danabot | ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c

Analysis

max time kernel
145s
max time network
146s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe
Size

1.2MB
MD5

dd0d7e268ef863bfc4a1b241543dcb81
SHA1

2de8d381f4152641f10e7a404137f939224c564a
SHA256

ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c
SHA512

bb8b23cd5288b8cb0d57089bc72ddeda1db5fe4389e5109a7c683437366b87dcd15b3b5d86716df404a4983ec45e417d71168b92db46dc49cee4eca6105a887b

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021
behavioral1/memory/4484-126-0x0000000004260000-0x00000000043C6000-memory.dmp	DanabotLoader2021
behavioral1/memory/1664-137-0x0000000000A80000-0x0000000000BE6000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3788 created 4012 3788 WerFault.exe rundll32.exe
PID 3152 created 1664 3152 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

32 4012 rundll32.exe
35 4484 RUNDLL32.EXE
37 4484 RUNDLL32.EXE
38 4484 RUNDLL32.EXE
39 4484 RUNDLL32.EXE
40 4484 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXE

pid process

4012 rundll32.exe
4484 RUNDLL32.EXE
4484 RUNDLL32.EXE
1664 RUNDLL32.EXE
1664 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3788 created 4012	3788	WerFault.exe	rundll32.exe
PID 3152 created 1664	3152	WerFault.exe	RUNDLL32.EXE

flow	pid	process
32	4012	rundll32.exe
35	4484	RUNDLL32.EXE
37	4484	RUNDLL32.EXE
38	4484	RUNDLL32.EXE
39	4484	RUNDLL32.EXE
40	4484	RUNDLL32.EXE

pid	process
4012	rundll32.exe
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
1664	RUNDLL32.EXE
1664	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1664 set thread context of 2632 1664 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3788 4012 WerFault.exe rundll32.exe
3152 1664 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 1664 set thread context of 2632	1664	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
3788	4012	WerFault.exe	rundll32.exe
3152	1664	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54584D57722D6343F9118A763D5251144B14F1DF	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54584D57722D6343F9118A763D5251144B14F1DF\Blob = 03000000010000001400000054584d57722d6343f9118a763d5251144b14f1df2000000001000000b0020000308202ac30820215a00302010202080a4f3ba55d564d1b300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f7420436572746966696361746520417574686f726b74792032303130311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3139313032333135313231335a170d3233313032323135313231335a30733132303006035504030c294d6963726f736f667420526f6f7420436572746966696361746520417574686f726b74792032303130311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d0030818902818100f147d6831f11510bc698087428b91990f9971e4a78e2e0d686ae3fb94f2716774aabd2c4d16c58db311ab7f18f9cc0d117e08eb892f989fb991328f4636b560084e21de40e803fe26321fbdc6ded754f50dcc8dd5d537fc029142c2f03934cb5c98ee4dee87c7bb3600f4bb45578b20fe39a6bc263c719a5b204ac781f2b13630203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f667420526f6f7420436572746966696361746520417574686f726b74792032303130300d06092a864886f70d01010b05000381810040c1abea74252c77b2c094a89adc49da2af77faeaaf8fed14126632545b5b613ccbe6549c805eb5c9e57abce9f1c44e48dec819aec4cdd3ff47d94847b69716678269b539ae5febe73d658e1bc16361915ef1afd141871b44517ff46e6e4f330c900b0f750b6984c2c1afa8be594f00a77d6ae47ec52d9a9b2cc65de71643d80	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
3788	WerFault.exe
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
1124	powershell.exe
1124	powershell.exe
1664	RUNDLL32.EXE
1664	RUNDLL32.EXE
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
3152	WerFault.exe
1124	powershell.exe
2888	powershell.exe
2888	powershell.exe
2888	powershell.exe
4484	RUNDLL32.EXE
4484	RUNDLL32.EXE
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3788	WerFault.exe
Token: SeBackupPrivilege	3788	WerFault.exe
Token: SeDebugPrivilege	3788	WerFault.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	3152	WerFault.exe
Token: SeDebugPrivilege	4484	RUNDLL32.EXE
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2632 rundll32.exe
4484 RUNDLL32.EXE

pid	process
2632	rundll32.exe
4484	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 3592 wrote to memory of 4012	3592	ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe	rundll32.exe
PID 3592 wrote to memory of 4012	3592	ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe	rundll32.exe
PID 3592 wrote to memory of 4012	3592	ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe	rundll32.exe
PID 4012 wrote to memory of 4484	4012	rundll32.exe	RUNDLL32.EXE
PID 4012 wrote to memory of 4484	4012	rundll32.exe	RUNDLL32.EXE
PID 4012 wrote to memory of 4484	4012	rundll32.exe	RUNDLL32.EXE
PID 4484 wrote to memory of 1124	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1124	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1124	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1664	4484	RUNDLL32.EXE	RUNDLL32.EXE
PID 4484 wrote to memory of 1664	4484	RUNDLL32.EXE	RUNDLL32.EXE
PID 4484 wrote to memory of 1664	4484	RUNDLL32.EXE	RUNDLL32.EXE
PID 1664 wrote to memory of 2632	1664	RUNDLL32.EXE	rundll32.exe
PID 1664 wrote to memory of 2632	1664	RUNDLL32.EXE	rundll32.exe
PID 1664 wrote to memory of 2632	1664	RUNDLL32.EXE	rundll32.exe
PID 2632 wrote to memory of 4176	2632	rundll32.exe	ctfmon.exe
PID 2632 wrote to memory of 4176	2632	rundll32.exe	ctfmon.exe
PID 4484 wrote to memory of 2888	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 2888	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 2888	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1680	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1680	4484	RUNDLL32.EXE	powershell.exe
PID 4484 wrote to memory of 1680	4484	RUNDLL32.EXE	powershell.exe
PID 1680 wrote to memory of 2832	1680	powershell.exe	nslookup.exe
PID 1680 wrote to memory of 2832	1680	powershell.exe	nslookup.exe
PID 1680 wrote to memory of 2832	1680	powershell.exe	nslookup.exe
PID 4484 wrote to memory of 2892	4484	RUNDLL32.EXE	schtasks.exe
PID 4484 wrote to memory of 2892	4484	RUNDLL32.EXE	schtasks.exe
PID 4484 wrote to memory of 2892	4484	RUNDLL32.EXE	schtasks.exe
PID 4484 wrote to memory of 2400	4484	RUNDLL32.EXE	schtasks.exe
PID 4484 wrote to memory of 2400	4484	RUNDLL32.EXE	schtasks.exe
PID 4484 wrote to memory of 2400	4484	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe
"C:\Users\Admin\AppData\Local\Temp\ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,s C:\Users\Admin\AppData\Local\Temp\ECD639~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,bCVHR3E4R0hF
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,SxwuSg==
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 796
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEBF2.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3F1.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 792
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
b8fc9f9adfce2c5853c36db3ba6c3bb6

SHA1
e7614ea4d915e6b29c7e0539f0782eba2da18451

SHA256
64a29b297a6f161fe3cf510d79118123c2c352c6b28ae32053b34f15fad13f3d

SHA512
ce449f683e9499d3db5cb27232e0bef1d2532c30d6f0eb650dc7a8e74cb74406873632b39f0da01f9b7e854c708d60af7b5696db32956c72124086fb641f1f77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d5c47c44bf394f74ce551503e7fc7d9d

SHA1
6a31922041bffa3b80a73f9dc0eb92ff13394b0b

SHA256
36df70ae34a08524600d1d636d48a6c3325de4257499aee4dca92b3c58c56904

SHA512
59a79b67651155f4a2250d01bbbdd9818bbd13aa7d1b02e4b456521f9ae7a7af0738786d9436d27f73fe0856aecbfd03408b4feddbad983ec1ba20f601071745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd9732c7292cf1a70d439696cbcc19f1

SHA1
a9337e0f1adc779b5528d8b195622780eff89ec4

SHA256
994b8dbf200009e9d0b47c4c900723884ba66498c86f05c6e0898b0d1bccac54

SHA512
9e02f51614ddd929caa2f37fcbeea2074f822baf040b1ad5a6495ce339a0aa3bcbb6012e24aad56b7dc31fe6854ce95770e2ddf015bbd0143b90c0ec2a5d3df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F1.tmp.ps1
MD5
5eb90a6940e33cf70c0d28be9dcf7b93

SHA1
56071ff5435b601a254b7d59061d1541b6c6a525

SHA256
9af0ef476c8e4ba6c2e91506266d08526fc5117fcf89888f69f42361b429a58c

SHA512
8e123fb62d803cfe88f03f5fe1f4756ae90ced0b262e5492d72e35fd20c158c0f174da5fb75110ca90559561ece8bb6d63a1bf8c61b57d35cca26f814b6731f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F2.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBF2.tmp.ps1
MD5
07cb3b4b1a13d0321b578216a5d522ab

SHA1
9f6ae4a666647a602f93527e7d7768cfb3222567

SHA256
23ee9edadc85749dc56a7941fb16fd59ef60e4175e6a9e3db68c36dbc312f20d

SHA512
be2c8cc25796a2b6f1eae797e0831afaca3818f15aa315509708b6b7cccb6531a32d915989ff2dc888327247a82e148f01ad46862cd89755bcdc63e7ff3fc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBF3.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
MD5
a700c525ddabf4aeb0c4bdd097c8fcb5

SHA1
077f234b94ab74f3a1e210338d88ee6d9486a3cb

SHA256
b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35

SHA512
3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19

Download Submit
memory/1124-138-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/1124-160-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/1124-130-0x0000000000000000-mapping.dmp

Download
memory/1124-133-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1124-192-0x0000000009360000-0x0000000009393000-memory.dmp

Filesize
204KB

Download
memory/1124-196-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download
memory/1124-200-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/1124-260-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/1124-132-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1124-131-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1124-141-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/1124-178-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1124-142-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/1124-143-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1124-144-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/1124-166-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/1124-145-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/1124-147-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/1124-156-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

Filesize
4KB

Download
memory/1664-153-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-140-0x0000000004621000-0x0000000005605000-memory.dmp

Filesize
15.9MB

Download
memory/1664-152-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-134-0x0000000000000000-mapping.dmp

Download
memory/1664-155-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-149-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-157-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-154-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1664-137-0x0000000000A80000-0x0000000000BE6000-memory.dmp

Filesize
1.4MB

Download
memory/1664-150-0x00000000056E0000-0x0000000005820000-memory.dmp

Filesize
1.2MB

Download
memory/1664-146-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1664-148-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1680-338-0x0000000006FD2000-0x0000000006FD3000-memory.dmp

Filesize
4KB

Download
memory/1680-336-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/1680-286-0x0000000000000000-mapping.dmp

Download
memory/1680-449-0x0000000006FD3000-0x0000000006FD4000-memory.dmp

Filesize
4KB

Download
memory/2400-452-0x0000000000000000-mapping.dmp

Download
memory/2632-158-0x00007FF640315FD0-mapping.dmp

Download
memory/2632-161-0x00000195EFEA0000-0x00000195EFEA2000-memory.dmp

Filesize
8KB

Download
memory/2632-165-0x00000195F0070000-0x00000195F0222000-memory.dmp

Filesize
1.7MB

Download
memory/2632-162-0x00000195EFEA0000-0x00000195EFEA2000-memory.dmp

Filesize
8KB

Download
memory/2632-164-0x0000000000D10000-0x0000000000EB0000-memory.dmp

Filesize
1.6MB

Download
memory/2832-390-0x0000000000000000-mapping.dmp

Download
memory/2888-167-0x0000000000000000-mapping.dmp

Download
memory/2888-187-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2888-169-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2888-184-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/2888-285-0x0000000001173000-0x0000000001174000-memory.dmp

Filesize
4KB

Download
memory/2888-168-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2888-175-0x0000000001172000-0x0000000001173000-memory.dmp

Filesize
4KB

Download
memory/2888-174-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2892-423-0x0000000000000000-mapping.dmp

Download
memory/3592-115-0x0000000004D1D000-0x0000000004E0F000-memory.dmp

Filesize
968KB

Download
memory/3592-117-0x0000000004E30000-0x0000000004F39000-memory.dmp

Filesize
1.0MB

Download
memory/3592-118-0x0000000000400000-0x0000000002FF2000-memory.dmp

Filesize
43.9MB

Download
memory/4012-121-0x0000000005441000-0x0000000006425000-memory.dmp

Filesize
15.9MB

Download
memory/4012-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4012-116-0x0000000000000000-mapping.dmp

Download
memory/4176-163-0x0000000000000000-mapping.dmp

Download
memory/4484-123-0x0000000000000000-mapping.dmp

Download
memory/4484-126-0x0000000004260000-0x00000000043C6000-memory.dmp

Filesize
1.4MB

Download
memory/4484-128-0x00000000048D1000-0x00000000058B5000-memory.dmp

Filesize
15.9MB

Download
memory/4484-129-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download