danabot | a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151

Analysis

max time kernel
142s
max time network
125s
platform
windows10_x64
resource
win10-en-20211014
submitted
19-10-2021 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe
Size

1.2MB
MD5

8b56a82dc8855741c7389261da25f65c
SHA1

8d0f50cd24f4964f232e39370655294e0489e873
SHA256

a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151
SHA512

40cab2bdceac8dcc1eb9486e3becc94ebfd1ca3a55f6fdd993b277bcd647c017236b6b04790edcc275c9385b91b3bec121a7ebca5370c07cf1e60b8bd50ea6eb

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
behavioral1/memory/3104-122-0x0000000004190000-0x00000000042F6000-memory.dmp	DanabotLoader2021
behavioral1/memory/1276-128-0x00000000041A0000-0x0000000004306000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
behavioral1/memory/964-138-0x00000000040F0000-0x0000000004256000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL	DanabotLoader2021

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

23 3104 rundll32.exe
24 1276 RUNDLL32.EXE
Loads dropped DLL 7 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

3104 rundll32.exe
3104 rundll32.exe
1276 RUNDLL32.EXE
1276 RUNDLL32.EXE
964 RUNDLL32.EXE
964 RUNDLL32.EXE
2292 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
23	3104	rundll32.exe
24	1276	RUNDLL32.EXE

pid	process
3104	rundll32.exe
3104	rundll32.exe
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
964	RUNDLL32.EXE
964	RUNDLL32.EXE
2292	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 964 set thread context of 1292 964 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 964 set thread context of 1292	964	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 38 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5CD3F531A988DDED9F25870A5C3DBB46D8A649BE	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5CD3F531A988DDED9F25870A5C3DBB46D8A649BE\Blob = 0300000001000000140000005cd3f531a988dded9f25870a5c3dbb46d8a649be2000000001000000610200003082025d308201c6a00302010202081abf810e729d65cb300d06092a864886f70d01010b05003057311b301906035504030c12476c6f62616d5369676e20526f6f742043413110300e060355040b0c07526f6f7420434131193017060355040a0c10476c6f62616c5369676e206e762d7361310b3009060355040613024245301e170d3139313031373233353333335a170d3233313031363233353333335a3057311b301906035504030c12476c6f62616d5369676e20526f6f742043413110300e060355040b0c07526f6f7420434131193017060355040a0c10476c6f62616c5369676e206e762d7361310b300906035504061302424530819f300d06092a864886f70d010101050003818d00308189028181009919345a3a24804e6f12ddbf2bd988f8b5abbb3738b40c08acf3087cd53af84c50c4bf8b27d5b8537b0ab78ff9941208ff992c71d5e39025d09f87c0fd079adb9afbed05cc0c9c33d67b97ca2e66117761cb49d54f441e7fc2049a8bf2124af5a9a64f1cb4c0d4e6def081105221bd7444c28e200050a668a642e410d8fb34650203010001a3323030300f0603551d130101ff040530030101ff301d0603551d11041630148212476c6f62616d5369676e20526f6f74204341300d06092a864886f70d01010b0500038181006923648a20c1ee00a1156fdb8f44ffbc0b01ecd3d0df7f484e770fc02df5c24c94148384732d8a992f09b0af804c7d3fd20db3a3c8df582ae586110ef147a2920f67ed7c2841eb40a707f4c318a749c6f9276d6520a5d392fde26810ddc819e6b3604ee06f1bf3fec110856101c94d9d846eac3d3a9d59c4ae8824ea823c267b	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

RUNDLL32.EXEpowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

pid	process
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
696	powershell.exe
964	RUNDLL32.EXE
964	RUNDLL32.EXE
696	powershell.exe
3596	powershell.exe
696	powershell.exe
3596	powershell.exe
3596	powershell.exe
1276	RUNDLL32.EXE
1276	RUNDLL32.EXE
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1276	RUNDLL32.EXE
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1292 rundll32.exe
1276 RUNDLL32.EXE

pid	process
1292	rundll32.exe
1276	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1420 wrote to memory of 3104	1420	a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe	rundll32.exe
PID 1420 wrote to memory of 3104	1420	a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe	rundll32.exe
PID 1420 wrote to memory of 3104	1420	a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe	rundll32.exe
PID 3104 wrote to memory of 1276	3104	rundll32.exe	RUNDLL32.EXE
PID 3104 wrote to memory of 1276	3104	rundll32.exe	RUNDLL32.EXE
PID 3104 wrote to memory of 1276	3104	rundll32.exe	RUNDLL32.EXE
PID 1276 wrote to memory of 696	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 696	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 696	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 964	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 1276 wrote to memory of 964	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 1276 wrote to memory of 964	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 964 wrote to memory of 1292	964	RUNDLL32.EXE	rundll32.exe
PID 964 wrote to memory of 1292	964	RUNDLL32.EXE	rundll32.exe
PID 964 wrote to memory of 1292	964	RUNDLL32.EXE	rundll32.exe
PID 1276 wrote to memory of 2292	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 1276 wrote to memory of 2292	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 1276 wrote to memory of 2292	1276	RUNDLL32.EXE	RUNDLL32.EXE
PID 1292 wrote to memory of 2100	1292	rundll32.exe	ctfmon.exe
PID 1292 wrote to memory of 2100	1292	rundll32.exe	ctfmon.exe
PID 1276 wrote to memory of 3596	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 3596	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 3596	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 1996	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 1996	1276	RUNDLL32.EXE	powershell.exe
PID 1276 wrote to memory of 1996	1276	RUNDLL32.EXE	powershell.exe
PID 1996 wrote to memory of 396	1996	powershell.exe	nslookup.exe
PID 1996 wrote to memory of 396	1996	powershell.exe	nslookup.exe
PID 1996 wrote to memory of 396	1996	powershell.exe	nslookup.exe
PID 1276 wrote to memory of 3164	1276	RUNDLL32.EXE	schtasks.exe
PID 1276 wrote to memory of 3164	1276	RUNDLL32.EXE	schtasks.exe
PID 1276 wrote to memory of 3164	1276	RUNDLL32.EXE	schtasks.exe
PID 1276 wrote to memory of 404	1276	RUNDLL32.EXE	schtasks.exe
PID 1276 wrote to memory of 404	1276	RUNDLL32.EXE	schtasks.exe
PID 1276 wrote to memory of 404	1276	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe
"C:\Users\Admin\AppData\Local\Temp\a9eb1cd336e4a7edec114ade335a3c0903b4b52253f0bcb02c7b08edb0120151.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL,OjEJbEE=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL,hD1GM08=
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:2100

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA57.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7865.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:396

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
57076c6fbfff82087622ad855d32fc4d

SHA1
2133fdb06012fbdcd6dcaa9df932b93724a7ccdd

SHA256
9e68db2bfd0e1a6003bd4faf2a8f45162df0ca0bfd4b1be110bf0d3e60a02203

SHA512
5479063829974b34edc5fdb5a87fef746ebc57a415757c809d89ec9a6e396d637c851e16d288a4650cae0ed218d76bcddcaf684fd61934ae67420ea0687cc0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a515abc3a7c07e296470b2398b875920

SHA1
d7017c97e80f137dc9842a5dfca444e1a9297515

SHA256
f784d5ec5a8292823774d2cf705dd56814ea5bee9b99a11a1f5cbd30475b4b99

SHA512
f561b3acc68dfb5fa4bc1b6cc2abaf54ec6cde083f9929e48f1bfe2f91e5b5db7ddcc1176e67888752cb2c41f0c511b9decc38459d18edf5bed6c5e7c711da39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f7ba2a23dc407b64b7336ce960c89aad

SHA1
b94621a6a9b36f1e2875c4ea7da294b88298a710

SHA256
a08ca6238116cad1ecd2e8c882b86c59ffa93ec04591c8ea5d15bdaa9b695e1e

SHA512
b14d2c49ffbda59c0c7014b0f8e72c85b4dca734383c90368a788c683a28d7b73c30498877c7677beb0574f8b427f5b1e2ce199313abd283b3921eed82b9860a

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7865.tmp.ps1
MD5
3af5dfe434a0e22b6d6bbe08c4314d7d

SHA1
1c7515fbb2bac79c50548c277c5b80178932fdd4

SHA256
5eb2dac0cc1cd904480135189dca56c0e3da1cd0925b144b3b4929309f813c01

SHA512
693b5a7b42b8b6c4dacb3d0b5bf08b1ed9f4b8f3605a068e9e4da06c4f861000b206680b3284615db411d59ac0227919f3fcd3c28ec3014b17f577a7c34f5543

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7866.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA57.tmp.ps1
MD5
62f08a38e49ffab50a62c0b8ca583b9a

SHA1
e5559fec48702606c69a3fdf447fd612f0f8c076

SHA256
f9ec8819a9bd63e6d9dfae6a7e45dc6afe7693e903f811775f75e2aa040f2697

SHA512
388803ef04196a787f91512a460b6052ffe75f98b6b2c569a2808827592a71a0371da1e98a51846e6376374503a67a9c9cb43f13b6368ef0a3d8a460d77fb92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA68.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
\Users\Admin\AppData\Local\Temp\A9EB1C~1.DLL
MD5
d0e8c0a34872739a5b0e2e890e2d5006

