Resubmissions
21-11-2024 08:59
241121-kx44aazrhv 321-11-2024 08:54
241121-kt7d8svncp 1021-11-2024 08:52
241121-kspsssvnbj 321-11-2024 08:49
241121-kq1saazrdw 3Analysis
-
max time kernel
277s -
max time network
279s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2024 08:54
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot family
-
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource yara_rule behavioral1/files/0x0008000000023e41-270.dat family_danabot -
Blocklisted process makes network request 10 IoCs
flow pid Process 81 2308 rundll32.exe 83 2308 rundll32.exe 84 2308 rundll32.exe 85 2308 rundll32.exe 86 2308 rundll32.exe 87 2308 rundll32.exe 88 2308 rundll32.exe 89 2308 rundll32.exe 91 2308 rundll32.exe 93 2308 rundll32.exe -
Drops startup file 26 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.a.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.a.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe Axam.exe -
Executes dropped EXE 12 IoCs
pid Process 2732 Axam.exe 180 Axam.exe 2360 Axam.exe 8 Axam.exe 3392 Axam.exe 2448 Axam.exe 2324 Axam.exe 1012 Axam.exe 4836 Axam.exe 1344 Axam.exe 892 Axam.exe 4520 Axam.exe -
Loads dropped DLL 2 IoCs
pid Process 2464 regsvr32.exe 2308 rundll32.exe -
Adds Run key to start application 2 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe" Amus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe" Axam.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.a.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.a.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.a.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.a.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\Grokster\My Grokster\XXX_HOTSEX.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\Kazaa\My Shared Folder\Invisible_man.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\BearShare\Shared\fxbgbear.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe File created C:\Program Files (x86)\Edonkey2000\Incoming\setup_flash.exe Axam.exe File created C:\Program Files (x86)\KMD\My Shared Folder\Axam.exe Axam.exe File created C:\Program Files (x86)\limewire\Shared\Super Mario.exe Axam.a.exe File created C:\Program Files (x86)\KaZaA Lite\My Shared Folder\AjeedNASA.exe Axam.exe File created C:\Program Files (x86)\Morpheus\My Shared Folder\Blaster.exe Axam.exe -
Drops file in Windows directory 20 IoCs
description ioc Process File created C:\Windows\Ankara.exe Amus.exe File opened for modification C:\Windows\Anti_Virus.exe Amus.exe File opened for modification C:\Windows\KdzEregli.exe Amus.exe File created C:\Windows\Cekirge.exe Amus.exe File opened for modification C:\Windows\Meydanbasi.exe Amus.exe File created C:\Windows\Pire.exe Amus.exe File opened for modification C:\Windows\Cekirge.exe Amus.exe File opened for modification C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\Messenger.exe Amus.exe File opened for modification C:\Windows\My_Pictures.exe Amus.exe File created C:\Windows\Pide.exe Amus.exe File opened for modification C:\Windows\Ankara.exe Amus.exe File created C:\Windows\Adapazari.exe Amus.exe File created C:\Windows\Anti_Virus.exe Amus.exe File opened for modification C:\Windows\Messenger.exe Amus.exe File created C:\Windows\Meydanbasi.exe Amus.exe File opened for modification C:\Windows\Pide.exe Amus.exe File opened for modification C:\Windows\Pire.exe Amus.exe File created C:\Windows\KdzEregli.exe Amus.exe File created C:\Windows\My_Pictures.exe Amus.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1548 1224 WerFault.exe 123 -
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DanaBot.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anap.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Axam.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon Axam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa" Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.exe Axam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell Axam.a.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open Axam.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1" Axam.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2116 msedge.exe 2116 msedge.exe 1692 msedge.exe 1692 msedge.exe 1932 identity_helper.exe 1932 identity_helper.exe 376 msedge.exe 376 msedge.exe 4068 msedge.exe 4068 msedge.exe 4068 msedge.exe 4068 msedge.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe 4848 Axam.a.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 764 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 764 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe 1692 msedge.exe -
Suspicious use of SetWindowsHookEx 14 IoCs
pid Process 1872 Amus.exe 4848 Axam.a.exe 2732 Axam.exe 180 Axam.exe 2360 Axam.exe 8 Axam.exe 3392 Axam.exe 2448 Axam.exe 2324 Axam.exe 1012 Axam.exe 4836 Axam.exe 1344 Axam.exe 892 Axam.exe 4520 Axam.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 2128 1692 msedge.exe 83 PID 1692 wrote to memory of 2128 1692 msedge.exe 83 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 4984 1692 msedge.exe 85 PID 1692 wrote to memory of 2116 1692 msedge.exe 86 PID 1692 wrote to memory of 2116 1692 msedge.exe 86 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87 PID 1692 wrote to memory of 4664 1692 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff553246f8,0x7fff55324708,0x7fff553247182⤵PID:2128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:4984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:82⤵PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:5004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:82⤵PID:4836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4800 /prefetch:82⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵PID:1368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵PID:2996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵PID:4836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵PID:4720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:12⤵PID:2032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16189267098592236744,13928906103622443127,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6204 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4068
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1652
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1404
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4460
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"1⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@12242⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f03⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2308
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 4602⤵
- Program crash
PID:1548
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1224 -ip 12241⤵PID:1972
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt1⤵PID:1320
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x510 0x4cc1⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2460
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4848
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2732
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Bugsoft.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:180
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lacon.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2360
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3392
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2448
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2324
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1012
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4836
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1344
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:892
-
C:\Users\Admin\AppData\Roaming\Axam.exe"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4520
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
302B
MD53565a089a0f8b2b5afb04ec4379b44dc
SHA14075ac633db35b158e4142860a2fd4f331780f9c
SHA256941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb
SHA512112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5
-
Filesize
453B
MD53c134fc18e7bdaf02d63571d193799ad
SHA17e6f22569d16202195410f29e6c74d093f1fa930
SHA256087f1acb6ed4d7563daaf6f0e1110dc7b3d5b4d6130ba19389cdf3eb90e9d347
SHA5125b02fda689e01d570fced10841daea8f543467b9a0ea138149c486c6d9fd56a0684901af16cbf2b3ad7f1d0b6cf6b08bc36288afcec4d5552b5863ef854570d6
-
Filesize
604B
MD59ec5dcbc21f0309fc9c7c545063986b5
SHA1eaea4f607aeefc9f6081d4b122ebaec421e7029b
SHA256273c2c218dd1d27bca1ad23115deb50ee860332b724f7a1b1aa906e055d0d38d
SHA512e2044e50dd09b7df76b76ae96f1fbfea85a73e5055891df4b464b8cf981f5ef623fa660f6b5c3beda289d4166cb39a38e3153a1ed6e4e74fda7ea0914a3ea935
-
Filesize
755B
MD5c73f3203dbe2960f84a494e1662db2c9
SHA127835a0be12637153e54411bea70546c1de82770
SHA25660683424722818828849fcd2e3893265de28c94d660d64b8cb1d1f31a20026c2
SHA5124cbb057b8d9760f0e16bfc110405f2f239c52b0559a59759e310266fc6bf96e84fd5798a30bcbea56e748890ce335825845e0df1c269ca03501cf7f32e0cb1cc
-
Filesize
906B
MD573e598672cece33b0c27f3a2f8d3501d
SHA1cb1955298a70cd5cc2f55fe127a56dfc6fbbccfc
SHA2560250e34f90f6e94dde2cab734f5ac2cb9c6aa9fe1b91d7e9e651f20645296363
SHA5124094ba8f8b335133b836702d58c6660d2edc74d869f5bbcc1bc5a4a30f4f60e79ed4937464f0ec2f10daa4b1d866ade04c179b14450d0cb3f73ccf4b2c00fcb6
-
Filesize
1KB
MD53b1cc48b2addf796ebde1c6d0c020bea
SHA153b249bef441ad8dff4f5a90ef149ab10803cfdf
SHA256d8c19dae05edffa4dd0957dcfa45eac44273842b1364c5a999a0a21c1108ccf8
SHA512525cac7d2070540abdfa8b6ea43631610f9c7440346f319b90c1826d73d7d125d165a2718a04f82eac1b47202afa1b6c6f2576af0fa76b03f9058bd21fa90f77
-
Filesize
1KB
MD564fd1f107fe39a118a1e0df6a2231c21
SHA11757c6e25e245eebd74994acefc148a55ca85675
SHA256a671cbd881a552e34f8c7594f6dbfd1442d5a702ed914fead3cd0fcc5f37d51e
SHA512450e1a6ef677bd192fac285af9aa2e71267d1a8ba138fd3a5a1da9f3267540fa951a1e9c4e2b3bf724f326d5c20eb51113005660c7865158ad0669089c16b53f
-
Filesize
1KB
MD5d1a3d2a396b79cd871f99665b134a49a
SHA12ab15e630b751e94d72362f2b55f60c4d7f35f40
SHA2567ba07c3784813a0f9cc1ff90f54c5517e288bde40d5ccbe8b098af4975c16ee6
SHA512d88ddaa9e3e9213e7f9bc19da72011e51c66199b10557e79e2edc5e50f0879a51216817a9dbede8807c8ec8b8b9457482f49ad00576c0c214e0bac2d034b79c7
-
Filesize
1KB
MD5865a45b31cb7baefb3b71ae51eb67308
SHA142094765f9627e713f573b2e6a203183068a6159
SHA25699f2f70a9e34a9c63f6107b8308e41b83139f62b72a2f2ffd2394b0063ec79e2
SHA51270ba8d348e1954b90a078ff47b9d63ca7663b9ae7c0c8e32f50b53acfd928465f91cb36760a1560d80d33ca07e7e815e18905b0b104ae52de80e5a58fdc73d1f
-
Filesize
1KB
MD5f66b8249919fa2b7bb00beddfffa2f9a
SHA1321e81d7eead2350c57600ebc6ff0a9b4a4e06b2
SHA2568ebb03500bb9833bda093b9d8ababd2bb633a0b97913765e05191ea51ac4adcc
SHA5121034bb1e17c26c928a9b2cbb5f7615754af844883980922adf7f81e10821e6851780d49ee4edc8de955cc3d50e84f4ad7b57b90c96d9ca7f4f63acabd9449d9f
-
Filesize
1KB
MD5b7922b0709a026f2188f725dae20b6e8
SHA14b91513018aa95f062f4ed4b5b9f88032b7ccbe2
SHA2560e81b90f3c97c85cdd3b4734667ecd140045cd795e89b6b3fb28bdbc1d0fc015
SHA51202f6afa56f7ec2fb4664d0e9522a5a5d0a1912e4f830d8b4bc9c186322d0fc21cfa0f2e65567057ba8da1cf1dbd44e886b9b393a0fe47a7b60665d36b6790fe1
-
Filesize
1KB
MD5f97e2548b10247a8f61605db9a7f5946
SHA16ef69ffb824a6842f6bedb2f800cf3e31ca0135a
SHA2563cd268a890a1e10796a4d9c43e7d678baf8ff25b614c8cf45f23f18c0bd3fbff
SHA512e4a68819058b08e55000462a177f137575ebb741c021ce8ae471335bbc0678e095e6fb4e499ba7e3ec18deead014d83b2fea7c2f378ec67888aaf0ebef0734b0
-
Filesize
152B
MD5d7cb450b1315c63b1d5d89d98ba22da5
SHA1694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA25638355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8
-
Filesize
152B
MD537f660dd4b6ddf23bc37f5c823d1c33a
SHA11c35538aa307a3e09d15519df6ace99674ae428b
SHA2564e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53e6c62c7af266183a4ccfd16266487f1
SHA1eb3e5604b47e246d1da72b031fc900d1804d06ed
SHA2567fa48e73b1191b9dfd1961cd04655846558adb123ebfc0257455975392e5ce32
SHA5129749df82ca288d17d117eee5a3791a82b968c75c0fff799fc7f94380e0308cda29229f82191d7c3335a83073ca4e87478dfd00e09779eec57910f54a127cb832
-
Filesize
573B
MD5a6d346f58cbec0a6e4015327b25f1537
SHA1750056e65a8b1c20b1a6051f5adcdf35821a6ac1
SHA2561a715b1b5b62ef83ca8c62a18eddb3b5b6b738be2c654ab7a38cf22fdc8bea56
SHA51274e563217a28cd6427739731f51ba2e35ee060c8ae6959d458d06a0416e17ffc6a49f8d0bbcb8d17cef144a45c36eb9f3b92305389ab0cfc5043f530d9f28d89
-
Filesize
5KB
MD513fa65aa57bae63ddd4722f53c73e401
SHA1eb452d24b8791133f7384bc3e7986eb246570a0f
SHA256d988b4737a1afe1b4ff50229fa2db258a56ce14a22060072aaf28fb03f9af7a1
SHA5128f5041653a2d3413d756a8c0a240bd243337aa2e60a0296bb98db17f4cf33548c1adbc7052a183881a03f68effe2481381cc24893b8ea9ad2a02ad8d8ca7d80e
-
Filesize
6KB
MD5ae1a84a2fe2dc794e8954fc9eeba79af
SHA1a3c83d6318148c149f38209af567fea2635e1500
SHA256647e9246ba8ab5bd0d7d649563f3646868713b2ccb9856099afc244cc9fbb58b
SHA512b945720b312d6c0c58585edc38ccaee0706d27e074556d41661b7f9dcb31d4a16d39a765f2273d86ac224527b61c7fad3696fe875666311eb4101d76f4bca717
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD56e7bcb276bdd59fefa899dda72b2254a
SHA1f3b5eed26ccbe215c828218e93e0806a107a2d98
SHA2561c4fd7871619ff138175a152c42631355925bbf714e9dd51a0ae9f315045fafe
SHA5125d152b8e0c81b5ac09ed51cc47849ec49a5cd1ed3d69c3c2d75f1bd578d56c7f05faea7067d8ce2fc0e214f16e9b243e520df87a74c1f73f00c918334dd92a48
-
Filesize
11KB
MD510a9cfc613bdb2f9907f50b73458435e
SHA10925ab9398ecc8297199e4af2b509b4e5ea1f2c5
SHA2563b7c7e973988b675a125b994c71d4699937d39c4a8d516969842a0c7a027900a
SHA5123f286b93896c7dad4637f64672b1995132fe5d4a962bfaf7930267163db7ac45b27d780b431e3bd8cc9e262f829d0fe02f946827fe7b2cc65541edea2950c8cd
-
Filesize
11KB
MD50fbf8022619ba56c545b20d172bf3b87
SHA1752e5ce51f0cf9192b8fa1d28a7663b46e3577ff
SHA2564ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74
SHA512e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb
-
Filesize
2.4MB
MD57e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1fc500153dba682e53776bef53123086f00c0e041
SHA256abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA5120318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize
50KB
MD547abd68080eee0ea1b95ae31968a3069
SHA1ffbdf4b2224b92bd78779a7c5ac366ccb007c14d
SHA256b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec
SHA512c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a