Analysis
max time kernel: 137s
max time network: 137s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250217-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 22/02/2025, 22:21
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted: danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Signatures
-
Danabot family
-
Danabot x86 payload (1 IoC)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource | yara_rule
behavioral1/files/0x0007000000027ded-480.dat | family_danabot
-
Blocklisted process makes network request (1 IoC)
flow | pid | Process
73 | 3272 | rundll32.exe
-
Downloads MZ/PE file (2 IoCs)
flow | pid | Process
51 | 5800 | msedge.exe
51 | 5800 | msedge.exe
-
Executes dropped EXE (1 IoC)
pid | Process
232 | DanaBot.exe
-
Loads dropped DLL (4 IoCs)
pid | Process
5384 | regsvr32.exe
5384 | regsvr32.exe
3272 | rundll32.exe
3272 | rundll32.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow | ioc
50 | raw.githubusercontent.com
51 | raw.githubusercontent.com
-
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2284 | 232 | WerFault.exe | 115
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DanaBot.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings | msedge.exe
-
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
5800 | msedge.exe
5800 | msedge.exe
5032 | msedge.exe
5032 | msedge.exe
1560 | identity_helper.exe
1560 | identity_helper.exe
5344 | msedge.exe
5344 | msedge.exe
2732 | msedge.exe
2732 | msedge.exe
1504 | msedge.exe
1504 | msedge.exe
1504 | msedge.exe
1504 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
pid | Process
5032 | msedge.exe (11 identical entries)
-
Suspicious use of FindShellTrayWindow (58 IoCs)
pid | Process
5032 | msedge.exe (58 identical entries)
-
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
5032 | msedge.exe (24 identical entries)
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5032 wrote to memory of 3956 | 5032 | msedge.exe | 83
PID 5032 wrote to memory of 5052 | 5032 | msedge.exe | 84
PID 5032 wrote to memory of 5800 | 5032 | msedge.exe | 85
PID 5032 wrote to memory of 4740 | 5032 | msedge.exe | 86
(each of these rows is repeated in the report; 64 entries in total)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows parent/child depth)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5032)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3956)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff5e6246f8,0x7fff5e624708,0x7fff5e624718
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5052)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5800)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4740)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1044)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2276)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5884)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:8
-
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1560)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6012 /prefetch:8
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3392)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1856)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1404)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2624)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1476)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 844)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3736)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5344)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2792 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3356)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2732)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5188)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1504)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5460 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2148)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
-
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3456)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,7842818859797185925,7565607992839345844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
-
