danabot | 4f1af996a6a32b402d0b75a37f4412d3e2b6502ed95a4055e8a2313f83543cfa

Analysis

max time kernel
150s
max time network
155s
platform
windows10_x64
resource
win10v20210408
submitted
24-07-2021 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e2c3b009290449dc1fe9760c14e85b.exe
Size

1.4MB
MD5

31e2c3b009290449dc1fe9760c14e85b
SHA1

fa2442c7abef11a169088d43bd104ef6d21a12d7
SHA256

4f1af996a6a32b402d0b75a37f4412d3e2b6502ed95a4055e8a2313f83543cfa
SHA512

6ae10f9e51b928a49bafef4549b51dcbd9f83671604c76fc1449ad74d956e800b1d103b20ec7762634d1ad3bef82708d89830150d74eeb229cc6ade0798aa909

Score

10^/10

danabot 4 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

Version

1987

Botnet

142.11.244.124:443

142.11.206.50:443

Attributes

embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 6 IoCs

Processes:

WScript.exerundll32.exeRUNDLL32.EXE

flow pid process

32 412 WScript.exe
34 412 WScript.exe
36 412 WScript.exe
38 412 WScript.exe
39 3200 rundll32.exe
40 3900 RUNDLL32.EXE
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

vpn.exe4.exeDisegnato.exe.comDisegnato.exe.comSmartClock.exeDisegnato.exe.comcjcoduav.exe

pid process

1640 vpn.exe
792 4.exe
1220 Disegnato.exe.com
1156 Disegnato.exe.com
1440 SmartClock.exe
3092 Disegnato.exe.com
2300 cjcoduav.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe
Loads dropped DLL 4 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exerundll32.exeRUNDLL32.EXE

pid process

1404 31e2c3b009290449dc1fe9760c14e85b.exe
3200 rundll32.exe
3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Disegnato.exe.com

description pid process target process

PID 1156 set thread context of 3092 1156 Disegnato.exe.com Disegnato.exe.com

flow	pid	process
32	412	WScript.exe
34	412	WScript.exe
36	412	WScript.exe
38	412	WScript.exe
39	3200	rundll32.exe
40	3900	RUNDLL32.EXE

pid	process
1640	vpn.exe
792	4.exe
1220	Disegnato.exe.com
1156	Disegnato.exe.com
1440	SmartClock.exe
3092	Disegnato.exe.com
2300	cjcoduav.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

pid	process
1404	31e2c3b009290449dc1fe9760c14e85b.exe
3200	rundll32.exe
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE

flow	ioc
18	ip-api.com

description	pid	process	target process
PID 1156 set thread context of 3092	1156	Disegnato.exe.com	Disegnato.exe.com

Drops file in Program Files directory 4 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	31e2c3b009290449dc1fe9760c14e85b.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	31e2c3b009290449dc1fe9760c14e85b.exe
File created	C:\PROGRA~3\Jvgzbfh.tmp	rundll32.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	31e2c3b009290449dc1fe9760c14e85b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXEDisegnato.exe.com

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Disegnato.exe.com
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Disegnato.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE

Modifies registry class 1 IoCs

Processes:

Disegnato.exe.com

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings Disegnato.exe.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	Disegnato.exe.com

