danabot | 0a3c1d6736893714d0e5552795fb8ba026ba2bd3f5e34afd975b9d463c1e46fe

Analysis

max time kernel
122s
max time network
130s
platform
windows10_x64
resource
win10v20210408
submitted
21-07-2021 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de9a1e3fbb72d4a01fabee53230f2017.exe
Size

442KB
MD5

de9a1e3fbb72d4a01fabee53230f2017
SHA1

b7c3bad04551b68b408ef4eb3f9be2fab836d3db
SHA256

0a3c1d6736893714d0e5552795fb8ba026ba2bd3f5e34afd975b9d463c1e46fe
SHA512

e6f563f845c504a12aafab4dc7c773370157ac957d9de1bedf46a210c8def8bc93246cff4132efa7253ee6ee7846519ac540f65d301f7e734188a29101049b0b

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

31 3928 WScript.exe
33 3928 WScript.exe
35 3928 WScript.exe
37 3928 WScript.exe
40 1016 rundll32.exe
41 2864 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

4.exevpn.exeSmartClock.exemxkrgpabkikg.exe

pid process

3700 4.exe
3844 vpn.exe
3264 SmartClock.exe
2724 mxkrgpabkikg.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

de9a1e3fbb72d4a01fabee53230f2017.exerundll32.exeRUNDLL32.EXE

pid process

900 de9a1e3fbb72d4a01fabee53230f2017.exe
1016 rundll32.exe
2864 RUNDLL32.EXE
2864 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

flow	pid	process
31	3928	WScript.exe
33	3928	WScript.exe
35	3928	WScript.exe
37	3928	WScript.exe
40	1016	rundll32.exe
41	2864	RUNDLL32.EXE

pid	process
3700	4.exe
3844	vpn.exe
3264	SmartClock.exe
2724	mxkrgpabkikg.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
900	de9a1e3fbb72d4a01fabee53230f2017.exe
1016	rundll32.exe
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE

flow	ioc
11	ip-api.com

Drops file in Program Files directory 4 IoCs

Processes:

de9a1e3fbb72d4a01fabee53230f2017.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	de9a1e3fbb72d4a01fabee53230f2017.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	de9a1e3fbb72d4a01fabee53230f2017.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	de9a1e3fbb72d4a01fabee53230f2017.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 30 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEvpn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vpn.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

vpn.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings vpn.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	vpn.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXEWScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDDA0EC09B752565EFCA15862DDC3F0C44108561\Blob = 030000000100000014000000edda0ec09b752565efca15862ddc3f0c441085612000000001000000c3020000308202bf30820228a00302010202086240f33936000538300d06092a864886f70d01010b050030793139303706035504030c3056653072695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b3009060355040613025553301e170d3139303732323137303431355a170d3233303732313137303431355a30793139303706035504030c3056653072695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479311b3019060355040b0c1222286329203230303820566572695369676e31123010060355040a0c0922566572695369676e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a176901f461a2ee031ad18569c04d2b8c36b7dcfe703299b08bb1207315b1e872cedca738269d6db8b1bccdaec0e430f3959f3b95611ab9a80836a9d308d472d3b85524052def50873eabc180d0d99e808a37bc4e624777eb28a9d41755ccf8b38f7bae09342b66bc149e22bc671f7e3957b96ba8a1e6a47fcc1532ee72fbdb30203010001a350304e300f0603551d130101ff040530030101ff303b0603551d1104343032823056653072695369676e20556e6976657273616c20526f6f742043657274696669636174696f6e20417574686f72697479300d06092a864886f70d01010b0500038181001c5cfcb290528332dc5d2ceacc82cbf00381a07a3d738703429a92df55b602d720f85d367fca2b97aa3217b25888d2fb37161736247ef328c654e9feab5f361d0b8451cea4c9933629b6dcd029d65e1282b11ada14bf072bb3a64c656180912c09f2bb6843c777b439ae16341bf36bd0461e8b48154427b4bfa49cfaa6e8437d	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EDDA0EC09B752565EFCA15862DDC3F0C44108561	RUNDLL32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3264 SmartClock.exe

pid	process
3264	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
2864	RUNDLL32.EXE
2864	RUNDLL32.EXE
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2864 RUNDLL32.EXE
Token: SeDebugPrivilege 3644 powershell.exe
Token: SeDebugPrivilege 2704 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RUNDLL32.EXE