    C:\Users\Admin\Downloads\DanaBot.exe (PID 232)
    "C:\Users\Admin\Downloads\DanaBot.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
-
        C:\Windows\SysWOW64\regsvr32.exe (PID 5384)
        C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@232
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
-
            C:\Windows\SysWOW64\rundll32.exe (PID 3272)
            C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
            - Blocklisted process makes network request
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
-
        C:\Windows\SysWOW64\WerFault.exe (PID 2284)
        C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 472
        - Program crash
-
C:\Windows\System32\CompPkgSrv.exe (PID 1640)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (PID 5152)
C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe (PID 516)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\SysWOW64\WerFault.exe (PID 1320)
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 232 -ip 232
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 10KB
MD5: 94caeb51968eec58fdb181e3e6aea2ab
SHA1: c4ef8b32f2db1ef6a7dd9a59c9338d43732e866c
SHA256: 934cbabc0150c227c20bf537a4294efce756aaca4492595bbf439aa3a90f9d34
SHA512: 42d6cfd91863c9032cc566e14abaeb09ce6e5709424f30b458ebde06b461856ff255692b9148de0cfcf2b223665ceee6ce2538713e90a6609701f49e1041391d
-
Filesize: 152B
MD5: ed05621b2a1e4a5665da21bfaf333a47
SHA1: 4cd83a338b9bb2940b9cd9c3c8cc6a7638556579
SHA256: bc3f423aae2852f02ecee50bc19e7c78cc61b20e0d3bb04237ec628c3cf63c5a
SHA512: 775d9523db85198ce510e082e2932fdcb7ef2ef1ec8d730cada441f795919399ecb3fb72b498c1c20c555aa95728a33bc45387ae43818cef51a19316bd80b2df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 7a1db52aee336d6babb258dcb65b9155
SHA1: 1acd904ce998c6a0dade71a325d92a9932ccf716
SHA256: 46bf1402c334d276a617a0c0c4b767df9d92550375239147b7cd11eda32f5527
SHA512: 10b1a874042f1bb1e3b7d1293dda159c9726cd30a2330f1c88b9401b1e26011b814f9a8c83f4b3327bbe904298d0aead8f974747305328652128886f57dd8008
-
Filesize: 579B
MD5: eaa41e447d34ee9c6bea6cf1ecc64ebd
SHA1: a2a47395a06103cdcd85d3f247fd3b55bbc44d3b
SHA256: 62b4fb5acfee3d2deb0d1390df26172cfa2b5a17289541d7e7caa2af7c5d379c
SHA512: 5cd96c25eca6189037a78cf9cf4fc93771bd939420c27e9e6fb0144c3c738d3b6c1d69bdfc1bd98c140a40dab0cedee34b37adfed69fc79e5a8c601140376844
-
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 6KB
MD5: a026e2bad29857a692a97c5adcb786c1
SHA1: ece64944d64fd54b5ceb81b0ab528c478413eeba
SHA256: 1e918c8e148642130182771164330b511a866f02c3e76923f566efa6a8601475
SHA512: b5a03b2582debcb7f5685bb1acfa22f35a3d7f252eca03a0d47a11428f3c06d709b26ef250b5a0b0ebf65e5044382a2961da0729c3d403a01c496d176fa7490f
-
Filesize: 5KB
MD5: b8aafcfde49a758d6f05217ae01248c4
SHA1: 5d932f028f1e32181fb04adcef81cbd40ccf168b
SHA256: 4c436093a0cc8d6d00eab67cfb21ef92b93494d9d3f3b030f170ddd442c7c1e7
SHA512: a683875a95294d85c1a5c3e9a4e0d76f7bbb66ad0e4f8b4d293bdda7a50db0fe36a7ff83b2668e31ff01a1031b746887fa74956e386e347036eb72143a8dc069
-
Filesize: 6KB
MD5: 4d11823a22f9b8a6fcfbfecba46ece94
SHA1: c97eb22e03e1f4492a04fe5d2d2ffdfd0937c879
SHA256: 86ed19214cdc4e37ff42ebf72f10a534aaba4d5e6c2a58d389409060a3e17c90
SHA512: d87f7713e710f971a6a738ba4fa1a035edf164a7a4c386a3b54b90e5d02ed3dfb95c70ccf0b760c2fa0a8c3195dca4d2488315b0322588b91faaf8a9855bc069
-
Filesize: 24KB
MD5: e06e0eabe13da96c0555c9f41f27680f
SHA1: aeb0ff83a4000fc3425afae51862c468d640d773
SHA256: 41cdd39dd72d2e3b06cb3894fb08435c66cab64a4b5e6f7c42744886e60a6368
SHA512: 6fdc73101ec2eb9d36a7614e6e824b90af33ffc9a2249f08060f0d26bf0776d07bb65eb4f11fa2a9c07e248e7f5396d8fb5271a48b9927e2603edcf332a527aa
-
Filesize: 1KB
MD5: 80e228e6c3f831a101e380d71a429c6c
SHA1: 15d93128b01b3bdc42cdd200df92ca8f781f2ad4
SHA256: 70c58e9d8565782775340c11e385149f29def83dbbd287a97306c72cb0c7230f
SHA512: e84657477bbf8b2f2dbf5037cdaadd255b16883e6405d8fc241687b93716ae4e0c29020e50f65f826143fefd534676023b8121e15ac8147482e5e4f442fc1cda
-
Filesize: 1KB
MD5: 0b86a9711959eff2edf3d56e1d696a71
SHA1: 2ee98226fb0b6e64af7ed19b287f1c8e86a81f58
SHA256: 1b02278926e70acb9b1c7e4064f724e4b468f1fab0a6a1dd24139134ebe27796
