Analysis
-
max time kernel
128s -
max time network
124s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-04-2021 09:38
Static task
static1
Behavioral task
behavioral1
Sample
klok.exe
Resource
win7v20210410
General
-
Target
klok.exe
-
Size
6.0MB
-
MD5
f8206a65ddbdaf77b5f8be6599081cff
-
SHA1
c9929afc9c726e69a3aaaebb1810a93877d99e69
-
SHA256
baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3
-
SHA512
ffedbbe897519d928586c1b09e9c7d4930ad6d98de36093d27f903c5b0572ddb10c065c3a05e13829cfe93932bb77f62812c3f99553c0a84f7a8a863f575deb6
Malware Config
Extracted
danabot
1827
3
23.106.123.185:443
192.210.198.12:443
23.254.225.170:443
23.106.123.141:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
RUNDLL32.EXEflow pid process 11 2788 RUNDLL32.EXE -
Deletes itself 1 IoCs
Processes:
rundll32.exepid process 2732 rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 2732 rundll32.exe 2788 RUNDLL32.EXE 2788 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exeRUNDLL32.EXEpowershell.exepid process 1236 powershell.exe 1236 powershell.exe 1236 powershell.exe 2788 RUNDLL32.EXE 2788 RUNDLL32.EXE 208 powershell.exe 208 powershell.exe 208 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2732 rundll32.exe Token: SeDebugPrivilege 2788 RUNDLL32.EXE Token: SeDebugPrivilege 1236 powershell.exe Token: SeDebugPrivilege 208 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 2788 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
klok.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 3876 wrote to memory of 2732 3876 klok.exe rundll32.exe PID 3876 wrote to memory of 2732 3876 klok.exe rundll32.exe PID 3876 wrote to memory of 2732 3876 klok.exe rundll32.exe PID 2732 wrote to memory of 2788 2732 rundll32.exe RUNDLL32.EXE PID 2732 wrote to memory of 2788 2732 rundll32.exe RUNDLL32.EXE PID 2732 wrote to memory of 2788 2732 rundll32.exe RUNDLL32.EXE PID 2788 wrote to memory of 1236 2788 RUNDLL32.EXE powershell.exe PID 2788 wrote to memory of 1236 2788 RUNDLL32.EXE powershell.exe PID 2788 wrote to memory of 1236 2788 RUNDLL32.EXE powershell.exe PID 2788 wrote to memory of 208 2788 RUNDLL32.EXE powershell.exe PID 2788 wrote to memory of 208 2788 RUNDLL32.EXE powershell.exe PID 2788 wrote to memory of 208 2788 RUNDLL32.EXE powershell.exe PID 208 wrote to memory of 2280 208 powershell.exe nslookup.exe PID 208 wrote to memory of 2280 208 powershell.exe nslookup.exe PID 208 wrote to memory of 2280 208 powershell.exe nslookup.exe PID 2788 wrote to memory of 3128 2788 RUNDLL32.EXE schtasks.exe PID 2788 wrote to memory of 3128 2788 RUNDLL32.EXE schtasks.exe PID 2788 wrote to memory of 3128 2788 RUNDLL32.EXE schtasks.exe PID 2788 wrote to memory of 1552 2788 RUNDLL32.EXE schtasks.exe PID 2788 wrote to memory of 1552 2788 RUNDLL32.EXE schtasks.exe PID 2788 wrote to memory of 1552 2788 RUNDLL32.EXE schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\klok.exe"C:\Users\Admin\AppData\Local\Temp\klok.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\klok.exe2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,QhAyfI0=3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
47eebe401625bbc55e75dbfb72e9e89a
SHA1db3b2135942d2532c59b9788253638eb77e5995e
SHA256f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
539fb631c37f16a58f066fca8d734f47
SHA154d7f6258bc85ad1229c198e1cfea8ae248ffab5
SHA2563f3ef7c6e292aabbf6454ec96c87f8d548c11db5fc34d9b8e368a905e4b60bf4
SHA512c767f0f70336f8da3f7e89f45e5ae23b656e79c5d78b3bbac3690e7228d5cb477eac9fbe3803fd61549ce3083c0b0a67015806c7ad7485ee31b2b8d5b141809c
-
C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLLMD5
c82a4b861572d2434ab145431c3ce718
SHA13c53a19110c1d0e5bbabfb33d90830f3458bfd63
SHA256ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6
SHA512c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7
-
C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1MD5
43af04329596e11746589096ff125911
SHA1d5a2c443657225095ddd32acd017cbbbf5f3325d
SHA256b6d532d5f0bfb87f13ab270cff2af9cd60032f296971d71c483308fde9b8ffcb
SHA512e72ad57e83ae351cbcae261bbeab31cead3a8538280e7fe583d8893a6dd9bb77e7cf942ffbded5ccff0780db391f7b7b7bf12edf9e3a32dd57c8f3eae7b14032
-
C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmpMD5
c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1MD5
1ac11ad0943bfa534b222aa96c878a9c
SHA110f120d023c892171a0d774cd030d8c59335d92e
SHA25657e77ff2e3210c306b50a5e55a323fd616f10169cb2b5ad331e6bfd086bec682
SHA5120163193d5acaa8ed891ce3b286608a5d055b67b757baf5040d26b432d635dbec108c428d8c293f0f750cf45e9db98e2db712558effbb55be7dbe3e7170eb6224
-
C:\Users\Admin\AppData\Local\Temp\tmp92A4.tmpMD5
1860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLLMD5
c82a4b861572d2434ab145431c3ce718
SHA13c53a19110c1d0e5bbabfb33d90830f3458bfd63
SHA256ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6
SHA512c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7
-
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLLMD5
c82a4b861572d2434ab145431c3ce718
SHA13c53a19110c1d0e5bbabfb33d90830f3458bfd63
SHA256ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6
SHA512c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7
-
\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLLMD5
c82a4b861572d2434ab145431c3ce718
SHA13c53a19110c1d0e5bbabfb33d90830f3458bfd63
SHA256ceb45d4c7e40229621d326faf8ff2de10c105130d0a4cc5427c28616ec270cf6
SHA512c6e5531f27f2790bdbeb282c07cb4f26900e93ff6676397a5784cd6730ef9b1c4c8921d70539212eb96c177c72de4fcc89c05f3861f06f626d9ed7f5ad99fdb7
-
memory/208-168-0x0000000007A90000-0x0000000007A91000-memory.dmpFilesize
4KB
-
memory/208-170-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/208-165-0x0000000007670000-0x0000000007671000-memory.dmpFilesize
4KB
-
memory/208-172-0x0000000000DA2000-0x0000000000DA3000-memory.dmpFilesize
4KB
-
memory/208-156-0x0000000000000000-mapping.dmp
-
memory/208-182-0x0000000000DA3000-0x0000000000DA4000-memory.dmpFilesize
4KB
-
memory/1236-140-0x00000000082D0000-0x00000000082D1000-memory.dmpFilesize
4KB
-
memory/1236-133-0x0000000004A60000-0x0000000004A61000-memory.dmpFilesize
4KB
-
memory/1236-136-0x0000000007C70000-0x0000000007C71000-memory.dmpFilesize
4KB
-
memory/1236-137-0x0000000007E50000-0x0000000007E51000-memory.dmpFilesize
4KB
-
memory/1236-138-0x0000000007EC0000-0x0000000007EC1000-memory.dmpFilesize
4KB
-
memory/1236-139-0x0000000007C00000-0x0000000007C01000-memory.dmpFilesize
4KB
-
memory/1236-130-0x0000000000000000-mapping.dmp
-
memory/1236-141-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/1236-142-0x0000000004A32000-0x0000000004A33000-memory.dmpFilesize
4KB
-
memory/1236-143-0x0000000008600000-0x0000000008601000-memory.dmpFilesize
4KB
-
memory/1236-134-0x00000000075D0000-0x00000000075D1000-memory.dmpFilesize
4KB
-
memory/1236-145-0x00000000086D0000-0x00000000086D1000-memory.dmpFilesize
4KB
-
memory/1236-150-0x0000000009D30000-0x0000000009D31000-memory.dmpFilesize
4KB
-
memory/1236-151-0x00000000092B0000-0x00000000092B1000-memory.dmpFilesize
4KB
-
memory/1236-152-0x00000000070D0000-0x00000000070D1000-memory.dmpFilesize
4KB
-
memory/1236-135-0x00000000074B0000-0x00000000074B1000-memory.dmpFilesize
4KB
-
memory/1236-155-0x0000000004A33000-0x0000000004A34000-memory.dmpFilesize
4KB
-
memory/1552-185-0x0000000000000000-mapping.dmp
-
memory/2280-180-0x0000000000000000-mapping.dmp
-
memory/2732-127-0x0000000000E30000-0x0000000000F7A000-memory.dmpFilesize
1.3MB
-
memory/2732-115-0x0000000000000000-mapping.dmp
-
memory/2732-126-0x00000000050E1000-0x0000000005740000-memory.dmpFilesize
6.4MB
-
memory/2788-125-0x00000000044D0000-0x0000000004A8A000-memory.dmpFilesize
5.7MB
-
memory/2788-169-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/2788-122-0x0000000000000000-mapping.dmp
-
memory/2788-129-0x0000000004A90000-0x0000000004A91000-memory.dmpFilesize
4KB
-
memory/2788-128-0x0000000004EE1000-0x0000000005540000-memory.dmpFilesize
6.4MB
-
memory/3128-184-0x0000000000000000-mapping.dmp
-
memory/3876-117-0x0000000000B10000-0x0000000000BBE000-memory.dmpFilesize
696KB
-
memory/3876-116-0x0000000000400000-0x0000000000B01000-memory.dmpFilesize
7.0MB
-
memory/3876-114-0x00000000014E0000-0x0000000001BD6000-memory.dmpFilesize
7.0MB