Analysis
max time kernel: 139s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-04-2024 13:34
Static task: static1
General
Target: sample.html
Size: 18KB
MD5: 83adf2a9493d0711fcfdaa64b040bb6c
SHA1: fe0b6838b520a6fe0d4c0d75275c08d06ae236bd
SHA256: ee67bbba7c125f2a45b79476ff5e41f29b364f2f22c659aa76f44ef17ae3d7d3
SHA512: c09c190494dc72214b418126dec222640f4654168f7c530cdd70b9331acba797cad51250631e8b5dc9675b0717195514acd5f535d39e256447aef99bf16936f6
SSDEEP: 384:rCgPDpmReVoOs4Si9ylKeGMVU8HhhbBqbM7rS2LjFrSnT+SVJCBXQL:rHPBVoOs4SmyI1M5BhbEb67FrSnFJQQL
Malware Config
Extracted (family: danabot)
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures

Danabot x86 payload (1 IoC)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  resource: C:\Users\Admin\DOWNLO~1\DanaBot.dll  yara_rule: family_danabot

Blocklisted process makes network request (3 IoCs)
  flow 141  pid 6088  rundll32.exe
  flow 159  pid 6088  rundll32.exe
  flow 161  pid 6088  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid 3668  DanaBot.exe
  pid 532   DanaBot.exe
  pid 5076  DanaBot.exe

Loads dropped DLL (4 IoCs)
  pid 5444  regsvr32.exe
  pid 5444  regsvr32.exe
  pid 6088  rundll32.exe
  pid 6088  rundll32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Program crash (3 IoCs)
  pid 5128  WerFault.exe  target pid 3668  DanaBot.exe
  pid 4596  WerFault.exe  target pid 532   DanaBot.exe
  pid 4272  WerFault.exe  target pid 5076  DanaBot.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2288054676-1871194608-3559553667-1000\{BBFE23BE-B314-4A26-8E70-AFD1A916C56E}  msedge.exe

NTFS ADS (3 IoCs)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 535764.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 790904.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 927076.crdownload:SmartScreen  msedge.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid 960   msedge.exe (x2)
  pid 2408  msedge.exe (x2)
  pid 3144  identity_helper.exe (x2)
  pid 5216  msedge.exe (x2)
  pid 4536  msedge.exe (x2)
  pid 2044  msedge.exe (x2)
  pid 4828  msedge.exe (x2)
  pid 5976  msedge.exe (x4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid 2408  msedge.exe (x15)

Suspicious use of FindShellTrayWindow (57 IoCs)
  pid 2408  msedge.exe (x57)

Suspicious use of SendNotifyMessage (26 IoCs)
  pid 2408  msedge.exe (x26)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 writes are by PID 2408 (msedge.exe) into its own child msedge.exe processes, target PIDs 1604, 1128, 960 and 3784.
Processes
(command line as recorded; indentation shows depth in the process tree; image path given only where it differs from the command line)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc824f46f8,0x7ffc824f4708,0x7ffc824f4718
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5840 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5796 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6508 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\Downloads\DanaBot.exe"
  - Executes dropped EXE
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@3668  (image: C:\Windows\SysWOW64\regsvr32.exe)
    - Loads dropped DLL
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 456
    - Program crash
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\Downloads\DanaBot.exe"
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 152
    - Program crash
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10178869790284337698,5171582831524023614,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1380 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3668 -ip 3668

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 532 -ip 532

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

"C:\Users\Admin\Downloads\DanaBot.exe"
- Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 152
  - Program crash

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5076 -ip 5076
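The process tree above is the part of this report a detection engineer would encode: Edge writes and launches DanaBot.exe from Downloads, DanaBot.exe calls regsvr32 with `-s <dll> f1 <its own path>@<its own pid>`, regsvr32 spawns rundll32 on the same DLL with export `f0`, and that rundll32 instance is the one that talks to the extracted addresses. The following is an added example written for this page, not tooling published by the sandbox: it runs that logic over process-creation and network events constructed from the report. The flat event schema (pid, ppid, image, cmdline, dst_ip) is an assumption, the pid 7001 for the shell32 rundll32 instance and the 192.0.2.10 destination are made up for the negative cases, and the "parent" of the top-level Edge process is set to a placeholder 1. One caveat visible in the report itself: the regsvr32 command line says `C:\Windows\system32`, but the image is `C:\Windows\SysWOW64\regsvr32.exe`, because a 32-bit DanaBot.exe is subject to WoW64 file-system redirection; the rule therefore matches on the image's basename and only parses paths out of the command line.

```python
"""Detection logic for the DanaBot loader chain recorded in the report above.

Added example, not sandbox tooling. The event schema (pid, ppid, image,
cmdline, dst_ip) is an assumption; the events are constructed from the
report's process tree and extracted config, with a few made-up negatives.
"""
import re
from dataclasses import dataclass

# C2 addresses from the report's extracted danabot config.
DANABOT_C2 = {"51.178.195.151", "51.222.39.81", "149.255.35.125",
              "38.68.50.179", "51.77.7.204"}

# Stage 1 (from the tree): regsvr32 -s <dll> f1 <dropper.exe>@<dropper pid>
REGSVR32_RE = re.compile(
    r"regsvr32\.exe\s+-s\s+(?P<dll>\S+\.dll)\s+f1\s+(?P<exe>\S+)@(?P<ppid>\d+)", re.I)
# Stage 2 (from the tree): rundll32 <dll>,f0
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),f0\b", re.I)
# User-writable download locations, including the 8.3 form the report shows.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(DOWNLO~1|Downloads|AppData)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image (what the kernel actually mapped)
    cmdline: str    # attacker-controlled; only ever parsed, never trusted for the binary


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, nets):
    """Return sorted (rule, pid, detail) hits for the loader chain and C2 contact."""
    by_pid = {p.pid: p for p in procs}
    hits = set()
    stage1 = {}  # regsvr32 pid -> DLL it was told to register (lower-cased)

    # Pass 1: regsvr32 instances that register a DLL from a download folder and
    # whose "@<pid>" argument names their own parent (the dropper).
    for p in procs:
        if basename(p.image) == "regsvr32.exe":
            m = REGSVR32_RE.search(p.cmdline)
            if m and USER_WRITABLE_RE.match(m["dll"]) and int(m["ppid"]) == p.ppid:
                stage1[p.pid] = m["dll"].lower()
                hits.add(("danabot_loader_regsvr32", p.pid, m["dll"]))

    # Pass 2: browser-spawned downloads, rundll32 stage, and the complete chain.
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        if (parent and basename(parent.image) == "msedge.exe"
                and name.endswith(".exe") and USER_WRITABLE_RE.match(p.image)):
            hits.add(("browser_spawned_downloaded_exe", p.pid, p.image))
        if name == "rundll32.exe":
            m = RUNDLL32_RE.search(p.cmdline)
            if m and USER_WRITABLE_RE.match(m["dll"]):
                hits.add(("danabot_loader_rundll32", p.pid, m["dll"]))
                # Chain: rundll32 is a child of the regsvr32 that loaded the same DLL.
                if stage1.get(p.ppid) == m["dll"].lower():
                    hits.add(("danabot_loader_chain", p.pid,
                              f"regsvr32 {p.ppid} -> rundll32 {p.pid}"))

    for n in nets:
        if n.dst_ip in DANABOT_C2:
            who = basename(by_pid[n.pid].image) if n.pid in by_pid else "unknown"
            hits.add(("danabot_c2_contact", n.pid, f"{who} -> {n.dst_ip}"))
    return sorted(hits)


# Constructed from the report's process tree (pids and command lines as recorded).
PROCS = [
    ProcEvent(2408, 1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html'),
    ProcEvent(3668, 2408, r"C:\Users\Admin\Downloads\DanaBot.exe", r'"C:\Users\Admin\Downloads\DanaBot.exe"'),
    ProcEvent(5444, 3668, r"C:\Windows\SysWOW64\regsvr32.exe",  # WoW64-redirected image
              r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@3668"),
    ProcEvent(6088, 5444, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0"),
    ProcEvent(5128, 3668, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 456"),
    # Benign rundll32 from the same report (pid 7001 is made up): System32 DLL, no f0 export.
    ProcEvent(7001, 1, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]
NETS = [
    NetEvent(6088, "51.178.195.151"),
    NetEvent(6088, "51.222.39.81"),
    NetEvent(2408, "192.0.2.10"),  # constructed benign destination (TEST-NET-1)
]

if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, NETS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The `@<pid>` check is what turns a generic "regsvr32 loading a DLL from Downloads" rule into a DanaBot-shaped one: the argument must equal the regsvr32 process's own parent pid, which the report shows (`DanaBot.exe@3668` under pid 3668). Keep the C2 set as a secondary signal only; the hosting addresses rotate, while the loader's export names and argument shape are the stable part of this report.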
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 5e2f0fe48e7ee1aad1c24db5c01c354a
  SHA1: 5bfeb862e107dd290d87385dc9369bd7a1006b36
  SHA256: f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
  SHA512: 140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7e0880992c640aca08737893588a0010
  SHA1: 6ceec5cb125a52751de8aeda4bab7112f68ae0fe
  SHA256: 8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
  SHA512: 52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 64fae7031b743389daeabff991cd0705
  SHA1: 1271563b9bafab90b4e7a2980dca38f6a8b2a031
  SHA256: e98b9181e4738b0fd61cdb0327836f5c6d22d67415251abba5dbb03f3f7925d8
  SHA512: e3785bfdab4b0a3f3f12d9b660ce3b01cc121c75c6f8c78f200093bef8a50c8685e0280f9744c7f2c6b3854615fe317ed69fad7f3a2c13b0a586cc4a1b1350ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: 84c32081eed58a9fb705df8803476725
  SHA1: ae01b6f28ed808226db71c0ec8aab692001e518c
  SHA256: f17f31af677e87f9fab2b646b7257501d36fdf99a87b229193a26ba4d3fcd187
  SHA512: 98ffc6856d82fc92cd3d52b57544d6ab5641924202b0d48ade9cfc1fbbae35ecfb8b3215b1daebffa5bd5ad82c2081d64f334b3374f5d2ca5897d83067bcf1b5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 7dd162ff3e5c9ec60bb5d855e4bcb5f9
  SHA1: fee8bfaef79b75fc021ff6090a3bde7f8464be7d
  SHA256: a6f5915c91fffb4deda9f78bef60878f99e0129d1ef89f833222059b6a74bb52
  SHA512: a04cce28f9eef6e593f693d32bc5e461766d85e0aac7df1010172f9caf0498c67f7db0ccf1e5fa93f08c99792e451f3cac73bd957e56b38a0db2239308062324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 9b2b49de34849e78ee1c28963979f87c
  SHA1: 804965d11b88e09c943d9cd6779976c1159a1c32
  SHA256: da3bb2ad9bb019c14f548d61ee847ce2283726c37d7d321c3f86f0f4192a8bad
  SHA512: 16a2c25d39455d835bfbd931e27e75ea237de94f9b2dc11c6277c5fd1aaa2ebafb65a904d938f6efdb736960392840890be80d81bf3a716ce56465b1e42644bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: d73ea6b758ccf54ab50441dd9465fa57
  SHA1: 052fc8864c8206a48c373c987f60d3f0dad83158
  SHA256: cbc3ae5cc06a20883e5b35875a232512b146768e0d2742fdf7df1a32d17c71a5
  SHA512: 4dc54f8ad33075140fa0671343a1045b4876c4c5dc4348f96d9793eb0fab72e38ae5d2daec6adca04f418bc9ada43c765fcac67bb9217dcb97685cba3515b43e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: b5ff7e293d86739f3200893d35f2fd53
  SHA1: c56adf7f6b37abf3c7e3309b46bab1427b9dfad8
  SHA256: 4c42d8267c5181bf48fbc3743697575dcaee953fb8bffbb42ef2c91b6255380d
  SHA512: 1689047423d62e347a30c4018683d2d253fee8a9af0b602bc69565d877886b57234f1ca4d18fb1f7b1b5f5e9ad2e30c2e624dc7eb0ba68f0f42e798c70e59fd5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 2707afd884bfab2f3d9c6728db6ee6fd
  SHA1: bcca949bcd87102dbbee6362e69f2beaf8111ac4
  SHA256: 5de7332fe2b1321b6f551cae0f9e0e0bc8e2f7016a39ce02c501bff63130a2a8
  SHA512: b246523e312808798442da72989d1f42cfe707f6c780cd11299459a7ce1192034f25db8590e9472b71359395c714a7e6cbde858a8bb56555478ddbe440b2d78e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 53db29a3b40e011253308296502dc22a
  SHA1: adfafa907e3224ce8286ea3f7ad08c7beade6e7a
  SHA256: 2e6cc614cd2cd6df172f8ccc57743d2af17910eb68ed3bec62d87a40522a5f02
  SHA512: 69ea4d89da2985f0d89e44eb7c3ba06752e6aec65a0c9ee1b98f5bac7b6f3bcd9551813022902a2ca491e1f8ab2c883590031013f5e778deae03671167838f5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 8f18e0b4abed9fdfe8026b9ce902ad36
  SHA1: eb5f59526b678c1c127e6fc002f8e552e65f69a6
  SHA256: 42cb07c7ac4cbd66311e6ba1ed47faaf3ef9b8d957e10b3291575ad70e03e27f
  SHA512: fc56f429ea90d24e42836492810a5c553298b706c0e7b36705daf001f3c3d54678d472f43c92033749c932a7fc2a786a79cb66ca73d4a08f8251eff26da704e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: ccd4bd8098aefb0672825e0e0db65f57
  SHA1: e6e412ad8c555d3dafccf2eb116ea13455f2e594
  SHA256: d706f9e78aaf2bced62e856d12a36d40df9354ab3ee2332bf510c5a112003558
  SHA512: 6e86663241713ab16f2d34796b9334aece9126658e99186defc84cdc27fd9b2f71f299d89cfaa35d6d5dadaddd705da3b55b4720f50b55b820ef9a266fc57e43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 6ad485a43f8caaa96a910ca5cf193a1f
  SHA1: d2f032b5b60e0749838c80ad86c6507e785ba76d
  SHA256: 090b6fea014cf092c38e96cdc2473f9ea44a698f4ef9c197c14704392fc3bf3f
  SHA512: d4d7ccea06cc195835f3d11be7e2f13654d77e2a5c1c4d2cd604ba6897a1c15f5ceb5612a0d304c9cf2047a75f01358169f6421418119f49d5ad0a95623c7346

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: cdb78dea8058f04d4a361faa2aec5dac
  SHA1: 1403254a3598ec092425f9ae9bb48e1da2338137
  SHA256: d16f6c4479c2d57501514d448b1acff423c8459cf6920a686b772b08a666a18e
  SHA512: 7e1601b268a8fab19df814b2e9743b2bc9ca4ec0da356949f36e5a8c999d457fd49fd1da39e009d95923cd00a7a506aae55e71542f6b813359c61fcd82f440c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 4d0d3ea44fba4980a0230dfb75e794d9
  SHA1: be88ad656857533e3fee1d5278faadf131fb07d7
  SHA256: bd4df628af284068d7b303fa5250e405a9175c380b6f0c7392b2755e4eb82a53
  SHA512: 74cc4771a4cbddf316f9e1bad3472b25d20049d699317a7eb10fdcb1bf0bccc40dabedd8b374b25b71c01b42fcb0fbf1cfdfe38f3d876c81b0cb8507ef121993

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e5ad.TMP
  Filesize: 538B
  MD5: ed16798b982c6c4dc338613da36def3e
  SHA1: 40fcfa5d49a1e5c7522858c0c9250dfe8e82bdf1
  SHA256: 2f3d30ef1b1325a7da620654de6e7c0d972ef89d374ddc0c42233f98ec50f79e
  SHA512: cbd5594c504a0da21c46135804d4ba69d2520365642ee21decc88073150130dd411faaf3d6864ff08ee8c40114ac9f800f338fc4804154de0408ae9d2d214338

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: d63004f5ae6ad68d08a7550c1726a58b
  SHA1: fe3e60d95f85a9bda7f3584ca86da4ac7f414709
  SHA256: 523a8863378b9aff9cd6a7c033b06bb4a9ddbb821cdd7c0601439e1e1303fba4
  SHA512: a4aba8f7b2ef591e64afc2e202abb056f3212f822c7b15670c16772191563a60514855c8e19cb188de934fdde7a2250be6fc4108c991b78dbbe89232b55abe21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 12KB
  MD5: 03c8160fb0256f135477dbc453ae600c
  SHA1: 7559b11123fd2d35eb624b555cf8ff4b83cac50e
  SHA256: 5580be9c5a32841bfc3c002f62e604076c36a7985e2742bf4b297087dac00dd0
  SHA512: 74bb1b011c1c4f42ead905a6416cfa9fde8448e9f96b870cbc7663857c000d73aa6b3bed49b35eede27fa93510d1183295c070990f9abadc3230f294a3f4e2bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b92e10593bb0da5f0637636b2057efd2
  SHA1: 1c4a01b8ed1731521a3c49bd823a68f290ebabd9
  SHA256: ba0ba4de4edefc9a24e98861be50fdede64658b2e65789b7a4de6c47a4f9779e
  SHA512: 309b26fe39eb117c6c8846377e75715e1ed76edb02dfe9a652eb8a4125187e5f3dea53d33ea76b85f33673572655020a4eae066a4e598fb8968bd70d46ae8c26

C:\Users\Admin\DOWNLO~1\DanaBot.dll
  Filesize: 2.4MB
  MD5: 7e76f7a5c55a5bc5f5e2d7a9e886782b
  SHA1: fc500153dba682e53776bef53123086f00c0e041
  SHA256: abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
  SHA512: 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

C:\Users\Admin\Downloads\Unconfirmed 927076.crdownload
  Filesize: 2.7MB
  MD5: 48d8f7bbb500af66baa765279ce58045
  SHA1: 2cdb5fdeee4e9c7bd2e5f744150521963487eb71
  SHA256: db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
  SHA512: aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

\??\pipe\LOCAL\crashpad_2408_UHHDQHFCKMNYQVFP
  (no size recorded; the four digests below are the hashes of zero-length input, so they identify nothing and should not be used as indicators)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Memory dumps
  memory/532-651-0x0000000002770000-0x00000000029EB000-memory.dmp   Filesize: 2.5MB
  memory/532-662-0x0000000000400000-0x0000000000AAD000-memory.dmp   Filesize: 6.7MB
  memory/532-652-0x0000000000400000-0x0000000000AAD000-memory.dmp   Filesize: 6.7MB
  memory/3668-603-0x00000000029B0000-0x0000000002C3D000-memory.dmp  Filesize: 2.6MB
  memory/3668-592-0x0000000000400000-0x0000000000AAD000-memory.dmp  Filesize: 6.7MB
  memory/3668-591-0x00000000029B0000-0x0000000002C3D000-memory.dmp  Filesize: 2.6MB
  memory/3668-602-0x0000000000400000-0x0000000000AAD000-memory.dmp  Filesize: 6.7MB
  memory/3668-590-0x0000000002720000-0x00000000029A8000-memory.dmp  Filesize: 2.5MB
  memory/5076-678-0x0000000002710000-0x000000000298D000-memory.dmp  Filesize: 2.5MB
  memory/5076-679-0x0000000000400000-0x0000000000AAD000-memory.dmp  Filesize: 6.7MB
  memory/5076-682-0x0000000000400000-0x0000000000AAD000-memory.dmp  Filesize: 6.7MB
  memory/5444-597-0x0000000002240000-0x00000000024AB000-memory.dmp  Filesize: 2.4MB
  memory/5444-598-0x0000000000830000-0x0000000000831000-memory.dmp  Filesize: 4KB
  memory/6088-626-0x0000000002600000-0x000000000286B000-memory.dmp  Filesize: 2.4MB
  memory/6088-601-0x0000000002600000-0x000000000286B000-memory.dmp  Filesize: 2.4MB
  memory/6088-672-0x0000000002600000-0x000000000286B000-memory.dmp  Filesize: 2.4MB