SHA512: 7c85949f5641ad99b4fc96dbb8d2ad35ccddb2cc982fdbd847e8ff876f9e3c9768bea0ceb317a886944f57f79afe9b53447736f6063f787ff92baacbfc908386
-
Filesize: 1KB
MD5: de9641b099d7ee6cc480bd815cfe79a6
SHA1: 081a957c040b629f4c7cdcd2b4756cb041cf9b0f
SHA256: a22cdc30e792f78f73b9b3ab96eea8309c1ed79805eb5fcd62771062f5f29a26
SHA512: 64174694f4020520a12b2441d84ad3506b3dbe0cfde7c413e028e805ec9b4e5da7d74d2f505a7da9ea4f40327dab89b897335944447a930c7232a087301b6e1b
-
Filesize: 1KB
MD5: aff5ee3011ab2a5860012bce336eef30
SHA1: f22eb2b4ac8e512dddb7c2c3e885535cf3714fcc
SHA256: da4bfeef895c35ccc50d579c4ad381b5e689fdd8ec97e3384c04b080c477dd58
SHA512: 06010c1008c733abef1db85c691a1f835579171f46e44ce8d1c3c59554b8bef06cb8b57999fbe17a2b6866dae7f876e877733d0b3246683ee2d28e4f96a135b4
-
Filesize: 1KB
MD5: 2dcf06452d6396fe48edf5834b792a9f
SHA1: 6ac59477207d3c34fc0af73ae4197d687b5f5758
SHA256: 167918a910b1057e77a79ad37a8b1b270144ea567ae5327ca1772afdc12aa90d
SHA512: 68f832b98a21b1022d6a0c5fab04730ed6812ccf9508e7bdf3376428a8f9fb5aeda9e3308363f9654171a66b1e57bcbbee6a68056d72f85e8d3a6dedca56588e
-
Filesize: 1KB
MD5: 7e89104e1e2c5e878d9ce1709d8e5275
SHA1: c3136114ef73ec7a5adf4585566363992abbba6f
SHA256: 6aa69921b90c198258f43aff086562e5063db300c335700307677d1efefe775b
SHA512: f74445e638c126bb571975f1155f8002778eed6191c1c89d9f75556b827261232c45f80b46afe1e53bed252f53bb0fc807e0637fa31d4f7a9901ef3b4397398c
-
Filesize: 874B
MD5: 5784d3e757557f5d3738894e52f2976f
SHA1: 55ea410fd1f7bd9ebbb72f5d2dff531291b9322e
SHA256: f2a55cc47f65c0c0613424c72386dcc1a5aff369c07cf9103b9ab905c7242de4
SHA512: e154300423b03ab8e66864edf89fd6e167a862f4055cc7325f70319f3bf7a04a348a60ef3e21cb913df0b6a8208079081a61f54c41b69e7d6ef5934a06746f78
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5: b3c514285fb8a5d1b8e1bc24ba19ad9a
SHA1: a1e6d9e57d99cad93400001f7a47b6f1c3380d0a
SHA256: 29ca85b05830b7c219d7d51a272afc9b285e2211c7c70821aaf1d1adeee959c8
SHA512: 775fbb1aac8bc187b98e82421f95a746d29a894a3d791e08153df27e2e4179327e618bdb278cd7284c804cc222e0268cd0aa462a248db6208a7347c37e5c0891
-
Filesize: 11KB
MD5: 53e328d2ecfe3ed8f83e9793e6bd7417
SHA1: 08805532af46b6287e77b9ad51025484d4bbdcc0
SHA256: 8490c542e428df26a14c44eec4cc099bcbcf02a842639ae71dc2537a054856d2
SHA512: eaf6c1c83a5a479a88e2f0d3d46fcbdac5cec7283b34ffc52bd8b38627f091fbc540952de2b76c221b1aad1ed1dae94d67672b9ceb31a0dec4bb1a26a7e1bd7e
-
Filesize: 10KB
MD5: b3c77753066ed8e455e691956805b9ec
SHA1: f9827b961104d6d66119f91ea198e5d56c2a72c7
SHA256: 553a897a33bd60d8e2b5e572a71e9f13d1dcfe1adde4d2ba6bc616e12aea0c1f
SHA512: f35a0d10706350b48a8fc65091befb2e0e2d437ec732deeb306747f06572c8c8e477375ce7ee2322cf408adf86cd44b0d478dce36da36630853cd3d21f1ddbb1
-
Filesize: 11KB
MD5: f05a376783c4bf1fe81bd720c8e53f11
SHA1: 77e3b4a9bcc71c38134dba751e5dd9bb9baa788d
SHA256: ef5fe9c94759a0ab0728260a768ceee813acaf009aa2e0c3ed042f31d9ce9d60
SHA512: 5f9c153b62439881f9b71bd5b5b422a8a9a6fc2924e75d8f289fef60e5749f6647563dc316d7e4c2bb1c94e7fe9ba5501d6c3756368ba60649b20f35f4b19fa0
-
Filesize: 10KB
MD5: 60ad66aec0f1071770421f002db57599
SHA1: 08e4d7883d7ac9edef97176f2606fb5dfa892cc5
SHA256: 3bd88e380c801dfd8284b07ea93804d917a12b6140ec579a217f9c598f8d331f
SHA512: a04096ca9d66af3099b70a791dbdadff22d040dbab2c4385a44653830445bbc3eef8d1f7897fe428b5e4bbbd28673db071f2c38b2c45ac724b774286d0c19c3d
-
Filesize: 2.4MB
MD5: 7e76f7a5c55a5bc5f5e2d7a9e886782b
SHA1: fc500153dba682e53776bef53123086f00c0e041
SHA256: abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3
SHA512: 0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24
-
Filesize: 102KB
MD5: 510f114800418d6b7bc60eebd1631730
SHA1: acb5bc4b83a7d383c161917d2de137fd6358aabd
SHA256: f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89
SHA512: 6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a
-
Filesize: 2KB
MD5: a56d479405b23976f162f3a4a74e48aa
SHA1: f4f433b3f56315e1d469148bdfd835469526262f
SHA256: 17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512: f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize: 2.7MB
MD5: 48d8f7bbb500af66baa765279ce58045
SHA1: 2cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256: db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512: aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd