danabot | 83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243

Analysis

max time kernel
125s
max time network
141s
platform
windows7_x64
resource
win7v20210410
submitted
03-05-2021 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae672455_by_Libranalysis.exe
Size

1.0MB
MD5

ae672455612bde0a10259c441ffc97b3
SHA1

378527fc598c402982fc0816282fef5e97318a76
SHA256

83c713b4f6938fb03c8ddbbfd0830b90aa9dc33cc8309f8866396860e4b59243
SHA512

f366df4117ff648b3d205dd0c5713054a6733bc86e70018065514d0075c87c50b188a95a159dd6ccda72bce22f3baf5797e3cfc470ac150bf47e6c74851fbe81

Score

10^/10

danabot 3 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

23.106.123.185:443

192.210.198.12:443

192.236.147.83:443

37.220.31.94:443

Attributes

embedded_hash
AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 9 IoCs

Processes:

RUNDLL32.EXEWScript.exe

flow	pid	process
17	660	RUNDLL32.EXE
20	536	WScript.exe
22	536	WScript.exe
24	536	WScript.exe
26	536	WScript.exe
28	536	WScript.exe
29	660	RUNDLL32.EXE
32	660	RUNDLL32.EXE
33	660	RUNDLL32.EXE

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Ama.exe.comAma.exe.comhhbkyjfkvkjm.exe

pid process

316 Ama.exe.com
1480 Ama.exe.com
1316 hhbkyjfkvkjm.exe

pid	process
316	Ama.exe.com
1480	Ama.exe.com
1316	hhbkyjfkvkjm.exe

Loads dropped DLL 11 IoCs

Processes:

cmd.exeAma.exe.comrundll32.exeRUNDLL32.EXE

pid	process
1980	cmd.exe
1480	Ama.exe.com
1480	Ama.exe.com
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe
660	RUNDLL32.EXE
660	RUNDLL32.EXE
660	RUNDLL32.EXE
660	RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

RUNDLL32.EXE

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini RUNDLL32.EXE
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	RUNDLL32.EXE

flow	ioc
6	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ama.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ama.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ama.exe.com

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Ama.exe.comWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Ama.exe.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Ama.exe.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

292 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

description pid process

Token: SeDebugPrivilege 1504 rundll32.exe
Token: SeDebugPrivilege 660 RUNDLL32.EXE

pid	process
292	PING.EXE

description	pid	process
Token: SeDebugPrivilege	1504	rundll32.exe
Token: SeDebugPrivilege	660	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ae672455_by_Libranalysis.execmd.execmd.exeAma.exe.comAma.exe.comhhbkyjfkvkjm.exerundll32.exe

description	pid	process	target process
PID 308 wrote to memory of 1192	308	ae672455_by_Libranalysis.exe	svchost.exe
PID 308 wrote to memory of 1192	308	ae672455_by_Libranalysis.exe	svchost.exe
PID 308 wrote to memory of 1192	308	ae672455_by_Libranalysis.exe	svchost.exe
PID 308 wrote to memory of 1192	308	ae672455_by_Libranalysis.exe	svchost.exe
PID 308 wrote to memory of 2020	308	ae672455_by_Libranalysis.exe	cmd.exe
PID 308 wrote to memory of 2020	308	ae672455_by_Libranalysis.exe	cmd.exe
PID 308 wrote to memory of 2020	308	ae672455_by_Libranalysis.exe	cmd.exe
PID 308 wrote to memory of 2020	308	ae672455_by_Libranalysis.exe	cmd.exe
PID 2020 wrote to memory of 1980	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1980	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1980	2020	cmd.exe	cmd.exe
PID 2020 wrote to memory of 1980	2020	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1540	1980	cmd.exe	findstr.exe
PID 1980 wrote to memory of 1540	1980	cmd.exe	findstr.exe
PID 1980 wrote to memory of 1540	1980	cmd.exe	findstr.exe
PID 1980 wrote to memory of 1540	1980	cmd.exe	findstr.exe
PID 1980 wrote to memory of 316	1980	cmd.exe	Ama.exe.com
PID 1980 wrote to memory of 316	1980	cmd.exe	Ama.exe.com
PID 1980 wrote to memory of 316	1980	cmd.exe	Ama.exe.com
PID 1980 wrote to memory of 316	1980	cmd.exe	Ama.exe.com
PID 1980 wrote to memory of 292	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 292	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 292	1980	cmd.exe	PING.EXE
PID 1980 wrote to memory of 292	1980	cmd.exe	PING.EXE
PID 316 wrote to memory of 1480	316	Ama.exe.com	Ama.exe.com
PID 316 wrote to memory of 1480	316	Ama.exe.com	Ama.exe.com
PID 316 wrote to memory of 1480	316	Ama.exe.com	Ama.exe.com
PID 316 wrote to memory of 1480	316	Ama.exe.com	Ama.exe.com
PID 1480 wrote to memory of 1316	1480	Ama.exe.com	hhbkyjfkvkjm.exe
PID 1480 wrote to memory of 1316	1480	Ama.exe.com	hhbkyjfkvkjm.exe
PID 1480 wrote to memory of 1316	1480	Ama.exe.com	hhbkyjfkvkjm.exe
PID 1480 wrote to memory of 1316	1480	Ama.exe.com	hhbkyjfkvkjm.exe
PID 1480 wrote to memory of 2016	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 2016	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 2016	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 2016	1480	Ama.exe.com	WScript.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1316 wrote to memory of 1504	1316	hhbkyjfkvkjm.exe	rundll32.exe
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1504 wrote to memory of 660	1504	rundll32.exe	RUNDLL32.EXE
PID 1480 wrote to memory of 536	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 536	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 536	1480	Ama.exe.com	WScript.exe
PID 1480 wrote to memory of 536	1480	Ama.exe.com	WScript.exe

C:\Users\Admin\AppData\Local\Temp\ae672455_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\ae672455_by_Libranalysis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
2⤵
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Avvenne.pst
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^OrbGtAtgShJATMzcwdgeFqmrVYufAJzwsUiIUTHcvjNANrHaHsmcZKvOExKyxOOpTIoYFKAiISGzjZdSsN$" Crudelta.pst
4⤵
PID:1540

C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
Ama.exe.com p
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com p
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\hhbkyjfkvkjm.exe
"C:\Users\Admin\AppData\Local\Temp\hhbkyjfkvkjm.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\HHBKYJ~1.EXE
7⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL,OwoxjBwXAw==
8⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lbvmfghxbvq.vbs"
6⤵
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\nemjsckvrk.vbs"
6⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:536

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
69419470e1af9fbeae42d105f813f3ac

SHA1
753e7dc2b4d94440ace22aa71e65961272649afe

SHA256
ba54b325f59297c9a62a999de3fbbe461441dd33c869d648dbcf4e1ccaa94dd3

SHA512
d3fc01f1e2d0e48ae6bd40d6b1256730632de8664cf4e8a8a8490fe465f0e5cd9d53c85ebfc45f5baabeb30dc604757704b4b5d3c35bae4f04b02b77f15f3b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G2KS51P3\json[1].json
MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G2KS51P3\json[1].json
MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4FB.tmp
MD5
149c2823b7eadbfb0a82388a2ab9494f

SHA1
415fe979ce5fd0064d2557a48745a3ed1a3fbf9c

SHA256
06fa5d4e7fbfb1efdc19baa034601a894b21cf729785732853ced4bb40aca869

SHA512
f8fb6b7c93c4ab37f6e250ba8ac5c82f6e17fe52156cab81d34e91107d1da716b744bfe02ee0306497a3876d5352af789a1e66dab10e11e22065bac3050475fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHBKYJ~1.EXE
MD5
eb8602732e7c8f8d2c055249c3784561

SHA1
8301959b248222c39521074cd1a55a98f1540a79

SHA256
7b2fd2b8a39683717b5a5208dd5272aae5aad3d23fc87aae862633d7e6c8150e

SHA512
5f6a63239dca93c9ba8cfbe0117477708bfb48da10173404dab16c69e302c2164220fc8ed48d133e0bcca9ec8183bb2e284e187e1aca617715628e2a276e652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hhbkyjfkvkjm.exe
MD5
eb8602732e7c8f8d2c055249c3784561

SHA1
8301959b248222c39521074cd1a55a98f1540a79

SHA256
7b2fd2b8a39683717b5a5208dd5272aae5aad3d23fc87aae862633d7e6c8150e

SHA512
5f6a63239dca93c9ba8cfbe0117477708bfb48da10173404dab16c69e302c2164220fc8ed48d133e0bcca9ec8183bb2e284e187e1aca617715628e2a276e652b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbvmfghxbvq.vbs
MD5
65277442bd570c539c52611aa7f76209

SHA1
22a850868e6d07eff136200563a854d404727656

SHA256
6c1c1c50721868937bb700410b812ee447ff62567810bc763a45e68b2fd70e58

SHA512
b60f7e3908f2e444449805062a3e4544d8f9221eb491c32e50844d664efba82181cc8958f3b54667e704dc89bb85be1a5c6564795da2dcba43a8dbf1f5a03d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nemjsckvrk.vbs
MD5
0a3b0826eafde4e6f733a367b3edcc2d

SHA1
72c1c8e09593b2acd52f1cd6b36db55e7a20d6f2

SHA256
134f877a7e5be15bcf05ad3c3bd29ab282b2677aa6ea55fee43fa5cdaf57c26c

SHA512
33dac19d6edac549df377217123867b758417ad958bf1f954cddd5143606757b2808b0ff52890496a1f2af79dc109fb3159234c7d0e587de2aeb431b623acf12

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Arcate.pst
MD5
cb84d48d8a79791bee0d1e52740ccb92

SHA1
902e3d817e09274d47c1d00fc10e0e831a0a4964

SHA256
f253dece3b82426eecbd65c4f34d9a5dcb02a8710c83fc4a48d9edc8f6b89f65

SHA512
20d0dccc6e80dc44c2beba3c0dceaf23e886e68b3b36de6675a8357f27a60da8dde0e7df4450a8491ae1dee1e8c4c8d6f1cf37231326cdd86793bf2088f01a68

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Avvenne.pst
MD5
3a9d03cccbf783554b8350fff9bbc8df

SHA1
636b49abfcadb9c4242772c65b1a4d6485df1cea

SHA256
e1f3771ea85d11ed1ce2f3686c087f5e53b94b6165d4105a8dc76f03ef8cbd1b

SHA512
c3c620e1e34fcfcbdfa7d84ab015c070a40265b67f40d9a7d857a4f695d6a05ab660dac767f1e9d6f9e667b5c040b9e807c610ade9cfa6f7931e3cd1c476fb8b

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Crudelta.pst
MD5
0d540d5ad9aae4b04416a647d36e6b8f

SHA1
1dc0f743995d6706927c2b01d5fa6860fb4ac118

SHA256
31c317f12b408beed5e0da60734a083797d0d0a599710875352cccab59970049

SHA512
d723b84e6fa7752a4bc2afa74aee80f88a3d0d6fb9c62462866738a37c7f77dfa7f8c590670afadd26dcdbdd9415d51de7df424a9c0eaf3b7af9458a3646ebbd

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ora.pst
MD5
3ca4dc18e084c073dbd4976dc9dfb602

SHA1
6a2f962587ab39e0ad7322d71ad590612052d466

SHA256
115b36d44dd6636f4fe7659c898d2440194ae6a6d9073e28475269c65fd53c17

SHA512
6d5a8285a010f250a2b8117b6f1b4cdab5d625f56feb3fe4aaff3036436db22d207ce823232881e93dcbae0cb5625f05c4227f4d3a7726334765c391b78b5fb4

Download Submit
C:\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\p
MD5
cb84d48d8a79791bee0d1e52740ccb92

SHA1
902e3d817e09274d47c1d00fc10e0e831a0a4964

SHA256
f253dece3b82426eecbd65c4f34d9a5dcb02a8710c83fc4a48d9edc8f6b89f65

SHA512
20d0dccc6e80dc44c2beba3c0dceaf23e886e68b3b36de6675a8357f27a60da8dde0e7df4450a8491ae1dee1e8c4c8d6f1cf37231326cdd86793bf2088f01a68

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\HHBKYJ~1.DLL
MD5
ce2816dd27b6f679acfbfbad58c5ac6e

SHA1
2a1b1d7fa0b4f61ff178b197766943bb338bbe8c

SHA256
90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27

SHA512
1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

Download Submit
\Users\Admin\AppData\Local\Temp\hhbkyjfkvkjm.exe
MD5
eb8602732e7c8f8d2c055249c3784561

SHA1
8301959b248222c39521074cd1a55a98f1540a79

SHA256
7b2fd2b8a39683717b5a5208dd5272aae5aad3d23fc87aae862633d7e6c8150e

SHA512
5f6a63239dca93c9ba8cfbe0117477708bfb48da10173404dab16c69e302c2164220fc8ed48d133e0bcca9ec8183bb2e284e187e1aca617715628e2a276e652b

Download Submit
\Users\Admin\AppData\Local\Temp\hhbkyjfkvkjm.exe
MD5
eb8602732e7c8f8d2c055249c3784561

SHA1
8301959b248222c39521074cd1a55a98f1540a79

SHA256
7b2fd2b8a39683717b5a5208dd5272aae5aad3d23fc87aae862633d7e6c8150e

SHA512
5f6a63239dca93c9ba8cfbe0117477708bfb48da10173404dab16c69e302c2164220fc8ed48d133e0bcca9ec8183bb2e284e187e1aca617715628e2a276e652b

Download Submit
\Users\Admin\AppData\Roaming\JlgUrBigQNgWUUeZSjyhQQddkdpgQSSCZanePlRSrGnkCObAsrxjUczSTXIMaT\Ama.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/292-71-0x0000000000000000-mapping.dmp

Download
memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/316-69-0x0000000000000000-mapping.dmp

Download
memory/536-115-0x0000000000000000-mapping.dmp

Download
memory/660-110-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/660-111-0x0000000002B61000-0x00000000031BF000-memory.dmp

Filesize
6.4MB

Download
memory/660-101-0x0000000000000000-mapping.dmp

Download
memory/660-107-0x00000000022D0000-0x000000000288A000-memory.dmp

Filesize
5.7MB

Download
memory/1192-61-0x0000000000000000-mapping.dmp

Download
memory/1316-82-0x0000000000000000-mapping.dmp

Download
memory/1316-90-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1316-89-0x0000000000400000-0x0000000000DF2000-memory.dmp

Filesize
9.9MB

Download
memory/1316-88-0x0000000002CA0000-0x0000000003395000-memory.dmp

Filesize
7.0MB

Download
memory/1480-78-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1480-74-0x0000000000000000-mapping.dmp

Download
memory/1504-91-0x0000000000000000-mapping.dmp

Download
memory/1504-109-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1504-108-0x00000000029E1000-0x000000000303F000-memory.dmp

Filesize
6.4MB

Download
memory/1504-100-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1504-98-0x0000000000900000-0x0000000000EBA000-memory.dmp

Filesize
5.7MB

Download
memory/1540-65-0x0000000000000000-mapping.dmp

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download
memory/2016-84-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x0000000000000000-mapping.dmp

Download