danabot | b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2022 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
Size

269KB
MD5

d0db6fb4dda23fb89836dafd6017a8fc
SHA1

6f3d8768e07a42736c7f0e157d9393bd44ed03b6
SHA256

b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94
SHA512

6522683a962d14d12b07ca8a9b71fc933c19ef3e127ccafefd78a1bc350bb061138355f73b8a761c65ebcf851ece54f101bc57df723f4336faa727e463708cce
SSDEEP

3072:FXi5HzOJD8myKrcX27dUeRUQXbLeHIM+wfdKr8wZuqwBopgqr1jV79HnIo0K+:BiHzWrI2BUa3eo78q2IrnRIo0/

Score

10^/10

danabot smokeloader systembc backdoor banker trojan

Malware Config

Extracted

Family

danabot

172.86.120.215:443

213.227.155.103:443

103.187.26.147:443

172.86.120.138:443

Attributes

embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
type
loader

Extracted

Family

systembc

45.182.189.231:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2536-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

77 1160 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

2D59.exeF628.exeqdfpu.exesjawueu

pid process

3456 2D59.exe
4700 F628.exe
1212 qdfpu.exe
3384 sjawueu
Drops file in Windows directory 2 IoCs

Processes:

F628.exe

description ioc process

File created C:\Windows\Tasks\qdfpu.job F628.exe
File opened for modification C:\Windows\Tasks\qdfpu.job F628.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
77	1160	rundll32.exe

pid	process
3456	2D59.exe
4700	F628.exe
1212	qdfpu.exe
3384	sjawueu

description	ioc	process
File created	C:\Windows\Tasks\qdfpu.job	F628.exe
File opened for modification	C:\Windows\Tasks\qdfpu.job	F628.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3108	3456	WerFault.exe	2D59.exe
2220	3456	WerFault.exe	2D59.exe
3036	3456	WerFault.exe	2D59.exe
4392	3456	WerFault.exe	2D59.exe
616	3456	WerFault.exe	2D59.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exesjawueub251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sjawueu
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sjawueu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sjawueu
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2D59.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	2D59.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	2D59.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	2D59.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2D59.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2D59.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	2D59.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	2D59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	2D59.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe

pid	process
2536	b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
2536	b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092
3092

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3092
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exesjawueu

pid process

2536 b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
3384 sjawueu

pid	process
3092

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1296	svchost.exe
Token: SeShutdownPrivilege	1296	svchost.exe
Token: SeCreatePagefilePrivilege	1296	svchost.exe
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092
Token: SeShutdownPrivilege	3092
Token: SeCreatePagefilePrivilege	3092

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

2D59.exe

description	pid	process	target process
PID 3092 wrote to memory of 3456	3092		2D59.exe
PID 3092 wrote to memory of 3456	3092		2D59.exe
PID 3092 wrote to memory of 3456	3092		2D59.exe
PID 3456 wrote to memory of 2152	3456	2D59.exe	agentactivationruntimestarter.exe
PID 3456 wrote to memory of 2152	3456	2D59.exe	agentactivationruntimestarter.exe
PID 3456 wrote to memory of 2152	3456	2D59.exe	agentactivationruntimestarter.exe
PID 3092 wrote to memory of 4700	3092		F628.exe
PID 3092 wrote to memory of 4700	3092		F628.exe
PID 3092 wrote to memory of 4700	3092		F628.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe
PID 3456 wrote to memory of 1160	3456	2D59.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe
"C:\Users\Admin\AppData\Local\Temp\b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2536

C:\Users\Admin\AppData\Local\Temp\2D59.exe
C:\Users\Admin\AppData\Local\Temp\2D59.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\agentactivationruntimestarter.exe
C:\Windows\system32\agentactivationruntimestarter.exe
2⤵
PID:2152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Blocklisted process makes network request
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 628
2⤵
- Program crash
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 924
2⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1056
2⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1084
2⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 1032
2⤵
- Program crash
PID:616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x50c
1⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\F628.exe
C:\Users\Admin\AppData\Local\Temp\F628.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4700

C:\ProgramData\pbwpm\qdfpu.exe
C:\ProgramData\pbwpm\qdfpu.exe start
1⤵
- Executes dropped EXE
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3456 -ip 3456
1⤵
PID:2148

C:\Users\Admin\AppData\Roaming\sjawueu
C:\Users\Admin\AppData\Roaming\sjawueu
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3456 -ip 3456
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3456 -ip 3456
1⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3456 -ip 3456
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3456 -ip 3456
1⤵
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pbwpm\qdfpu.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
C:\ProgramData\pbwpm\qdfpu.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D59.exe
Filesize
1.3MB

MD5
044d24bfe683577607808993d382adbf

SHA1
88e4bea2b2fa7811040b756e2962c264d4f07c29

SHA256
bc44a6bf30e3c50959639be5ba20c7019b15ece46da8b1c9b041901adef3c3c8

SHA512
4349acbb6f2812f47b56ae21a8bb6421ec9ae85bd068cee4f10c7bd4bf17591a3038acad4b229579fde828d06cd9aa39fe09ee88af5e1b22d750b33a9a852fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2D59.exe
Filesize
1.3MB

MD5
044d24bfe683577607808993d382adbf

SHA1
88e4bea2b2fa7811040b756e2962c264d4f07c29

SHA256
bc44a6bf30e3c50959639be5ba20c7019b15ece46da8b1c9b041901adef3c3c8

SHA512
4349acbb6f2812f47b56ae21a8bb6421ec9ae85bd068cee4f10c7bd4bf17591a3038acad4b229579fde828d06cd9aa39fe09ee88af5e1b22d750b33a9a852fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dhfteep.tmp
Filesize
3.3MB

MD5
9ee66bd586450c037b6a14eed557a159

SHA1
6218331454c5204349b259ea260dd2161ce41371

SHA256
d9cf31419401bed1796f49f2daea2f9eea468c3643ab9086ba61d24e3283db0f

SHA512
eabdb81f278abe54088740b4139ca6d5b8cf99c014102128b9c3ebebf51b163d6ba0b06a066de1eeb33199c2a475c0ce585c102b7684ce2d086b493f842ee8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F628.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
C:\Users\Admin\AppData\Local\Temp\F628.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
C:\Users\Admin\AppData\Roaming\sjawueu
Filesize
269KB

MD5
d0db6fb4dda23fb89836dafd6017a8fc

SHA1
6f3d8768e07a42736c7f0e157d9393bd44ed03b6

SHA256
b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94

SHA512
6522683a962d14d12b07ca8a9b71fc933c19ef3e127ccafefd78a1bc350bb061138355f73b8a761c65ebcf851ece54f101bc57df723f4336faa727e463708cce

Download Submit
C:\Users\Admin\AppData\Roaming\sjawueu
Filesize
269KB

MD5
d0db6fb4dda23fb89836dafd6017a8fc

SHA1
6f3d8768e07a42736c7f0e157d9393bd44ed03b6

SHA256
b251c7a53d746aed311efcb379be6b78bfedfb782c11f8e5cc8fc5402eb8db94

SHA512
6522683a962d14d12b07ca8a9b71fc933c19ef3e127ccafefd78a1bc350bb061138355f73b8a761c65ebcf851ece54f101bc57df723f4336faa727e463708cce

Download Submit
memory/1160-180-0x00000000004A0000-0x00000000004A3000-memory.dmp

Filesize
12KB

Download
memory/1160-168-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/1160-177-0x00000000004A0000-0x00000000004A3000-memory.dmp

Filesize
12KB

Download
memory/1160-176-0x0000000000490000-0x0000000000493000-memory.dmp

Filesize
12KB

Download
memory/1160-175-0x0000000000480000-0x0000000000483000-memory.dmp

Filesize
12KB

Download
memory/1160-174-0x0000000000470000-0x0000000000473000-memory.dmp

Filesize
12KB

Download
memory/1160-173-0x0000000000460000-0x0000000000463000-memory.dmp

Filesize
12KB

Download
memory/1160-172-0x0000000000450000-0x0000000000453000-memory.dmp

Filesize
12KB

Download
memory/1160-171-0x0000000000440000-0x0000000000443000-memory.dmp

Filesize
12KB

Download
memory/1160-170-0x0000000000430000-0x0000000000433000-memory.dmp

Filesize
12KB

Download
memory/1160-169-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/1160-165-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/1160-167-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1160-166-0x00000000001F0000-0x00000000001F3000-memory.dmp

Filesize
12KB

Download
memory/1160-155-0x0000000000000000-mapping.dmp

Download
memory/1160-156-0x0000000000170000-0x0000000000173000-memory.dmp

Filesize
12KB

Download
memory/1160-164-0x00000000001D0000-0x00000000001D3000-memory.dmp

Filesize
12KB

Download
memory/1160-163-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1160-159-0x0000000000180000-0x0000000000183000-memory.dmp

Filesize
12KB

Download
memory/1160-161-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/1160-160-0x0000000000190000-0x0000000000193000-memory.dmp

Filesize
12KB

Download
memory/1160-162-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/1212-157-0x0000000002DDD000-0x0000000002DF2000-memory.dmp

Filesize
84KB

Download
memory/1212-158-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/2152-141-0x0000000000000000-mapping.dmp

Download
memory/2536-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/2536-132-0x0000000002D52000-0x0000000002D67000-memory.dmp

Filesize
84KB

Download
memory/2536-134-0x0000000000400000-0x0000000002C31000-memory.dmp

Filesize
40.2MB

Download
memory/2536-135-0x0000000000400000-0x0000000002C31000-memory.dmp

Filesize
40.2MB

Download
memory/3384-187-0x0000000000400000-0x0000000002C31000-memory.dmp

Filesize
40.2MB

Download
memory/3384-181-0x0000000002D72000-0x0000000002D88000-memory.dmp

Filesize
88KB

Download
memory/3384-182-0x0000000000400000-0x0000000002C31000-memory.dmp

Filesize
40.2MB

Download
memory/3456-153-0x0000000000400000-0x0000000002D3E000-memory.dmp

Filesize
41.2MB

Download
memory/3456-195-0x0000000005630000-0x00000000060EC000-memory.dmp

Filesize
10.7MB

Download
memory/3456-184-0x0000000000400000-0x0000000002D3E000-memory.dmp

Filesize
41.2MB

Download
memory/3456-193-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/3456-143-0x0000000000400000-0x0000000002D3E000-memory.dmp

Filesize
41.2MB

Download
memory/3456-136-0x0000000000000000-mapping.dmp

Download
memory/3456-142-0x0000000000400000-0x0000000002D3E000-memory.dmp

Filesize
41.2MB

Download
memory/3456-194-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/3456-192-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/3456-185-0x0000000005630000-0x00000000060EC000-memory.dmp

Filesize
10.7MB

Download
memory/3456-139-0x0000000002EC6000-0x0000000002FE7000-memory.dmp

Filesize
1.1MB

Download
memory/3456-140-0x0000000004B40000-0x0000000004E0C000-memory.dmp

Filesize
2.8MB

Download
memory/3456-191-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/3456-186-0x0000000005630000-0x00000000060EC000-memory.dmp

Filesize
10.7MB

Download
memory/3456-154-0x0000000000400000-0x0000000002D3E000-memory.dmp

Filesize
41.2MB

Download
memory/3456-188-0x0000000005630000-0x00000000060EC000-memory.dmp

Filesize
10.7MB

Download
memory/3456-189-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/3456-190-0x00000000062C0000-0x0000000006400000-memory.dmp

Filesize
1.2MB

Download
memory/4700-148-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/4700-147-0x0000000002F83000-0x0000000002F98000-memory.dmp

Filesize
84KB

Download
memory/4700-152-0x0000000002F83000-0x0000000002F98000-memory.dmp

Filesize
84KB

Download
memory/4700-144-0x0000000000000000-mapping.dmp

Download
memory/4700-149-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download