danabot | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
231s
max time network
231s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

danabot banker bootkit botnet discovery persistence trojan

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll	family_danabot

Blocklisted process makes network request 7 IoCs

Processes:

rundll32.exe

flow pid process

82 1752 rundll32.exe
84 1752 rundll32.exe
85 1752 rundll32.exe
90 1752 rundll32.exe
91 1752 rundll32.exe
92 1752 rundll32.exe
93 1752 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

1356 regsvr32.exe
1752 rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 900 WerFault.exe DanaBot.exe

flow	pid	process
82	1752	rundll32.exe
84	1752	rundll32.exe
85	1752	rundll32.exe
90	1752	rundll32.exe
91	1752	rundll32.exe
92	1752	rundll32.exe
93	1752	rundll32.exe

pid	process
1356	regsvr32.exe
1752	rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

pid	pid_target	process	target process
1032	900	WerFault.exe	DanaBot.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DanaBot.exerundll32.exeMEMZ.exeMEMZ.exeMEMZ.exeregsvr32.exeLoveYou.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exenotepad.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
2988	msedge.exe
2988	msedge.exe
2516	msedge.exe
2516	msedge.exe
848	identity_helper.exe
848	identity_helper.exe
2444	msedge.exe
2444	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
1412	msedge.exe
2008	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
2264	MEMZ.exe
2264	MEMZ.exe
3432	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
2008	MEMZ.exe
1128	MEMZ.exe
1128	MEMZ.exe
2264	MEMZ.exe
2264	MEMZ.exe
3432	MEMZ.exe
1748	MEMZ.exe
3432	MEMZ.exe
1748	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
1748	MEMZ.exe
1748	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
2264	MEMZ.exe
2264	MEMZ.exe
1128	MEMZ.exe
1128	MEMZ.exe
3432	MEMZ.exe
3432	MEMZ.exe
2008	MEMZ.exe
2008	MEMZ.exe
1748	MEMZ.exe
1748	MEMZ.exe
1748	MEMZ.exe
1748	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
1128	MEMZ.exe
2264	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2516 msedge.exe
2516 msedge.exe
2516 msedge.exe
2516 msedge.exe
2516 msedge.exe
2516 msedge.exe
2516 msedge.exe
2516 msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid process

3048 MEMZ.exe
2008 MEMZ.exe
3432 MEMZ.exe
2264 MEMZ.exe
1128 MEMZ.exe
1748 MEMZ.exe
4468 MEMZ.exe

pid	process
3048	MEMZ.exe
2008	MEMZ.exe
3432	MEMZ.exe
2264	MEMZ.exe
1128	MEMZ.exe
1748	MEMZ.exe
4468	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2516 wrote to memory of 3940	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3940	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 3952	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 2988	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 2988	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe
PID 2516 wrote to memory of 1224	2516	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4b946f8,0x7ff9a4b94708,0x7ff9a4b94718
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14419051529376188803,5321929623131779238,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5444 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3148

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:900
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@900
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1356
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 460
  2⤵
  - Program crash
  PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 900 -ip 900
1⤵
PID:4984

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\LoveYou.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2664

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3048
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3432
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2264
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MEMZ.exe" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4468
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2a547422-02e3-4619-80bf-0c034d2043be.tmp

Filesize
6KB

MD5
1010ea230a127f8cd5c0be8a95ec8812

SHA1
5b9c2eb72f2812237af1d361dd309525deeb2e30

SHA256
f9340a4f3e1da70593c516466406afaf3c5fbbadfde0d40a2a508a0c0ba056a1

SHA512
6c263c99ff8fb6c64550c9063314b5881814bfbb78cd4c977d71999b4ac1d0b5f015e78d4979bb7df36517732964edd02fd07376d1b726a9594b6873c782b659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5a3d4368-59c0-4632-9e06-66339612950c.tmp

Filesize
1KB

MD5
0196d2196d71c477a1f78fbdb6beca16

SHA1
6033b4a8bed30963fbb2d9ddff0c2d2ea530d7c6

SHA256
c475f0f1c6c9fddebeb9d47cd3dd34d80184228818e95e0433603765ba98cbba

SHA512
0e629c0bdbc617b336e3c9fa15ea890c1bdd3eee7083776ededf6d4ecf68925fe8e7a103b1e3f9656d99756c2882e64c83821276e3471a345fdca526779fb03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
19KB

MD5
0b684c927d56c8f2a269fad2ce708bca

SHA1
b24881109b33ba68168308333840e1c7b03e7775

SHA256
0a1174c0168a1a056fc5a67ef229a4255b750131f9bfde84f8226f88a8f1f9fa

SHA512
68da39e77fde0e0e75a529e7452230230c99cebb61ac763d81136de4ee4b150442a076d96d0f9c4f431def094a225ec621b656c326e44e2b8e3d340278fba471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c9bd71e12da62c2dc05e40efe3c11f74

