danabot | 2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847

Analysis

max time kernel
142s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe
Size

1.2MB
MD5

ffd87f2abdb8eb540ce899b1a25cc6ed
SHA1

81b3087989a3dadd745bcc53762d22334c05c20d
SHA256

2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847
SHA512

b497f9bff9d6515dca2423416a624b2ef75600ce06e53e39be79a146221f6933d49f3ebbab8454f6428464b24f6177182569ef5b13de0465a066c1aad73254d4

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\275448~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3276 created 3952 3276 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

30 3672 rundll32.exe
31 60 RUNDLL32.EXE
34 60 RUNDLL32.EXE
35 60 RUNDLL32.EXE
36 60 RUNDLL32.EXE
37 60 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

3672 rundll32.exe
60 RUNDLL32.EXE
3952 RUNDLL32.EXE
1280 RUNDLL32.EXE
1280 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3276 created 3952	3276	WerFault.exe	RUNDLL32.EXE

flow	pid	process
30	3672	rundll32.exe
31	60	RUNDLL32.EXE
34	60	RUNDLL32.EXE
35	60	RUNDLL32.EXE
36	60	RUNDLL32.EXE
37	60	RUNDLL32.EXE

pid	process
3672	rundll32.exe
60	RUNDLL32.EXE
3952	RUNDLL32.EXE
1280	RUNDLL32.EXE
1280	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3952 set thread context of 2196 3952 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3276 3952 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 3952 set thread context of 2196	3952	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
3276	3952	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\311A60E733B6A0987335BB1E726456CD7216533F	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\311A60E733B6A0987335BB1E726456CD7216533F\Blob = 030000000100000014000000311a60e733b6a0987335bb1e726456cd7216533f20000000010000003f0200003082023b308201a4a003020102020876141d3a25f951bb300d06092a864886f70d01010b050030433121301f06035504030c184d6963726f736f667420526f6a7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3139313032313031303732375a170d3233313032303031303732375a30433121301f06035504030c184d6963726f736f667420526f6a7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100c893f1ba9aa6910d569417ba852ea94f4af5f5de32cd25bcbc9a32816404c6200d398e8427969c86f5139c1853d5796d2b9d3edc47e3f2b5b315cdfc412ed66c04ae2b58e429e41fef3fe157c37715e0a720674a99e6531c5eb66bde9f3695fe17d787e72029d58c22c742c0ab9b18e7131b117d735a3f916f87e548ac80622d0203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6963726f736f667420526f6a7420417574686f72697479300d06092a864886f70d01010b0500038181000c72c1b46539e439d7197f03212a77a8259fe1c2bd80cc069fc883b64da96e49e5143bf5d13a421a27a43d45bbbfbe1fa56f0f051003779fd9bb6498dc5b98eab5f474680b6b8222f37a96fced623eddb3e509524979ec1512ac260c9a0db11c22127c66e71db2ce590b4810509c47dbbef32c91aba9a642668b750ec6518fe0	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

RUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
60	RUNDLL32.EXE
60	RUNDLL32.EXE
60	RUNDLL32.EXE
60	RUNDLL32.EXE
60	RUNDLL32.EXE
60	RUNDLL32.EXE
1220	powershell.exe
3952	RUNDLL32.EXE
3952	RUNDLL32.EXE
1220	powershell.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
3276	WerFault.exe
2000	powershell.exe
1220	powershell.exe
2000	powershell.exe
2000	powershell.exe
60	RUNDLL32.EXE
60	RUNDLL32.EXE
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	60	RUNDLL32.EXE
Token: SeRestorePrivilege	3276	WerFault.exe
Token: SeBackupPrivilege	3276	WerFault.exe
Token: SeDebugPrivilege	3276	WerFault.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2196 rundll32.exe
60 RUNDLL32.EXE

pid	process
2196	rundll32.exe
60	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1380 wrote to memory of 3672	1380	2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe	rundll32.exe
PID 1380 wrote to memory of 3672	1380	2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe	rundll32.exe
PID 1380 wrote to memory of 3672	1380	2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe	rundll32.exe
PID 3672 wrote to memory of 60	3672	rundll32.exe	RUNDLL32.EXE
PID 3672 wrote to memory of 60	3672	rundll32.exe	RUNDLL32.EXE
PID 3672 wrote to memory of 60	3672	rundll32.exe	RUNDLL32.EXE
PID 60 wrote to memory of 1220	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 1220	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 1220	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 3952	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 60 wrote to memory of 3952	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 60 wrote to memory of 3952	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 3952 wrote to memory of 2196	3952	RUNDLL32.EXE	rundll32.exe
PID 3952 wrote to memory of 2196	3952	RUNDLL32.EXE	rundll32.exe
PID 3952 wrote to memory of 2196	3952	RUNDLL32.EXE	rundll32.exe
PID 60 wrote to memory of 1280	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 60 wrote to memory of 1280	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 60 wrote to memory of 1280	60	RUNDLL32.EXE	RUNDLL32.EXE
PID 2196 wrote to memory of 3252	2196	rundll32.exe	ctfmon.exe
PID 2196 wrote to memory of 3252	2196	rundll32.exe	ctfmon.exe
PID 60 wrote to memory of 2000	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 2000	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 2000	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 3564	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 3564	60	RUNDLL32.EXE	powershell.exe
PID 60 wrote to memory of 3564	60	RUNDLL32.EXE	powershell.exe
PID 3564 wrote to memory of 3208	3564	powershell.exe	nslookup.exe
PID 3564 wrote to memory of 3208	3564	powershell.exe	nslookup.exe
PID 3564 wrote to memory of 3208	3564	powershell.exe	nslookup.exe
PID 60 wrote to memory of 2448	60	RUNDLL32.EXE	schtasks.exe
PID 60 wrote to memory of 2448	60	RUNDLL32.EXE	schtasks.exe
PID 60 wrote to memory of 2448	60	RUNDLL32.EXE	schtasks.exe
PID 60 wrote to memory of 2456	60	RUNDLL32.EXE	schtasks.exe
PID 60 wrote to memory of 2456	60	RUNDLL32.EXE	schtasks.exe
PID 60 wrote to memory of 2456	60	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe
"C:\Users\Admin\AppData\Local\Temp\2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,s C:\Users\Admin\AppData\Local\Temp\275448~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,o09U
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:60

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\275448~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,QxooZ2s2
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 808
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:1280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp883.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp52BD.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3208

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2448

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
215771e6a0398a9818667d79c06163e3

SHA1
96adf9e778b2141255d34685c1139ceb68389cc4

SHA256
a0a7ef1b8d898c4552786bf90c6e1e96a2a1e609c9184183f28d9d4dde063233

SHA512
b0aa22f13b4d5d9d6fc76440bc02935bb5d0fa109c27f5f5a5e168871957115ff232f57207a090f7e6a0c0799f4367fdc40d411d94854af5d3d21894616605fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2267c70a0e1c04ab802cf792b8e18f1

SHA1
fedd43729e4fd401b077345359d6554b6863f342

SHA256
0df37c42fecacc545061ef27e128a8855df31d0de5f7caf0896214a871c95657

SHA512
c29ffc0b5fcb8395c460ff34751beb18af8950fc5be48129293d873ae8149c13e77c3a42becddad39e35ca033e8c0ebcd1cd7a05c4371081e06059b5cc5bcb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
35d7863598143f9fa52ef3a06cf454aa

SHA1
55fbb0bd1605977edeaac36433d0962cce316092

SHA256
ca040c47d97f655021326ece210d169b65d4f142843ff86150eb219c4bfcdab4

SHA512
0fa3060f2ee119d7f9647056ab35d62f5da1bd0c47c3bbdd6d95daeaf8990bfa4b0e8ba68806f2d9a0d992e432a8cc99a961b0e68d33355231abeb4bcd41ff64

Download Submit
C:\Users\Admin\AppData\Local\Temp\275448~1.DLL
MD5
04125fbe0b2fa02ebb26b56083ab3a92

SHA1
c0bca6b2197c8e38f021776cc629adc38388a807

SHA256
100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922

SHA512
60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52BD.tmp.ps1
MD5
f6d89dc67d8c83b56ddbf168d6167717

SHA1
6217d3e0b54b51837470fe22d4fe0a47c59ea3b4

SHA256
53ce40ccb2b53b026f983d4e2c6312ce16512181a148014afc49e102a3cb5a03

SHA512
ef7f6c81aa014a1853649b0b824ebcfc8e04e1c8ebe2a340a4fd4a559bf4f6edd293e323042c76e6f42dddde453a89f3c72d6aa5c5572bf6afc75f646d49df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52BE.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp883.tmp.ps1
MD5
c389286bb83ab555f9f80b5362b2da21

SHA1
37434995fa1ef3fc066eb418ff50c470876e69cc

SHA256
b17053aa38feda85fa7486688fd4fd2c7a5eb83d36b7377bdaf2146e9b350369

SHA512
03fb2ae9ffafcdd07de312e4d8ec8e2d0b312866025ddec55c13ad037ad1f3d10cd863bb69ddde88f60e298896a9cfbf0e9309614c4e5ff958c6d8589a7a4e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp893.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\275448~1.DLL
MD5
04125fbe0b2fa02ebb26b56083ab3a92

