danabot | 6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59

Analysis

max time kernel
144s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe
Size

1.1MB
MD5

5af0919d45ab27038bd8a9c53be00ecd
SHA1

0a55be48b835328acc52132a393e4e457854cd08
SHA256

6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59
SHA512

1596cd2da66512220b689404ede337f3e6fd6508b686e06e019a42b4a131c89baa0430b4cc06acb8511bfd02586eecc4c22b22d2b2a9cf70478c447936c19457

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL	DanabotLoader2021
behavioral1/memory/1816-134-0x0000000000CC0000-0x0000000000E22000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL	DanabotLoader2021

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

24 2760 rundll32.exe
25 2672 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

2760 rundll32.exe
2672 RUNDLL32.EXE
1816 RUNDLL32.EXE
1816 RUNDLL32.EXE
2240 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
24	2760	rundll32.exe
25	2672	RUNDLL32.EXE

pid	process
2760	rundll32.exe
2672	RUNDLL32.EXE
1816	RUNDLL32.EXE
1816	RUNDLL32.EXE
2240	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1816 set thread context of 1256 1816 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1816 set thread context of 1256	1816	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\72015D1A3C716BECD08970A0B5E45B20BDE04C5E	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\72015D1A3C716BECD08970A0B5E45B20BDE04C5E\Blob = 03000000010000001400000072015d1a3c716becd08970a0b5e45b20bde04c5e20000000010000009f0200003082029b30820204a00302010202085567871d25bb6ab8300d06092a864886f70d01010b05003074311f301d06035504030c165468616474652054696d657374616d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3139313032313232343135335a170d3233313032303232343135335a3074311f301d06035504030c165468616474652054696d657374616d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100be68c7a7e8cd51e1bbc24308613f26cb55774aeb187d324da59e9660c57f0d8dc6253df78960a4f37e61feacf5f50931438572f7da115c5a10c217b64894a832c9bb28f60163bfde34e7b981bfab3558a35aa2f83360d345a38a45b02a32a14b003162e525d546f2d1da7c60f5365333bbf5ce545a193704c817e9a4129fa6e70203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a301882165468616474652054696d657374616d70696e67204341300d06092a864886f70d01010b0500038181008357f0642a1bc59da2dffc908b599fbd240973aebd7fe33e59899f606e23c4a99131782aca80a40279911a2fc61ee7cefdfc8b89e1ba4850d0cf29aac49c28285eee9dc481018af1e65ce6ca8e289f657264ea8ab38c1ba4ad4abc5f57b769bf7ef9cfb8fbfba81cdc8bbe0d7e5baf9e302d6c1c18c070ee6c4ffbc29c20a9a9	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

RUNDLL32.EXEpowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
956	powershell.exe
1816	RUNDLL32.EXE
1816	RUNDLL32.EXE
956	powershell.exe
2436	powershell.exe
956	powershell.exe
2436	powershell.exe
2436	powershell.exe
2672	RUNDLL32.EXE
2672	RUNDLL32.EXE
856	powershell.exe
856	powershell.exe
856	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2672	RUNDLL32.EXE
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1256 rundll32.exe
2672 RUNDLL32.EXE

pid	process
1256	rundll32.exe
2672	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1656 wrote to memory of 2760	1656	6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe	rundll32.exe
PID 1656 wrote to memory of 2760	1656	6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe	rundll32.exe
PID 1656 wrote to memory of 2760	1656	6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe	rundll32.exe
PID 2760 wrote to memory of 2672	2760	rundll32.exe	RUNDLL32.EXE
PID 2760 wrote to memory of 2672	2760	rundll32.exe	RUNDLL32.EXE
PID 2760 wrote to memory of 2672	2760	rundll32.exe	RUNDLL32.EXE
PID 2672 wrote to memory of 956	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 956	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 956	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 1816	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 2672 wrote to memory of 1816	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 2672 wrote to memory of 1816	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 1816 wrote to memory of 1256	1816	RUNDLL32.EXE	rundll32.exe
PID 1816 wrote to memory of 1256	1816	RUNDLL32.EXE	rundll32.exe
PID 1816 wrote to memory of 1256	1816	RUNDLL32.EXE	rundll32.exe
PID 2672 wrote to memory of 2240	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 2672 wrote to memory of 2240	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 2672 wrote to memory of 2240	2672	RUNDLL32.EXE	RUNDLL32.EXE
PID 1256 wrote to memory of 3588	1256	rundll32.exe	ctfmon.exe
PID 1256 wrote to memory of 3588	1256	rundll32.exe	ctfmon.exe
PID 2672 wrote to memory of 2436	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 2436	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 2436	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 856	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 856	2672	RUNDLL32.EXE	powershell.exe
PID 2672 wrote to memory of 856	2672	RUNDLL32.EXE	powershell.exe
PID 856 wrote to memory of 2484	856	powershell.exe	nslookup.exe
PID 856 wrote to memory of 2484	856	powershell.exe	nslookup.exe
PID 856 wrote to memory of 2484	856	powershell.exe	nslookup.exe
PID 2672 wrote to memory of 3852	2672	RUNDLL32.EXE	schtasks.exe
PID 2672 wrote to memory of 3852	2672	RUNDLL32.EXE	schtasks.exe
PID 2672 wrote to memory of 3852	2672	RUNDLL32.EXE	schtasks.exe
PID 2672 wrote to memory of 3784	2672	RUNDLL32.EXE	schtasks.exe
PID 2672 wrote to memory of 3784	2672	RUNDLL32.EXE	schtasks.exe
PID 2672 wrote to memory of 3784	2672	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe
"C:\Users\Admin\AppData\Local\Temp\6a3f117945ca17618bb20c7dd65998710a08c4c9f9db4038f5a7290ec15dbb59.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6A3F11~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL,TgpET0pMZjY=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL,hzBWUkhBT0U=
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:3588

