danabot | 5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
17-12-2022 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Size

214KB
MD5

e05542960134ab0160c8c7f7a17aca89
SHA1

58ece723af6a27e0125b846ea6b3edd5f64fe241
SHA256

5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f
SHA512

dc24e81ea1aee15e756347728914ee49b52ccb335ce1dc5e256d4e14a69ef1eb108aeb5067090edafb2c0fc1a8b8c7ecd8798a0c37721c79c5ea38c508f363e2
SSDEEP

3072:n5j8GLg0XpaaTR2R/5uxsppYxiq8LszNKq/o40zwUzQRKF+:5JLg0XMRY6Ip8gzUQo40M2b

Score

10^/10

danabot rhadamanthys banker stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral1/memory/4980-574-0x0000000001100000-0x000000000111D000-memory.dmp	family_rhadamanthys
behavioral1/memory/4140-594-0x00000000029C0000-0x00000000029DD000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4308 created 2500	4308	6E5B.exe	34

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1212	21EF.exe
4536	Eewfhetyyyrtfpd.exe
4308	6E5B.exe

Deletes itself 1 IoCs

pid	Process
2952	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
4308	6E5B.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4980	ngentask.exe
4980	ngentask.exe
4980	ngentask.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 4192	1212	21EF.exe	68
PID 4308 set thread context of 4980	4308	6E5B.exe	73

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	ngentask.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	ngentask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ngentask.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	21EF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21EF.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	21EF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	21EF.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21EF.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	21EF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found
2952	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2952	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
328	5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	Eewfhetyyyrtfpd.exe
Token: SeShutdownPrivilege	4980	ngentask.exe
Token: SeCreatePagefilePrivilege	4980	ngentask.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4536	Eewfhetyyyrtfpd.exe
4192	rundll32.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4536	Eewfhetyyyrtfpd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2952	Process not Found
2952	Process not Found

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 2952 wrote to memory of 1212	2952	Process not Found	66
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4536	1212	21EF.exe	67
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 1212 wrote to memory of 4192	1212	21EF.exe	68
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 2952 wrote to memory of 4308	2952	Process not Found	70
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 656	4308	6E5B.exe	71
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 3988	4308	6E5B.exe	72
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4980	4308	6E5B.exe	73
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74
PID 4308 wrote to memory of 4140	4308	6E5B.exe	74

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2500
- C:\Windows\SYSWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  PID:4140

C:\Users\Admin\AppData\Local\Temp\5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe
"C:\Users\Admin\AppData\Local\Temp\5c2f63b8821678ad4328e01f7b4512febdd8cff2ba762d6577744844514fbc3f.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:328

C:\Users\Admin\AppData\Local\Temp\21EF.exe
C:\Users\Admin\AppData\Local\Temp\21EF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4536
- C:\Windows\syswow64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:4192

C:\Users\Admin\AppData\Local\Temp\6E5B.exe
C:\Users\Admin\AppData\Local\Temp\6E5B.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  PID:3988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21EF.exe

Filesize
5.6MB

MD5
7bca245090dace95e87bb3d9b230c4d7

SHA1
83e13902c00fd1a621dcd96a36c8862ff0b61606

SHA256
ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac

SHA512
f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\21EF.exe

Filesize
5.6MB

MD5
7bca245090dace95e87bb3d9b230c4d7

SHA1
83e13902c00fd1a621dcd96a36c8862ff0b61606

SHA256
ba21117d135d43225c06751e0b8ac91522b765442984d097cedcd7386ab81dac

SHA512
f306d838e4380c516aed968aaea87524d4ccf6bad9a17d85a3f8f8fa6d90042b8b2d8e67d3aff4bda63ee5759a6369a7d5aca3aaa97e0d5c5f8149c79ecb2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5B.exe