SHA1
c0bca6b2197c8e38f021776cc629adc38388a807

SHA256
100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922

SHA512
60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

Download Submit
\Users\Admin\AppData\Local\Temp\275448~1.DLL
MD5
04125fbe0b2fa02ebb26b56083ab3a92

SHA1
c0bca6b2197c8e38f021776cc629adc38388a807

SHA256
100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922

SHA512
60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

Download Submit
\Users\Admin\AppData\Local\Temp\275448~1.DLL
MD5
04125fbe0b2fa02ebb26b56083ab3a92

SHA1
c0bca6b2197c8e38f021776cc629adc38388a807

SHA256
100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922

SHA512
60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/60-126-0x00000000050D1000-0x00000000060B5000-memory.dmp

Filesize
15.9MB

Download
memory/60-127-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/60-123-0x0000000000000000-mapping.dmp

Download
memory/1220-191-0x0000000009830000-0x0000000009863000-memory.dmp

Filesize
204KB

Download
memory/1220-212-0x0000000004D83000-0x0000000004D84000-memory.dmp

Filesize
4KB

Download
memory/1220-137-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/1220-138-0x0000000004D82000-0x0000000004D83000-memory.dmp

Filesize
4KB

Download
memory/1220-128-0x0000000000000000-mapping.dmp

Download
memory/1220-129-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1220-206-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/1220-199-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/1220-194-0x000000007E930000-0x000000007E931000-memory.dmp

Filesize
4KB

Download
memory/1220-130-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1220-179-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/1220-147-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/1220-168-0x0000000008850000-0x0000000008851000-memory.dmp

Filesize
4KB

Download
memory/1220-135-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/1220-166-0x0000000008900000-0x0000000008901000-memory.dmp

Filesize
4KB

Download
memory/1220-134-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1220-165-0x0000000008460000-0x0000000008461000-memory.dmp

Filesize
4KB

Download
memory/1220-163-0x0000000008110000-0x0000000008111000-memory.dmp

Filesize
4KB

Download
memory/1220-161-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/1220-160-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/1280-149-0x0000000000000000-mapping.dmp

Download
memory/1380-117-0x0000000000400000-0x0000000002E86000-memory.dmp

Filesize
42.5MB

Download
memory/1380-116-0x0000000004E40000-0x0000000004F49000-memory.dmp

Filesize
1.0MB

Download
memory/1380-115-0x0000000004CA8000-0x0000000004D9A000-memory.dmp

Filesize
968KB

Download
memory/2000-167-0x0000000000000000-mapping.dmp

Download
memory/2000-200-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2000-254-0x0000000006B23000-0x0000000006B24000-memory.dmp

Filesize
4KB

Download
memory/2000-190-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/2000-178-0x0000000006B22000-0x0000000006B23000-memory.dmp

Filesize
4KB

Download
memory/2000-177-0x0000000006B20000-0x0000000006B21000-memory.dmp

Filesize
4KB

Download
memory/2000-170-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2000-169-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2196-159-0x000001EBC8D10000-0x000001EBC8D12000-memory.dmp

Filesize
8KB

Download
memory/2196-157-0x0000000000C50000-0x0000000000DF0000-memory.dmp

Filesize
1.6MB

Download
memory/2196-152-0x00007FF6EDBF5FD0-mapping.dmp

Download
memory/2196-164-0x000001EBC8F30000-0x000001EBC90E2000-memory.dmp

Filesize
1.7MB

Download
memory/2196-158-0x000001EBC8D10000-0x000001EBC8D12000-memory.dmp

Filesize
8KB

Download
memory/2448-453-0x0000000000000000-mapping.dmp

Download
memory/2456-454-0x0000000000000000-mapping.dmp

Download
memory/3208-438-0x0000000000000000-mapping.dmp

Download
memory/3252-162-0x0000000000000000-mapping.dmp

Download
memory/3564-452-0x0000000004AB3000-0x0000000004AB4000-memory.dmp

Filesize
4KB

Download
memory/3564-353-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/3564-351-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/3564-327-0x0000000000000000-mapping.dmp

Download
memory/3672-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3672-121-0x0000000004E21000-0x0000000005E05000-memory.dmp

Filesize
15.9MB

Download
memory/3672-118-0x0000000000000000-mapping.dmp

Download
memory/3952-141-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-140-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3952-150-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-136-0x0000000004B81000-0x0000000005B65000-memory.dmp

Filesize
15.9MB

Download
memory/3952-139-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3952-148-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-142-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-144-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-145-0x0000000005C30000-0x0000000005D70000-memory.dmp

Filesize
1.2MB

Download
memory/3952-146-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3952-131-0x0000000000000000-mapping.dmp

Download