Analysis Overview
SHA256
71050844beef6a2221e7a65df0f97646358b4aa41c12cadb85132c38d0a9effa
Threat Level: Known bad
The file Danger-Multitool-2.0-main.zip was found to be: Known bad.
Malicious Activity Summary
Babylonrat family
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Opens file in notepad (likely ransom note)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 12:03
Signatures
Babylonrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 12:03
Reported
2024-11-06 12:13
Platform
win10v2004-20241007-en
Max time kernel
593s
Max time network
417s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main\Danger Multitool 2.0.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 12:03
Reported
2024-11-06 12:05
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Executes dropped EXE
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.md | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ëžë›³Ð€è€€ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ëžë›³Ð€è€€\ = "md_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\md_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.md\ = "md_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main.zip"
C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DAED97\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DC9A97\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D434E7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DB4FF7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D2C8F7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DAD4C7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D1B3C7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DFBEC7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DB89C7\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D735D7\Danger Multitool 2.0.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO08D1F228\README.md
C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D42418\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08DD5218\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D71B18\Danger Multitool 2.0.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D4C1D8\Danger Multitool 2.0.exe"
C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D75B29\Danger Multitool 2.0.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UninstallEdit.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\892748945eb04daca028e0453b30bad1 /t 3184 /p 2052
C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO08D0A869\Danger Multitool 2.0.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zO08D6E397\Danger Multitool 2.0.exe
| MD5 | 1f491b029221bcbcc52f101effcdcd05 |
| SHA1 | 0df19428a47dc69ff5fbf09ceb89169e8e3261e8 |
| SHA256 | 6307526cdf7d6d87e41f57b43c2231e4a88cd65f974a72078ee247543c24241b |
| SHA512 | c43c633a335361001e789cee9eed489a284b9f7f535e45ef2851d9c42dcfbcfb7ac83bac34fa9304643d93fb5edefd480c851294a720b261c98fc3c1b34de6e1 |
C:\Users\Admin\AppData\Local\Temp\7zO08D1F228\README.md
| MD5 | 1578b4fd6f566e5315362ae30926a4b2 |
| SHA1 | ec02b4a2580491e426dc4f1139f8cd8c12770840 |
| SHA256 | c76414b13a2981641a279b008c131649457233d7d90429c696d46bdfbad57f01 |
| SHA512 | 611713834a549cdc3e1862d69bad6cfb7f866981b4103c98b0e56215022273580562a156213501a720134953e21b6f9f1b8795cc807394b501c019dcc7f1aebf |