danabot | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Analysis

max time kernel
459s
max time network
462s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Score

10^/10

danabot banker botnet discovery trojan upx

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot x86 payload 1 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
botnet

Processes:

resource yara_rule

C:\Users\Admin\DOWNLO~1\DanaBot.dll family_danabot
Blocklisted process makes network request 10 IoCs

Processes:

rundll32.exe

flow pid process

57 5092 rundll32.exe
74 5092 rundll32.exe
78 5092 rundll32.exe
79 5092 rundll32.exe
88 5092 rundll32.exe
91 5092 rundll32.exe
92 5092 rundll32.exe
93 5092 rundll32.exe
94 5092 rundll32.exe
95 5092 rundll32.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

DB.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DB.EXE
Executes dropped EXE 6 IoCs

Processes:

DanaBot.exeAV.EXEAV2.EXEDB.EXEEN.EXESB.EXE

pid process

1764 DanaBot.exe
4984 AV.EXE
396 AV2.EXE
1440 DB.EXE
1460 EN.EXE
3156 SB.EXE
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

4028 regsvr32.exe
4028 regsvr32.exe
5092 rundll32.exe

resource	yara_rule
C:\Users\Admin\DOWNLO~1\DanaBot.dll	family_danabot

flow	pid	process
57	5092	rundll32.exe
74	5092	rundll32.exe
78	5092	rundll32.exe
79	5092	rundll32.exe
88	5092	rundll32.exe
91	5092	rundll32.exe
92	5092	rundll32.exe
93	5092	rundll32.exe
94	5092	rundll32.exe
95	5092	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

pid	process
1764	DanaBot.exe
4984	AV.EXE
396	AV2.EXE
1440	DB.EXE
1460	EN.EXE
3156	SB.EXE

pid	process
4028	regsvr32.exe
4028	regsvr32.exe
5092	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DB.EXE	upx
C:\Users\Admin\AppData\Local\Temp\EN.EXE	upx
behavioral1/memory/1460-1128-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1440-1127-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1460-1157-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChilledWindows.exe

description	ioc	process
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

54 raw.githubusercontent.com
55 raw.githubusercontent.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3268 1764 WerFault.exe DanaBot.exe

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

pid	pid_target	process	target process
3268	1764	WerFault.exe	DanaBot.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640710640241125"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeChilledWindows.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{B9DC045C-F543-4C77-8B9F-C0160F1D5EC4}	ChilledWindows.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4224 WINWORD.EXE
4224 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1472 chrome.exe
1472 chrome.exe
1188 chrome.exe
1188 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1472 chrome.exe
1472 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe
Token: SeShutdownPrivilege	1472	chrome.exe
Token: SeCreatePagefilePrivilege	1472	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe
1472	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

WINWORD.EXE

pid	process
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE
4224	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1472 wrote to memory of 2472	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 2472	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 1760	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 2308	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 2308	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe
PID 1472 wrote to memory of 3412	1472	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8c3bab58,0x7fff8c3bab68,0x7fff8c3bab78
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:2
2⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:1
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4828 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4840 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:4468

C:\Users\Admin\Downloads\DanaBot.exe
"C:\Users\Admin\Downloads\DanaBot.exe"
2⤵
- Executes dropped EXE
PID:1764

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\DanaBot.exe@1764
3⤵
- Loads dropped DLL
PID:4028

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\DanaBot.dll,f0
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 464
3⤵
- Program crash
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4068 --field-trial-handle=1896,i,4910245315662097679,3617226081922550675,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1188

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1764 -ip 1764
1⤵
PID:1100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4276

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Time.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Time.exe"
1⤵
PID:1012

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
PID:3300

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe"
1⤵
PID:3492

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
1⤵
- Enumerates connected drives
- Modifies registry class
PID:3512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x49c
1⤵
PID:1880

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BonziKill.txt
1⤵
PID:4620

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Frankenstein.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe"
1⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\AV.EXE
"C:\Users\Admin\AppData\Local\Temp\AV.EXE"
2⤵
- Executes dropped EXE
PID:4984

