020113183.pri
Filesize
3KB

MD5
74569c19169a2e038295d05562d5da96

SHA1
fceaadfa602836b9f411753a8c397c45d75dc764

SHA256
4abc493ec8a55236df2e2ce505f53ecc9934c94a379189e7c901aa68ae005593

SHA512
1e4c79d9f1bb357c3b093b49e2f2b6629c99c38a835b43cd2ebeb4f97715989e68722c9b7ef2d0d4447eefccce67a1b9744357015de30e96464406ab1a306575

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aacb23b-65fd-4242-b509-ee40beebd386.tmp
Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\951D.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\951D.exe
Filesize
332KB

MD5
e75ec445beb33e400201791a3fba433d

SHA1
a2c29449d05c2a26077e45dfcb45e37ef7c638a8

SHA256
f16953dfb98fb54bde6e9410883839e228ee09aa0a09892ab56a5ddfc76e7a0e

SHA512
4efdb748bcaef9aa1ca5bc934d5797f692a7bbd974fc675318124a4bfce62e074fd32a3033a10057a5af5cc1b9d2c7d87de316c31bce0f5b7d61983f1f967134

Download Submit
C:\Users\Admin\AppData\Local\Temp\E36F.exe
Filesize
8.4MB

MD5
26b7073a5ae1ee5015cb712b883b6fae

SHA1
a0dd060a51a516b0413537d3bb7be78b99813359

SHA256
d503cb0269cd044dcd38a06cf1df7839d4045e764e2fdeae3560b97bd5155f15

SHA512
2a1fde5c59a4c4fb24176740d77ff22abd52b71e34bea40851728907323150f8772867337d80a9438eb0f1896c58605437440e9e2f0cb2c9ee5fec6cdb874f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\E36F.exe
Filesize
8.4MB

MD5
26b7073a5ae1ee5015cb712b883b6fae

SHA1
a0dd060a51a516b0413537d3bb7be78b99813359

SHA256
d503cb0269cd044dcd38a06cf1df7839d4045e764e2fdeae3560b97bd5155f15

SHA512
2a1fde5c59a4c4fb24176740d77ff22abd52b71e34bea40851728907323150f8772867337d80a9438eb0f1896c58605437440e9e2f0cb2c9ee5fec6cdb874f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGWSITJI-20220812-1714a.log
Filesize
184KB

MD5
384945b12fabe9c145800dc481c00434

SHA1
0ca7225e05df93ec9186e3e57cef53bbe090a3a8

SHA256
65ef1e544f629377a857cc642d685741ae75df21c3f888dffbfabc0354697f6d

SHA512
1403e4e872ba91b3063eb6b6ada26e8ada8ffbe7d2e00ca9579802149171ceec187c1f0c97330f194d005e05b5c46aecb9a6dca18fecafbc219c1bde2ce4e213

Download Submit
C:\Users\Admin\AppData\Local\Temp\Syhidsduo.tmp
Filesize
3.3MB

MD5
13d0ff809f24a408728fd6fe00241020

SHA1
fde8484da982eceb86cf6959460ffc4ce33271a9

SHA256
db9190e9eb5298547a3d266f298ec1e7ede0426841da9512f2827f1e7c027520

SHA512
38dd1c523eb9f5aa1c3da0e95f4064f22fc191ce8cea20803c5f60fcbc40d83f5c3545529863ca18f4e65b3ea7a8eddc247ae0db11c6ffa70af560998611e768

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4632.log
Filesize
470B

MD5
11fdd06fc45d3cf594840734c1e36365

SHA1
d558725548507c629b92094c9b7b978ff5262330

SHA256
e2bf63639ea1e69c7811e60ffdfd03f31d21354bf8f80533e252674262d51a9a

SHA512
df656ffc045649c1d82200aef821ec01d17b4592ea847d3d5700ba3bd3e100f8cec0f2aecb1eea44400fecbf158c86621611a5a8e0071736c1bc23b88741bc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\b402bd2a-1839-4d44-b612-679fe27bfec4.tmp
Filesize
23KB

MD5
7cd73270bd735f9fe77bc9278f9f2b8b

SHA1
b27a898970297c750fb7e4d70ad8f87c1e6c1739

SHA256
ee80340a02c0f96a3f9d01e635857d38d7b92444d6102ee29804f559f2eaa7f4

SHA512
1fe70455d4d8c0fbab9ef20cf85d0de55fea9f18499c653af5d234462aa5c45eaacceadab39e9be62dc548af4f710362dd34970e1d8a666bf09fe4101bf32077

Download Submit
C:\Users\Admin\AppData\Local\Temp\c207da40-d6da-4e55-9419-3b5a0451ed73\1713683155.pri
Filesize
3KB

MD5
3d2f97aca704836e5a440db3c2b2d5f8

SHA1
b4710c16a79a3880ec3df0ba37a27dbb60021b0b

SHA256
af2fc4069e6e84d29d5a4cd37c52713337ffac0c2df1f2cc02c1ade946a817db

SHA512
e55f72d13fb241c124c43ad69f90ca4eaf7bb696505990925e997f6ffe3fda775bc3892437694ee596ed42a11dbc83496cd4f22fa1b61ac45db81bf0ac8980a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9f7bc3b-2bdc-4b02-baea-b2f12d6cafdb.tmp
Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\dac4d7c5-9685-45a9-88f2-0464a31b480d.tmp
Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI6D50.txt
Filesize
414KB

