danabot | 4f1af996a6a32b402d0b75a37f4412d3e2b6502ed95a4055e8a2313f83543cfa

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
24-07-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e2c3b009290449dc1fe9760c14e85b.exe
Size

1.4MB
MD5

31e2c3b009290449dc1fe9760c14e85b
SHA1

fa2442c7abef11a169088d43bd104ef6d21a12d7
SHA256

4f1af996a6a32b402d0b75a37f4412d3e2b6502ed95a4055e8a2313f83543cfa
SHA512

6ae10f9e51b928a49bafef4549b51dcbd9f83671604c76fc1449ad74d956e800b1d103b20ec7762634d1ad3bef82708d89830150d74eeb229cc6ade0798aa909

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

31 3196 WScript.exe
33 3196 WScript.exe
35 3196 WScript.exe
37 3196 WScript.exe
40 3176 rundll32.exe
41 3288 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

vpn.exe4.exeDisegnato.exe.comDisegnato.exe.comSmartClock.exeDisegnato.exe.comnxdbwbogkyxy.exe

pid process

1516 vpn.exe
1636 4.exe
3588 Disegnato.exe.com
2716 Disegnato.exe.com
3564 SmartClock.exe
3480 Disegnato.exe.com
2340 nxdbwbogkyxy.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exerundll32.exeRUNDLL32.EXE

pid process

3912 31e2c3b009290449dc1fe9760c14e85b.exe
3176 rundll32.exe
3288 RUNDLL32.EXE
3288 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Disegnato.exe.com

description pid process target process

PID 2716 set thread context of 3480 2716 Disegnato.exe.com Disegnato.exe.com

flow	pid	process
31	3196	WScript.exe
33	3196	WScript.exe
35	3196	WScript.exe
37	3196	WScript.exe
40	3176	rundll32.exe
41	3288	RUNDLL32.EXE

pid	process
1516	vpn.exe
1636	4.exe
3588	Disegnato.exe.com
2716	Disegnato.exe.com
3564	SmartClock.exe
3480	Disegnato.exe.com
2340	nxdbwbogkyxy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
3912	31e2c3b009290449dc1fe9760c14e85b.exe
3176	rundll32.exe
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE

flow	ioc
15	ip-api.com

description	pid	process	target process
PID 2716 set thread context of 3480	2716	Disegnato.exe.com	Disegnato.exe.com

Drops file in Program Files directory 4 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	31e2c3b009290449dc1fe9760c14e85b.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	31e2c3b009290449dc1fe9760c14e85b.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	31e2c3b009290449dc1fe9760c14e85b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEDisegnato.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Disegnato.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Disegnato.exe.com
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Disegnato.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Disegnato.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Disegnato.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\01B3F7048D0D56C5A77243AB7C23EA2B1011DE19	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\01B3F7048D0D56C5A77243AB7C23EA2B1011DE19\Blob = 03000000010000001400000001b3f7048d0d56c5a77243ab7c23ea2b1011de1920000000010000004602000030820242308201aba003020102020862f1c4f33c401503300d06092a864886f70d01010b0500304d3114301206035504030c0b476c376f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a0c0a476c6f62616c5369676e301e170d3139303732353037313231305a170d3233303732343037313231305a304d3114301206035504030c0b476c376f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a0c0a476c6f62616c5369676e30819f300d06092a864886f70d010101050003818d0030818902818100add2fe88dd74c972b719e5b198a10c47802fe8d590c0bb12e22a23bdd43683ecf4323343841a912dadf60c4411dd9a133a665ac65128e1b3a63139cfa6f99858013f80d081ca1c1fe016dfe6cba99fa67639a19b01be199c21d9df027515b8e919a5d46e617ec6f90df220336b94e6d089fb03f64461a024ee8fb6a096f19ded0203010001a32b3029300f0603551d130101ff040530030101ff30160603551d11040f300d820b476c376f62616c5369676e300d06092a864886f70d01010b05000381810041daa415ba43cfaf0f4e2c5e8e0a67b11f61d9a25c90073bcdaf3d31333aec1fcc1dc0b440e40f12d09faa4aed4cf9ae9c3760dc68610188175a73302a67a6c655f36d81a3967fba54a9b2b3abf90857f1142be436a3c97a1c1cb285f2b0346b5e3fd65537f9a044af4395eb440f89f4a2a9673dce94ebcab2cb5ea0100463e8	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3728 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

3564 SmartClock.exe

pid	process
3728	PING.EXE

pid	process
3564	SmartClock.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

pid	process
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE
3288	RUNDLL32.EXE
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 3288 RUNDLL32.EXE
Token: SeDebugPrivilege 2600 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3288	RUNDLL32.EXE
Token: SeDebugPrivilege	2600	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exevpn.execmd.execmd.exeDisegnato.exe.com4.exeDisegnato.exe.comDisegnato.exe.comnxdbwbogkyxy.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 3912 wrote to memory of 1516	3912	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 3912 wrote to memory of 1516	3912	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 3912 wrote to memory of 1516	3912	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 3912 wrote to memory of 1636	3912	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 3912 wrote to memory of 1636	3912	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 3912 wrote to memory of 1636	3912	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 1516 wrote to memory of 3432	1516	vpn.exe	cmd.exe
PID 1516 wrote to memory of 3432	1516	vpn.exe	cmd.exe
PID 1516 wrote to memory of 3432	1516	vpn.exe	cmd.exe
PID 3432 wrote to memory of 220	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 220	3432	cmd.exe	cmd.exe
PID 3432 wrote to memory of 220	3432	cmd.exe	cmd.exe
PID 220 wrote to memory of 204	220	cmd.exe	findstr.exe
PID 220 wrote to memory of 204	220	cmd.exe	findstr.exe
PID 220 wrote to memory of 204	220	cmd.exe	findstr.exe
PID 220 wrote to memory of 3588	220	cmd.exe	Disegnato.exe.com
PID 220 wrote to memory of 3588	220	cmd.exe	Disegnato.exe.com
PID 220 wrote to memory of 3588	220	cmd.exe	Disegnato.exe.com
PID 220 wrote to memory of 3728	220	cmd.exe	PING.EXE
PID 220 wrote to memory of 3728	220	cmd.exe	PING.EXE
PID 220 wrote to memory of 3728	220	cmd.exe	PING.EXE
PID 3588 wrote to memory of 2716	3588	Disegnato.exe.com	Disegnato.exe.com
PID 3588 wrote to memory of 2716	3588	Disegnato.exe.com	Disegnato.exe.com
PID 3588 wrote to memory of 2716	3588	Disegnato.exe.com	Disegnato.exe.com
PID 1636 wrote to memory of 3564	1636	4.exe	SmartClock.exe
PID 1636 wrote to memory of 3564	1636	4.exe	SmartClock.exe
PID 1636 wrote to memory of 3564	1636	4.exe	SmartClock.exe
PID 2716 wrote to memory of 3480	2716	Disegnato.exe.com	Disegnato.exe.com
PID 2716 wrote to memory of 3480	2716	Disegnato.exe.com	Disegnato.exe.com
PID 2716 wrote to memory of 3480	2716	Disegnato.exe.com	Disegnato.exe.com
PID 2716 wrote to memory of 3480	2716	Disegnato.exe.com	Disegnato.exe.com
PID 2716 wrote to memory of 3480	2716	Disegnato.exe.com	Disegnato.exe.com
PID 3480 wrote to memory of 2340	3480	Disegnato.exe.com	nxdbwbogkyxy.exe
PID 3480 wrote to memory of 2340	3480	Disegnato.exe.com	nxdbwbogkyxy.exe
PID 3480 wrote to memory of 2340	3480	Disegnato.exe.com	nxdbwbogkyxy.exe
PID 3480 wrote to memory of 2672	3480	Disegnato.exe.com	WScript.exe
PID 3480 wrote to memory of 2672	3480	Disegnato.exe.com	WScript.exe
PID 3480 wrote to memory of 2672	3480	Disegnato.exe.com	WScript.exe
PID 2340 wrote to memory of 3176	2340	nxdbwbogkyxy.exe	rundll32.exe
PID 2340 wrote to memory of 3176	2340	nxdbwbogkyxy.exe	rundll32.exe
PID 2340 wrote to memory of 3176	2340	nxdbwbogkyxy.exe	rundll32.exe
PID 3480 wrote to memory of 3196	3480	Disegnato.exe.com	WScript.exe
PID 3480 wrote to memory of 3196	3480	Disegnato.exe.com	WScript.exe
PID 3480 wrote to memory of 3196	3480	Disegnato.exe.com	WScript.exe
PID 3176 wrote to memory of 3288	3176	rundll32.exe	RUNDLL32.EXE
PID 3176 wrote to memory of 3288	3176	rundll32.exe	RUNDLL32.EXE
PID 3176 wrote to memory of 3288	3176	rundll32.exe	RUNDLL32.EXE
PID 3288 wrote to memory of 2600	3288	RUNDLL32.EXE	powershell.exe
PID 3288 wrote to memory of 2600	3288	RUNDLL32.EXE	powershell.exe
PID 3288 wrote to memory of 2600	3288	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\31e2c3b009290449dc1fe9760c14e85b.exe
"C:\Users\Admin\AppData\Local\Temp\31e2c3b009290449dc1fe9760c14e85b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Arteria.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ZgzyFwATrTeYtqBoppoMahdYKpdvCROZoFqSzfHBkUcDvLvGdmgiKlZLXcxvKtskyrPmZJPTCGAnSNBYNKyrDGgXGgUXUkQiDpnzVWHH$" Due.txt
5⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
Disegnato.exe.com q
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com q
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\nxdbwbogkyxy.exe
"C:\Users\Admin\AppData\Local\Temp\nxdbwbogkyxy.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP,S C:\Users\Admin\AppData\Local\Temp\NXDBWB~1.EXE
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP,FhQCa1ZhWA==
10⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5204.tmp.ps1"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\esgnvaqpjbfp.vbs"
8⤵
PID:2672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hmanghbdkshb.vbs"
8⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:3728

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
12dc21723f70212b6811a115823b1127

SHA1
c7067295be72a164b9aaf73648536aa49df8c3a0

SHA256
59d9d829f0770f9b1284a450e02ba290a5d35d4282c3f1e85c5b58250806e574

SHA512
33204e7f0ff4ed700cc5e8d1864a4074f21792d5f47a6a6b64c925d06e9ded7abedc63fb74f21688d911b41ded65eae2146e9708bc44871a40cddf897826de45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arteria.txt
MD5
913049d98adc90afcba8ab6f7993c8bb

SHA1
583d54ed4a513e2de372a55f1f71085781367611

SHA256
dcea307303375d72b08178264cd7eba784b4a041ab3dd26ef1ac24f54c54c759

SHA512
530bc127160545044ef2ff8ffb89196f8a0cd48fa5b2ed3bfbb1c22e32f775fb7583e7d329ba73c7d1fda90183dc715d783a73c437f2f27bcc9cf79286e8e550

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Corano.txt
MD5
d2de7222ae7c34fcf6e547ecf217a8b6

SHA1
38c24783ffd3cc50e2cb71823fd444783b19730c

SHA256
0396fa0aa17800fb3e8430a2ee5e05e359fc95bd8c4fd764eaf937503c982c12

SHA512
1cbc8d4882919974160b8294de435f9c3088ed29aa0ff11af4ec318157472c05ae26965d775adeb5fb9a7a4254e9f0a55b4969feaac1a97abcccda48582865dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Due.txt
MD5
e417e39487e093be2fa0e3c8db9b8f8e

SHA1
eb50eeeea4cc1c710599b7ccfb18566fed677a43

SHA256
3d2158cb694bc799d35128f1382da305a23b1a2fe82904394409890624409602

SHA512
a0cf7323d9db0b6b3a9ef3a363e23857b3c57cf1d52297c2e96624b07602bb3ecb488575e2f1a4b4943eeba6e277f4361e73334138350f05ac40339fe8bba56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Prediligi.txt
MD5
616bc04c44df9cdbbe25cf6abad39f12

SHA1
efffd6b11ea8251f6f2adf8481e9c2fde632c757

SHA256
6bbde48de84094d7852787c262cd7bff15be16c1adea1529d69221ad0d0e817b

SHA512
757b6be32a38d94a9d07a87af1265151fa23dbb11d81a3ca0d1d644be84c5e2c4c286acaae623e21e75b53d36389cf87e1fccc16fc6991bb80a75a1c1c258f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\q
MD5
616bc04c44df9cdbbe25cf6abad39f12

SHA1
efffd6b11ea8251f6f2adf8481e9c2fde632c757

SHA256
6bbde48de84094d7852787c262cd7bff15be16c1adea1529d69221ad0d0e817b

SHA512
757b6be32a38d94a9d07a87af1265151fa23dbb11d81a3ca0d1d644be84c5e2c4c286acaae623e21e75b53d36389cf87e1fccc16fc6991bb80a75a1c1c258f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
a9c2de9801931f677ba53f6d71953078

SHA1
4f283047563c0f2e5dc525748ba8917f1a14e9de

SHA256
c503dd992af5bec203691da4df2c66d77f7575fcef7136a326f877fcaf2bc6b5

SHA512
18093a4d6bc64e3b597afc53de863b56804312a743163612ee31178f5df4b22e584070231bd5279842048085a59c3fa3e5c8bbf2364123f4281739ded54a4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
a9c2de9801931f677ba53f6d71953078

SHA1
4f283047563c0f2e5dc525748ba8917f1a14e9de

SHA256
c503dd992af5bec203691da4df2c66d77f7575fcef7136a326f877fcaf2bc6b5

SHA512
18093a4d6bc64e3b597afc53de863b56804312a743163612ee31178f5df4b22e584070231bd5279842048085a59c3fa3e5c8bbf2364123f4281739ded54a4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\esgnvaqpjbfp.vbs
MD5
f8f4a973f6e8012b0c74429826230862

SHA1
710e098a3ceb76f58536b620ad33e424ea875ce0

SHA256
84d948ce2cdcb143c0cebcb067ac3083729d5e7d2de63d22bcdd1ee31a26dad2

SHA512
ddf6f317a1d414b350e16a9f83dd9d1b703d8684ad5c040693316eba9ee836f10395e8ee40b0653d406c8e8678c4c7aaf75afa56bb6e6f7a042f8d85a205f6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmanghbdkshb.vbs
MD5
689b97e41a383feeb61bd223b6bde9cb

SHA1
18f175ee276e0f6d0de47cf215535ca79d2b4c09

SHA256
c14fe23e1bcac9713689bbc7c371e0c8e89c2448034603ca81088f3fd3be2fb7

SHA512
7916dc0e5cc512f91f7ec1de8f8dd29b6c6eadb88df2b05975c6698899cf536dc1c4a02d1a1d6c13ac75d5cc5ccb8b5b5a62a2a22c6a4db5445c76390aca6f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxdbwbogkyxy.exe
MD5
4faf1c9e670e1e10f3b36b9a3b917966

SHA1
cb2b3af9162f2563d28e77917d653c22903acf4a

SHA256
c06b536be6df268422c769890fdd0f2e7f86124a736eaaa156ac5cf45a78f44e

SHA512
19e742c7e5be419f73ce26ba947adfaf443ca898e73a5b5f7ddd4d17f717eeeeae0acc56a521b9876b2b14d4579754c6102ffba2980b311c614202f662299d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nxdbwbogkyxy.exe
MD5
4faf1c9e670e1e10f3b36b9a3b917966

SHA1
cb2b3af9162f2563d28e77917d653c22903acf4a

SHA256
c06b536be6df268422c769890fdd0f2e7f86124a736eaaa156ac5cf45a78f44e

SHA512
19e742c7e5be419f73ce26ba947adfaf443ca898e73a5b5f7ddd4d17f717eeeeae0acc56a521b9876b2b14d4579754c6102ffba2980b311c614202f662299d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5204.tmp.ps1
MD5
147fcbbc50d0de8c64da0c508561602e

SHA1
7561dbe00395fe6b3a131c0e14d9a86c8e559ffb

SHA256
0c9dc17c4c248886fbf65d0a60475091d73c7a36d5ca2577632217fdaacbb2a1

SHA512
ede669593ddeb42652515e21af04d9bb7ae2b1a35dd9ebbeb706dc481b07ed8f9d9ef3459b3441058f837fc04ab64fe2987aa5df14753b5d48ba64d9559afccc

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\NXDBWB~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsc18BF.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/204-124-0x0000000000000000-mapping.dmp

Download
memory/220-123-0x0000000000000000-mapping.dmp

Download
memory/1516-115-0x0000000000000000-mapping.dmp

Download
memory/1636-138-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/1636-116-0x0000000000000000-mapping.dmp

Download
memory/1636-137-0x0000000000AE0000-0x0000000000B06000-memory.dmp

Filesize
152KB

Download
memory/2340-154-0x0000000000400000-0x0000000000986000-memory.dmp

Filesize
5.5MB

Download
memory/2340-153-0x0000000002830000-0x000000000292F000-memory.dmp

Filesize
1020KB

Download
memory/2340-145-0x0000000000000000-mapping.dmp

Download
memory/2600-177-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/2600-180-0x0000000007CE0000-0x0000000007CE1000-memory.dmp

Filesize
4KB

Download
memory/2600-178-0x0000000007E60000-0x0000000007E61000-memory.dmp

Filesize
4KB

Download
memory/2600-179-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/2600-167-0x0000000000000000-mapping.dmp

Download
memory/2600-188-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/2600-175-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/2600-176-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/2600-174-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/2600-182-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/2600-170-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/2600-173-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/2600-187-0x00000000094B0000-0x00000000094B1000-memory.dmp

Filesize
4KB

Download
memory/2600-172-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/2600-171-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/2672-148-0x0000000000000000-mapping.dmp

Download
memory/2716-131-0x0000000000000000-mapping.dmp

Download
memory/2716-140-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/3176-150-0x0000000000000000-mapping.dmp

Download
memory/3176-164-0x0000000004A40000-0x0000000005CD6000-memory.dmp

Filesize
18.6MB

Download
memory/3196-155-0x0000000000000000-mapping.dmp

Download
memory/3288-165-0x0000000004600000-0x0000000005896000-memory.dmp

Filesize
18.6MB

Download
memory/3288-162-0x0000000003EB0000-0x000000000400D000-memory.dmp

Filesize
1.4MB

Download
memory/3288-159-0x0000000000000000-mapping.dmp

Download
memory/3288-166-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/3432-121-0x0000000000000000-mapping.dmp

Download
memory/3480-141-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/3480-143-0x0000000000ED0000-0x0000000000EF7000-memory.dmp

Filesize
156KB

Download
memory/3564-139-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/3564-134-0x0000000000000000-mapping.dmp

Download
memory/3588-127-0x0000000000000000-mapping.dmp

Download
memory/3728-130-0x0000000000000000-mapping.dmp

Download