danabot | 6f9ceec310ada7c427dd089f4bfc0016974a0e07faccb8d7dce51eb33a0210e4

Resubmissions

14-09-2021 08:51

210914-ksanwaaddn 10

13-09-2021 13:58

210913-q947psdgf5 10

Analysis

max time kernel
121s
max time network
136s
platform
windows10_x64
resource
win10-en
submitted
13-09-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mixshop_20210913-152925.exe
Size

302KB
MD5

2562972dd8803380fc754bd9eb897342
SHA1

3f3460ca64a8ff5f67639a9d153fcbde2ada63c0
SHA256

6f9ceec310ada7c427dd089f4bfc0016974a0e07faccb8d7dce51eb33a0210e4
SHA512

9599f56d90627e33893f61a5385b87b1045b004100f5920624388f48cbe60140a41bdad0b88dd971b2e67dd06854519faf5d2a88a474157ddd9fcce86b721b35

Score

10^/10

danabot banker discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

danabot

23.229.29.48:443

5.9.224.204:443

192.255.166.212:443

Attributes

embedded_hash
0E1A7A1479C37094441FA911262B322A

rsa_pubkey.plain

rsa_privkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL	DanabotLoader2021
behavioral2/memory/2436-171-0x00000000042C0000-0x0000000004423000-memory.dmp	DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

37 3504 WScript.exe
39 3504 WScript.exe
41 3504 WScript.exe
43 3504 WScript.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

File.exefulzie.exewakingvp.exeIntelRapid.exeEstremita.exe.comEstremita.exe.comipconfig.exeryraxqoyd.exe

pid process

3656 File.exe
3988 fulzie.exe
2892 wakingvp.exe
400 IntelRapid.exe
1200 Estremita.exe.com
1668 Estremita.exe.com
4028 ipconfig.exe
3876 ryraxqoyd.exe

flow	pid	process
37	3504	WScript.exe
39	3504	WScript.exe
41	3504	WScript.exe
43	3504	WScript.exe

pid	process
3656	File.exe
3988	fulzie.exe
2892	wakingvp.exe
400	IntelRapid.exe
1200	Estremita.exe.com
1668	Estremita.exe.com
4028	ipconfig.exe
3876	ryraxqoyd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IntelRapid.exefulzie.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fulzie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fulzie.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe

Drops startup file 1 IoCs

Processes:

fulzie.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk fulzie.exe
Loads dropped DLL 4 IoCs

Processes:

File.exewakingvp.exerundll32.exe

pid process

3656 File.exe
2892 wakingvp.exe
2436 rundll32.exe
2436 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	fulzie.exe

pid	process
3656	File.exe
2892	wakingvp.exe
2436	rundll32.exe
2436	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe	themida
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe	themida
behavioral2/memory/3988-137-0x00007FF69FDD0000-0x00007FF6A0745000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/400-146-0x00007FF621C60000-0x00007FF6225D5000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fulzie.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fulzie.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

fulzie.exeIntelRapid.exe

pid process

3988 fulzie.exe
400 IntelRapid.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Estremita.exe.com

description pid process target process

PID 1668 set thread context of 4028 1668 Estremita.exe.com ipconfig.exe

flow	ioc
16	ip-api.com

pid	process
3988	fulzie.exe
400	IntelRapid.exe

description	pid	process	target process
PID 1668 set thread context of 4028	1668	Estremita.exe.com	ipconfig.exe

Drops file in Program Files directory 3 IoCs

Processes:

File.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	File.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	File.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mixshop_20210913-152925.exeipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mixshop_20210913-152925.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ipconfig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ipconfig.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mixshop_20210913-152925.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3252 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4028 ipconfig.exe
Modifies registry class 1 IoCs

Processes:

ipconfig.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings ipconfig.exe

pid	process
3252	timeout.exe

pid	process
4028	ipconfig.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings	ipconfig.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1408 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

400 IntelRapid.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Estremita.exe.com

pid process

1668 Estremita.exe.com
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Estremita.exe.comEstremita.exe.com

pid process

1200 Estremita.exe.com
1200 Estremita.exe.com
1200 Estremita.exe.com
1668 Estremita.exe.com
1668 Estremita.exe.com
1668 Estremita.exe.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Estremita.exe.comEstremita.exe.com

pid process

1200 Estremita.exe.com
1200 Estremita.exe.com
1200 Estremita.exe.com
1668 Estremita.exe.com
1668 Estremita.exe.com
1668 Estremita.exe.com

pid	process
1408	PING.EXE

pid	process
400	IntelRapid.exe

pid	process
1668	Estremita.exe.com

pid	process
1200	Estremita.exe.com
1200	Estremita.exe.com
1200	Estremita.exe.com
1668	Estremita.exe.com
1668	Estremita.exe.com
1668	Estremita.exe.com

pid	process
1200	Estremita.exe.com
1200	Estremita.exe.com
1200	Estremita.exe.com
1668	Estremita.exe.com
1668	Estremita.exe.com
1668	Estremita.exe.com

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

mixshop_20210913-152925.execmd.exeFile.exewakingvp.execmd.execmd.exefulzie.exeEstremita.exe.comEstremita.exe.comipconfig.exeryraxqoyd.exe

description	pid	process	target process
PID 3732 wrote to memory of 3656	3732	mixshop_20210913-152925.exe	File.exe
PID 3732 wrote to memory of 3656	3732	mixshop_20210913-152925.exe	File.exe
PID 3732 wrote to memory of 3656	3732	mixshop_20210913-152925.exe	File.exe
PID 3732 wrote to memory of 3016	3732	mixshop_20210913-152925.exe	cmd.exe
PID 3732 wrote to memory of 3016	3732	mixshop_20210913-152925.exe	cmd.exe
PID 3732 wrote to memory of 3016	3732	mixshop_20210913-152925.exe	cmd.exe
PID 3016 wrote to memory of 3252	3016	cmd.exe	timeout.exe
PID 3016 wrote to memory of 3252	3016	cmd.exe	timeout.exe
PID 3016 wrote to memory of 3252	3016	cmd.exe	timeout.exe
PID 3656 wrote to memory of 3988	3656	File.exe	fulzie.exe
PID 3656 wrote to memory of 3988	3656	File.exe	fulzie.exe
PID 3656 wrote to memory of 2892	3656	File.exe	wakingvp.exe
PID 3656 wrote to memory of 2892	3656	File.exe	wakingvp.exe
PID 3656 wrote to memory of 2892	3656	File.exe	wakingvp.exe
PID 2892 wrote to memory of 2272	2892	wakingvp.exe	cmd.exe
PID 2892 wrote to memory of 2272	2892	wakingvp.exe	cmd.exe
PID 2892 wrote to memory of 2272	2892	wakingvp.exe	cmd.exe
PID 2272 wrote to memory of 3192	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 3192	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 3192	2272	cmd.exe	cmd.exe
PID 3192 wrote to memory of 3884	3192	cmd.exe	findstr.exe
PID 3192 wrote to memory of 3884	3192	cmd.exe	findstr.exe
PID 3192 wrote to memory of 3884	3192	cmd.exe	findstr.exe
PID 3988 wrote to memory of 400	3988	fulzie.exe	IntelRapid.exe
PID 3988 wrote to memory of 400	3988	fulzie.exe	IntelRapid.exe
PID 3192 wrote to memory of 1200	3192	cmd.exe	Estremita.exe.com
PID 3192 wrote to memory of 1200	3192	cmd.exe	Estremita.exe.com
PID 3192 wrote to memory of 1200	3192	cmd.exe	Estremita.exe.com
PID 3192 wrote to memory of 1408	3192	cmd.exe	PING.EXE
PID 3192 wrote to memory of 1408	3192	cmd.exe	PING.EXE
PID 3192 wrote to memory of 1408	3192	cmd.exe	PING.EXE
PID 1200 wrote to memory of 1668	1200	Estremita.exe.com	Estremita.exe.com
PID 1200 wrote to memory of 1668	1200	Estremita.exe.com	Estremita.exe.com
PID 1200 wrote to memory of 1668	1200	Estremita.exe.com	Estremita.exe.com
PID 1668 wrote to memory of 4028	1668	Estremita.exe.com	ipconfig.exe
PID 1668 wrote to memory of 4028	1668	Estremita.exe.com	ipconfig.exe
PID 1668 wrote to memory of 4028	1668	Estremita.exe.com	ipconfig.exe
PID 1668 wrote to memory of 4028	1668	Estremita.exe.com	ipconfig.exe
PID 4028 wrote to memory of 3876	4028	ipconfig.exe	ryraxqoyd.exe
PID 4028 wrote to memory of 3876	4028	ipconfig.exe	ryraxqoyd.exe
PID 4028 wrote to memory of 3876	4028	ipconfig.exe	ryraxqoyd.exe
PID 4028 wrote to memory of 3624	4028	ipconfig.exe	WScript.exe
PID 4028 wrote to memory of 3624	4028	ipconfig.exe	WScript.exe
PID 4028 wrote to memory of 3624	4028	ipconfig.exe	WScript.exe
PID 4028 wrote to memory of 3504	4028	ipconfig.exe	WScript.exe
PID 4028 wrote to memory of 3504	4028	ipconfig.exe	WScript.exe
PID 4028 wrote to memory of 3504	4028	ipconfig.exe	WScript.exe
PID 3876 wrote to memory of 2436	3876	ryraxqoyd.exe	rundll32.exe
PID 3876 wrote to memory of 2436	3876	ryraxqoyd.exe	rundll32.exe
PID 3876 wrote to memory of 2436	3876	ryraxqoyd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\mixshop_20210913-152925.exe
"C:\Users\Admin\AppData\Local\Temp\mixshop_20210913-152925.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe
    "C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Drops startup file
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
      "C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: AddClipboardFormatListener
      PID:400
- - C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe
    "C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c cmd < Giu.vst
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^xUlNXJkiuCtOHCFKpjDKUUxBRFKQlgBZHHJmaqfsJHlshynlliqvvnNmAJWsYcXSwtiqTyaoWjqjKehMumFehtDoUpZItXagJafpYnsyOSmlnAPbcpkmPVEXBYyJy$" Ape.vst
        6⤵
        
