Analysis
max time kernel: 30s
max time network: 33s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-06-2024 14:15
Behavioral tasks
behavioral1: Sample DANGER.rar, Resource win11-20240508-en
behavioral2: Sample DANGER/requirements.txt, Resource win11-20240611-en
behavioral3: Sample DANGER/src/DANGER.exe, Resource win11-20240508-en
behavioral4: Sample main.pyc, Resource win11-20240508-en
behavioral5: Sample DANGER/start.bat, Resource win11-20240611-en
General
Target: DANGER.rar
Size: 40.2MB
MD5: 76adde3d64df2822df260224c268510e
SHA1: 9723bde0bc4d86bc17546c5cd6a93d792eb62e27
SHA256: 9f7b01b4f6ddbff787b1af1e1b5ed7301e8cfef0f6387797cc30cd00dcebe1c2
SHA512: c9bfc0d20df95ca4ce07d1ec5f5ffd541b7604d25f10d06e73675b3205cc18a7ac6d0f97f9d88a5d285e701104c3bc5ae8b81bc4506b564f75b875dd9cf2cf3c
SSDEEP: 786432:vlIwXHQJJybz7AsqoboYLqkRWLGNSeCt0vFIzjiK8JgjeJZ69SkBv6o:vqwXHQXmXAsq4PLqkRrLCevFIzjiK8Jw
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: WINWORD.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 2 IoCs
Processes: cmd.exe, OpenWith.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | OpenWith.exe
-
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes: WINWORD.EXE, WINWORD.EXE
pid | process | occurrences
1764 | WINWORD.EXE | 2
536 | WINWORD.EXE | 2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: OpenWith.exe
pid | process
416 | OpenWith.exe
-
Suspicious use of SetWindowsHookEx 39 IoCs
Processes: OpenWith.exe, WINWORD.EXE, WINWORD.EXE
pid | process | occurrences
416 | OpenWith.exe | 23
1764 | WINWORD.EXE | 7
536 | WINWORD.EXE | 9
Processes
-
C:\Windows\system32\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\DANGER.rar
- Modifies registry class
PID:2320
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:416
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:536
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1764
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4796
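A caveat on reading the signatures above: the CentralProcessor\0 and BIOS value reads are the classic host-fingerprinting pattern, but the reader here is WINWORD.EXE opening These.docx from the user's Documents folder, and the process tree shows cmd /c handing DANGER.rar straight to OpenWith.exe (no application registered for the .rar extension), so nothing from the archive itself executed in this task. A detection built on this signature therefore needs the image path and not just the process name. The following Python is an added example, not part of the report or of any sandbox's own logic: it parses rows in the report's "description | ioc | process" layout, with an assumed extra image-path and PID column, and scores each process by how many fingerprint values it queried. The Office and System32 allowlist is an assumed local policy; the DANGER.exe rows and its path under Temp are hypothetical, constructed to show the non-allowlisted case.

```python
"""Score registry reads that fingerprint the host, per process.

Added example, not part of the sandbox report. Rows are constructed to
mirror the report's "description | ioc | process" table with two assumed
extra columns (full image path and PID) taken from the process tree; the
DANGER.exe rows are hypothetical, since that binary never ran in this task.
"""
from collections import defaultdict

# Registry values commonly queried to decide whether the host is a VM or
# sandbox (CPU name/speed, BIOS family/SKU/vendor). Extend as needed.
FINGERPRINT_VALUES = {
    r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\~MHZ": "cpu_mhz",
    r"HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0\PROCESSORNAMESTRING": "cpu_name",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMFAMILY": "bios_family",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMSKU": "bios_sku",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMMANUFACTURER": "bios_manufacturer",
    r"HARDWARE\DESCRIPTION\SYSTEM\BIOS\SYSTEMPRODUCTNAME": "bios_product",
}

# Assumed allowlist: images that read these values as part of normal
# startup. Office does (the report shows WINWORD.EXE doing it), so the
# signal is only interesting for binaries outside these trees.
EXPECTED_IMAGE_PREFIXES = (
    "C:\\PROGRAM FILES\\MICROSOFT OFFICE\\",
    "C:\\WINDOWS\\SYSTEM32\\",
)

# Constructed input: the report's WINWORD.EXE rows (PID 536), the cmd.exe
# class-key row, and hypothetical rows for an unpacked DANGER.exe.
SAMPLE_ROWS = r"""
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | 536
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | 2320
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\DANGER\src\DANGER.exe | 9999
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\DANGER\src\DANGER.exe | 9999
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\DANGER\src\DANGER.exe | 9999
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\DANGER\src\DANGER.exe | 9999
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Users\Admin\AppData\Local\Temp\DANGER\src\DANGER.exe | 9999
"""


def normalise(key):
    """Uppercase and strip the NT \\REGISTRY\\MACHINE prefix (HKLM)."""
    key = key.upper()
    hklm = "\\REGISTRY\\MACHINE\\"
    return key[len(hklm):] if key.startswith(hklm) else key


def parse_rows(text):
    """Return (action, normalised_key, image_path, pid) tuples."""
    events = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != 4:
            continue  # separator or malformed row
        action, key, image, pid = fields
        events.append((action, normalise(key), image, int(pid)))
    return events


def score_processes(events, threshold=3):
    """Per PID: which fingerprint values were read, plus a verdict.

    Only value reads count; merely opening the key reveals nothing.
    """
    tags_by_pid = defaultdict(set)
    image_by_pid = {}
    for action, key, image, pid in events:
        image_by_pid[pid] = image
        if action != "Key value queried":
            continue
        tag = FINGERPRINT_VALUES.get(key)
        if tag:
            tags_by_pid[pid].add(tag)

    findings = {}
    for pid, image in image_by_pid.items():
        tags = sorted(tags_by_pid.get(pid, ()))
        if not tags:
            verdict = "none"
        elif image.upper().startswith(EXPECTED_IMAGE_PREFIXES):
            verdict = "expected"    # known-benign reader of these values
        elif len(tags) >= threshold:
            verdict = "suspicious"  # several fingerprint values, unknown image
        else:
            verdict = "low"
        findings[pid] = {"image": image, "tags": tags, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for pid, f in sorted(score_processes(parse_rows(SAMPLE_ROWS)).items()):
        print(f"{pid:>5} {f['verdict']:<10} {', '.join(f['tags']) or '-'}  {f['image']}")
```

Run as a script it prints one line per PID; the Office instance comes out as "expected" despite reading four fingerprint values, while the hypothetical binary under Temp is "suspicious". The threshold is deliberately a parameter: a single ProcessorNameString read is routine, several distinct values from one unknown image are not.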
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 471B
MD5: ecf64da67bdcb5a1667699e145278b12
SHA1: f075d38e976968daf0dc36bb6892887a6f919cf7
SHA256: d6ff01235e59d33b55b19b729eae670d5536d72cec4566c9a23d6a00cf211d7a
SHA512: f46ae7db1f401fb07e3501375666f7d709394b349e3f67e1f8885c357d6d79976244b8823fef3da87e8b0c504c2dba9748ca9b46871d78327611e5d4caa0b0ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 412B
MD5: a45a25b621af613e3736602effff04ba
SHA1: 9b408a50dcfd90db085a90223fca63ae4bc0d5e7
SHA256: 59e898b8ddb25da9b9df1d2b2e6ec311148220c28e3e25ec418e1e587edbcb5c
SHA512: 929da2eda6f510fe97e3078e3681c44fa17af70b75aec4703f6fb0714d8c463990f292738121bd77141a30afa4394b98a37e1d309686e7976767305713db0e8e
-
Filesize: 21B
MD5: f1b59332b953b3c99b3c95a44249c0d2
SHA1: 1b16a2ca32bf8481e18ff8b7365229b598908991
SHA256: 138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c
SHA512: 3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4
-
Filesize: 417B
MD5: c56ff60fbd601e84edd5a0ff1010d584
SHA1: 342abb130dabeacde1d8ced806d67a3aef00a749
SHA256: 200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c
SHA512: acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e
-
Filesize: 87B
MD5: e4e83f8123e9740b8aa3c3dfa77c1c04
SHA1: 5281eae96efde7b0e16a1d977f005f0d3bd7aad0
SHA256: 6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31
SHA512: bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9
-
Filesize: 14B
MD5: 6ca4960355e4951c72aa5f6364e459d5
SHA1: 2fd90b4ec32804dff7a41b6e63c8b0a40b592113
SHA256: 88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3
SHA512: 8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d
-
Filesize: 21KB
MD5: 390c3fcb62bb5a6e7b94333ca3128348
SHA1: 84eabbca1e06138bef449dfd8fd188c7bc2ff17e
SHA256: 2fe660b516ae958e99f4aef2e189db907b213635ab7b9e0226aca53763f8a904
SHA512: fbe93219519e998e9ccab495416205eaa4c6268653c7157371ae9b7c155d51e8f3481e21d47136d385a0f842769ee9165e212efd19a5495922075ccc8e1ead27
-
Filesize: 24KB
MD5: b00f3f56c104c94e03cd2ad8452c14e7
SHA1: 51b78e45015e0d9d62fbdf31b75a22535a107204
SHA256: ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50
SHA512: 93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525
-
Filesize: 1KB
MD5: accb7dff66cb32a4c343fdcaa32d4bff
SHA1: 96ec7cdfe905d3a7a40daf51d1ece8e050c009a0
SHA256: b2dd482cb590066cab02fc330c3b1defc3eb7f2e8965e52d9e29bd061c5a0fd4
SHA512: ae8604dfbdd4130f31e9872442be06ced6974ad848dbfcad3f2b7a0ec2b5254a4d299dd5cc68ef03ff2a3885c4212ec1c8c1616317e42e18d782fe4bf7ed5267
-
Filesize: 202B
MD5: 4566d1d70073cd75fe35acb78ff9d082
SHA1: f602ecc057a3c19aa07671b34b4fdd662aa033cc
SHA256: fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0
SHA512: b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8
-
Filesize: 162B
MD5: e1d4c08162af8f8e7889113dbfefaff8
SHA1: 2d6b9caf61e38baca1463496bfc8cb6ad0cc0c2f
SHA256: 25174dde1c81e87b98910aab5b8254306f75bc15d56326cab13b3c0d0d642b23
SHA512: 77f8d01b6106dd83c0a5432a15fff10080b3e075e1443e8d0c322b473cf75324b5f675fe949c1030c833ada7bbfb4adb2bc20cd842d6e3c38cde281f3eff274a