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp641.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp747D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2484

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3852

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
17091b38ce10fd872a32063f524b80e2

SHA1
e4293c863884a7d334e7820349c834acaab8948e

SHA256
8e521dbb442dc8e544cd7e347b909b51158bc14a9f4a878bc256a369805557d0

SHA512
4d76841ef8ccace91bdf047606ca1383840fb1e70123a85a2605ad13b9fd5002a959f50e2dc629f283a6b1e1f211d872b5f489f5265d04ee97fc7a1f4a896a62

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
17091b38ce10fd872a32063f524b80e2

SHA1
e4293c863884a7d334e7820349c834acaab8948e

SHA256
8e521dbb442dc8e544cd7e347b909b51158bc14a9f4a878bc256a369805557d0

SHA512
4d76841ef8ccace91bdf047606ca1383840fb1e70123a85a2605ad13b9fd5002a959f50e2dc629f283a6b1e1f211d872b5f489f5265d04ee97fc7a1f4a896a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f83e919d1926ec250b5496aa505b9f2b

SHA1
972c8932643e720be66cff2222683221fa9e3efe

SHA256
e7eec7c6f5adacb7a6af9aa84cda4da94bc0f35fd42c30aa2d85a87a532599a3

SHA512
0d61fed55e87df40287938c34e4f2ee08e353c2de4e1adafb76ddb9942f2b9ca662476750c297c32c16eb9bf4871bfdc514f5c434e136cda65bdfb85780994e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a8aa59b5aa2a36dbc6717e571c830898

SHA1
bf1b46a6fba41c1c4dae9d74ba65f8f4ab9cf6d8

SHA256
399de7e1692ef02db11e4a2cc02985d5ec17f74f0b2a4078bcb2350cf05481ac

SHA512
73b83b2036c3ee1151c1f75d302113c2a3398aa7d86279dc894c76f247900c13110d4336e050d9bd8268bb3141a8e7a01fdb9932d2df2f3e9a771a74b7530ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
MD5
f42c34737cba389f94300650cc9e22ca

SHA1
6bc6f9e71ee2d1bffb37ac1e0fbfe63c7dc0e0c6

SHA256
9f1d965762f05485d436fbdf76a9a1573d422dd9236cbf29b24de9c07d6cc5de

SHA512
76c1c5a66da050c0a041b642e8394aa6a9ad1ac49843ac68c9fd5739a1d5f851ca272499e9b35b299ccb6fb91a0ce724f69cdabd8c7ea4bc64dbb6be00885d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp641.tmp.ps1
MD5
4580312aa0294b50d8100cd17ebcda1b

SHA1
0cb9e9b1486685d7e0c69ffb4e750abbe39ef7e2

SHA256
77fb26601ba4fa752ebd9e95ec3d8ffda8060c4ff4df9a22e257d7e04b0e9b22

SHA512
bb74851776df0bef969ffa4d7b242aabc4898aaba45a1942537ff0c96b173ff26c97549376af2a9091c8ac1d4c4fb9b3d432fe95168ca0cd67e6834d94695c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp642.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp747D.tmp.ps1
MD5
16dfdf2f967ade71b96c76742efdca3c

SHA1
3dda7cef57db4f6480361fbbfcf4442a7914e0e1

SHA256
b25e3b15bcd31a28d1f41180e0e40758f622ddcb44c37d81299d53de4c8330db

SHA512
a498750d5b607993d17f9ab76b606c9824a974f5976e3585ed0b665e5ba2333ee98e52f418294d644dd985e98e361db63d07c03f6ef54329eac243a82130dc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp747E.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
MD5
f42c34737cba389f94300650cc9e22ca

SHA1
6bc6f9e71ee2d1bffb37ac1e0fbfe63c7dc0e0c6

SHA256
9f1d965762f05485d436fbdf76a9a1573d422dd9236cbf29b24de9c07d6cc5de

SHA512
76c1c5a66da050c0a041b642e8394aa6a9ad1ac49843ac68c9fd5739a1d5f851ca272499e9b35b299ccb6fb91a0ce724f69cdabd8c7ea4bc64dbb6be00885d75

Download Submit
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
MD5
f42c34737cba389f94300650cc9e22ca

