Analysis

max time kernel: 231s
max time network: 231s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2024 03:18
Static task: static1
URLScan task: urlscan1
General

Malware Config

Extracted
Family: danabot
C2:
- 51.178.195.151
- 51.222.39.81
- 149.255.35.125
- 38.68.50.179
- 51.77.7.204
Signatures

Danabot family

Danabot x86 payload (1 IoC)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0008000000023e88-370.dat | family_danabot |
Blocklisted process makes network request (7 IoCs)

| flow | pid | Process |
|---|---|---|
| 82 | 1752 | rundll32.exe |
| 84 | 1752 | rundll32.exe |
| 85 | 1752 | rundll32.exe |
| 90 | 1752 | rundll32.exe |
| 91 | 1752 | rundll32.exe |
| 92 | 1752 | rundll32.exe |
| 93 | 1752 | rundll32.exe |
Loads dropped DLL (2 IoCs)

| pid | Process |
|---|---|
| 1356 | regsvr32.exe |
| 1752 | rundll32.exe |
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | MEMZ.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 1032 | 900 | WerFault.exe | 124 |
System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DanaBot.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LoveYou.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MEMZ.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe |
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
64 events in total, grouped here by process:

| pid | Process | events |
|---|---|---|
| 2988 | msedge.exe | 2 |
| 2516 | msedge.exe | 2 |
| 848 | identity_helper.exe | 2 |
| 2444 | msedge.exe | 2 |
| 1412 | msedge.exe | 4 |
| 2008 | MEMZ.exe | 18 |
| 3432 | MEMZ.exe | 14 |
| 2264 | MEMZ.exe | 7 |
| 1128 | MEMZ.exe | 5 |
| 1748 | MEMZ.exe | 8 |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)

| pid | Process | events |
|---|---|---|
| 2516 | msedge.exe | 8 |
Suspicious use of FindShellTrayWindow (64 IoCs)

| pid | Process | events |
|---|---|---|
| 2516 | msedge.exe | 64 |
Suspicious use of SendNotifyMessage (24 IoCs)

| pid | Process | events |
|---|---|---|
| 2516 | msedge.exe | 24 |
Suspicious use of SetWindowsHookEx (7 IoCs)

| pid | Process |
|---|---|
| 3048 | MEMZ.exe |
| 2008 | MEMZ.exe |
| 3432 | MEMZ.exe |
| 2264 | MEMZ.exe |
| 1128 | MEMZ.exe |
| 1748 | MEMZ.exe |
| 4468 | MEMZ.exe |
Suspicious use of WriteProcessMemory (64 IoCs)
64 events in total, all from pid 2516 (msedge.exe) writing into its own child processes; each distinct row below is repeated many times in the raw listing:

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2516 wrote to memory of 3940 | 2516 | msedge.exe | 84 |
| PID 2516 wrote to memory of 3952 | 2516 | msedge.exe | 85 |
| PID 2516 wrote to memory of 2988 | 2516 | msedge.exe | 86 |
| PID 2516 wrote to memory of 1224 | 2516 | msedge.exe | 87 |
Processes
(Indentation shows the process tree: a child process is indented under its parent.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
PID: 2516
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4b946f8,0x7ff9a4b94708,0x7ff9a4b94718
    PID: 3940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    PID: 3952

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
    PID: 2988
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    PID: 1224

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    PID: 4540

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID: 4880

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    PID: 3596

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
    PID: 848
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
    PID: 3392

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
    PID: 3044

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    PID: 1820

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
    PID: 3012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
    PID: 376

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    PID: 3080

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    PID: 4932

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:8
    PID: 2444
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:2
    PID: 1412
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1668

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 584

C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3148

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
PID: 900
- System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@900
    PID: 1356
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
        PID: 1752
        - Blocklisted process makes network request
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 460
    PID: 1032
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 900 -ip 900
PID: 4984

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe
Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
PID: 2664
- System Location Discovery: System Language Discovery