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exeRUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\283B6DE8850D1DAA1A8DBD51E366C131FED773A4	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\283B6DE8850D1DAA1A8DBD51E366C131FED773A4\Blob = 030000000100000014000000283b6de8850d1daa1a8dbd51e366c131fed773a42000000001000000620200003082025e308201c7a0030201020208189102750cbf7b28300d06092a864886f70d01010b050030513128302606035504030c1f486f337473706f7420322e3020547275737420526f6f74204341202d20303331183016060355040a0c0f57464120486f7473706f7420322e30310b3009060355040613025553301e170d3139303732353130303730385a170d3233303732343130303730385a30513128302606035504030c1f486f337473706f7420322e3020547275737420526f6f74204341202d20303331183016060355040a0c0f57464120486f7473706f7420322e30310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100cdb7a9f9cad1c4b0c0ec9f3c9ab35de84ca6474b907d5e463942d342cc5269acfbbbe06e3d6d9d43d42c3122c72016a1029925d578d1c73f44187bf38b84b207b5d92af1e882ad454a0f0ef0a53c61cc3dd975fe4ab5662ea89d6ad94a89098f2b5d3f67d7d913bf26d4c2cc577c2fcd7fc6f75be5e796612a81c45a18e2ec630203010001a33f303d300f0603551d130101ff040530030101ff302a0603551d1104233021821f486f337473706f7420322e3020547275737420526f6f74204341202d203033300d06092a864886f70d01010b050003818100babc084fe1394d2610173c6e49fa549a7463334d4590b2c68db0a9ff8882be3da1f251745ff15c26a5aa30c0976df12e3e829d284a6a082daa8ee7acba82e3b871a20c5f4884b214197577ac4b728baa784aca3709218ffffa8d04947d83a617d4118a79e705147668ce440fd25bc6c0a03f650eae98ea785a6bad96aceeb70a	RUNDLL32.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1332 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1440 SmartClock.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

pid process

3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
3900 RUNDLL32.EXE
3440 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RUNDLL32.EXEpowershell.exe

description pid process

Token: SeDebugPrivilege 3900 RUNDLL32.EXE
Token: SeDebugPrivilege 3440 powershell.exe

pid	process
1332	PING.EXE

pid	process
1440	SmartClock.exe

pid	process
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE
3900	RUNDLL32.EXE
3440	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3900	RUNDLL32.EXE
Token: SeDebugPrivilege	3440	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

31e2c3b009290449dc1fe9760c14e85b.exevpn.execmd.execmd.exeDisegnato.exe.com4.exeDisegnato.exe.comDisegnato.exe.comcjcoduav.exerundll32.exeRUNDLL32.EXE

description	pid	process	target process
PID 1404 wrote to memory of 1640	1404	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 1404 wrote to memory of 1640	1404	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 1404 wrote to memory of 1640	1404	31e2c3b009290449dc1fe9760c14e85b.exe	vpn.exe
PID 1404 wrote to memory of 792	1404	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 1404 wrote to memory of 792	1404	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 1404 wrote to memory of 792	1404	31e2c3b009290449dc1fe9760c14e85b.exe	4.exe
PID 1640 wrote to memory of 1228	1640	vpn.exe	cmd.exe
PID 1640 wrote to memory of 1228	1640	vpn.exe	cmd.exe
PID 1640 wrote to memory of 1228	1640	vpn.exe	cmd.exe
PID 1228 wrote to memory of 3296	1228	cmd.exe	cmd.exe
PID 1228 wrote to memory of 3296	1228	cmd.exe	cmd.exe
PID 1228 wrote to memory of 3296	1228	cmd.exe	cmd.exe
PID 3296 wrote to memory of 796	3296	cmd.exe	findstr.exe
PID 3296 wrote to memory of 796	3296	cmd.exe	findstr.exe
PID 3296 wrote to memory of 796	3296	cmd.exe	findstr.exe
PID 3296 wrote to memory of 1220	3296	cmd.exe	Disegnato.exe.com
PID 3296 wrote to memory of 1220	3296	cmd.exe	Disegnato.exe.com
PID 3296 wrote to memory of 1220	3296	cmd.exe	Disegnato.exe.com
PID 3296 wrote to memory of 1332	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 1332	3296	cmd.exe	PING.EXE
PID 3296 wrote to memory of 1332	3296	cmd.exe	PING.EXE
PID 1220 wrote to memory of 1156	1220	Disegnato.exe.com	Disegnato.exe.com
PID 1220 wrote to memory of 1156	1220	Disegnato.exe.com	Disegnato.exe.com
PID 1220 wrote to memory of 1156	1220	Disegnato.exe.com	Disegnato.exe.com
PID 792 wrote to memory of 1440	792	4.exe	SmartClock.exe
PID 792 wrote to memory of 1440	792	4.exe	SmartClock.exe
PID 792 wrote to memory of 1440	792	4.exe	SmartClock.exe
PID 1156 wrote to memory of 3092	1156	Disegnato.exe.com	Disegnato.exe.com
PID 1156 wrote to memory of 3092	1156	Disegnato.exe.com	Disegnato.exe.com
PID 1156 wrote to memory of 3092	1156	Disegnato.exe.com	Disegnato.exe.com
PID 1156 wrote to memory of 3092	1156	Disegnato.exe.com	Disegnato.exe.com
PID 1156 wrote to memory of 3092	1156	Disegnato.exe.com	Disegnato.exe.com
PID 3092 wrote to memory of 2300	3092	Disegnato.exe.com	cjcoduav.exe
PID 3092 wrote to memory of 2300	3092	Disegnato.exe.com	cjcoduav.exe
PID 3092 wrote to memory of 2300	3092	Disegnato.exe.com	cjcoduav.exe
PID 3092 wrote to memory of 1220	3092	Disegnato.exe.com	WScript.exe
PID 3092 wrote to memory of 1220	3092	Disegnato.exe.com	WScript.exe
PID 3092 wrote to memory of 1220	3092	Disegnato.exe.com	WScript.exe
PID 2300 wrote to memory of 3200	2300	cjcoduav.exe	rundll32.exe
PID 2300 wrote to memory of 3200	2300	cjcoduav.exe	rundll32.exe
PID 2300 wrote to memory of 3200	2300	cjcoduav.exe	rundll32.exe
PID 3092 wrote to memory of 412	3092	Disegnato.exe.com	WScript.exe
PID 3092 wrote to memory of 412	3092	Disegnato.exe.com	WScript.exe
PID 3092 wrote to memory of 412	3092	Disegnato.exe.com	WScript.exe
PID 3200 wrote to memory of 3900	3200	rundll32.exe	RUNDLL32.EXE
PID 3200 wrote to memory of 3900	3200	rundll32.exe	RUNDLL32.EXE
PID 3200 wrote to memory of 3900	3200	rundll32.exe	RUNDLL32.EXE
PID 3900 wrote to memory of 3440	3900	RUNDLL32.EXE	powershell.exe
PID 3900 wrote to memory of 3440	3900	RUNDLL32.EXE	powershell.exe
PID 3900 wrote to memory of 3440	3900	RUNDLL32.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\31e2c3b009290449dc1fe9760c14e85b.exe
"C:\Users\Admin\AppData\Local\Temp\31e2c3b009290449dc1fe9760c14e85b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Arteria.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^ZgzyFwATrTeYtqBoppoMahdYKpdvCROZoFqSzfHBkUcDvLvGdmgiKlZLXcxvKtskyrPmZJPTCGAnSNBYNKyrDGgXGgUXUkQiDpnzVWHH$" Due.txt
5⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
Disegnato.exe.com q
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com q
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\cjcoduav.exe
"C:\Users\Admin\AppData\Local\Temp\cjcoduav.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP,S C:\Users\Admin\AppData\Local\Temp\cjcoduav.exe
9⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP,MCYKWGxOODZV
10⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE03A.tmp.ps1"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qaatxmqcop.vbs"
8⤵
PID:1220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jmeogggnu.vbs"
8⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:412

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:1332

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Jvgzbfh.tmp
MD5
12dc21723f70212b6811a115823b1127

SHA1
c7067295be72a164b9aaf73648536aa49df8c3a0

SHA256
59d9d829f0770f9b1284a450e02ba290a5d35d4282c3f1e85c5b58250806e574

SHA512
33204e7f0ff4ed700cc5e8d1864a4074f21792d5f47a6a6b64c925d06e9ded7abedc63fb74f21688d911b41ded65eae2146e9708bc44871a40cddf897826de45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Arteria.txt
MD5
913049d98adc90afcba8ab6f7993c8bb

SHA1
583d54ed4a513e2de372a55f1f71085781367611

SHA256
dcea307303375d72b08178264cd7eba784b4a041ab3dd26ef1ac24f54c54c759

SHA512
530bc127160545044ef2ff8ffb89196f8a0cd48fa5b2ed3bfbb1c22e32f775fb7583e7d329ba73c7d1fda90183dc715d783a73c437f2f27bcc9cf79286e8e550

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Corano.txt
MD5
d2de7222ae7c34fcf6e547ecf217a8b6