C:\Users\Admin\AppData\Local\Temp\AV2.EXE
"C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
2⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\AppData\Local\Temp\DB.EXE
"C:\Users\Admin\AppData\Local\Temp\DB.EXE"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
PID:1440

C:\Windows\SysWOW64\cmd.exe
/c C:\Users\Admin\AppData\Local\Temp\~unins4031.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
3⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\EN.EXE
"C:\Users\Admin\AppData\Local\Temp\EN.EXE"
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
3⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\SB.EXE
"C:\Users\Admin\AppData\Local\Temp\SB.EXE"
2⤵
- Executes dropped EXE
PID:3156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
70044f79b5977e951a55726e51cfa29f

SHA1
c752dc706f44ea5bcab297502d557f451ec3354b

SHA256
48681851872b5c90ca743e98c4c74de82e3e048ae5001113deec0fff40af6c15

SHA512
1df59d8e96e2dea83c467bda1a91c651b2d4a1a7227def2b81a8439dc1b7664b45dd7d2686ecd893ad2d4b5fca427f09d407996df736968c49ee7305928e3f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
afeee970ce2f6895dcc71a264350c8d6

SHA1
93fe21d62421922c315704650f8b96f608637980

SHA256
df7d47ac0460951920ceda026b77d7c4c789f19ef548edaab665251e9100aa3d

SHA512
2f77b3a3c3fa38357f7e9f316cc4de52bb7ed800d92036fcc2a4de6a352794d82ab401e5b0e7572e56083fb1ef0ecc49024b4dcad4a3a413eaeb8cb79e0b37ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
99b962ecb5366fb5ba892b9b306708dc

SHA1
b3b427b706982df1fd24de4ac520e6ebd3239077

SHA256
79c4c4a1cca041eca737740311971b48bf97d8438ff3e844c36853c47be2bc46

SHA512
63e1100b0bad5368d395243d20536c3f4d79abdbc3ac56f5d57013879b138abacd501a696770dbc19d134511d488a115aca4233974a851aa815bf6391a66a603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ac4b3e36adbd5bf1d6297ae008ce8c4a

SHA1
c19faf426ca77862b4b59ba104bd7f24dec528f4

SHA256
3c8814bf5055e5a70d05869d8028d8aa76d57bbc105f164b66217fd965d2b89a

SHA512
69d5b9a337e9ba3898cd850e481eb7883cdf181af4e1b6ea483a05b1a6f473ad55dc7071312b7357706db344c57d1c901489095fcfde3b32289d6194ae6049b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fc6d490e3fd9fc812082ac9a74ebc3bf

SHA1
cff6cfa59ad2d1323ef5c4933ee26aa52b7bbc7c

SHA256
f1d33881ba977f6b523faa23f3ecc3d178562861fecfb55bdf272b5bbb31e6e0

SHA512
8c0beb7053aa8e0d7ddf761dce39618fec1fc4bf0d05a9a2f0cb3e146a04295ae5923ce8624ff8f6329204b756e814e73a495d63a1cef49cfdd815d36adefe61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ba6bd2b9bc0f4908c6bd02393225e0be

SHA1
a6730fc8d85d12d3ae3e57648aa71642590e2313

SHA256
7ccf473d868f5802539b4a79eb97f6e4bafe606da2678eedee151ac0154a0321

SHA512
f3a65dc05182e65af69332705587f268e728d317720327c95d285287ce1df6ecf2e1259121faad3186c2be4859a246178937631901542e72e1ea6e7581920ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ce80a0e576ed49692baaca2b13253953

SHA1
cd5481aeadfb48ef5a8612cae5feee11ac44101b

SHA256
1dcea09f56a7471deec959a327d6a34563862da9be37e4581d9045ccb26e9d06

SHA512
9410a2bbeffee7a943fe2f15ada40e4d15c614c30ef57aacfbeaea70a73ddafd15e5e5f8b6716baddf53396580711a1bfe73c7f52a459853301c93176d1fcaef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
482f04520109b868a50375fdd17c27f6

SHA1
1330b7432acf0b9b237d5bb315648bc4f6edee42

SHA256
11f229a6630ede93f93c63068834f86d9f596226cf6a7852a9fb89b44b7e7948

SHA512
f1e602b5eeec65a8391b862c961fedfe054022a881967f5cbc57e9c86ed522d5d069834d6afefcd0bb1d70eade10c887cfdf21bdaa0a2d517488bc3d2840483e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
4a7b9c20f6287218c6ccc85693e2df1e

SHA1
c51054ab92a63892b085e8432a4ef09f1b80ab34

SHA256
cbfea1f85464baa7e5b5d22ee391e9c314636adb393c02d109b35304e5c87e95

SHA512
60e17036ba68883271e3053d159bfec5c3ea03099631b11c67d37ff8f2fa653b8ee581f519d6f1ead7dbc224b94e76980ca42a77dfe189f8d4989b7b61736f26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
37edde5bb4f9b8a562f6a8ba978b109f

SHA1
1ed363ce0143d761230ca57af98971116f2ac47d

SHA256
882e20e566e890fd59231f34147bc2f010f0f822a021040fe4caee455b069d55

SHA512
15dc8817766ad1c76b5d4c8d8d2cb582523958098bc1194c7d0e0df1ff08f53144046f06630f28b47b92b67170a4e6eeafa0f27d99b994a0e712137bb9b73dae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
36ef04313eb8dc39695e0485e8d33bd1

SHA1
3f98beb701102319376620bc51de1996bfd45da9

SHA256
1a136e4c949e236d35133fb79503fccaa1d289a87bb063d0182e2c248b319798

SHA512
e4c159c1afcb910ac198aa37d5bec152d570fba2b51ed8fa67dc6701d4ab9268954baca16ad862bb9c41e2e2a75340d367dcf31e2dedb0e45887069e4d21b316

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
52a1964c6858a93214ebca640a52a9c0

SHA1
53dee4cb4a53e66f8f86db307f1748e54f80e186

SHA256
ede9d27855d36051e05051f3a942aa487d52d172743959eeaca6f672438d18e0

SHA512
b0cb703d14a0a3a776d0fa19ef91d77ec92c7c983d701c6f58ab919b8ae09e9af0a6bb2b7ed59157b40a890d6e08186797993d5737fb6e6f94ef648a5d490558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
cdaa2cc23115467c51b4eabdf9ef4fcb

SHA1
373fc789ca8aa3fcb1edd727a40d1189107db810

SHA256
97ef12ea28f8e4d0d7a2d9969c3110f425ca590e89197571ae604b0cee6af78a

SHA512
0b841facf262e06df4d85141bf09c4493f4abc987e19e5c001e9ecf5037758fe49ad72882cac1ac47be198892f2527d30ed7dc1af1600dca6bdbfc6b308f279f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57ccc6.TMP
Filesize
88KB

MD5
0217108ef1b33d88c4e7f75acae5dfa8

SHA1
905e370529b2fd354936790bedda704bafe0a79a

SHA256
151ee230b63f6b7a0335dde346434c8d2fd5335f1830e82d642206a2c51a9741

SHA512
aaba659016351087b51e0e9e3f5c40ea39c1438caca253a4ee4b326f7159c794f0bc43b846152ae09e10547fe7517547b710989b72b53e2a55687b6aa657cf4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
576KB

MD5
d6077c9992ee1d3c7b6a5f1622062b2e

SHA1
43f26a601d410202dca2b4ec35d3d2d5fd5f49d9

SHA256
d5d9ec34c0f16cb423f5f1460f7a4a2c978b9399f515595020a7b2590893a80d

SHA512
7f87d5a53b9c2eae6e01e3f226b98381f88ae9edbb61b49b0483182e6d87fa0b34a4b8fac40fb4ed7ad328977992288c3b55ce10343228061abaad6c306a1df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE
Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE
Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE
Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE
Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE
Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE
Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDC3CB.tmp\iso690.xsl
Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
257B