SHA1
4c2579d388b87254ee845c1bc1b8f41fc6318a86

SHA256
6072022c6faa7fc9e7228016e826d3d2a772d685925a8cb1a6492990f756e8f1

SHA512
0f5ca437981ce52804fe1280b4d5e2444e6913d621f79e62dee91ee9fd3762a406d6396a8eb90b072aec1208207f8e9e30d65c8eadb8b7bf52d3b52e463cce0b

Download Submit
memory/396-453-0x0000000000000000-mapping.dmp

Download
memory/404-458-0x0000000000000000-mapping.dmp

Download
memory/696-193-0x0000000008C90000-0x0000000008CC3000-memory.dmp

Filesize
204KB

Download
memory/696-211-0x0000000006673000-0x0000000006674000-memory.dmp

Filesize
4KB

Download
memory/696-171-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/696-133-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/696-140-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/696-141-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/696-176-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/696-167-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/696-144-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/696-145-0x0000000006672000-0x0000000006673000-memory.dmp

Filesize
4KB

Download
memory/696-183-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/696-165-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/696-164-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/696-200-0x0000000007DD0000-0x0000000007DD1000-memory.dmp

Filesize
4KB

Download
memory/696-204-0x000000007FBC0000-0x000000007FBC1000-memory.dmp

Filesize
4KB

Download
memory/696-207-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

Filesize
4KB

Download
memory/696-170-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/696-134-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/696-132-0x0000000000000000-mapping.dmp

Download
memory/696-154-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/964-151-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-158-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-157-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-153-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/964-138-0x00000000040F0000-0x0000000004256000-memory.dmp

Filesize
1.4MB

Download
memory/964-150-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-148-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-147-0x0000000005900000-0x0000000005A40000-memory.dmp

Filesize
1.2MB

Download
memory/964-146-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/964-143-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/964-142-0x0000000004851000-0x0000000005835000-memory.dmp

Filesize
15.9MB

Download
memory/964-135-0x0000000000000000-mapping.dmp

Download
memory/1276-130-0x0000000004881000-0x0000000005865000-memory.dmp

Filesize
15.9MB

Download
memory/1276-125-0x0000000000000000-mapping.dmp

Download
memory/1276-128-0x00000000041A0000-0x0000000004306000-memory.dmp

Filesize
1.4MB

Download
memory/1276-131-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1292-159-0x00007FF689DB5FD0-mapping.dmp

Download
memory/1292-162-0x00000000002A0000-0x0000000000440000-memory.dmp

Filesize
1.6MB

Download
memory/1292-168-0x0000026EF6550000-0x0000026EF6702000-memory.dmp

Filesize
1.7MB

Download
memory/1292-161-0x0000026EF6360000-0x0000026EF6362000-memory.dmp

Filesize
8KB

Download
memory/1292-163-0x0000026EF6360000-0x0000026EF6362000-memory.dmp

Filesize
8KB

Download
memory/1420-115-0x0000000004C5B000-0x0000000004D4D000-memory.dmp

Filesize
968KB

Download
memory/1420-117-0x0000000000400000-0x0000000002E86000-memory.dmp

Filesize
42.5MB

Download
memory/1420-116-0x0000000004D50000-0x0000000004E59000-memory.dmp

Filesize
1.0MB

Download
memory/1996-454-0x0000000003263000-0x0000000003264000-memory.dmp

Filesize
4KB

Download
memory/1996-406-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1996-408-0x0000000003262000-0x0000000003263000-memory.dmp

Filesize
4KB

Download
memory/1996-385-0x0000000000000000-mapping.dmp

Download
memory/2100-166-0x0000000000000000-mapping.dmp

Download
memory/2292-152-0x0000000000000000-mapping.dmp

Download
memory/3104-123-0x00000000049B1000-0x0000000005995000-memory.dmp

Filesize
15.9MB

Download
memory/3104-124-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/3104-122-0x0000000004190000-0x00000000042F6000-memory.dmp

Filesize
1.4MB

Download
memory/3104-118-0x0000000000000000-mapping.dmp

Download
memory/3164-457-0x0000000000000000-mapping.dmp

Download
memory/3596-265-0x0000000006963000-0x0000000006964000-memory.dmp

Filesize
4KB

Download
memory/3596-178-0x0000000006962000-0x0000000006963000-memory.dmp

Filesize
4KB

Download
memory/3596-169-0x0000000000000000-mapping.dmp

Download
memory/3596-177-0x0000000006960000-0x0000000006961000-memory.dmp

Filesize
4KB

Download
memory/3596-173-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3596-172-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download