SHA1
38c24783ffd3cc50e2cb71823fd444783b19730c

SHA256
0396fa0aa17800fb3e8430a2ee5e05e359fc95bd8c4fd764eaf937503c982c12

SHA512
1cbc8d4882919974160b8294de435f9c3088ed29aa0ff11af4ec318157472c05ae26965d775adeb5fb9a7a4254e9f0a55b4969feaac1a97abcccda48582865dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Disegnato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Due.txt
MD5
e417e39487e093be2fa0e3c8db9b8f8e

SHA1
eb50eeeea4cc1c710599b7ccfb18566fed677a43

SHA256
3d2158cb694bc799d35128f1382da305a23b1a2fe82904394409890624409602

SHA512
a0cf7323d9db0b6b3a9ef3a363e23857b3c57cf1d52297c2e96624b07602bb3ecb488575e2f1a4b4943eeba6e277f4361e73334138350f05ac40339fe8bba56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Prediligi.txt
MD5
616bc04c44df9cdbbe25cf6abad39f12

SHA1
efffd6b11ea8251f6f2adf8481e9c2fde632c757

SHA256
6bbde48de84094d7852787c262cd7bff15be16c1adea1529d69221ad0d0e817b

SHA512
757b6be32a38d94a9d07a87af1265151fa23dbb11d81a3ca0d1d644be84c5e2c4c286acaae623e21e75b53d36389cf87e1fccc16fc6991bb80a75a1c1c258f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\q
MD5
616bc04c44df9cdbbe25cf6abad39f12

SHA1
efffd6b11ea8251f6f2adf8481e9c2fde632c757

SHA256
6bbde48de84094d7852787c262cd7bff15be16c1adea1529d69221ad0d0e817b

SHA512
757b6be32a38d94a9d07a87af1265151fa23dbb11d81a3ca0d1d644be84c5e2c4c286acaae623e21e75b53d36389cf87e1fccc16fc6991bb80a75a1c1c258f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
a9c2de9801931f677ba53f6d71953078

SHA1
4f283047563c0f2e5dc525748ba8917f1a14e9de

SHA256
c503dd992af5bec203691da4df2c66d77f7575fcef7136a326f877fcaf2bc6b5

SHA512
18093a4d6bc64e3b597afc53de863b56804312a743163612ee31178f5df4b22e584070231bd5279842048085a59c3fa3e5c8bbf2364123f4281739ded54a4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
a9c2de9801931f677ba53f6d71953078

SHA1
4f283047563c0f2e5dc525748ba8917f1a14e9de

SHA256
c503dd992af5bec203691da4df2c66d77f7575fcef7136a326f877fcaf2bc6b5

SHA512
18093a4d6bc64e3b597afc53de863b56804312a743163612ee31178f5df4b22e584070231bd5279842048085a59c3fa3e5c8bbf2364123f4281739ded54a4a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjcoduav.exe
MD5
9443b97d3b0e06b3cdb6386768ad0d7f

SHA1
04d9fde8da539c50755accf8d9d904e4a6379319

SHA256
38a3fd0a14f703ec964d07c049e4bada1669260a80bc05ff73fbcdb1205dc07a

SHA512
ff2063df82a14924de6a302bb55b5aee4d4844199fa9cef90bf78087337d206c836f9400c0b38c2fa48c0c4aa75816fcf65054a0826b4a31267a9c2dcf25ca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjcoduav.exe
MD5
9443b97d3b0e06b3cdb6386768ad0d7f

SHA1
04d9fde8da539c50755accf8d9d904e4a6379319

SHA256
38a3fd0a14f703ec964d07c049e4bada1669260a80bc05ff73fbcdb1205dc07a

SHA512
ff2063df82a14924de6a302bb55b5aee4d4844199fa9cef90bf78087337d206c836f9400c0b38c2fa48c0c4aa75816fcf65054a0826b4a31267a9c2dcf25ca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmeogggnu.vbs
MD5
80430e1332eb1ceb25322616e02939d4

SHA1
be6579547566c5bdf431da2fc82963eb88b2a36b

SHA256
179c15fe467ba45c3ffcaf324be97e6103bbf03dde95f2d581474fd500e4245f

SHA512
bc2f981982a2bc47dfdf2f8da392709a03cb2f76e8b93e130c0fa98ee606db93e8383151230139ceed45ebdb58d76e55c6925744ade402245a61eceeb56d0e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qaatxmqcop.vbs
MD5
65ab012d3575ad8f66c00556fde64b73

SHA1
dd32cd7a0c0dedbe039451d2f16c97d63dc8b844

SHA256
ecf550a797394f40d97fa3866df5fd8e95ed73664583de8f4568b5d926ff0917

SHA512
ad98a467448ad87c352026319b5f7463f70fe332b53013f90b4ec496048d28b3689d0e21a29c9d31eb869229af113f1fa2dd1d937d58784824ca6898cfca3bb6

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
ee6aa728713c5b63aeef1b9ac9b34f7c

SHA1
74f203a30a8c78b38f3a37df1354fccfabf48076

SHA256
5dbe065bb00fb53f418fdb9fd3e09e7e5bdf2603483f676c90d25b8071826884

SHA512
e9b58078ba21916920187506a2ea738d8bbc7716b0d5cc953774c550edc5fce4a7013ee6a889fee3fccf09e26b04900d39d15eff4c94cde7ba23257ec644e45c

Download Submit
\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\CJCODU~1.TMP
MD5
a432db9b4cfed957e5002cd431366268

SHA1
669d7ff42b91febbaeebdaca57d0050e1af9d9d9

SHA256
3f353236d65c83d0a61f75ecf8b0f497198f6af23d0f4814ece9b627015f1978

SHA512
6adb320dcd4b35bce9974e8a92cf758e3bca00e65cd9717ec762a885bb8047b4f411538add7a582ccad7e9d9a3bda69acfd23bcbf6fd943b7151a2a4a4b4de2f

Download Submit
\Users\Admin\AppData\Local\Temp\nso9D31.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/412-156-0x0000000000000000-mapping.dmp

Download
memory/792-138-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/792-137-0x00000000008B0000-0x00000000009FA000-memory.dmp

Filesize
1.3MB

Download
memory/792-118-0x0000000000000000-mapping.dmp

Download
memory/796-124-0x0000000000000000-mapping.dmp

Download
memory/1156-141-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/1156-131-0x0000000000000000-mapping.dmp

Download
memory/1220-127-0x0000000000000000-mapping.dmp

Download
memory/1220-149-0x0000000000000000-mapping.dmp

Download
memory/1228-121-0x0000000000000000-mapping.dmp

Download
memory/1332-129-0x0000000000000000-mapping.dmp

Download
memory/1440-139-0x00000000023A0000-0x00000000023C6000-memory.dmp

Filesize
152KB

Download
memory/1440-140-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/1440-134-0x0000000000000000-mapping.dmp

Download
memory/1640-115-0x0000000000000000-mapping.dmp

Download
memory/2300-154-0x0000000000400000-0x0000000000987000-memory.dmp

Filesize
5.5MB

Download
memory/2300-146-0x0000000000000000-mapping.dmp

Download
memory/2300-153-0x0000000002760000-0x000000000285F000-memory.dmp

Filesize
1020KB

Download
memory/3092-142-0x00000000009C0000-0x00000000009E7000-memory.dmp

Filesize
156KB

Download
memory/3092-144-0x00000000009C0000-0x00000000009E7000-memory.dmp

Filesize
156KB

Download
memory/3200-151-0x0000000000000000-mapping.dmp

Download
memory/3200-158-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3200-164-0x0000000005100000-0x0000000006396000-memory.dmp

Filesize
18.6MB

Download
memory/3296-123-0x0000000000000000-mapping.dmp

Download
memory/3440-172-0x0000000000000000-mapping.dmp

Download
memory/3440-176-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/3440-175-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3900-162-0x0000000000B00000-0x0000000000C5D000-memory.dmp

Filesize
1.4MB

Download
memory/3900-170-0x00000000049A0000-0x0000000005C36000-memory.dmp

Filesize
18.6MB

Download
memory/3900-165-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/3900-159-0x0000000000000000-mapping.dmp

Download