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
PID: 3048
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    PID: 2008
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    PID: 3432
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    PID: 2264
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    PID: 1128
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
    PID: 1748
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
    Command line: "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
    PID: 4468
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\notepad.exe
        Command line: "C:\Windows\System32\notepad.exe" \note.txt
        PID: 2524
        - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: 99afa4934d1e3c56bbce114b356e8a99
SHA1: 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256: 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512: 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize: 152B
MD5: 443a627d539ca4eab732bad0cbe7332b
SHA1: 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256: 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512: 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2a547422-02e3-4619-80bf-0c034d2043be.tmp
Filesize: 6KB
MD5: 1010ea230a127f8cd5c0be8a95ec8812
SHA1: 5b9c2eb72f2812237af1d361dd309525deeb2e30
SHA256: f9340a4f3e1da70593c516466406afaf3c5fbbadfde0d40a2a508a0c0ba056a1
SHA512: 6c263c99ff8fb6c64550c9063314b5881814bfbb78cd4c977d71999b4ac1d0b5f015e78d4979bb7df36517732964edd02fd07376d1b726a9594b6873c782b659
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5a3d4368-59c0-4632-9e06-66339612950c.tmp
Filesize: 1KB
MD5: 0196d2196d71c477a1f78fbdb6beca16
SHA1: 6033b4a8bed30963fbb2d9ddff0c2d2ea530d7c6
SHA256: c475f0f1c6c9fddebeb9d47cd3dd34d80184228818e95e0433603765ba98cbba
SHA512: 0e629c0bdbc617b336e3c9fa15ea890c1bdd3eee7083776ededf6d4ecf68925fe8e7a103b1e3f9656d99756c2882e64c83821276e3471a345fdca526779fb03b
-
Filesize: 19KB
MD5: 0b684c927d56c8f2a269fad2ce708bca
SHA1: b24881109b33ba68168308333840e1c7b03e7775
SHA256: 0a1174c0168a1a056fc5a67ef229a4255b750131f9bfde84f8226f88a8f1f9fa
SHA512: 68da39e77fde0e0e75a529e7452230230c99cebb61ac763d81136de4ee4b150442a076d96d0f9c4f431def094a225ec621b656c326e44e2b8e3d340278fba471
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: c9bd71e12da62c2dc05e40efe3c11f74
SHA1: 8fdb8e1b70c0751d6239f9b2e0868b71a92ae03d
SHA256: 90d3a36e648480b4d9a900176c5037764af75d3e1a8bb935b6dc76ad23e9ce4c
SHA512: ba407a62c7d0f488d69565fc6cca7889c3bc50fcf03ed8ea3e8fdd742a2c8daf129e837c73cb358b5a48ca2c63cfa667f5f4ec9e2fed900d3c254e1e800ff60c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: e989488ee22fde83ab5cd93dd98a1d73
SHA1: b328cd928076323fc804b7a1ef71b658284e18cd
SHA256: a510bd68af52045c3198144be3d6453e43c0145fa888d63802d1255850b93d7c
SHA512: 352eee651eb6d5f3db363c5b19c48bd141b49977fae1ca4fe44b9af570ebd31195dc66785b586874d32afc0f6b47696897f790170b703a9bc0da37b3fffd3225
-
Filesize: 573B