pid process

2864 RUNDLL32.EXE

description	pid	process
Token: SeDebugPrivilege	2864	RUNDLL32.EXE
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

de9a1e3fbb72d4a01fabee53230f2017.exe4.exevpn.exemxkrgpabkikg.exerundll32.exeRUNDLL32.EXEpowershell.exe

description	pid	process	target process
PID 900 wrote to memory of 3700	900	de9a1e3fbb72d4a01fabee53230f2017.exe	4.exe
PID 900 wrote to memory of 3700	900	de9a1e3fbb72d4a01fabee53230f2017.exe	4.exe
PID 900 wrote to memory of 3700	900	de9a1e3fbb72d4a01fabee53230f2017.exe	4.exe
PID 900 wrote to memory of 3844	900	de9a1e3fbb72d4a01fabee53230f2017.exe	vpn.exe
PID 900 wrote to memory of 3844	900	de9a1e3fbb72d4a01fabee53230f2017.exe	vpn.exe
PID 900 wrote to memory of 3844	900	de9a1e3fbb72d4a01fabee53230f2017.exe	vpn.exe
PID 3700 wrote to memory of 3264	3700	4.exe	SmartClock.exe
PID 3700 wrote to memory of 3264	3700	4.exe	SmartClock.exe
PID 3700 wrote to memory of 3264	3700	4.exe	SmartClock.exe
PID 3844 wrote to memory of 2724	3844	vpn.exe	mxkrgpabkikg.exe
PID 3844 wrote to memory of 2724	3844	vpn.exe	mxkrgpabkikg.exe
PID 3844 wrote to memory of 2724	3844	vpn.exe	mxkrgpabkikg.exe
PID 3844 wrote to memory of 1328	3844	vpn.exe	WScript.exe
PID 3844 wrote to memory of 1328	3844	vpn.exe	WScript.exe
PID 3844 wrote to memory of 1328	3844	vpn.exe	WScript.exe
PID 2724 wrote to memory of 1016	2724	mxkrgpabkikg.exe	rundll32.exe
PID 2724 wrote to memory of 1016	2724	mxkrgpabkikg.exe	rundll32.exe
PID 2724 wrote to memory of 1016	2724	mxkrgpabkikg.exe	rundll32.exe
PID 3844 wrote to memory of 3928	3844	vpn.exe	WScript.exe
PID 3844 wrote to memory of 3928	3844	vpn.exe	WScript.exe
PID 3844 wrote to memory of 3928	3844	vpn.exe	WScript.exe
PID 1016 wrote to memory of 2864	1016	rundll32.exe	RUNDLL32.EXE
PID 1016 wrote to memory of 2864	1016	rundll32.exe	RUNDLL32.EXE
PID 1016 wrote to memory of 2864	1016	rundll32.exe	RUNDLL32.EXE
PID 2864 wrote to memory of 3644	2864	RUNDLL32.EXE	powershell.exe
PID 2864 wrote to memory of 3644	2864	RUNDLL32.EXE	powershell.exe
PID 2864 wrote to memory of 3644	2864	RUNDLL32.EXE	powershell.exe
PID 2864 wrote to memory of 2704	2864	RUNDLL32.EXE	powershell.exe
PID 2864 wrote to memory of 2704	2864	RUNDLL32.EXE	powershell.exe
PID 2864 wrote to memory of 2704	2864	RUNDLL32.EXE	powershell.exe
PID 2704 wrote to memory of 2936	2704	powershell.exe	nslookup.exe
PID 2704 wrote to memory of 2936	2704	powershell.exe	nslookup.exe
PID 2704 wrote to memory of 2936	2704	powershell.exe	nslookup.exe
PID 2864 wrote to memory of 2648	2864	RUNDLL32.EXE	schtasks.exe
PID 2864 wrote to memory of 2648	2864	RUNDLL32.EXE	schtasks.exe
PID 2864 wrote to memory of 2648	2864	RUNDLL32.EXE	schtasks.exe
PID 2864 wrote to memory of 584	2864	RUNDLL32.EXE	schtasks.exe
PID 2864 wrote to memory of 584	2864	RUNDLL32.EXE	schtasks.exe
PID 2864 wrote to memory of 584	2864	RUNDLL32.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\de9a1e3fbb72d4a01fabee53230f2017.exe
"C:\Users\Admin\AppData\Local\Temp\de9a1e3fbb72d4a01fabee53230f2017.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3264

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\mxkrgpabkikg.exe
"C:\Users\Admin\AppData\Local\Temp\mxkrgpabkikg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP,S C:\Users\Admin\AppData\Local\Temp\MXKRGP~1.EXE
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP,tVVgMjdONw==
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEB0D.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1134.tmp.ps1"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
7⤵
PID:2936

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:2648

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
6⤵
PID:584

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jahdqpixjc.vbs"
3⤵
PID:1328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lptbdtagwg.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
bbf0cc3f730ca83be014722696956267

SHA1
b4c8822a67d708da1cbb60e5285ccdc9b00b8f61

SHA256
da2edd3aca68dbf630edf299e9ff0b1d38c66f9c649530af771ea5e6538ca149

SHA512
cf278195eebaf23165542ab3aa4b0d72dc519890ed8187233dcc98a1989d73c16f805a1640291e31d2ddb325ce296ab8dddb61b99663f8b86abe9013dea22e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
52e41fd31aa1f0398c8d832706f6f034

SHA1
4ea2e5460a11d9a8a08dc6d5fe0e51f95ad7b081

SHA256
089274921e67b3a61748f4e73c9745302f9dbc4cc75f53efb45e99caa0c769c3

SHA512
b96eaac4fdfa9e3fe499229c39ff8c878e182437af320d8af8f31018e98051660965c80f64305127dd192b89bb080a9c41a5ab08778bddb6ecceaf5f1ad8e7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP
MD5
00ff83979f4cc5eaf1aa08e4cd33edc6

SHA1
5f6a6d4d1b34b7f5a46591fe027092c6cc9b3194

SHA256
f04c14adc92fcb5c10a00484e705397b5597930c7915cd5a1147b4c742f439da

SHA512
64d6158cf9c9c1004bc53391b676e8b8c29264fc6756e47cc13fbc1049a9c58a43af871e4426d9650eb2f447b8599284e770df67ca6a7a2a3fbccd862d007aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
0e6d7e62faedce395b8085c567bb846b

SHA1
fbe0b111cc601bc68dc324085d0b89d638189d98

SHA256
fdffc0be815c57615e37f49cbed111dfc9449071041a2836e7d69b110c7bdfdf

SHA512
022087868ed8b4f9dea1d76a14b821350692d35d32100bcd6608c661a077431d665dd610b346bd8a565c6f0e86c6a240abe796593b9aac64882555aee7a47dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
0e6d7e62faedce395b8085c567bb846b

SHA1
fbe0b111cc601bc68dc324085d0b89d638189d98

SHA256
fdffc0be815c57615e37f49cbed111dfc9449071041a2836e7d69b110c7bdfdf

SHA512
022087868ed8b4f9dea1d76a14b821350692d35d32100bcd6608c661a077431d665dd610b346bd8a565c6f0e86c6a240abe796593b9aac64882555aee7a47dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4c378f599a8970479566727dbd830cb9

SHA1
e1a5c9e28775f5d01f5e2bd0e8ba867f5e6c0e8d

SHA256
f7bff342c5b9c9f5260dcfad39f4efb34219a303a8fde835a5ce657b9f593c10

SHA512
b01b466e8e802c6e1eb8a9992459fd6c8c4447a854ea7a7001410665cf42eeebba06365a1dd6268ef0f31a01246eb912a17a0f63f47dad3018a8518ddd7ce0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
4c378f599a8970479566727dbd830cb9

SHA1
e1a5c9e28775f5d01f5e2bd0e8ba867f5e6c0e8d

SHA256
f7bff342c5b9c9f5260dcfad39f4efb34219a303a8fde835a5ce657b9f593c10

SHA512
b01b466e8e802c6e1eb8a9992459fd6c8c4447a854ea7a7001410665cf42eeebba06365a1dd6268ef0f31a01246eb912a17a0f63f47dad3018a8518ddd7ce0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jahdqpixjc.vbs
MD5
2fb10a60030b0223a30b2d671d65706a

SHA1
964fb4db6e0925f5336a09f9d09a780e59861702

SHA256
b7f6e1b0c22a8f1124cf041ac8fb2e1e2f362b5677dbc81c2f469b4c78f3e3bd

SHA512
22c181c42f057ec8faa628faf0acf2e4dd6817b10c18df70b8f156478e6515906ca0662677a6cb37722023ce01bd23d048bba8edc7092ca5bb55253c2203710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lptbdtagwg.vbs
MD5
e864294a7f814685c673950601f83863

SHA1
96a8d171b8b958b790c06e7b13ed4dccc176e676

SHA256
7cd1519328dd8af0d88fa4fc39266f64a9663d9eb80e7e0e702356c5030da89b

SHA512
feaa80f52999389cf39b3b5656e21f06b1ea847be5a043acee35db4231f1e8a033dabb4dc081afcb13bcbb3f0c2bcaa30de944f8f584b2bca13bcf7790de2d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxkrgpabkikg.exe
MD5
6651b94fca97496297e88b8f4fa9de77

SHA1
6a32236977388626a6f6c378a1d3b6291f9b7b31

SHA256
ba8e97e341fadadb0789c21d7d78b98b5194e3cfeff41c8c7e22b422321c5417

SHA512
95343f8ac9dc4a1fdbc6d5ccff8074d4615e0f7e4d84c9025db1313234ef6de799f7637bef4198cae80653b1aa14ff2caa16f704a158e30886c65df8302129aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxkrgpabkikg.exe
MD5
6651b94fca97496297e88b8f4fa9de77

SHA1
6a32236977388626a6f6c378a1d3b6291f9b7b31

SHA256
ba8e97e341fadadb0789c21d7d78b98b5194e3cfeff41c8c7e22b422321c5417

SHA512
95343f8ac9dc4a1fdbc6d5ccff8074d4615e0f7e4d84c9025db1313234ef6de799f7637bef4198cae80653b1aa14ff2caa16f704a158e30886c65df8302129aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1134.tmp.ps1
MD5
825be8e983e1ecdfe8a77ae62b6dda56

SHA1
1c6fa5f0f7dee255fcbb0cddfc706472e2837331

SHA256
b0c4d19fc5a88ef20d910657ec2d3e8989ffa25ab607ea20439877c7d2e325e9

SHA512
d21d46f3497284b7d2b69e245f1074988e82379ba1b8c27c48331991c3b71cbb4542a2a0836d1385a813f1293aa9df4f3de629a581859ce6374e1abf91f9c3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1135.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB0D.tmp.ps1
MD5
941dbb1fd56031559cd5ba9fa1e264ab

SHA1
8dc7cb72d52c8ccb31a80a82c568e70003a17153

SHA256
9205ef79226f698e5a0ac66afa0e9d324aee5af03815b783fdf30eb45a29a0f3

SHA512
4dde3efcaa10987d4c1eb4fa833cd8f9e7a00aee900257794ebf2d0afd342ae87260029080b7e76f587f8348ec52eefe0715818545b2b611e22d01d27690031c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEB0E.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
0e6d7e62faedce395b8085c567bb846b

SHA1
fbe0b111cc601bc68dc324085d0b89d638189d98

SHA256
fdffc0be815c57615e37f49cbed111dfc9449071041a2836e7d69b110c7bdfdf

SHA512
022087868ed8b4f9dea1d76a14b821350692d35d32100bcd6608c661a077431d665dd610b346bd8a565c6f0e86c6a240abe796593b9aac64882555aee7a47dc2

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
0e6d7e62faedce395b8085c567bb846b

SHA1
fbe0b111cc601bc68dc324085d0b89d638189d98

SHA256
fdffc0be815c57615e37f49cbed111dfc9449071041a2836e7d69b110c7bdfdf

SHA512
022087868ed8b4f9dea1d76a14b821350692d35d32100bcd6608c661a077431d665dd610b346bd8a565c6f0e86c6a240abe796593b9aac64882555aee7a47dc2

Download Submit
\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP
MD5
00ff83979f4cc5eaf1aa08e4cd33edc6

SHA1
5f6a6d4d1b34b7f5a46591fe027092c6cc9b3194

SHA256
f04c14adc92fcb5c10a00484e705397b5597930c7915cd5a1147b4c742f439da

SHA512
64d6158cf9c9c1004bc53391b676e8b8c29264fc6756e47cc13fbc1049a9c58a43af871e4426d9650eb2f447b8599284e770df67ca6a7a2a3fbccd862d007aa6

Download Submit
\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP
MD5
00ff83979f4cc5eaf1aa08e4cd33edc6

SHA1
5f6a6d4d1b34b7f5a46591fe027092c6cc9b3194

SHA256
f04c14adc92fcb5c10a00484e705397b5597930c7915cd5a1147b4c742f439da

SHA512
64d6158cf9c9c1004bc53391b676e8b8c29264fc6756e47cc13fbc1049a9c58a43af871e4426d9650eb2f447b8599284e770df67ca6a7a2a3fbccd862d007aa6

Download Submit
\Users\Admin\AppData\Local\Temp\MXKRGP~1.TMP
MD5
00ff83979f4cc5eaf1aa08e4cd33edc6

SHA1
5f6a6d4d1b34b7f5a46591fe027092c6cc9b3194

SHA256
f04c14adc92fcb5c10a00484e705397b5597930c7915cd5a1147b4c742f439da

SHA512
64d6158cf9c9c1004bc53391b676e8b8c29264fc6756e47cc13fbc1049a9c58a43af871e4426d9650eb2f447b8599284e770df67ca6a7a2a3fbccd862d007aa6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8DC0.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/584-206-0x0000000000000000-mapping.dmp

Download
memory/1016-136-0x0000000000000000-mapping.dmp

Download
memory/1016-142-0x0000000005130000-0x00000000063C6000-memory.dmp

Filesize
18.6MB

Download
memory/1328-133-0x0000000000000000-mapping.dmp

Download
memory/2648-205-0x0000000000000000-mapping.dmp

Download
memory/2704-204-0x0000000000ED3000-0x0000000000ED4000-memory.dmp

Filesize
4KB

Download
memory/2704-187-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/2704-192-0x0000000008050000-0x0000000008051000-memory.dmp

Filesize
4KB

Download
memory/2704-178-0x0000000000000000-mapping.dmp

Download
memory/2704-188-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2704-189-0x0000000000ED2000-0x0000000000ED3000-memory.dmp

Filesize
4KB

Download
memory/2724-139-0x0000000000400000-0x0000000002C5E000-memory.dmp

Filesize
40.4MB

Download
memory/2724-135-0x0000000004A40000-0x0000000004B41000-memory.dmp

Filesize
1.0MB

Download
memory/2724-130-0x0000000000000000-mapping.dmp

Download
memory/2864-150-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/2864-151-0x00000000044F0000-0x0000000005786000-memory.dmp

Filesize
18.6MB

Download
memory/2864-145-0x0000000000000000-mapping.dmp

Download
memory/2864-148-0x0000000003E20000-0x0000000003F7F000-memory.dmp

Filesize
1.4MB

Download
memory/2936-201-0x0000000000000000-mapping.dmp

Download
memory/3264-123-0x0000000000000000-mapping.dmp

Download
memory/3264-128-0x0000000000AE0000-0x0000000000B06000-memory.dmp

Filesize
152KB

Download
memory/3264-129-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/3644-162-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/3644-161-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/3644-164-0x00000000084A0000-0x00000000084A1000-memory.dmp

Filesize
4KB

Download
memory/3644-165-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3644-152-0x0000000000000000-mapping.dmp

Download
memory/3644-167-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/3644-172-0x0000000009B00000-0x0000000009B01000-memory.dmp

Filesize
4KB

Download
memory/3644-173-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/3644-174-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3644-175-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/3644-155-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/3644-163-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/3644-160-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/3644-156-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/3644-159-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/3644-158-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/3644-157-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/3700-126-0x0000000000400000-0x000000000089C000-memory.dmp

Filesize
4.6MB

Download
memory/3700-121-0x00000000009A0000-0x0000000000AEA000-memory.dmp

Filesize
1.3MB

Download
memory/3700-115-0x0000000000000000-mapping.dmp

Download
memory/3844-127-0x0000000000400000-0x000000000089D000-memory.dmp

Filesize
4.6MB

Download
memory/3844-122-0x0000000000D10000-0x0000000000D34000-memory.dmp

Filesize
144KB

Download
memory/3844-118-0x0000000000000000-mapping.dmp

Download
memory/3928-140-0x0000000000000000-mapping.dmp

Download