Analysis
-
max time kernel
584s -
max time network
559s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
17-07-2024 01:06
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Blocklisted process makes network request 10 IoCs
-
Drops startup file 32 IoCs
-
Executes dropped EXE 15 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 17 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 20 IoCs
-
Program crash 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8001546f8,0x7ff800154708,0x7ff8001547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5492 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5604 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16914261702663421340,8215809987518603627,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"1⤵
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.exe@60322⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TEMP1_~1.ZIP\THE-MA~1\BANKIN~1\DanaBot.dll,f03⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 9484⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 4642⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6032 -ip 60321⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Amus.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Amus.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f8 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\BubbleBoy.html1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8001546f8,0x7ff800154708,0x7ff8001547182⤵
-
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Funsoul.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Happy99.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\ILOVEYOU.vbs"1⤵
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3bb4bb44h00f6h4985h86b5h037b8259ead81⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\masum.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\debug\PASSWD.LOG1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\MyPics.a.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master (1).zip\The-MALWARE-Repo-master\Trojan\000.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\system32\cmd.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\system32\cmd.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38df855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3596 -ip 35961⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
302B
MD53565a089a0f8b2b5afb04ec4379b44dc
SHA14075ac633db35b158e4142860a2fd4f331780f9c
SHA256941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb
SHA512112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5
-
Filesize
453B
MD53c134fc18e7bdaf02d63571d193799ad
SHA17e6f22569d16202195410f29e6c74d093f1fa930
SHA256087f1acb6ed4d7563daaf6f0e1110dc7b3d5b4d6130ba19389cdf3eb90e9d347
SHA5125b02fda689e01d570fced10841daea8f543467b9a0ea138149c486c6d9fd56a0684901af16cbf2b3ad7f1d0b6cf6b08bc36288afcec4d5552b5863ef854570d6
-
Filesize
604B
MD59ec5dcbc21f0309fc9c7c545063986b5
SHA1eaea4f607aeefc9f6081d4b122ebaec421e7029b
SHA256273c2c218dd1d27bca1ad23115deb50ee860332b724f7a1b1aa906e055d0d38d
SHA512e2044e50dd09b7df76b76ae96f1fbfea85a73e5055891df4b464b8cf981f5ef623fa660f6b5c3beda289d4166cb39a38e3153a1ed6e4e74fda7ea0914a3ea935
-
Filesize
755B
MD5c73f3203dbe2960f84a494e1662db2c9
SHA127835a0be12637153e54411bea70546c1de82770
SHA25660683424722818828849fcd2e3893265de28c94d660d64b8cb1d1f31a20026c2
SHA5124cbb057b8d9760f0e16bfc110405f2f239c52b0559a59759e310266fc6bf96e84fd5798a30bcbea56e748890ce335825845e0df1c269ca03501cf7f32e0cb1cc
-
Filesize
906B
MD573e598672cece33b0c27f3a2f8d3501d
SHA1cb1955298a70cd5cc2f55fe127a56dfc6fbbccfc
SHA2560250e34f90f6e94dde2cab734f5ac2cb9c6aa9fe1b91d7e9e651f20645296363
SHA5124094ba8f8b335133b836702d58c6660d2edc74d869f5bbcc1bc5a4a30f4f60e79ed4937464f0ec2f10daa4b1d866ade04c179b14450d0cb3f73ccf4b2c00fcb6
-
Filesize
1KB
MD53b1cc48b2addf796ebde1c6d0c020bea
SHA153b249bef441ad8dff4f5a90ef149ab10803cfdf
SHA256d8c19dae05edffa4dd0957dcfa45eac44273842b1364c5a999a0a21c1108ccf8
SHA512525cac7d2070540abdfa8b6ea43631610f9c7440346f319b90c1826d73d7d125d165a2718a04f82eac1b47202afa1b6c6f2576af0fa76b03f9058bd21fa90f77
-
Filesize
1KB
MD564fd1f107fe39a118a1e0df6a2231c21
SHA11757c6e25e245eebd74994acefc148a55ca85675
SHA256a671cbd881a552e34f8c7594f6dbfd1442d5a702ed914fead3cd0fcc5f37d51e
SHA512450e1a6ef677bd192fac285af9aa2e71267d1a8ba138fd3a5a1da9f3267540fa951a1e9c4e2b3bf724f326d5c20eb51113005660c7865158ad0669089c16b53f
-
Filesize
1KB
MD5d1a3d2a396b79cd871f99665b134a49a
SHA12ab15e630b751e94d72362f2b55f60c4d7f35f40
SHA2567ba07c3784813a0f9cc1ff90f54c5517e288bde40d5ccbe8b098af4975c16ee6
SHA512d88ddaa9e3e9213e7f9bc19da72011e51c66199b10557e79e2edc5e50f0879a51216817a9dbede8807c8ec8b8b9457482f49ad00576c0c214e0bac2d034b79c7
-
Filesize
1KB
MD5865a45b31cb7baefb3b71ae51eb67308
SHA142094765f9627e713f573b2e6a203183068a6159
SHA25699f2f70a9e34a9c63f6107b8308e41b83139f62b72a2f2ffd2394b0063ec79e2
SHA51270ba8d348e1954b90a078ff47b9d63ca7663b9ae7c0c8e32f50b53acfd928465f91cb36760a1560d80d33ca07e7e815e18905b0b104ae52de80e5a58fdc73d1f
-
Filesize
1KB
MD5f66b8249919fa2b7bb00beddfffa2f9a
SHA1321e81d7eead2350c57600ebc6ff0a9b4a4e06b2
SHA2568ebb03500bb9833bda093b9d8ababd2bb633a0b97913765e05191ea51ac4adcc
SHA5121034bb1e17c26c928a9b2cbb5f7615754af844883980922adf7f81e10821e6851780d49ee4edc8de955cc3d50e84f4ad7b57b90c96d9ca7f4f63acabd9449d9f
-
Filesize
1KB
MD5b7922b0709a026f2188f725dae20b6e8
SHA14b91513018aa95f062f4ed4b5b9f88032b7ccbe2
SHA2560e81b90f3c97c85cdd3b4734667ecd140045cd795e89b6b3fb28bdbc1d0fc015
SHA51202f6afa56f7ec2fb4664d0e9522a5a5d0a1912e4f830d8b4bc9c186322d0fc21cfa0f2e65567057ba8da1cf1dbd44e886b9b393a0fe47a7b60665d36b6790fe1
-
Filesize
1KB
MD5f97e2548b10247a8f61605db9a7f5946
SHA16ef69ffb824a6842f6bedb2f800cf3e31ca0135a
SHA2563cd268a890a1e10796a4d9c43e7d678baf8ff25b614c8cf45f23f18c0bd3fbff
SHA512e4a68819058b08e55000462a177f137575ebb741c021ce8ae471335bbc0678e095e6fb4e499ba7e3ec18deead014d83b2fea7c2f378ec67888aaf0ebef0734b0
-
Filesize
2KB
MD570f1b79dbc67e18f03a8ccb43fd1f26c
SHA117810bd14fdf097d6cb6b33b5e8f91506c0d5049
SHA256c7745cfbe269513787a15c12e8e660b604733ae13f3df90b932c9d2aad827300
SHA512c6483cb7eec581a248e810314b67b81677130c8b4e29688911cb3a2b1c967242abed36d3c0c8b971fee67b7198b1c988dfe8bc16eca89f7413ff40151c4b15d6
-
Filesize
2KB
MD5778dde4a011f182dcb7c714c44eb476d
SHA1ea5e86c47b4446f1e7cd3fecf31572af0a2c46b5
SHA25699714f76e76ce0ee69c5b26a88e795a9c100856131226e12e8b7894bb9fb26e2
SHA5123b9cdc4f025c6e3d7fa61e2d6aafb7d2f796bbe01c7a4561fda0890c37ce281b76fa175ef7fc7f4f92d868e2c8cac5a4fd1b3e664ff5a93670c778ed86032952
-
Filesize
2KB
MD58ded210487270f9a7481f9c588ad6c73
SHA1e0cf84eb5c3b7e5860fee3a3632431c21bd90b37
SHA2562a1617e7b39e564314c792a36b8fb20df3af55cd0b3ce9d7753081c991ca0855
SHA5121701aa2a480b44e90af73983dbec183d110007f9e8769c3620b8727224fcf38294049a5d743a824dd121f26ea161c3fd8d6c3af4fbc9fa75119f132b0f9c30cd
-
Filesize
152B
MD52f842025e22e522658c640cfc7edc529
SHA14c2b24b02709acdd159f1b9bbeb396e52af27033
SHA2561191573f2a7c12f0b9b8460e06dc36ca5386305eb8c883ebbbc8eb15f4d8e23e
SHA5126e4393fd43984722229020ef662fc5981f253de31f13f30fadd6660bbc9ededcbfd163f132f6adaf42d435873322a5d0d3eea60060cf0e7f2e256262632c5d05
-
Filesize
152B
MD554aadd2d8ec66e446f1edb466b99ba8d
SHA1a94f02b035dc918d8d9a46e6886413f15be5bff0
SHA2561971045943002ef01930add9ba1a96a92ddc10d6c581ce29e33c38c2120b130e
SHA5127e077f903463da60b5587aed4f5352060df400ebda713b602b88c15cb2f91076531ea07546a9352df772656065e0bf27bd285905a60f036a5c5951076d35e994
-
Filesize
255B
MD5d11edf9e08a127c768843acea41d0bc5
SHA1ff1af9b39de4a3f547407fd9864ffdd2bb6c7354
SHA256217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478
SHA51292c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3
-
Filesize
6KB
MD5751e7953e3a25d8c3067285cd9b62861
SHA148ecdfae2f3b58e3b697e00c2a6c72d75a51c6c3
SHA256756e19476fe329906f69bc0f222cef409b6a61a72ba41d0326c85e018462ff72
SHA512ad68e5377ddb1c8e26502e6cfe97f5e38e46f02fc1101f8f46ca646cc7d71cb035a07f4c54158cf8760eb8ad652d7f90e259bdc33d8403d673799ebb370e4646
-
Filesize
6KB
MD5166fe9918527a509beb3f425a4e00752
SHA19fea49bf2a160f811b38c3548c30e76760a99bd9
SHA256136f4d2b4cab095a28b85385ab538e4c51f1b153dbabc898ad232bd375829aed
SHA512243c14234af7ef906ed1689853ae4f945657bd1d9fa0f7e3f6c46aae1743f0a04d3f342071e14e78e8f8a771085cba69920128203f4e62c54818b1d69c099402
-
Filesize
6KB
MD534a0408fdd4f637721d4e1e1e4c9a62a
SHA1e7e031ada8fad4e6cbad897378365378d4c832f9
SHA256b2588aa5289421e5739611d1af4cd83ca363d324aa31abed989ef9577df5827c
SHA512a819f21e03d158821b6435c0a965b0b6b7ba54748f95798672eb9a86949a3db88e6c6c1ffce9452095fe9674056bcdba14b9a7ad75079b9e12b3f5e01f14b0f5
-
Filesize
6KB
MD5ee73dddec43810e6fbc41123706720cd
SHA184c3189aebb97902dace3b68baff61330d4c42a6
SHA2566b5db3b53dcc80668e90d9f80f76412b5a590e99ecd34b592a7d23d6dd6d7785
SHA51292bdbc08f953ba4817b038c9300ca93001e7e927ecd978f02a8115ad8f32e3cf96e8d1fa1ed483b38f753ac4af4c588cae80c665b192eb07de9d64b23795fa8e
-
Filesize
6KB
MD5d0acf2f3be46e1619b64f4a593ca382c
SHA166c1405fc95828cc4cfb0208e735468879497634
SHA2567874b581ae2fc7c8cc6362f0b8188a42885cc29ff4027259857c513817b2cad0
SHA512baaf47517ad437b768c934e736937d97c097e3250477757086f12d24073f084ea310ecab3670e702d1c94d867ca69cebd41041b544b29a4d2b5450371d371c49
-
Filesize
371B
MD562782c7127707440f8fccf6c2bd9481c
SHA1bd06133a2bdcc116a123efb4e8f9adcbd2678781
SHA2568a195d6dd01d3871c9113395538858f4ca66667846c92ef9a12971f56d3b1612
SHA51275cadc5bee7de9aaf03383d928b7e2bcbd8a1816542571ef721aa7238d79bc73f39d34c63e5226768e445f06eb4ddc476b7b0390261cb9aa68f3d6b686b6bed7
-
Filesize
367B
MD5a65daba765c9a78200e79a9470af23be
SHA1b3101551975d62c1362073c299d1c1eb4b60d253
SHA2563285ff0578bc450d875bb37a072b3f277395e08d65bf920697fcbec6d4ac007a
SHA5129efb81b4ab18f0a71ad128c2b854deed10e317a86bd2d5b9e4a0e0fc6092e6ad32379134daf86d9d90a82d44e0857f2849f5b5256ecd2edc32b5db329a72ca1e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c9030358b7c7b0f4786dc66b088455b5
SHA109acb861c9e3a0e8921c8c5338dda22c0518c40d
SHA256566940b67b02cf7bfbc5205ea6de4967070fa078adb831afb4791ad7e1028829
SHA5120bb9def3f3bedbe12e119c5d8240ec72ea4a12c3e61986a69e172cb83b3a121c20f5f8b3d763b46460fb510a37cae7966977ac8d9eaddd825ba3c0275657b521
-
Filesize
12KB
MD55412de8d5ecf836df80288883756e2f4
SHA13532e7658cc967d2767e3eb755f9a224791f5307
SHA2567b845137578e5355d076855053e8e8d987291670d676acbad11870ebef124789
SHA5128e69c45d2d3785e5e92fc774868f9e754e5e4dd848b65a419cd0e43dcb6940070daff127b34b2dfabb9615af180fb52e3b18c3ff988c8a654701c4975b51c22a
-
Filesize
12KB
MD53ae9531974154ebf2afc5784bc5e38a0
SHA11704ccf7e147d8908c8234a7c5e2075cfcc10819
SHA2565027fd42e8ada383886ffa39fcfa6da39147790a769d8e349bc58001a00ed977
SHA512f56f77f8647528fcbd328a7fe01bad0ac5a2e7c132bb600957d1b06f29260267775298a5a9eeecee75ce9230863059a02b8890cc3930535d5bb53d3590f9790b
-
Filesize
2.4MB
MD57e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1fc500153dba682e53776bef53123086f00c0e041
SHA256abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA5120318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize
11KB
MD50fbf8022619ba56c545b20d172bf3b87
SHA1752e5ce51f0cf9192b8fa1d28a7663b46e3577ff
SHA2564ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74
SHA512e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb
-
Filesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
6.7MB
-
Filesize
2.4MB
-
Filesize
48KB