MD5
b451efa2021dc50bbf5a8f4a3bc51d2b

SHA1
eba975ce57a9b8808a41c8302edcb4fa0a9193f1

SHA256
29116d7ad2bfb4ab3e51c8cea1e5856a8a5981aac3154b9b7e968ba57042bf86

SHA512
ed5468c7126b6d03b1fa9f8541665ae9a1dba0d2d90a2ec4d5520f4e57825f178036a630a603df46dd25f465e257b770a92c6592b197528102e1e8ce8ef3eda9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
fc008b7a410529d69d32930965f62f21

SHA1
020c3e72ae41f7bcdc630e191ca6cd7743f08815

SHA256
d48367799b150ce5dd1607f91c820cb75d3508fe36d578413dba0a04470aeec2

SHA512
2026d1b91f75319174bd9ca0854e7477a50e6c9083a24df8fbf45f117056511f7a79f31be08be219ef31827a897ba9846d78c018ed45c0a41d6b2da17c1f483c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
4KB

MD5
454f8b2fe3e06cdc6e6309742f673a38

SHA1
e9c9e55ba9bcb96e2a0cab0758f879fe1cc1059e

SHA256
163dfd44d6579886765cd1be500b17b36d28944bb6294ddee3a336c45417a0d4

SHA512
bc60cabebce516c918b3461e13ce7f0be76547fa1a4236bbafae1a407556e8c1fae1f6e8eab1dbd53e2d4fc44c1524e185835d0e244cec76fe4895e273dc1290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\AutoRecovery save of Frankenstein.asd
Filesize
579KB

MD5
ad7891d40f9adac5e864248508419cc3

SHA1
6c2d03012de5aa1013b94a191637bd637981a981

SHA256
b1d8c7389b88ac7412ee7f29c6b424d4d57d39a73ce1777154666c27b2fa3547

SHA512
1d56fc836ef15b1524d2bee6abc132504ce535335dd58c05dfc6e62527c2c100f9ed8a48150487ce1b9efdad42c3290bf8954c80346c464d001fe1668eefd143

Download Submit
C:\Users\Admin\DOWNLO~1\DanaBot.dll
Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\chilledwindows.mp4
Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\tsa.crt
Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 324174.crdownload
Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
\??\pipe\crashpad_1472_KNNTIIUPTKOTFIQP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1012-405-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1012-391-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1012-396-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1012-407-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1440-1127-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1460-1128-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1460-1157-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1764-245-0x00000000029A0000-0x0000000002C2D000-memory.dmp

Filesize
2.6MB

Download
memory/1764-244-0x0000000002710000-0x0000000002994000-memory.dmp

Filesize
2.5MB

Download
memory/1764-246-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/1764-261-0x00000000029A0000-0x0000000002C2D000-memory.dmp

Filesize
2.6MB

Download
memory/1764-262-0x0000000000400000-0x000000000069A000-memory.dmp

Filesize
2.6MB

Download
memory/1764-260-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3300-408-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3300-395-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3300-392-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3300-409-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3492-413-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3492-412-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3512-429-0x000000001F170000-0x000000001F17E000-memory.dmp

Filesize
56KB

Download
memory/3512-415-0x0000000000770000-0x0000000000BD4000-memory.dmp

Filesize
4.4MB

Download
memory/3512-427-0x000000001C130000-0x000000001C138000-memory.dmp

Filesize
32KB

Download
memory/3512-428-0x0000000021660000-0x0000000021698000-memory.dmp

Filesize
224KB

Download
memory/4028-256-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4028-255-0x00000000025C0000-0x000000000282B000-memory.dmp

Filesize
2.4MB

Download
memory/4224-501-0x00007FFF587D0000-0x00007FFF587E0000-memory.dmp

Filesize
64KB

Download
memory/4224-499-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

Filesize
64KB

Download
memory/4224-500-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

Filesize
64KB

Download
memory/4224-498-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

Filesize
64KB

Download
memory/4224-497-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

Filesize
64KB

Download
memory/4224-496-0x00007FFF5ABF0000-0x00007FFF5AC00000-memory.dmp

Filesize
64KB

Download
memory/4224-502-0x00007FFF587D0000-0x00007FFF587E0000-memory.dmp

Filesize
64KB

Download
memory/5092-292-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/5092-309-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads