Analysis
max time kernel: 145s
max time network: 146s
platform: windows10_x64
resource: win10-en-20210920
submitted: 19-10-2021 15:10
Static task: static1
General
Target: ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe
Size: 1.2MB
MD5: dd0d7e268ef863bfc4a1b241543dcb81
SHA1: 2de8d381f4152641f10e7a404137f939224c564a
SHA256: ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c
SHA512: bb8b23cd5288b8cb0d57089bc72ddeda1db5fe4389e5109a7c683437366b87dcd15b3b5d86716df404a4983ec45e417d71168b92db46dc49cee4eca6105a887b
Malware Config
Extracted: danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: loader

Extracted: danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: main
Signatures
-
Danabot Loader Component 8 IoCs
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
  behavioral1/memory/4484-126-0x0000000004260000-0x00000000043C6000-memory.dmp  DanabotLoader2021
  behavioral1/memory/1664-137-0x0000000000A80000-0x0000000000BE6000-memory.dmp  DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\ECD639~1.DLL  DanabotLoader2021
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes (description / pid / process / target process):
  PID 3788 created 4012  3788  WerFault.exe  rundll32.exe
  PID 3152 created 1664  3152  WerFault.exe  RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs
Processes (flow / pid / process):
  32  4012  rundll32.exe
  35  4484  RUNDLL32.EXE
  37  4484  RUNDLL32.EXE
  38  4484  RUNDLL32.EXE
  39  4484  RUNDLL32.EXE
  40  4484  RUNDLL32.EXE
Loads dropped DLL 5 IoCs
Processes (pid / process):
  4012  rundll32.exe
  4484  RUNDLL32.EXE
  4484  RUNDLL32.EXE
  1664  RUNDLL32.EXE
  1664  RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  RUNDLL32.EXE
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  RUNDLL32.EXE
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
  PID 1664 set thread context of 2632  1664  RUNDLL32.EXE  rundll32.exe
Drops file in Program Files directory 1 IoCs
Processes (description / ioc / process):
  File created  C:\PROGRA~3\zohplghndapsm.tmp  rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes (pid / pid_target / process / target process):
  3788  4012  WerFault.exe  rundll32.exe
  3152  1664  WerFault.exe  RUNDLL32.EXE
Checks processor information in registry 2 TTPs 42 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description / ioc / process; all by RUNDLL32.EXE, keys under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor):
  Key value queried  \1\Update Revision
  Key value queried  \0\ProcessorNameString
  Key value queried  \1\ProcessorNameString
  Key value enumerated  \0
  Key value enumerated  \1
  Key value queried  \0\Configuration Data
  Key value queried  \1\Platform Specific Field 1
  Key value queried  \0\FeatureSet
  Key value queried  \0\Previous Update Revision
  Key value queried  \0\Identifier
  Key enumerated  (CentralProcessor)
  Key value queried  \0\Previous Update Revision
  Key value enumerated  \0
  Key opened  (CentralProcessor)
  Key enumerated  (CentralProcessor)
  Key value queried  \0\VendorIdentifier
  Key value queried  \0\Platform Specific Field 1
  Key value queried  \0\Platform Specific Field 1
  Key value queried  \1\~MHz
  Key value queried  \1\Identifier
  Key value queried  \0\Update Status
  Key value queried  \0\Update Revision
  Key opened  (CentralProcessor)
  Key value queried  \1\Previous Update Revision
  Key value queried  \1\~MHz
  Key value enumerated  \1
  Key value queried  \0\~MHz
  Key opened  \1
  Key value queried  \0\Configuration Data
  Key value queried  \1\FeatureSet
  Key value queried  \1\Identifier
  Key value queried  \0\ProcessorNameString
  Key value queried  \1\Update Status
  Key opened  \0
  Key value queried  \1\Platform Specific Field 1
  Key opened  \0
  Key value queried  \1\Component Information
  Key value queried  \0\Component Information
  Key value queried  \0\Identifier
  Key value queried  \1\ProcessorNameString
  Key opened  \1
  Key value queried  \1\Previous Update Revision
Modifies Internet Explorer settings
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TypedURLs  rundll32.exe
Modifies system certificate store
Processes (description / ioc / process):
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54584D57722D6343F9118A763D5251144B14F1DF  RUNDLL32.EXE
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\54584D57722D6343F9118A763D5251144B14F1DF\Blob = (certificate blob omitted)  RUNDLL32.EXE
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes (pid / process, in report order with repeat counts):
  3788  WerFault.exe  (12 entries)
  4484  RUNDLL32.EXE  (6 entries)
  1124  powershell.exe  (2 entries)
  1664  RUNDLL32.EXE  (2 entries)
  3152  WerFault.exe  (14 entries)
  1124  powershell.exe  (1 entry)
  2888  powershell.exe  (3 entries)
  4484  RUNDLL32.EXE  (2 entries)
  1680  powershell.exe  (3 entries)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes (description / pid / process):
  Token: SeRestorePrivilege  3788  WerFault.exe
  Token: SeBackupPrivilege  3788  WerFault.exe
  Token: SeDebugPrivilege  3788  WerFault.exe
  Token: SeDebugPrivilege  1124  powershell.exe
  Token: SeDebugPrivilege  3152  WerFault.exe
  Token: SeDebugPrivilege  4484  RUNDLL32.EXE
  Token: SeDebugPrivilege  2888  powershell.exe
  Token: SeDebugPrivilege  1680  powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid / process):
  2632  rundll32.exe
  4484  RUNDLL32.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes (description / pid / process / target process, in report order with repeat counts):
  PID 3592 wrote to memory of 4012  3592  ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe  rundll32.exe  (3 entries)
  PID 4012 wrote to memory of 4484  4012  rundll32.exe  RUNDLL32.EXE  (3 entries)
  PID 4484 wrote to memory of 1124  4484  RUNDLL32.EXE  powershell.exe  (3 entries)
  PID 4484 wrote to memory of 1664  4484  RUNDLL32.EXE  RUNDLL32.EXE  (3 entries)
  PID 1664 wrote to memory of 2632  1664  RUNDLL32.EXE  rundll32.exe  (3 entries)
  PID 2632 wrote to memory of 4176  2632  rundll32.exe  ctfmon.exe  (2 entries)
  PID 4484 wrote to memory of 2888  4484  RUNDLL32.EXE  powershell.exe  (3 entries)
  PID 4484 wrote to memory of 1680  4484  RUNDLL32.EXE  powershell.exe  (3 entries)
  PID 1680 wrote to memory of 2832  1680  powershell.exe  nslookup.exe  (3 entries)
  PID 4484 wrote to memory of 2892  4484  RUNDLL32.EXE  schtasks.exe  (3 entries)
  PID 4484 wrote to memory of 2400  4484  RUNDLL32.EXE  schtasks.exe  (3 entries)
outlook_office_path 1 IoCs
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
outlook_win_path 1 IoCs
Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecd639c075963258a06911cdc0c872da6dda52f7a05bb07a77092a611f6cf57c.exe"
  PID: 3592
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,s C:\Users\Admin\AppData\Local\Temp\ECD639~1.EXE
    PID: 4012
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,bCVHR3E4R0hF
      PID: 4484
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
        PID: 1124
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\RUNDLL32.EXE
        Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL,SxwuSg==
        PID: 1664
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
          PID: 2632
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\ctfmon.exe
            Command line: ctfmon.exe
            PID: 4176
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 796
          PID: 3152
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpEBF2.tmp.ps1"
        PID: 2888
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3F1.tmp.ps1"
        PID: 1680
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\nslookup.exe
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
          PID: 2832
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        PID: 2892
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
        PID: 2400
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 792
      PID: 3788
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\PROGRA~3\zohplghndapsm.tmp
  MD5: 2def7e89943100cf26d70ef373b1260e
  SHA1: d90f028ae9ac9f8edc26445639752acbcacc70e7
  SHA256: 178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549
  SHA512: a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624
- C:\PROGRA~3\zohplghndapsm.tmp
  MD5: b8fc9f9adfce2c5853c36db3ba6c3bb6
  SHA1: e7614ea4d915e6b29c7e0539f0782eba2da18451
  SHA256: 64a29b297a6f161fe3cf510d79118123c2c352c6b28ae32053b34f15fad13f3d
  SHA512: ce449f683e9499d3db5cb27232e0bef1d2532c30d6f0eb650dc7a8e74cb74406873632b39f0da01f9b7e854c708d60af7b5696db32956c72124086fb641f1f77
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: f7a808b5711f58fb4f85476c1bb24ac3
  SHA1: fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
  SHA256: de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
  SHA512: 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: d5c47c44bf394f74ce551503e7fc7d9d
  SHA1: 6a31922041bffa3b80a73f9dc0eb92ff13394b0b
  SHA256: 36df70ae34a08524600d1d636d48a6c3325de4257499aee4dca92b3c58c56904
  SHA512: 59a79b67651155f4a2250d01bbbdd9818bbd13aa7d1b02e4b456521f9ae7a7af0738786d9436d27f73fe0856aecbfd03408b4feddbad983ec1ba20f601071745
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: fd9732c7292cf1a70d439696cbcc19f1
  SHA1: a9337e0f1adc779b5528d8b195622780eff89ec4
  SHA256: 994b8dbf200009e9d0b47c4c900723884ba66498c86f05c6e0898b0d1bccac54
  SHA512: 9e02f51614ddd929caa2f37fcbeea2074f822baf040b1ad5a6495ce339a0aa3bcbb6012e24aad56b7dc31fe6854ce95770e2ddf015bbd0143b90c0ec2a5d3df2
- C:\Users\Admin\AppData\Local\Temp\ECD639~1.DLL
  MD5: a700c525ddabf4aeb0c4bdd097c8fcb5
  SHA1: 077f234b94ab74f3a1e210338d88ee6d9486a3cb
  SHA256: b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35
  SHA512: 3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19
- C:\Users\Admin\AppData\Local\Temp\tmp3F1.tmp.ps1
  MD5: 5eb90a6940e33cf70c0d28be9dcf7b93
  SHA1: 56071ff5435b601a254b7d59061d1541b6c6a525
  SHA256: 9af0ef476c8e4ba6c2e91506266d08526fc5117fcf89888f69f42361b429a58c
  SHA512: 8e123fb62d803cfe88f03f5fe1f4756ae90ced0b262e5492d72e35fd20c158c0f174da5fb75110ca90559561ece8bb6d63a1bf8c61b57d35cca26f814b6731f2
- C:\Users\Admin\AppData\Local\Temp\tmp3F2.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
- C:\Users\Admin\AppData\Local\Temp\tmpEBF2.tmp.ps1
  MD5: 07cb3b4b1a13d0321b578216a5d522ab
  SHA1: 9f6ae4a666647a602f93527e7d7768cfb3222567
  SHA256: 23ee9edadc85749dc56a7941fb16fd59ef60e4175e6a9e3db68c36dbc312f20d
  SHA512: be2c8cc25796a2b6f1eae797e0831afaca3818f15aa315509708b6b7cccb6531a32d915989ff2dc888327247a82e148f01ad46862cd89755bcdc63e7ff3fc6ce
- C:\Users\Admin\AppData\Local\Temp\tmpEBF3.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- \Users\Admin\AppData\Local\Temp\ECD639~1.DLL (listed 5 times in the report, all with identical hashes)
  MD5: a700c525ddabf4aeb0c4bdd097c8fcb5
  SHA1: 077f234b94ab74f3a1e210338d88ee6d9486a3cb
  SHA256: b9732bec3d3c22da6c21dbce7a57519c25de425353ab9b4c126c1aa7121aec35
  SHA512: 3bc9dc71a7927fb4d7bb725f15bac936d5e267a6619d103de39ebcbcc3c7bfcc9a2caeb36a8a6f1f615ceee9543f3324a89ce773afe88f25f208016aa8c63e19
Memory dumps (file / Filesize):
- memory/1124-138-0x0000000007450000-0x0000000007451000-memory.dmp  4KB
- memory/1124-160-0x00000000083F0000-0x00000000083F1000-memory.dmp  4KB
- memory/1124-130-0x0000000000000000-mapping.dmp
- memory/1124-133-0x0000000001290000-0x0000000001291000-memory.dmp  4KB
- memory/1124-192-0x0000000009360000-0x0000000009393000-memory.dmp  204KB
- memory/1124-196-0x000000007E7C0000-0x000000007E7C1000-memory.dmp  4KB
- memory/1124-200-0x0000000009320000-0x0000000009321000-memory.dmp  4KB
- memory/1124-260-0x0000000006E13000-0x0000000006E14000-memory.dmp  4KB
- memory/1124-132-0x0000000000F50000-0x0000000000F51000-memory.dmp  4KB
- memory/1124-131-0x0000000000F50000-0x0000000000F51000-memory.dmp  4KB
- memory/1124-141-0x00000000071D0000-0x00000000071D1000-memory.dmp  4KB
- memory/1124-178-0x0000000000F50000-0x0000000000F51000-memory.dmp  4KB
- memory/1124-142-0x0000000007370000-0x0000000007371000-memory.dmp  4KB
- memory/1124-143-0x0000000006E10000-0x0000000006E11000-memory.dmp  4KB
- memory/1124-144-0x0000000006E12000-0x0000000006E13000-memory.dmp  4KB
- memory/1124-166-0x0000000008350000-0x0000000008351000-memory.dmp  4KB
- memory/1124-145-0x0000000007C60000-0x0000000007C61000-memory.dmp  4KB
- memory/1124-147-0x0000000007CD0000-0x0000000007CD1000-memory.dmp  4KB
- memory/1124-156-0x0000000007AA0000-0x0000000007AA1000-memory.dmp  4KB
- memory/1664-153-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-140-0x0000000004621000-0x0000000005605000-memory.dmp  15.9MB
- memory/1664-152-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-134-0x0000000000000000-mapping.dmp
- memory/1664-155-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-149-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-157-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-154-0x0000000005A90000-0x0000000005A91000-memory.dmp  4KB
- memory/1664-137-0x0000000000A80000-0x0000000000BE6000-memory.dmp  1.4MB
- memory/1664-150-0x00000000056E0000-0x0000000005820000-memory.dmp  1.2MB
- memory/1664-146-0x0000000005840000-0x0000000005841000-memory.dmp  4KB
- memory/1664-148-0x0000000005930000-0x0000000005931000-memory.dmp  4KB
- memory/1680-338-0x0000000006FD2000-0x0000000006FD3000-memory.dmp  4KB
- memory/1680-336-0x0000000006FD0000-0x0000000006FD1000-memory.dmp  4KB
- memory/1680-286-0x0000000000000000-mapping.dmp
- memory/1680-449-0x0000000006FD3000-0x0000000006FD4000-memory.dmp  4KB
- memory/2400-452-0x0000000000000000-mapping.dmp
- memory/2632-158-0x00007FF640315FD0-mapping.dmp
- memory/2632-161-0x00000195EFEA0000-0x00000195EFEA2000-memory.dmp  8KB
- memory/2632-165-0x00000195F0070000-0x00000195F0222000-memory.dmp  1.7MB
- memory/2632-162-0x00000195EFEA0000-0x00000195EFEA2000-memory.dmp  8KB
- memory/2632-164-0x0000000000D10000-0x0000000000EB0000-memory.dmp  1.6MB
- memory/2832-390-0x0000000000000000-mapping.dmp
- memory/2888-167-0x0000000000000000-mapping.dmp
- memory/2888-187-0x0000000000740000-0x0000000000741000-memory.dmp  4KB
- memory/2888-169-0x0000000000740000-0x0000000000741000-memory.dmp  4KB
- memory/2888-184-0x0000000006870000-0x0000000006871000-memory.dmp  4KB
- memory/2888-285-0x0000000001173000-0x0000000001174000-memory.dmp  4KB
- memory/2888-168-0x0000000000740000-0x0000000000741000-memory.dmp  4KB
- memory/2888-175-0x0000000001172000-0x0000000001173000-memory.dmp  4KB
- memory/2888-174-0x0000000001170000-0x0000000001171000-memory.dmp  4KB
- memory/2892-423-0x0000000000000000-mapping.dmp
- memory/3592-115-0x0000000004D1D000-0x0000000004E0F000-memory.dmp  968KB
- memory/3592-117-0x0000000004E30000-0x0000000004F39000-memory.dmp  1.0MB
- memory/3592-118-0x0000000000400000-0x0000000002FF2000-memory.dmp  43.9MB
- memory/4012-121-0x0000000005441000-0x0000000006425000-memory.dmp  15.9MB
- memory/4012-122-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
- memory/4012-116-0x0000000000000000-mapping.dmp
- memory/4176-163-0x0000000000000000-mapping.dmp
- memory/4484-123-0x0000000000000000-mapping.dmp
- memory/4484-126-0x0000000004260000-0x00000000043C6000-memory.dmp  1.4MB
- memory/4484-128-0x00000000048D1000-0x00000000058B5000-memory.dmp  15.9MB
- memory/4484-129-0x0000000005AD0000-0x0000000005AD1000-memory.dmp  4KB