MD5
23c32201914ed67eeb73ef01e902279b

SHA1
ca614164445a64c856b1614adac29f860d688f75

SHA256
28b3a20d19f5cc61c50a2fd63f400cb6db3463e2e1b37c0a974e15434507d440

SHA512
f1c374a4644326875beab6b7cf0766ba2205e67acc5149086caa2f9b94628ea024632e44c752de3040124b07bd92a1d07e1c46ef48a0dc97510ba8d78e6a307c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI6D50.txt
Filesize
11KB

MD5
e608cecad8f6caa78ae1581cf75b9f9c

SHA1
ca39b3733c50c9fdd559a9e0f5270fd0e8d2efad

SHA256
288d4096ba701c81c5e84bfe04d38c3558afb25bd29fa54196de21f3b5d96cc4

SHA512
ddbd14791a3f17367d0c5a74f26042b5653eddd210568831027b5f420567c594b55b31e0248815715409f40b75c2f4a795c4fd744f06b49f3f917acaa1ccb517

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9WZDNCRCWFTB_0_0010_.Public.InstallAgent.dat
Filesize
65KB

MD5
dc7e6cc5a47edc01738a38ad70f9a8b3

SHA1
c07046f0a19ad63d830fc97b6d9a79c3ede32f42

SHA256
34d45b244945e8c37900145bb52afc763074b301ca5153d369ddb900199fccca

SHA512
8ac5a5ba64c70e608b5cef3e06aca9f7bc9a9da0a9e4c9527a1b24384109306b4e93f2e1cb19375fef7c972ee9ec15361d4b34bb0eb7f97d93c4d836a6a93f10

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll
Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
memory/1472-422-0x0000000004E40000-0x00000000058F2000-memory.dmp

Filesize
10.7MB

Download
memory/1472-355-0x0000000001085FB0-mapping.dmp

Download
memory/1472-416-0x00000000030A0000-0x0000000003A32000-memory.dmp

Filesize
9.6MB

Download
memory/1472-469-0x00000000030A0000-0x0000000003A32000-memory.dmp

Filesize
9.6MB

Download
memory/1472-470-0x0000000004E40000-0x00000000058F2000-memory.dmp

Filesize
10.7MB

Download
memory/2540-131-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-134-0x00000000005F0000-0x000000000069E000-memory.dmp

Filesize
696KB

Download
memory/2540-142-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2540-143-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-145-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-144-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-146-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-147-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-148-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-149-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-150-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-151-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-152-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2540-140-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-139-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-138-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-137-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-136-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-135-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-141-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-133-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-132-0x00000000005F0000-0x000000000069E000-memory.dmp

Filesize
696KB

Download
memory/2540-130-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-129-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-128-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-127-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-126-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-125-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-124-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-123-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-121-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-120-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-119-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-118-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-117-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-115-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2540-116-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/2708-244-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/2708-297-0x0000000000400000-0x00000000005B1000-memory.dmp

Filesize
1.7MB

Download
memory/2708-296-0x0000000000921000-0x000000000094D000-memory.dmp

Filesize
176KB

Download
memory/2708-242-0x0000000000720000-0x0000000000769000-memory.dmp

Filesize
292KB

Download
memory/2708-240-0x0000000000921000-0x000000000094D000-memory.dmp

Filesize
176KB

Download
memory/2708-203-0x0000000000000000-mapping.dmp

Download
memory/3908-189-0x0000000000000000-mapping.dmp

Download
memory/3908-191-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/3908-190-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-174-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-344-0x0000000004CE0000-0x0000000005792000-memory.dmp

Filesize
10.7MB

Download
memory/4648-182-0x0000000003380000-0x0000000003D56000-memory.dmp

Filesize
9.8MB

Download
memory/4648-187-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-186-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-201-0x0000000003380000-0x0000000003D56000-memory.dmp

Filesize
9.8MB

Download
memory/4648-202-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4648-185-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-178-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-176-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-184-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-177-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-183-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-175-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-180-0x00000000011A0000-0x00000000019DF000-memory.dmp

Filesize
8.2MB

Download
memory/4648-173-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-181-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-179-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-310-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4648-188-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4648-172-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-413-0x0000000000400000-0x0000000000DE1000-memory.dmp

Filesize
9.9MB

Download
memory/4648-170-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-418-0x0000000004CE0000-0x0000000005792000-memory.dmp

Filesize
10.7MB

Download
memory/4648-171-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-169-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-168-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-167-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-166-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-165-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-164-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-161-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-160-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-159-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-158-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-157-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-156-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-155-0x0000000077E00000-0x0000000077F8E000-memory.dmp

Filesize
1.6MB

Download
memory/4648-153-0x0000000000000000-mapping.dmp

Download