klok.exe

General

Target:    klok.exe
Filesize:  5MB
Completed: 18-04-2021 09:40
Score:     10/10
MD5:       f8206a65ddbdaf77b5f8be6599081cff
SHA1:      c9929afc9c726e69a3aaaebb1810a93877d99e69
SHA256:    baef74c9dbf470ffbe0261de0843db69a6037c167cf003f5703b905d3ad6c3a3

Malware Config

Extracted

Family:  danabot
Version: 1827
Botnet:  3
C2:
  23.106.123.185:443
  192.210.198.12:443
  23.254.225.170:443
  23.106.123.141:443

Attributes
  embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
  rsa_pubkey.plain
Signatures 12

  • Danabot
    Description: Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request
    RUNDLL32.EXE
    Reported IOCs
      flow  pid   process
      1     2788  RUNDLL32.EXE

  • Deletes itself
    rundll32.exe
    Reported IOCs
      pid   process
      2732  rundll32.exe

  • Loads dropped DLL
    rundll32.exe, RUNDLL32.EXE
    Reported IOCs
      pid   process
      2732  rundll32.exe
      2788  RUNDLL32.EXE
      2788  RUNDLL32.EXE

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System, Credentials in Files

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Checks processor information in registry
    RUNDLL32.EXE
    Description: Processor information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, System Information Discovery
    Reported IOCs
      description        ioc                                                                                   process
      Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RUNDLL32.EXE
      Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, RUNDLL32.EXE, powershell.exe
    Reported IOCs
      pid   process
      1236  powershell.exe
      1236  powershell.exe
      1236  powershell.exe
      2788  RUNDLL32.EXE
      2788  RUNDLL32.EXE
      208   powershell.exe
      208   powershell.exe
      208   powershell.exe

  • Suspicious use of AdjustPrivilegeToken
    rundll32.exe, RUNDLL32.EXE, powershell.exe, powershell.exe
    Reported IOCs
      description              pid   process
      Token: SeDebugPrivilege  2732  rundll32.exe
      Token: SeDebugPrivilege  2788  RUNDLL32.EXE
      Token: SeDebugPrivilege  1236  powershell.exe
      Token: SeDebugPrivilege  208   powershell.exe

  • Suspicious use of FindShellTrayWindow
    RUNDLL32.EXE
    Reported IOCs
      pid   process
      2788  RUNDLL32.EXE

  • Suspicious use of WriteProcessMemory
    klok.exe, rundll32.exe, RUNDLL32.EXE, powershell.exe
    Reported IOCs
      description                       pid   process         target process
      PID 3876 wrote to memory of 2732  3876  klok.exe        rundll32.exe
      PID 3876 wrote to memory of 2732  3876  klok.exe        rundll32.exe
      PID 3876 wrote to memory of 2732  3876  klok.exe        rundll32.exe
      PID 2732 wrote to memory of 2788  2732  rundll32.exe    RUNDLL32.EXE
      PID 2732 wrote to memory of 2788  2732  rundll32.exe    RUNDLL32.EXE
      PID 2732 wrote to memory of 2788  2732  rundll32.exe    RUNDLL32.EXE
      PID 2788 wrote to memory of 1236  2788  RUNDLL32.EXE    powershell.exe
      PID 2788 wrote to memory of 1236  2788  RUNDLL32.EXE    powershell.exe
      PID 2788 wrote to memory of 1236  2788  RUNDLL32.EXE    powershell.exe
      PID 2788 wrote to memory of 208   2788  RUNDLL32.EXE    powershell.exe
      PID 2788 wrote to memory of 208   2788  RUNDLL32.EXE    powershell.exe
      PID 2788 wrote to memory of 208   2788  RUNDLL32.EXE    powershell.exe
      PID 208 wrote to memory of 2280   208   powershell.exe  nslookup.exe
      PID 208 wrote to memory of 2280   208   powershell.exe  nslookup.exe
      PID 208 wrote to memory of 2280   208   powershell.exe  nslookup.exe
      PID 2788 wrote to memory of 3128  2788  RUNDLL32.EXE    schtasks.exe
      PID 2788 wrote to memory of 3128  2788  RUNDLL32.EXE    schtasks.exe
      PID 2788 wrote to memory of 3128  2788  RUNDLL32.EXE    schtasks.exe
      PID 2788 wrote to memory of 1552  2788  RUNDLL32.EXE    schtasks.exe
      PID 2788 wrote to memory of 1552  2788  RUNDLL32.EXE    schtasks.exe
      PID 2788 wrote to memory of 1552  2788  RUNDLL32.EXE    schtasks.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\klok.exe
    "C:\Users\Admin\AppData\Local\Temp\klok.exe"
    Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\klok.exe
      Deletes itself
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL,QhAyfI0=
        Blocklisted process makes network request
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1"
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1236
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1"
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:208
          • C:\Windows\SysWOW64\nslookup.exe
            "C:\Windows\system32\nslookup.exe" -type=any localhost
            PID:2280
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
          PID:3128
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          PID:1552
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  • C:\Users\Admin\AppData\Local\Temp\KLOKEX~1.DLL
  • C:\Users\Admin\AppData\Local\Temp\tmp7F09.tmp.ps1
  • C:\Users\Admin\AppData\Local\Temp\tmp7F0A.tmp
  • C:\Users\Admin\AppData\Local\Temp\tmp9293.tmp.ps1
  • C:\Users\Admin\AppData\Local\Temp\tmp92A4.tmp