MD5: dd206986bfdd70ed07ec54b03c9ebc9b
SHA1: 105f2e51ade310ea60a7c2cb11ce16dd480f81c2
SHA256: af184d0cceb2b815b953fb24970efe52c159fc7b30b9b0dcfb2b54a90376e971
SHA512: 3717fe8d2d7c878b6fbc98c25e484659602c1aa50cf76c5df5af07e93132098831cd8a9c1b73b7114da656f848b8e104190d1b48863413e08e1027dd7728fc75
-
Filesize: 5KB
MD5: b782d650b6745e52e4cf18ad655e6614
SHA1: 0cf35c044590d0b3b8cf710c7229226538213954
SHA256: 8805b5a94705db869c7379433d2df4ed29b6777cbcbb7a5d013705e07b4a36f5
SHA512: 16e4bc6b88a9e648711b57be8c76812194324ade931f871db8cb3b486916d896198f56bf7cc4066a4ec5390d0cf6efccd25e10bb49c006e7cd7198585cf2aba7
-
Filesize: 6KB
MD5: 39472468edf12a72c52fc189aec9030b
SHA1: 22db2bf6b8af3602ad7e1f731053c60a8870a2d5
SHA256: 2dc2eeba1f13568e230150c414b3f9386d21de32c2150ec337e39437b24ff0cd
SHA512: 513f2f945fc3bd5bcb3e3ce83ef1066fb2300c5b41e8bf5da365793c57e3b70b28dd136e5aa2bf1cbbbe4e7cb522536f0947b4140f50ee174f65b6d45c080d12
-
Filesize: 1KB
MD5: 4c182ec1145a10fa611c3b8168e5fe75
SHA1: ec89a52d20c6489853c1e93add43d7dd91abc53b
SHA256: 87ca33c3bf1711bc98e9a87b5a5d4b441a0a5d0ba06950938823b42ba9cfcb91
SHA512: d8cd3753645d73c33f35782674743a8e3101db102f5cc8052057f3d5871715049e5d748c4502574140bbf439fb9aab08b6df3f8d58f42a89a3dc957cd5371a6b
-
Filesize: 1KB
MD5: 656ac8628b42ffe51ee4ffb2fa4cd80e
SHA1: c27c853a24577e72fde3f2c962371d84dc43a82d
SHA256: 0879ad3c54eae01d03ad34300464555706631257575dd035d2f5db4cc017d8e6
SHA512: 896d1f10771c8059392050d998bb7b31713525d3a3a54eccc3d9c210f6c3ccdbd0531dcef61e94d2002118538c6a31a124517add26a9089b2ab6dbd0f0a9f649
-
Filesize: 874B
MD5: 485a4d6094d09b4664ac07e4c4b6d8ec
SHA1: e33a2f5fa1ba8bf7c47d0a3fa1bbb6bdad1727d9
SHA256: cd5bb581965a122571a9dcbdd4ce8b41ae235f38d6ac1a3c9179178fb789f7ae
SHA512: 95a6a7c0b5513cb4717d608d73183b7f0d01200e2bdb1233c0c643674c0618709ef0d1e33fc32d267b12c68fec81bbacf9c6d49a037c0cb7dc0b5638ab4432f8
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize: 10KB
MD5: 246a7e242748bf2d2adec00ba6229264
SHA1: 44bd193c1c2ea4dc4ad2a00132e53cbd42bb5b3f
SHA256: f6763c5622e21fa19adcb45f107b30ddcb652783b9abd0b58ae14009e6960318
SHA512: 99d61eb8d635b5cca5a07cbd6f3eefe4b45fc2fddf112e15208dba9911e34b52d5f94a7622198e187db4f277a9e48279f7627360576b7ca70685d81eb2dde38e
-
Filesize: 11KB
MD5: 791e52b3f00e8947fb685a23107c54ac
SHA1: b953e59f5a4146d74c60eac48dfac31a86a34555
SHA256: 1bedf787ba7b4db549079ee2f7cd3bfcc2a18997b29ebdda4609e47d76aeea95
SHA512: c235305b4bf174d0f1a6c917fe6359e3a2c8ab7f4ba5da372bb2c0acc6242feda95b606e9bf1244e1094079e9db86130e802db37ab529115c24dd3dd4f7c07ab
-
Filesize: 2.4MB
MD5: 7e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1: fc500153dba682e53776bef53123086f00c0e041
SHA256: abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA512: 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize: 218B
MD5: afa6955439b8d516721231029fb9ca1b
SHA1: 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256: 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512: 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf