danabot | 4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7

General

Target

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Size

4.4MB
MD5

49a30a20e0376301f0dfb1793e04a2e2
SHA1

c7ffa147528a459e457055292c495284a018f07b
SHA256

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7
SHA512

fa966e0c2f49e8740122168d6a27d56c3cdd1416cce39a695795f74e695919ad550186b156bec3113b86e3f693071eee57ab60585fa8a7514bef0a573a9c6fe7
SSDEEP

98304:WZ0FeOexKrUi33OKsV0ZIJyQA2bsv2letgbaIisfRrl84:WZ0FeOeorZ3eKsV0CJ02o2egbgO

Score

10^/10

danabot banker trojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Executes dropped EXE 1 IoCs

Processes:

Orwtaofpwtre.exe

pid process

5020 Orwtaofpwtre.exe

pid	process
5020	Orwtaofpwtre.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe

pid	process
4440	chrome.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe

description	pid	process	target process
PID 1616 set thread context of 4004	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

648 4004 WerFault.exe rundll32.exe
3488 4440 WerFault.exe chrome.exe

pid	pid_target	process	target process
648	4004	WerFault.exe	rundll32.exe
3488	4440	WerFault.exe	chrome.exe

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exechrome.exechrome.exe

pid process

4004 rundll32.exe
4004 rundll32.exe
2668 chrome.exe
2668 chrome.exe
4440 chrome.exe
4440 chrome.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orwtaofpwtre.exe

description pid process

Token: SeDebugPrivilege 5020 Orwtaofpwtre.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Orwtaofpwtre.exechrome.exe

pid process

5020 Orwtaofpwtre.exe
4440 chrome.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orwtaofpwtre.exe

pid process

5020 Orwtaofpwtre.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

chrome.exe

pid process

4440 chrome.exe

pid	process
4004	rundll32.exe
4004	rundll32.exe
2668	chrome.exe
2668	chrome.exe
4440	chrome.exe
4440	chrome.exe

description	pid	process
Token: SeDebugPrivilege	5020	Orwtaofpwtre.exe

pid	process
5020	Orwtaofpwtre.exe
4440	chrome.exe

pid	process
5020	Orwtaofpwtre.exe

pid	process
4440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exechrome.exe

description	pid	process	target process
PID 1616 wrote to memory of 5020	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	Orwtaofpwtre.exe
PID 1616 wrote to memory of 5020	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	Orwtaofpwtre.exe
PID 1616 wrote to memory of 5020	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	Orwtaofpwtre.exe
PID 4440 wrote to memory of 4636	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4636	4440	chrome.exe	chrome.exe
PID 1616 wrote to memory of 4004	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	rundll32.exe
PID 1616 wrote to memory of 4004	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	rundll32.exe
PID 1616 wrote to memory of 4004	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	rundll32.exe
PID 1616 wrote to memory of 4004	1616	4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe	rundll32.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4548	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2668	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 2668	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4472	4440	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe
"C:\Users\Admin\AppData\Local\Temp\4adf50b94e6915d1ca4e3e06cbb861518d881f209ff392584de57a7bd90ec2b7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
"C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5020

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1320
3⤵
- Program crash
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a2174f50,0x7ff8a2174f60,0x7ff8a2174f70
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,3290870685030241995,17552645513039146597,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,3290870685030241995,17552645513039146597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,3290870685030241995,17552645513039146597,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,3290870685030241995,17552645513039146597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3560 /prefetch:8
2⤵
PID:3792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4440 -s 3660
2⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
1⤵
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4440 -ip 4440
1⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
Filesize
1.2MB

MD5
50e03c260a0f6db796aa22d7443aa105

SHA1
573a47d22475dc990d57cdd33b0952b721e4ddd9

SHA256
5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

SHA512
4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

Download Submit
C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
Filesize
1.2MB

MD5
50e03c260a0f6db796aa22d7443aa105

SHA1
573a47d22475dc990d57cdd33b0952b721e4ddd9

SHA256
5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

SHA512
4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

Download Submit
\??\pipe\crashpad_4440_DYSNGVXQRDAPOGXO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1616-143-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-142-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-137-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-138-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-139-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-140-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-141-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/1616-135-0x0000000006450000-0x0000000006B76000-memory.dmp

Filesize
7.1MB

Download
memory/1616-145-0x0000000006450000-0x0000000006B76000-memory.dmp

Filesize
7.1MB

Download
memory/1616-136-0x0000000006DE0000-0x0000000006F20000-memory.dmp

Filesize
1.2MB

Download
memory/4004-144-0x0000000000000000-mapping.dmp

Download
memory/4004-146-0x0000000001290000-0x0000000001896000-memory.dmp

Filesize
6.0MB

Download
memory/4004-147-0x0000000003380000-0x0000000003AA6000-memory.dmp

Filesize
7.1MB

Download
memory/4004-148-0x0000000003380000-0x0000000003AA6000-memory.dmp

Filesize
7.1MB

Download
memory/4004-149-0x0000000003B70000-0x0000000003CB0000-memory.dmp

Filesize
1.2MB

Download
memory/4004-150-0x0000000003B70000-0x0000000003CB0000-memory.dmp

Filesize
1.2MB

Download
memory/4004-153-0x0000000003B70000-0x0000000003CB0000-memory.dmp

Filesize
1.2MB

Download
memory/4004-152-0x0000000003B70000-0x0000000003CB0000-memory.dmp

Filesize
1.2MB

Download
memory/4004-154-0x0000000003380000-0x0000000003AA6000-memory.dmp

Filesize
7.1MB

Download
memory/5020-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads