danabot | 71bc38f1873dde28c4a2a7605527adc649ffa6510b907b2698990fd5ee49f5c8

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
20-07-2021 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3577889cdae96c45ac86d0fabe6723b0.exe
Size

636KB
MD5

3577889cdae96c45ac86d0fabe6723b0
SHA1

814ba96911f17ded4808b2776ebb43db3d3d2656
SHA256

71bc38f1873dde28c4a2a7605527adc649ffa6510b907b2698990fd5ee49f5c8
SHA512

bd7490bf182762ba0acee9f49e486c94c4b9c67e029f47b0782b9223f0a88d497e24a9f54b220e7f095a1f2f6149d6981e816adeacf9e7971b6e3ed7c48e866d

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

54 2956 WScript.exe
58 2956 WScript.exe
60 2956 WScript.exe
62 2956 WScript.exe
73 2884 rundll32.exe
76 204 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

QGMDJMHPWckEJ.exevpn.exe4.exeCheope.exe.comCheope.exe.comSmartClock.exemybrpmu.exe

pid process

3884 QGMDJMHPWckEJ.exe
756 vpn.exe
2864 4.exe
2956 Cheope.exe.com
3784 Cheope.exe.com
3712 SmartClock.exe
1792 mybrpmu.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

QGMDJMHPWckEJ.exerundll32.exeRUNDLL32.EXE

pid process

3884 QGMDJMHPWckEJ.exe
2884 rundll32.exe
2884 rundll32.exe
204 RUNDLL32.EXE
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 ip-api.com

flow	pid	process
54	2956	WScript.exe
58	2956	WScript.exe
60	2956	WScript.exe
62	2956	WScript.exe
73	2884	rundll32.exe
76	204	RUNDLL32.EXE

pid	process
3884	QGMDJMHPWckEJ.exe
756	vpn.exe
2864	4.exe
2956	Cheope.exe.com
3784	Cheope.exe.com
3712	SmartClock.exe
1792	mybrpmu.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
3884	QGMDJMHPWckEJ.exe
2884	rundll32.exe
2884	rundll32.exe
204	RUNDLL32.EXE

flow	ioc
34	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

QGMDJMHPWckEJ.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	QGMDJMHPWckEJ.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	QGMDJMHPWckEJ.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	QGMDJMHPWckEJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheope.exe.comRUNDLL32.EXE3577889cdae96c45ac86d0fabe6723b0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Cheope.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3577889cdae96c45ac86d0fabe6723b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3577889cdae96c45ac86d0fabe6723b0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Cheope.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Cheope.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Cheope.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Cheope.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54AE86E30785445097D18549FABB94427E1B1331	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54AE86E30785445097D18549FABB94427E1B1331\Blob = 03000000010000001400000054ae86e30785445097d18549fabb94427e1b1331200000000100000026020000308202223082018ba00302010202080bf62f67053ccc34300d06092a864886f70d01010b05003030312e302c06035504030c254d693263726f736f667420526f6f7420436572746966696361746520417574686f72697479301e170d3139303732313132333830375a170d3233303732303132333830375a3030312e302c06035504030c254d693263726f736f667420526f6f7420436572746966696361746520417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c6464c5aad4dd65c124ea2990c9d4eeaacfe45651f29fb6d0f21ce700587fd8673023fbb21384545a22cf4b8b2e62d53665497931c01b0e8b8b5d7ceeac33782c3a6c3bf139262b8122016be57568420032430c1771e1767dbcf207e1bdd4df55bdcd110d5823f21d011c3f912e6a08e5767d3226c804ab312e90aeda728003d0203010001a3453043300f0603551d130101ff040530030101ff30300603551d110429302782254d693263726f736f667420526f6f7420436572746966696361746520417574686f72697479300d06092a864886f70d01010b050003818100933b53b0c1e6bdbc8e281441710742195f4d1a76c1a716164276c7a33d2d3125ed6c19834ef8d91d556a0f248d4cd2c99c7d6497333c8f4fe961b99cdb3ab7d1676a3f96d5dee56c1661b85fc90e6a7c319a8bdb93d87aa2fb129766e53844fff22ceae91d39b19faa5d8004bac5004bba83b99b15dc28889e2c518898256374	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1416 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3712 SmartClock.exe

pid	process
1416	PING.EXE

pid	process
3712	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

pid	process
204	RUNDLL32.EXE
204	RUNDLL32.EXE
204	RUNDLL32.EXE
204	RUNDLL32.EXE
204	RUNDLL32.EXE
204	RUNDLL32.EXE
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
204	RUNDLL32.EXE
204	RUNDLL32.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 204 RUNDLL32.EXE
Token: SeDebugPrivilege 3612 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

204 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	204	RUNDLL32.EXE
Token: SeDebugPrivilege	3612	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

3577889cdae96c45ac86d0fabe6723b0.exeQGMDJMHPWckEJ.exevpn.execmd.execmd.exeCheope.exe.com4.exeCheope.exe.commybrpmu.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 3980 wrote to memory of 3884	3980	3577889cdae96c45ac86d0fabe6723b0.exe	QGMDJMHPWckEJ.exe
PID 3980 wrote to memory of 3884	3980	3577889cdae96c45ac86d0fabe6723b0.exe	QGMDJMHPWckEJ.exe
PID 3980 wrote to memory of 3884	3980	3577889cdae96c45ac86d0fabe6723b0.exe	QGMDJMHPWckEJ.exe
PID 3884 wrote to memory of 756	3884	QGMDJMHPWckEJ.exe	vpn.exe
PID 3884 wrote to memory of 756	3884	QGMDJMHPWckEJ.exe	vpn.exe
PID 3884 wrote to memory of 756	3884	QGMDJMHPWckEJ.exe	vpn.exe
PID 3884 wrote to memory of 2864	3884	QGMDJMHPWckEJ.exe	4.exe
PID 3884 wrote to memory of 2864	3884	QGMDJMHPWckEJ.exe	4.exe
PID 3884 wrote to memory of 2864	3884	QGMDJMHPWckEJ.exe	4.exe
PID 756 wrote to memory of 764	756	vpn.exe	cmd.exe
PID 756 wrote to memory of 764	756	vpn.exe	cmd.exe
PID 756 wrote to memory of 764	756	vpn.exe	cmd.exe
PID 764 wrote to memory of 3356	764	cmd.exe	cmd.exe
PID 764 wrote to memory of 3356	764	cmd.exe	cmd.exe
PID 764 wrote to memory of 3356	764	cmd.exe	cmd.exe
PID 3356 wrote to memory of 3352	3356	cmd.exe	findstr.exe
PID 3356 wrote to memory of 3352	3356	cmd.exe	findstr.exe
PID 3356 wrote to memory of 3352	3356	cmd.exe	findstr.exe
PID 3356 wrote to memory of 2956	3356	cmd.exe	Cheope.exe.com
PID 3356 wrote to memory of 2956	3356	cmd.exe	Cheope.exe.com
PID 3356 wrote to memory of 2956	3356	cmd.exe	Cheope.exe.com
PID 3356 wrote to memory of 1416	3356	cmd.exe	PING.EXE
PID 3356 wrote to memory of 1416	3356	cmd.exe	PING.EXE
PID 3356 wrote to memory of 1416	3356	cmd.exe	PING.EXE
PID 2956 wrote to memory of 3784	2956	Cheope.exe.com	Cheope.exe.com
PID 2956 wrote to memory of 3784	2956	Cheope.exe.com	Cheope.exe.com
PID 2956 wrote to memory of 3784	2956	Cheope.exe.com	Cheope.exe.com
PID 2864 wrote to memory of 3712	2864	4.exe	SmartClock.exe
PID 2864 wrote to memory of 3712	2864	4.exe	SmartClock.exe
PID 2864 wrote to memory of 3712	2864	4.exe	SmartClock.exe
PID 3784 wrote to memory of 1792	3784	Cheope.exe.com	mybrpmu.exe
PID 3784 wrote to memory of 1792	3784	Cheope.exe.com	mybrpmu.exe
PID 3784 wrote to memory of 1792	3784	Cheope.exe.com	mybrpmu.exe
PID 3784 wrote to memory of 3400	3784	Cheope.exe.com	WScript.exe
PID 3784 wrote to memory of 3400	3784	Cheope.exe.com	WScript.exe
PID 3784 wrote to memory of 3400	3784	Cheope.exe.com	WScript.exe
PID 1792 wrote to memory of 2884	1792	mybrpmu.exe	rundll32.exe
PID 1792 wrote to memory of 2884	1792	mybrpmu.exe	rundll32.exe
PID 1792 wrote to memory of 2884	1792	mybrpmu.exe	rundll32.exe
PID 3784 wrote to memory of 2956	3784	Cheope.exe.com	WScript.exe
PID 3784 wrote to memory of 2956	3784	Cheope.exe.com	WScript.exe
PID 3784 wrote to memory of 2956	3784	Cheope.exe.com	WScript.exe
PID 2884 wrote to memory of 204	2884	rundll32.exe	RUNDLL32.EXE
PID 2884 wrote to memory of 204	2884	rundll32.exe	RUNDLL32.EXE
PID 2884 wrote to memory of 204	2884	rundll32.exe	RUNDLL32.EXE
PID 204 wrote to memory of 3612	204	RUNDLL32.EXE	powershell.exe
PID 204 wrote to memory of 3612	204	RUNDLL32.EXE	powershell.exe
PID 204 wrote to memory of 3612	204	RUNDLL32.EXE	powershell.exe
PID 204 wrote to memory of 2804	204	RUNDLL32.EXE	powershell.exe
PID 204 wrote to memory of 2804	204	RUNDLL32.EXE	powershell.exe
PID 204 wrote to memory of 2804	204	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\3577889cdae96c45ac86d0fabe6723b0.exe
"C:\Users\Admin\AppData\Local\Temp\3577889cdae96c45ac86d0fabe6723b0.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe
"C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Narcotico.mpg
4⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hPzBSAzErWqivIhideydXrkRLKibeyeZLrCfJgdYSSNmkzflOaKfcWKpDCPozVBXTwvauYbeMubyfLGaxWJKcMEOzaLinoFWsPGpXXrPUIDgnFURVbNvjQCuvHZOhd$" Sua.mpg
6⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com
Cheope.exe.com T
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com T
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe
"C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP,S C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP,UDcZa1FpMjZP
10⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp61A4.tmp.ps1"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6FDF.tmp.ps1"
11⤵
PID:2804

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hwwpfwqkkkk.vbs"
8⤵
PID:3400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bhxbbxeyjxvm.vbs"
8⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2956

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
6⤵
- Runs ping.exe
PID:1416

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
8303b2caddfa02d1e3bd7796fc8f36e0

SHA1
b1b02156710b146139620b5fb8bf90ab8a3de615

SHA256
b1228441b57de321998f4697c8d62dd7ad676e032b52a7539171f10dafe7765d

SHA512
09f16b9281154f91c68b3609fe4468786be41005b3ce3af6997f11b7610a73ef61b8168ff093a375cae439f5231f1708bc33b05a9d566bdf5c74a590681773df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cheope.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chi.mpg
MD5
9ded2c093bd49c32b9f1f06265aad843

SHA1
3c0c5581544628f6c47fd54dc21189f7a6999c5b

SHA256
f815800751e3b1be3be88e4a586654fac0bc459cf85080c3eccfad8395472fa5

SHA512
8ac2b6bc0dbdf7858fc8a92c1d2c2cdf17deb92ebcffd2ce7cdebbee35c2683a0e706843d0a4daa4f069614b55e06799c9d47e121aabae6ad32551fa630fa12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Narcotico.mpg
MD5
7435f0e8e46ca0dc11d2a3d7ed31a2ea

SHA1
a74f19d3e59d6c1c6a7812b1f3a7beaae1af4a9d

SHA256
c7ec9ee50643fe5757eb476e391bc30ee5bcb2b5c6537bdf29a05e8ce3b17ef5

SHA512
2f158c1ad931ea784ee6e52c1997875cad44666c61763ce3388780f806664eee31aa528d0bcdf067f978ff65500d11725312baf3f4c1a0c1de4eb09d6f444816

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sua.mpg
MD5
15db6ccd633040cf4269f4a5daa60267

SHA1
7a8af5e0756cccf7928a3d933159088c00548dbb

SHA256
41f682dc4f24157205acf41d09080db3fcc8e85e8bc54b356125a6f90c2806e1

SHA512
6e32668bb461ea1115070c4a1dd67e85252fb375bef80a34a9eceb11d9680dc3b97e912e849d551983f195d23c2301e1120193445364861746304a1c6d084783

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\T
MD5
9ded2c093bd49c32b9f1f06265aad843

SHA1
3c0c5581544628f6c47fd54dc21189f7a6999c5b

SHA256
f815800751e3b1be3be88e4a586654fac0bc459cf85080c3eccfad8395472fa5

SHA512
8ac2b6bc0dbdf7858fc8a92c1d2c2cdf17deb92ebcffd2ce7cdebbee35c2683a0e706843d0a4daa4f069614b55e06799c9d47e121aabae6ad32551fa630fa12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Voto.mpg
MD5
3283e74b35b87067c626c6debc4c647c

SHA1
25aa5813f536679b608be59cb83c49f1ddc45355

SHA256
304e165665671e909c9bd719acef33b3d6029462aa0079f075b1effc5b58ed01

SHA512
3a1b73cb5162fb697d74db74be4613a3c195a45adf6f17a5df6ed1a2fc4923cafbf349f053f9c8fbebce356503df4270e8ba94f621ae9931e550185dc44d26b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
e2f1b31cc8c64668a1d4711c750876ab

SHA1
1dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c

SHA256
92244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359

SHA512
bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
e2f1b31cc8c64668a1d4711c750876ab

SHA1
1dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c

SHA256
92244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359

SHA512
bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4fad87e905527200767b4d75a67475a2

SHA1
3c6ed14acd0e3500e1a732891db335c14160f94a

SHA256
873574405be6ca9e0c85ec516a1736c9a85ffe6f185f7113102763fe52fbd767

SHA512
14e3ea68ea1a8fc1966c3cd416fb9275f8b7b34cfaec5a29a5e2c1d95439a2a03a11d4071b05aa6264c263d0459be4cd00a42853ae8a4fc9729580000c725d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4fad87e905527200767b4d75a67475a2

SHA1
3c6ed14acd0e3500e1a732891db335c14160f94a

SHA256
873574405be6ca9e0c85ec516a1736c9a85ffe6f185f7113102763fe52fbd767

SHA512
14e3ea68ea1a8fc1966c3cd416fb9275f8b7b34cfaec5a29a5e2c1d95439a2a03a11d4071b05aa6264c263d0459be4cd00a42853ae8a4fc9729580000c725d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe
MD5
68886f96b3223730b1e228f42aecc5cf

SHA1
35ccef06783fcc868c1de8fd444580394038c15c

SHA256
4be474229fe8b4ca351b87683e5377ccdc48b0b18c4c14b9063ffb49b7cb5e74

SHA512
a3b083bdb1e7ecf3ae6311e6f9ee6fa3a1c7026c3b979a77fd9814a821d2a1c403952102525fab395abdd51469c3b54114e6a9103e695e03785d769c7a27669c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QGMDJMHPWckEJ.exe
MD5
68886f96b3223730b1e228f42aecc5cf

SHA1
35ccef06783fcc868c1de8fd444580394038c15c

SHA256
4be474229fe8b4ca351b87683e5377ccdc48b0b18c4c14b9063ffb49b7cb5e74

SHA512
a3b083bdb1e7ecf3ae6311e6f9ee6fa3a1c7026c3b979a77fd9814a821d2a1c403952102525fab395abdd51469c3b54114e6a9103e695e03785d769c7a27669c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhxbbxeyjxvm.vbs
MD5
69c3f3ec0ab3cc367fd03e9145cf8505

SHA1
275d0e92d788d4e394674bb5e054a04fa8640eb2

SHA256
5bc893b2005c18bc06077d59771959e8c19b988545558c0a83d316d40cfa1a20

SHA512
fca3076e4838fce48e078c45b8ff23b046b8e6d7266864e64e54e934f4fb6b3e581fc04439864adbc16acd01f67edd6c69669b4f436f18a8eb9187c240df8180

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwwpfwqkkkk.vbs
MD5
fe96591d3e854de7786a32a224508255

SHA1
8a55e91fd59b661c3a8944e157a2791892aa4d69

SHA256
5dfe2abb54138904a47019d8f9eeb11c25e5759957f484756e05439bd67632e3

SHA512
fd39966ea53ccd3570140e05bfd1f7546f854195f65129ee727f6991cbb2947d2f355165b088d7f9f1e326dd7169f17c263d1d966d688efadd5ea46ae0319d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe
MD5
beaf0a675545d76f6393f0e92656639b

SHA1
d7444795cfdedc9ae3381b60e6bbe91bd8a470e1

SHA256
d4f252125ce1b59def2ae9a8bed16302c4c4c13f54eb41217ef189cccce06a72

SHA512
78f0c8b52d4afdc2d559c7e996621b9e7b7f0a25ecc1342e548e4b5c97a8ef45956435331842fb3cf4c64877e5ec49d0b821374f0d781f0d85a0abd0fe0c04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mybrpmu.exe
MD5
beaf0a675545d76f6393f0e92656639b

SHA1
d7444795cfdedc9ae3381b60e6bbe91bd8a470e1

SHA256
d4f252125ce1b59def2ae9a8bed16302c4c4c13f54eb41217ef189cccce06a72

SHA512
78f0c8b52d4afdc2d559c7e996621b9e7b7f0a25ecc1342e548e4b5c97a8ef45956435331842fb3cf4c64877e5ec49d0b821374f0d781f0d85a0abd0fe0c04e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61A4.tmp.ps1
MD5
7d8f29a0463f89453c01bb0209734676

SHA1
13dbb6d0b3407cb7ca4487f70d8abced041bb05b

SHA256
4a6b7a0d692600b1020b1f85ff1cdd27b2cfa17932596161e5750896a5fffa5d

SHA512
93ec08997b7c638072e40ea6871276e8ff9c67017d0d8047d60ef01ede278a8733dd3a8488b548ac0b1933d4c0e0c6c425201bf88dfe41f45f13a78dc89c55a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61A5.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
e2f1b31cc8c64668a1d4711c750876ab

SHA1
1dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c

SHA256
92244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359

SHA512
bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
e2f1b31cc8c64668a1d4711c750876ab

SHA1
1dcb8f1569067ebd1ced9e72a881ba17fcc6cf8c

SHA256
92244cebe7800839e76728597d74a91d028b17224d72f0077ceea2e6b5682359

SHA512
bfa842c0faa4e8d9b2744098829e4ce01266678316decb7bebf18a029f9e58e7ec354218e65bca786c7fc6249a85694b7e1de00f8286c377b19f5e6f436c74bb

Download Submit
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\MYBRPM~1.TMP
MD5
7421975d09f0de9fc505ba95c37e5794

SHA1
052e5981f44c5451d896f6383df93bcdf5235fe5

SHA256
643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd

SHA512
7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsg3E09.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/204-167-0x0000000000000000-mapping.dmp

Download
memory/204-173-0x00000000051F0000-0x0000000006486000-memory.dmp

Filesize
18.6MB

Download
memory/756-120-0x0000000000000000-mapping.dmp

Download
memory/764-126-0x0000000000000000-mapping.dmp

Download
memory/1416-134-0x0000000000000000-mapping.dmp

Download
memory/1792-147-0x0000000000000000-mapping.dmp

Download
memory/1792-156-0x0000000001000000-0x00000000010FF000-memory.dmp

Filesize
1020KB

Download
memory/1792-157-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/2804-204-0x0000000000000000-mapping.dmp

Download
memory/2864-142-0x00000000001C0000-0x00000000001E6000-memory.dmp

Filesize
152KB

Download
memory/2864-122-0x0000000000000000-mapping.dmp

Download
memory/2864-143-0x0000000000400000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/2884-158-0x0000000000BB0000-0x0000000000D0C000-memory.dmp

Filesize
1.4MB

Download
memory/2884-170-0x0000000004800000-0x0000000005A96000-memory.dmp

Filesize
18.6MB

Download
memory/2884-152-0x0000000000000000-mapping.dmp

Download
memory/2956-132-0x0000000000000000-mapping.dmp

Download
memory/2956-159-0x0000000000000000-mapping.dmp

Download
memory/3352-129-0x0000000000000000-mapping.dmp

Download
memory/3356-128-0x0000000000000000-mapping.dmp

Download
memory/3400-150-0x0000000000000000-mapping.dmp

Download
memory/3612-181-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/3612-188-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/3612-203-0x00000000043C3000-0x00000000043C4000-memory.dmp

Filesize
4KB

Download
memory/3612-178-0x0000000000000000-mapping.dmp

Download
memory/3612-200-0x0000000008C90000-0x0000000008C91000-memory.dmp

Filesize
4KB

Download
memory/3612-182-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/3612-183-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/3612-184-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/3612-185-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3612-186-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/3612-187-0x00000000043C2000-0x00000000043C3000-memory.dmp

Filesize
4KB

Download
memory/3612-199-0x0000000008BF0000-0x0000000008BF1000-memory.dmp

Filesize
4KB

Download
memory/3612-189-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/3612-190-0x0000000008000000-0x0000000008001000-memory.dmp

Filesize
4KB

Download
memory/3612-191-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/3612-198-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/3612-193-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3712-144-0x0000000000400000-0x000000000089E000-memory.dmp

Filesize
4.6MB

Download
memory/3712-138-0x0000000000000000-mapping.dmp

Download
memory/3784-136-0x0000000000000000-mapping.dmp

Download
memory/3784-146-0x0000000001600000-0x000000000174A000-memory.dmp

Filesize
1.3MB

Download
memory/3884-116-0x0000000000000000-mapping.dmp

Download
memory/3980-114-0x0000000000BF0000-0x0000000000CC1000-memory.dmp

Filesize
836KB

Download
memory/3980-115-0x0000000000400000-0x0000000000908000-memory.dmp

Filesize
5.0MB

Download