SHA1
8fdb8e1b70c0751d6239f9b2e0868b71a92ae03d

SHA256
90d3a36e648480b4d9a900176c5037764af75d3e1a8bb935b6dc76ad23e9ce4c

SHA512
ba407a62c7d0f488d69565fc6cca7889c3bc50fcf03ed8ea3e8fdd742a2c8daf129e837c73cb358b5a48ca2c63cfa667f5f4ec9e2fed900d3c254e1e800ff60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e989488ee22fde83ab5cd93dd98a1d73

SHA1
b328cd928076323fc804b7a1ef71b658284e18cd

SHA256
a510bd68af52045c3198144be3d6453e43c0145fa888d63802d1255850b93d7c

SHA512
352eee651eb6d5f3db363c5b19c48bd141b49977fae1ca4fe44b9af570ebd31195dc66785b586874d32afc0f6b47696897f790170b703a9bc0da37b3fffd3225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
dd206986bfdd70ed07ec54b03c9ebc9b

SHA1
105f2e51ade310ea60a7c2cb11ce16dd480f81c2

SHA256
af184d0cceb2b815b953fb24970efe52c159fc7b30b9b0dcfb2b54a90376e971

SHA512
3717fe8d2d7c878b6fbc98c25e484659602c1aa50cf76c5df5af07e93132098831cd8a9c1b73b7114da656f848b8e104190d1b48863413e08e1027dd7728fc75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b782d650b6745e52e4cf18ad655e6614

SHA1
0cf35c044590d0b3b8cf710c7229226538213954

SHA256
8805b5a94705db869c7379433d2df4ed29b6777cbcbb7a5d013705e07b4a36f5

SHA512
16e4bc6b88a9e648711b57be8c76812194324ade931f871db8cb3b486916d896198f56bf7cc4066a4ec5390d0cf6efccd25e10bb49c006e7cd7198585cf2aba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
39472468edf12a72c52fc189aec9030b

SHA1
22db2bf6b8af3602ad7e1f731053c60a8870a2d5

SHA256
2dc2eeba1f13568e230150c414b3f9386d21de32c2150ec337e39437b24ff0cd

SHA512
513f2f945fc3bd5bcb3e3ce83ef1066fb2300c5b41e8bf5da365793c57e3b70b28dd136e5aa2bf1cbbbe4e7cb522536f0947b4140f50ee174f65b6d45c080d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c182ec1145a10fa611c3b8168e5fe75

SHA1
ec89a52d20c6489853c1e93add43d7dd91abc53b

SHA256
87ca33c3bf1711bc98e9a87b5a5d4b441a0a5d0ba06950938823b42ba9cfcb91

SHA512
d8cd3753645d73c33f35782674743a8e3101db102f5cc8052057f3d5871715049e5d748c4502574140bbf439fb9aab08b6df3f8d58f42a89a3dc957cd5371a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
656ac8628b42ffe51ee4ffb2fa4cd80e

SHA1
c27c853a24577e72fde3f2c962371d84dc43a82d

SHA256
0879ad3c54eae01d03ad34300464555706631257575dd035d2f5db4cc017d8e6

SHA512
896d1f10771c8059392050d998bb7b31713525d3a3a54eccc3d9c210f6c3ccdbd0531dcef61e94d2002118538c6a31a124517add26a9089b2ab6dbd0f0a9f649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58266f.TMP

Filesize
874B

MD5
485a4d6094d09b4664ac07e4c4b6d8ec

SHA1
e33a2f5fa1ba8bf7c47d0a3fa1bbb6bdad1727d9

SHA256
cd5bb581965a122571a9dcbdd4ce8b41ae235f38d6ac1a3c9179178fb789f7ae

SHA512
95a6a7c0b5513cb4717d608d73183b7f0d01200e2bdb1233c0c643674c0618709ef0d1e33fc32d267b12c68fec81bbacf9c6d49a037c0cb7dc0b5638ab4432f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
246a7e242748bf2d2adec00ba6229264

SHA1
44bd193c1c2ea4dc4ad2a00132e53cbd42bb5b3f

SHA256
f6763c5622e21fa19adcb45f107b30ddcb652783b9abd0b58ae14009e6960318

SHA512
99d61eb8d635b5cca5a07cbd6f3eefe4b45fc2fddf112e15208dba9911e34b52d5f94a7622198e187db4f277a9e48279f7627360576b7ca70685d81eb2dde38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
791e52b3f00e8947fb685a23107c54ac

SHA1
b953e59f5a4146d74c60eac48dfac31a86a34555

SHA256
1bedf787ba7b4db549079ee2f7cd3bfcc2a18997b29ebdda4609e47d76aeea95

SHA512
c235305b4bf174d0f1a6c917fe6359e3a2c8ab7f4ba5da372bb2c0acc6242feda95b606e9bf1244e1094079e9db86130e802db37ab529115c24dd3dd4f7c07ab

Download Submit
C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
\??\pipe\LOCAL\crashpad_2516_XAVRTPOZEIYBYAQY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/900-373-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/1752-376-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/1752-389-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download