Filesize
1.4MB

MD5
1ea8aaf997bbebac62ec8031d9304100

SHA1
e8b7a1aeae449fc28310c8244bc6940d94adabb6

SHA256
bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd

SHA512
04217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E5B.exe

Filesize
1.4MB

MD5
1ea8aaf997bbebac62ec8031d9304100

SHA1
e8b7a1aeae449fc28310c8244bc6940d94adabb6

SHA256
bf52f8def7e804055268e9f17bd8fc91edea479e7d719f9335035bfc71ef21bd

SHA512
04217d1f733e56ce32aa96758941ebd6171242f7ff3f7ed8694247aae61a9b6d1b2fa1d0477612acda5a60a32f47af690dce7fdc4c388d337ddf5fce12335b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

Filesize
2.4MB

MD5
e7053575255acd45d4213d866123dbaf

SHA1
95fa5a2178eb1dd6a445685b3ab2905c11045d0c

SHA256
794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

SHA512
e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

Filesize
2.4MB

MD5
e7053575255acd45d4213d866123dbaf

SHA1
95fa5a2178eb1dd6a445685b3ab2905c11045d0c

SHA256
794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

SHA512
e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.dll

Filesize
262KB

MD5
564c99014ae888f17308f74816badcd6

SHA1
2611cec6d45c980cf51d08f0551a8cbdceee415a

SHA256
45a3a376d60c8b6fe1f231fd2119d1226d76a5d8682e7129635e67589252e628

SHA512
e5843a3e716b9aefebe19b9bda79cec5098f67dffea384b67afa8c13305a92a7b7fb5fd4a4f8664efd2a193fbdee5077f3d6da3789fa75352cf5f8c57e77870f

Download Submit
memory/328-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-137-0x00000000006B1000-0x00000000006C1000-memory.dmp

Filesize
64KB

Download
memory/328-138-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/328-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-140-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/328-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-156-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-189-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-190-0x0000000000D70000-0x00000000012ED000-memory.dmp

Filesize
5.5MB

Download
memory/1212-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-157-0x0000000000000000-mapping.dmp

Download
memory/1212-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-184-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-187-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-188-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-192-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-198-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-191-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-194-0x0000000002B90000-0x000000000314D000-memory.dmp

Filesize
5.7MB

Download
memory/1212-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-268-0x0000000006BF0000-0x0000000007315000-memory.dmp

Filesize
7.1MB

Download
memory/1212-450-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-393-0x0000000006BF0000-0x0000000007315000-memory.dmp

Filesize
7.1MB

Download
memory/1212-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-387-0x0000000000400000-0x00000000009BE000-memory.dmp

Filesize
5.7MB

Download
memory/1212-386-0x0000000000D70000-0x00000000012ED000-memory.dmp

Filesize
5.5MB

Download
memory/4140-593-0x0000000002600000-0x0000000002629000-memory.dmp

Filesize
164KB

Download
memory/4140-594-0x00000000029C0000-0x00000000029DD000-memory.dmp

Filesize
116KB

Download
memory/4140-555-0x0000000002600000-0x0000000002629000-memory.dmp

Filesize
164KB

Download
memory/4140-517-0x0000000000000000-mapping.dmp

Download
memory/4192-334-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4192-357-0x0000000004460000-0x0000000004B85000-memory.dmp

Filesize
7.1MB

Download
memory/4192-384-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4192-275-0x0000000000A95FB0-mapping.dmp

Download
memory/4192-385-0x0000000004460000-0x0000000004B85000-memory.dmp

Filesize
7.1MB

Download
memory/4308-422-0x0000000002520000-0x0000000002649000-memory.dmp

Filesize
1.2MB

Download
memory/4308-554-0x000000000FA00000-0x000000000FC6F000-memory.dmp

Filesize
2.4MB

Download
memory/4308-511-0x0000000002520000-0x0000000002649000-memory.dmp

Filesize
1.2MB

Download
memory/4308-388-0x0000000000000000-mapping.dmp

Download
memory/4308-452-0x000000000FA00000-0x000000000FC6F000-memory.dmp

Filesize
2.4MB

Download
memory/4536-215-0x0000000000000000-mapping.dmp

Download
memory/4980-620-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4980-512-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4980-574-0x0000000001100000-0x000000000111D000-memory.dmp

Filesize
116KB

Download
memory/4980-575-0x00000000032E0000-0x00000000034B0000-memory.dmp

Filesize
1.8MB

Download