SHA1
6bc6f9e71ee2d1bffb37ac1e0fbfe63c7dc0e0c6

SHA256
9f1d965762f05485d436fbdf76a9a1573d422dd9236cbf29b24de9c07d6cc5de

SHA512
76c1c5a66da050c0a041b642e8394aa6a9ad1ac49843ac68c9fd5739a1d5f851ca272499e9b35b299ccb6fb91a0ce724f69cdabd8c7ea4bc64dbb6be00885d75

Download Submit
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
MD5
f42c34737cba389f94300650cc9e22ca

SHA1
6bc6f9e71ee2d1bffb37ac1e0fbfe63c7dc0e0c6

SHA256
9f1d965762f05485d436fbdf76a9a1573d422dd9236cbf29b24de9c07d6cc5de

SHA512
76c1c5a66da050c0a041b642e8394aa6a9ad1ac49843ac68c9fd5739a1d5f851ca272499e9b35b299ccb6fb91a0ce724f69cdabd8c7ea4bc64dbb6be00885d75

Download Submit
\Users\Admin\AppData\Local\Temp\6A3F11~1.DLL
MD5
f42c34737cba389f94300650cc9e22ca

SHA1
6bc6f9e71ee2d1bffb37ac1e0fbfe63c7dc0e0c6

SHA256
9f1d965762f05485d436fbdf76a9a1573d422dd9236cbf29b24de9c07d6cc5de

SHA512
76c1c5a66da050c0a041b642e8394aa6a9ad1ac49843ac68c9fd5739a1d5f851ca272499e9b35b299ccb6fb91a0ce724f69cdabd8c7ea4bc64dbb6be00885d75

Download Submit
memory/856-452-0x0000000004A53000-0x0000000004A54000-memory.dmp

Filesize
4KB

Download
memory/856-364-0x0000000000000000-mapping.dmp

Download
memory/856-394-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/856-396-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/956-204-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/956-208-0x0000000006C33000-0x0000000006C34000-memory.dmp

Filesize
4KB

Download
memory/956-138-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/956-139-0x0000000006C32000-0x0000000006C33000-memory.dmp

Filesize
4KB

Download
memory/956-136-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/956-167-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/956-130-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/956-171-0x00000000083E0000-0x00000000083E1000-memory.dmp

Filesize
4KB

Download
memory/956-179-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/956-128-0x0000000000000000-mapping.dmp

Download
memory/956-147-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download
memory/956-166-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/956-197-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/956-196-0x000000007F6A0000-0x000000007F6A1000-memory.dmp

Filesize
4KB

Download
memory/956-189-0x00000000090A0000-0x00000000090D3000-memory.dmp

Filesize
204KB

Download
memory/956-152-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/956-161-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/956-158-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/956-129-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/956-137-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/1256-157-0x0000022499630000-0x0000022499632000-memory.dmp

Filesize
8KB

Download
memory/1256-153-0x00007FF7F4A35FD0-mapping.dmp

Download
memory/1256-156-0x0000022499630000-0x0000022499632000-memory.dmp

Filesize
8KB

Download
memory/1256-163-0x0000000000580000-0x0000000000720000-memory.dmp

Filesize
1.6MB

Download
memory/1256-164-0x0000022499930000-0x0000022499AE2000-memory.dmp

Filesize
1.7MB

Download
memory/1656-115-0x0000000004E30000-0x0000000004F1F000-memory.dmp

Filesize
956KB

Download
memory/1656-116-0x0000000004F20000-0x0000000005026000-memory.dmp

Filesize
1.0MB

Download
memory/1656-117-0x0000000000400000-0x0000000002FE7000-memory.dmp

Filesize
43.9MB

Download
memory/1816-148-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-146-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-134-0x0000000000CC0000-0x0000000000E22000-memory.dmp

Filesize
1.4MB

Download
memory/1816-140-0x0000000004761000-0x0000000005745000-memory.dmp

Filesize
15.9MB

Download
memory/1816-141-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1816-142-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1816-143-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-144-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-151-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-150-0x0000000005810000-0x0000000005950000-memory.dmp

Filesize
1.2MB

Download
memory/1816-149-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/1816-131-0x0000000000000000-mapping.dmp

Download
memory/2240-155-0x0000000000000000-mapping.dmp

Download
memory/2436-168-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2436-205-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2436-165-0x0000000000000000-mapping.dmp

Download
memory/2436-203-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/2436-257-0x0000000006C83000-0x0000000006C84000-memory.dmp

Filesize
4KB

Download
memory/2436-169-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2436-174-0x0000000006C82000-0x0000000006C83000-memory.dmp

Filesize
4KB

Download
memory/2436-173-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/2484-449-0x0000000000000000-mapping.dmp

Download
memory/2672-126-0x0000000004CB1000-0x0000000005C95000-memory.dmp

Filesize
15.9MB

Download
memory/2672-123-0x0000000000000000-mapping.dmp

Download
memory/2672-127-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2760-121-0x0000000005061000-0x0000000006045000-memory.dmp

Filesize
15.9MB

Download
memory/2760-118-0x0000000000000000-mapping.dmp

Download
memory/2760-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3588-162-0x0000000000000000-mapping.dmp

Download
memory/3784-454-0x0000000000000000-mapping.dmp

Download
memory/3852-453-0x0000000000000000-mapping.dmp

Download