        PID:3884
      - C:\Users\Admin\AppData\Roaming\Estremita.exe.com
        
        Estremita.exe.com o
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Estremita.exe.com
        
        C:\Users\Admin\AppData\Roaming\Estremita.exe.com o
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\ipconfig.exe
        
        C:\Users\Admin\AppData\Roaming\ipconfig.exe
        8⤵
        Executes dropped EXE
        Checks processor information in registry
        Gathers network information
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\ryraxqoyd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ryraxqoyd.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\RYRAXQ~1.EXE
        10⤵
        Loads dropped DLL
        
        PID:2436
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ivuwpki.vbs"
        9⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bvdjqbtxp.vbs"
        9⤵
        Blocklisted process makes network request
        Modifies system certificate store
        
        PID:3504
      - C:\Windows\SysWOW64\PING.EXE
        
        ping GSNTPAWQ
        6⤵
        Runs ping.exe
        
        PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\mixshop_20210913-152925.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:3252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

MD5
7f34e20c034ccec9634a41d2b407dc12

SHA1
8c81c4c22460f5ba8bdaa47a694c9b852e90a32b

SHA256
cb54a84a3dfc7589c08eacacaca5cb293c719a849eecda7ae74dddb50f144ce3

SHA512
841f939fdddbb66ad89fa3e2dff9e1de93d19a065dc895379fb1d67cd84614105aed43371e1a9ec6e8dcdef2e6ed61f45346c4f0583a4ace8e1ba59fd0da5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

MD5
7f34e20c034ccec9634a41d2b407dc12

SHA1
8c81c4c22460f5ba8bdaa47a694c9b852e90a32b

SHA256
cb54a84a3dfc7589c08eacacaca5cb293c719a849eecda7ae74dddb50f144ce3

SHA512
841f939fdddbb66ad89fa3e2dff9e1de93d19a065dc895379fb1d67cd84614105aed43371e1a9ec6e8dcdef2e6ed61f45346c4f0583a4ace8e1ba59fd0da5539

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\BDWRVB~1.ZIP

MD5
884422cb14f5d8e12d586b0bf7faae18

SHA1
c353290487207d1bbd17461a29bafe4741fd278e

SHA256
6ee2a2d268e6685e1ee72433955122b3445f13d158b7d162af0d62d9d457f61b

SHA512
3ab752a04bd2e719251204ecfc10d0382bce911d6272231718064947e06b2ba5963a661efdb2df5198810cc1ec617aaede13e1d6783d8bc80e23fdcd418edb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\XPFBLN~1.ZIP

MD5
b1dc2a037e79c5179b0298df81e42e83

SHA1
2ea5b9c1c7bc82a72e24e2441d2d24575b8bf254

SHA256
232169f36c1da2a822ec8b1d88afd1f3f0fa42e9fb39a34dd7b72f8449d41ccd

SHA512
e7ca32df18c2a861b1ba4c4ad5a276f79cfbe5e3c204e2a3b74594beaa75003f9d99cfe759831725b4b9ecfb0b791819c5d0a7d2ef8a672eebe92b4514129350

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\_Files\_INFOR~1.TXT

MD5
77ad6dc8985ac81d6da4475d7ed0aef5

SHA1
890f98adcdca64fac7ade5f4fe4c7f79def2ea35

SHA256
c1dd408a47f7ecfd4559013e13ee5b8622a00edfa711a958516e9799f2b5d072

SHA512
e9d3ae82bbfc9bc6c74bb880f4194fed3272e5284dcae5c7ac223c4dceb557386fe839e12951ad1e56d47c47e48fb6fc49004daf798ee22910491e7b4b0209e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\_Files\_SCREE~1.JPE

MD5
42467260b05e20e8b8d65472643eb357

SHA1
5be6c9a0585ddc0ccc9a2b9fadd07edb031ecb78

SHA256
d9171b2ae9346be6432ec383857d5c2aa33b1aa860aae6725fe9e4068a18369a

SHA512
4b7557916ed8a0aff952dccbd950da46b3b1e57856de16895dd9f4c9e987f2110e675129d342f7e292acaa6a8a2860807498edf560a4f804cd0641880d757fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\files_\SCREEN~1.JPG

MD5
42467260b05e20e8b8d65472643eb357

SHA1
5be6c9a0585ddc0ccc9a2b9fadd07edb031ecb78

SHA256
d9171b2ae9346be6432ec383857d5c2aa33b1aa860aae6725fe9e4068a18369a

SHA512
4b7557916ed8a0aff952dccbd950da46b3b1e57856de16895dd9f4c9e987f2110e675129d342f7e292acaa6a8a2860807498edf560a4f804cd0641880d757fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOCxIROjlGiGV\files_\SYSTEM~1.TXT

MD5
77ad6dc8985ac81d6da4475d7ed0aef5

SHA1
890f98adcdca64fac7ade5f4fe4c7f79def2ea35

SHA256
c1dd408a47f7ecfd4559013e13ee5b8622a00edfa711a958516e9799f2b5d072

SHA512
e9d3ae82bbfc9bc6c74bb880f4194fed3272e5284dcae5c7ac223c4dceb557386fe839e12951ad1e56d47c47e48fb6fc49004daf798ee22910491e7b4b0209e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL

MD5
a0dae4244f0f5026bed2e9278625755e

SHA1
76f281d7af2ccfa8490dbe68db1270fde7f31370

SHA256
692af75aeb5fb43368e58d02421a5891f7b0b6dc61279c06a141dd3bd82fd123

SHA512
71b0f978704b1d28ae71cbf65ae64e6e7f7456b1ccf0d528f161e8d74d7ca2dac38fa45afab7fe12455637f7ac90e19d280ecaa86f2dabecc8209d8ae3c03fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdjqbtxp.vbs

MD5
d0d21c5e1b6c89c32c1fe0c3355828b9

SHA1
14f01ddbafa13318db7b0d10614b71152254c2ff

SHA256
053c6772db10e8c9da260812e739e9897d9c832a99a555bbc3609ebae081e9a1

SHA512
da9b6e52d3ffb30545a8b882faad5dc3d9cf34baf8c383538f6ac82e1c09cc4dda914ce32c46f1b0c78eb67b8b7dc19ea2e0638877c81535f7ba52bc54a66022

Download Submit
C:\Users\Admin\AppData\Local\Temp\ivuwpki.vbs

MD5
839bb42c8356b256c745ca38adf9250b

SHA1
7441259e79dbca36c0d8d107b552bc189e181677

SHA256
6c9decad3ae430aba9300b99537158d45358ad3f281e56a8072e8b8756d0fa97

SHA512
1c7e35359bf0e4b09060c0f2bc414960b602ede1e4d68dfe17526304d4aaded7c305855b84d20785da803f057fc1172d9f7a4cfcdb5e2f342326a506260401a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe

MD5
cb7ffa834897d1835bd1e9c6e653a8ba

SHA1
3cd8ff0009d3ad54359d42adf3b1087066c9c557

SHA256
b2363cf62317c1f49d26c2cb5b3f9b9c8f1613bea21040aedd17709038a7f957

SHA512
b0133effd60d993dd20354d3f6d14e53e547aa4da9582223d282537608c07562dcd1b85e395bdf8bcda1c2422daeb8457ce87563dccb562bad49d747fea8f0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\fulzie.exe

MD5
cb7ffa834897d1835bd1e9c6e653a8ba

SHA1
3cd8ff0009d3ad54359d42adf3b1087066c9c557

SHA256
b2363cf62317c1f49d26c2cb5b3f9b9c8f1613bea21040aedd17709038a7f957

SHA512
b0133effd60d993dd20354d3f6d14e53e547aa4da9582223d282537608c07562dcd1b85e395bdf8bcda1c2422daeb8457ce87563dccb562bad49d747fea8f0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe

MD5
a528555dff61a67168646ec8c542cb98

SHA1
74db3485a17d22befa1a7ba4d090434e47007fb1

SHA256
0513f7eee6e496728165e72393dc910e3319efce1a624e231ab47a6b57009570

SHA512
561aac7278d0411a163dbfc63149ba42f645d058545003168b95939fecdfe6b2e6a520fcedf80648f63481b3d9c1690c49d3919d7675e9463f3fee1d2535f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\picoid\wakingvp.exe

MD5
a528555dff61a67168646ec8c542cb98

SHA1
74db3485a17d22befa1a7ba4d090434e47007fb1

SHA256
0513f7eee6e496728165e72393dc910e3319efce1a624e231ab47a6b57009570

SHA512
561aac7278d0411a163dbfc63149ba42f645d058545003168b95939fecdfe6b2e6a520fcedf80648f63481b3d9c1690c49d3919d7675e9463f3fee1d2535f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryraxqoyd.exe

MD5
8146d6f4f4b63957db8891d739465029

SHA1
cb1b4ba4d8d7dd5befe73ca72dbbf9bc34668f28

SHA256
364827c2a907d41d8e89e59a88e2956ccb52320f026f4f519416a5d623ee4c4d

SHA512
c2f17eea076c71e17b5989959f2c9b66967a19e3769dbb2960a8e414e03cb58e7e64a5b712a40bc4875473bfd5881c4d794505ee6555e5b963fcc68d892ca064

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryraxqoyd.exe

MD5
8146d6f4f4b63957db8891d739465029

SHA1
cb1b4ba4d8d7dd5befe73ca72dbbf9bc34668f28

SHA256
364827c2a907d41d8e89e59a88e2956ccb52320f026f4f519416a5d623ee4c4d

SHA512
c2f17eea076c71e17b5989959f2c9b66967a19e3769dbb2960a8e414e03cb58e7e64a5b712a40bc4875473bfd5881c4d794505ee6555e5b963fcc68d892ca064

Download Submit
C:\Users\Admin\AppData\Roaming\Ape.vst

MD5
0f95d588ea95ba041d1e1ab00ab5985a

SHA1
59b0f6f218ca27e6bb4a8f709a9bb5c322caa5d9

SHA256
e785765db1d69967274f7556a1bb7f58d03ac7a42ce30c898f8b82b5967a836c

SHA512
0f0bc00fb441342f01574eb95fd2ea82c01dfe358476226af2de5038b6529dab71da430b2394efb229eea75e6ea2a58f625d8d92cadb497a8cdbcfbe82b53d8a

Download Submit
C:\Users\Admin\AppData\Roaming\Estremita.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Estremita.exe.com

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\Giu.vst

MD5
6b8f8744aed55fed3f2a4d8641a51b38

SHA1
7bb78b0d2cfaa007b004d664975fab47f8e61573

SHA256
dca7e57053322373679c95f82885555615554b4b6d614b271f733c1c32dccf08

SHA512
60e92939d82e6a6458c7928012d89c988b5b4d35fc5d4d1dfded22855dbb638c952dd4bf293360dc2ec89407b58d8cc47bd1cc19caa181ec84bbc8d933802aad

Download Submit
C:\Users\Admin\AppData\Roaming\Guardo.vst

MD5
ba3ab0710c08184730d023649fb798a7

SHA1
9681e1f7cbf4f69a4067993b64faf85faa6beb08

SHA256
69ff4fcbd902b901ade16bb5702560b0a13ee0b353f9cc16d90fe995e5b01498

SHA512
ea744158004880f643e947abeae924a58b4f95426970f688a8083b2d5a44fa566919e3271f5ede1e0c48de4aec43e50383f723fbe71915a96c3f1ced50c07b5a

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
cb7ffa834897d1835bd1e9c6e653a8ba

SHA1
3cd8ff0009d3ad54359d42adf3b1087066c9c557

SHA256
b2363cf62317c1f49d26c2cb5b3f9b9c8f1613bea21040aedd17709038a7f957

SHA512
b0133effd60d993dd20354d3f6d14e53e547aa4da9582223d282537608c07562dcd1b85e395bdf8bcda1c2422daeb8457ce87563dccb562bad49d747fea8f0f0

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
cb7ffa834897d1835bd1e9c6e653a8ba

SHA1
3cd8ff0009d3ad54359d42adf3b1087066c9c557

SHA256
b2363cf62317c1f49d26c2cb5b3f9b9c8f1613bea21040aedd17709038a7f957

SHA512
b0133effd60d993dd20354d3f6d14e53e547aa4da9582223d282537608c07562dcd1b85e395bdf8bcda1c2422daeb8457ce87563dccb562bad49d747fea8f0f0

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.exe

MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Roaming\ipconfig.exe

MD5
a69ba0e84d1a6b853acf752969d3f937

SHA1
ff1bee9468afc6c4ff82cba3f5ae13842ea07f0c

SHA256
01cbe910e5d343c25e9066ccc7f8777a79b0d3e210aa2fb7e4428ab259712469

SHA512
fd4fa4b978b746638bd847fce9dfa9bc9c0ab5c91fb989e9aeea147a4a35e2326586ec04d80bdab6b21d06b2f41e870e9f588aeca27fc3473e3fca0973e60eca

Download Submit
C:\Users\Admin\AppData\Roaming\o

MD5
ba3ab0710c08184730d023649fb798a7

SHA1
9681e1f7cbf4f69a4067993b64faf85faa6beb08

SHA256
69ff4fcbd902b901ade16bb5702560b0a13ee0b353f9cc16d90fe995e5b01498

SHA512
ea744158004880f643e947abeae924a58b4f95426970f688a8083b2d5a44fa566919e3271f5ede1e0c48de4aec43e50383f723fbe71915a96c3f1ced50c07b5a

Download Submit
\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL

MD5
a0dae4244f0f5026bed2e9278625755e

SHA1
76f281d7af2ccfa8490dbe68db1270fde7f31370

SHA256
692af75aeb5fb43368e58d02421a5891f7b0b6dc61279c06a141dd3bd82fd123

SHA512
71b0f978704b1d28ae71cbf65ae64e6e7f7456b1ccf0d528f161e8d74d7ca2dac38fa45afab7fe12455637f7ac90e19d280ecaa86f2dabecc8209d8ae3c03fb3

Download Submit
\Users\Admin\AppData\Local\Temp\RYRAXQ~1.DLL

MD5
a0dae4244f0f5026bed2e9278625755e

SHA1
76f281d7af2ccfa8490dbe68db1270fde7f31370

SHA256
692af75aeb5fb43368e58d02421a5891f7b0b6dc61279c06a141dd3bd82fd123

SHA512
71b0f978704b1d28ae71cbf65ae64e6e7f7456b1ccf0d528f161e8d74d7ca2dac38fa45afab7fe12455637f7ac90e19d280ecaa86f2dabecc8209d8ae3c03fb3

Download Submit
\Users\Admin\AppData\Local\Temp\nsm70A3.tmp\nsExec.dll

MD5
09c2e27c626d6f33018b8a34d3d98cb6

SHA1
8d6bf50218c8f201f06ecf98ca73b74752a2e453

SHA256
114c6941a8b489416c84563e94fd266ea5cad2b518db45cd977f1f9761e00cb1

SHA512
883454bef7b6de86d53af790755ae624f756b48b23970f865558ba03a5aecfa8d15f14700e92b3c51546e738c93e53dc50b8a45f79ef3f00aa84382853440954

Download Submit
\Users\Admin\AppData\Local\Temp\nsz6C1E.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/400-146-0x00007FF621C60000-0x00007FF6225D5000-memory.dmp

Filesize
9.5MB

Download
memory/400-141-0x0000000000000000-mapping.dmp

Download
memory/1200-147-0x0000000000000000-mapping.dmp

Download
memory/1408-149-0x0000000000000000-mapping.dmp

Download
memory/1668-151-0x0000000000000000-mapping.dmp

Download
memory/1668-155-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/2272-136-0x0000000000000000-mapping.dmp

Download
memory/2436-167-0x0000000000000000-mapping.dmp

Download
memory/2436-171-0x00000000042C0000-0x0000000004423000-memory.dmp

Filesize
1.4MB

Download
memory/2892-132-0x0000000000000000-mapping.dmp

Download
memory/3016-120-0x0000000000000000-mapping.dmp

Download
memory/3192-139-0x0000000000000000-mapping.dmp

Download
memory/3252-128-0x0000000000000000-mapping.dmp

Download
memory/3504-165-0x0000000000000000-mapping.dmp

Download
memory/3624-161-0x0000000000000000-mapping.dmp

Download
memory/3656-117-0x0000000000000000-mapping.dmp

Download
memory/3732-115-0x0000000002170000-0x000000000221E000-memory.dmp

Filesize
696KB

Download
memory/3732-116-0x0000000000400000-0x000000000216A000-memory.dmp

Filesize
29.4MB

Download
memory/3876-163-0x0000000003FF0000-0x00000000040F7000-memory.dmp

Filesize
1.0MB

Download
memory/3876-164-0x0000000000400000-0x0000000002235000-memory.dmp

Filesize
30.2MB

Download
memory/3876-158-0x0000000000000000-mapping.dmp

Download
memory/3884-140-0x0000000000000000-mapping.dmp

Download
memory/3988-129-0x0000000000000000-mapping.dmp

Download
memory/3988-137-0x00007FF69FDD0000-0x00007FF6A0745000-memory.dmp

Filesize
9.5MB

Download
memory/4028-156-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4028-153-0x000000000040591E-mapping.dmp

Download