Analysis
- max time kernel: 599s
- max time network: 441s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2024 11:25
Behavioral tasks
- behavioral1: Sample Danger-Multitool-2.0-main.zip, Resource win10v2004-20241007-en
- behavioral2: Sample Danger-Multitool-2.0-main/Danger Multitool 2.0.exe, Resource win10v2004-20241007-en
- behavioral3: Sample Danger-Multitool-2.0-main/README.md, Resource win10v2004-20241007-en
General
- Target: Danger-Multitool-2.0-main.zip
- Size: 429KB
- MD5: 0f07d3850fe266d560a925329417366f
- SHA1: 2d269af3aad6f80601b81ada4308ab563952ef9f
- SHA256: 71050844beef6a2221e7a65df0f97646358b4aa41c12cadb85132c38d0a9effa
- SHA512: 455a96bcc865038404875edfcdc1e80a95f1308020168cbe1ee32514e99b22a0ee06f3520dbd74ee29f7486de23c4f5d6a83a4843b614ee93c21af8de3eb827d
- SSDEEP: 12288:WPklW7J1s66V5QHat6vjJY/QgABfmVigB:U7K3oe/rAV4
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  1864  7zFM.exe
  Note: the process flagged here is the 7-Zip file manager that was used to open the archive (the root of the process tree below), not the sample itself.
- Executes dropped EXE (6 IoCs)
  pid   Process
  3936  Danger Multitool 2.0.exe
  940   Danger Multitool 2.0.exe
  2804  Danger Multitool 2.0.exe
  2272  Danger Multitool 2.0.exe
  1676  Danger Multitool 2.0.exe
  4844  Danger Multitool 2.0.exe
  Note: each instance was launched from a separate 7zO... temporary extraction directory under %LOCALAPPDATA%\Temp (see the command lines in the process tree), i.e. the executable was opened six times straight from the archive viewer.
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Danger Multitool 2.0.exe (6 IoCs, one per executed instance)
  Caveat: this is a key open (read), not a modification. Sysmon registry events (IDs 12, 13, 14) record key creation/deletion and value writes, not reads, so the same behaviour is visible in a sandbox API trace but not in default endpoint telemetry; catching it on a host needs an audit SACL on the key (event 4663) or an EDR API hook. Reading the NLS keys is also routine for benign locale initialisation, so on its own the TTP is low confidence.
- Modifies registry class (18 IoCs)
  description      ioc                                                                                                              Process
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings                             OpenWith.exe (×5)
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings                             7zFM.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.md                                        OpenWith.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\.md\ = "md_auto_file"                      OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\⭪耀섀                                      OpenWith.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\⭪耀섀\ = "md_auto_file"                    OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file                               OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell                         OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\open                    OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\open\command            OpenWith.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\edit                    OpenWith.exe
  Key created      \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\edit\command            OpenWith.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\md_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  OpenWith.exe
  Note: every entry is written by OpenWith.exe (the shell's "Open with" dialog) or 7zFM.exe, not by the sample. Together they register the .md extension as md_auto_file with NOTEPAD.EXE as its open and edit command, which is what happens when README.md is opened from the archive and Notepad is chosen. The key name shown as ⭪耀섀 is reproduced as the report prints it; it cannot be decoded from the page.
- Opens file in notepad (likely ransom note) (3 IoCs)
  pid   Process
  3444  NOTEPAD.EXE
  1340  NOTEPAD.EXE
  4516  NOTEPAD.EXE
  Caveat: all three instances opened the README.md extracted from the archive (see the command lines in the process tree). The "ransom note" label is the heuristic's generic interpretation of a text file being displayed in Notepad, not evidence of encryption activity.
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   Process                   count
  1864  7zFM.exe                  16
  3936  Danger Multitool 2.0.exe  4
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid   Process
  1864  7zFM.exe
  3936  Danger Multitool 2.0.exe
  628   OpenWith.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  pid   Process                   Token
  1864  7zFM.exe                  SeRestorePrivilege (×1), 35 (×1, printed by the report as a raw privilege value), SeSecurityPrivilege (×16)
  3936  Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  940   Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  2804  Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  2272  Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  1676  Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  4844  Danger Multitool 2.0.exe  SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  Caveat: this signature records the privileges a process asked to enable on its token; it does not show whether the adjustment succeeded. Every instance of the sample requests SeDebugPrivilege and SeTcbPrivilege. SeDebugPrivilege is the usual prerequisite for opening other processes' memory and is only enable-able from an elevated administrator token; SeTcbPrivilege ("act as part of the operating system") is not held by ordinary user or administrator tokens at all, so that request fails outside a SYSTEM context. The 7zFM.exe entries are the archive manager's own use of backup/restore and security privileges during extraction.
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process      count
  1864  7zFM.exe     24
  4516  NOTEPAD.EXE  1
- Suspicious use of SetWindowsHookEx (42 IoCs)
  pid   Process                   count
  3936  Danger Multitool 2.0.exe  1
  1448  OpenWith.exe              1
  508   OpenWith.exe              1
  2296  OpenWith.exe              1
  5088  OpenWith.exe              1
  628   OpenWith.exe              37
- Suspicious use of WriteProcessMemory (26 IoCs)
  pid   Process       wrote to memory of (procid_target)   count
  1864  7zFM.exe      3936 (93)                            3
  1864  7zFM.exe      940 (98)                             3
  1864  7zFM.exe      2804 (99)                            3
  1864  7zFM.exe      2272 (100)                           3
  628   OpenWith.exe  3444 (108)                           2
  1864  7zFM.exe      1676 (110)                           3
  1864  7zFM.exe      1672 (111)                           2
  1864  7zFM.exe      1340 (112)                           2
  1864  7zFM.exe      4844 (113)                           3
  1864  7zFM.exe      4516 (114)                           2
  Caveat: every target is a direct child of the writing process in the process tree below, and the writer is the archive manager or the Open With dialog, not the sample. This pattern is consistent with the parent writing into a child it has just created, not with injection into an unrelated process. No WriteProcessMemory entry is attributed to Danger Multitool 2.0.exe.
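The two lists above (AdjustPrivilegeToken and WriteProcessMemory) are printed by the report as a single run-together line each, which makes repeat counts and parent/child relationships hard to read. The script below is an added example, not part of the report or of the analysed sample: it parses both list formats into per-process summaries, flags processes that asked for SeDebugPrivilege or SeTcbPrivilege, and renders the parent-to-child writes with their repeat counts. The input strings are constructed excerpts of the report's own lines; the regular expressions assume the exact "Token: <privilege> <pid> <process>" and "PID <src> wrote to memory of <dst> <src> <process> <procid_target>" layouts shown above.

```python
"""Added example: summarise the flattened AdjustPrivilegeToken and
WriteProcessMemory IoC lists of a sandbox report per process.
Not part of the report or of the analysed sample."""
import re
from collections import Counter, defaultdict

# Constructed input: excerpts of the two IoC lists above, copied as the
# report prints them (entries run together on one line).
ADJUST_PRIVILEGE_IOCS = (
    "Token: SeRestorePrivilege 1864 7zFM.exe Token: 35 1864 7zFM.exe "
    "Token: SeSecurityPrivilege 1864 7zFM.exe "
    "Token: SeShutdownPrivilege 3936 Danger Multitool 2.0.exe "
    "Token: SeDebugPrivilege 3936 Danger Multitool 2.0.exe "
    "Token: SeTcbPrivilege 3936 Danger Multitool 2.0.exe "
    "Token: SeSecurityPrivilege 1864 7zFM.exe "
    "Token: SeShutdownPrivilege 940 Danger Multitool 2.0.exe "
    "Token: SeDebugPrivilege 940 Danger Multitool 2.0.exe "
    "Token: SeTcbPrivilege 940 Danger Multitool 2.0.exe"
)
WRITE_PROCESS_MEMORY_IOCS = (
    "PID 1864 wrote to memory of 3936 1864 7zFM.exe 93 "
    "PID 1864 wrote to memory of 3936 1864 7zFM.exe 93 "
    "PID 1864 wrote to memory of 3936 1864 7zFM.exe 93 "
    "PID 1864 wrote to memory of 940 1864 7zFM.exe 98 "
    "PID 1864 wrote to memory of 940 1864 7zFM.exe 98 "
    "PID 1864 wrote to memory of 940 1864 7zFM.exe 98 "
    "PID 628 wrote to memory of 3444 628 OpenWith.exe 108 "
    "PID 628 wrote to memory of 3444 628 OpenWith.exe 108 "
    "PID 1864 wrote to memory of 1340 1864 7zFM.exe 112 "
    "PID 1864 wrote to memory of 1340 1864 7zFM.exe 112"
)

# "Token: <privilege> <pid> <process name>"; the process name may contain
# spaces, so it is matched lazily up to the next "Token:" or end of input.
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (.+?)(?= Token: |$)")
# "PID <src> wrote to memory of <dst> <src> <process name> <procid_target>"
WRITE_RE = re.compile(
    r"PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)(?= PID |$)")


def parse_privileges(text):
    """Map pid -> {"process": name, "privileges": Counter of token names}."""
    out = {}
    for priv, pid, name in TOKEN_RE.findall(text):
        entry = out.setdefault(int(pid), {"process": name, "privileges": Counter()})
        entry["privileges"][priv] += 1
    return out


def sensitive_requests(privs, watch=("SeDebugPrivilege", "SeTcbPrivilege")):
    """(pid, process, [requested watch privileges]) for every pid that asked
    for one, sorted by pid. The report records the request, not its success."""
    hits = []
    for pid, entry in sorted(privs.items()):
        asked = sorted(p for p in entry["privileges"] if p in watch)
        if asked:
            hits.append((pid, entry["process"], asked))
    return hits


def parse_writes(text):
    """Return (parent pid -> Counter{child pid: entries}, pid -> process name)."""
    writes = defaultdict(Counter)
    names = {}
    for src, dst, src_again, name, _target in WRITE_RE.findall(text):
        if src != src_again:  # malformed entry: skip instead of guessing
            continue
        writes[int(src)][int(dst)] += 1
        names[int(src)] = name
    return writes, names


def render_tree(writes, names):
    """One line per parent->child edge with its repeat count."""
    lines = []
    for parent in sorted(writes):
        for child, n in sorted(writes[parent].items()):
            lines.append(f"{parent} ({names[parent]}) -> {child}  x{n}")
    return lines


if __name__ == "__main__":
    privs = parse_privileges(ADJUST_PRIVILEGE_IOCS)
    for pid, proc, asked in sensitive_requests(privs):
        print(f"{pid} {proc}: requested {', '.join(asked)}")
    print("\n".join(render_tree(*parse_writes(WRITE_PROCESS_MEMORY_IOCS))))
```

Feeding the full lists from the report in place of the excerpts gives the per-process counts shown in the reformatted tables above; the same parsers work on any signature list in this layout, since only the two regular expressions are format-specific.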
Processes
- C:\Program Files\7-Zip\7zFM.exe (PID 1864, level 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Danger-Multitool-2.0-main.zip"
  - Deletes itself
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\7zO8479C5C7\Danger Multitool 2.0.exe (PID 3936, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8479C5C7\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\7zO847CD4D7\Danger Multitool 2.0.exe (PID 940, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO847CD4D7\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7zO847F00D7\Danger Multitool 2.0.exe (PID 2804, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO847F00D7\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7zO847D1FE7\Danger Multitool 2.0.exe (PID 2272, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO847D1FE7\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\7zO847E0359\Danger Multitool 2.0.exe (PID 1676, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO847E0359\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\notepad.exe (PID 1672, level 2)
    Command line: "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO84754079\Danger Multitool 2.0.exe"
    (no signatures; the executable itself was opened in Notepad)
  - C:\Windows\system32\NOTEPAD.EXE (PID 1340, level 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO847E1F19\README.md
    - Opens file in notepad (likely ransom note)
  - C:\Users\Admin\AppData\Local\Temp\7zO8477CE29\Danger Multitool 2.0.exe (PID 4844, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO8477CE29\Danger Multitool 2.0.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\NOTEPAD.EXE (PID 4516, level 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO84780929\README.md
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\OpenWith.exe (PID 1448, level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 508, level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 2296, level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 5088, level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe (PID 628, level 1)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\NOTEPAD.EXE (PID 3444, level 2)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8479AEA8\README.md
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 733KB
  MD5: 1f491b029221bcbcc52f101effcdcd05
  SHA1: 0df19428a47dc69ff5fbf09ceb89169e8e3261e8
  SHA256: 6307526cdf7d6d87e41f57b43c2231e4a88cd65f974a72078ee247543c24241b
  SHA512: c43c633a335361001e789cee9eed489a284b9f7f535e45ef2851d9c42dcfbcfb7ac83bac34fa9304643d93fb5edefd480c851294a720b261c98fc3c1b34de6e1
- Filesize: 158B
  MD5: 1578b4fd6f566e5315362ae30926a4b2
  SHA1: ec02b4a2580491e426dc4f1139f8cd8c12770840
  SHA256: c76414b13a2981641a279b008c131649457233d7d90429c696d46bdfbad57f01
  SHA512: 611713834a549cdc3e1862d69bad6cfb7f866981b4103c98b0e56215022273580562a156213501a720134953e21b6f9f1b8795cc807394b501c019dcc7f1aebf
- Filesize: 102B
  MD5: 465c856d600061594cba9f813b0629cc
  SHA1: 29349baf5aa8df424ef7e44dc1b0e86fa1b8f684
  SHA256: 9dd175f267198be5af72d33d9b0ca7a3473aa72bd6ae59b7d4ec100f6b2752cf
  SHA512: e8047e0b4ca0f6bba79d50ee8ab1112d5df57035f4af76d6f32971e8715f63a121d8d6453a8769e11588fa8e8599908dcab357900c6da4cdb348aef69eaab336