danabot | 873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719

Analysis

max time kernel
145s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe
Size

1.2MB
MD5

1a59897fb61b2a9c1696ccd9df0fd3c6
SHA1

59fc32b185f164bcbdfebcc51fcfe06ee2ee3272
SHA256

873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719
SHA512

a5c5e684700d413cb52f644e46b750f59941ac7aaadb030b595283e619f82bf63a9e773cc1158b924661719b40b2662b6728e57a8896d4345e9d9f7a4cc9e846

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL	DanabotLoader2021
behavioral1/memory/2052-126-0x00000000040B0000-0x0000000004216000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL	DanabotLoader2021

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

24 1280 rundll32.exe
25 2052 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

1280 rundll32.exe
2052 RUNDLL32.EXE
2052 RUNDLL32.EXE
1744 RUNDLL32.EXE
2612 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
24	1280	rundll32.exe
25	2052	RUNDLL32.EXE

pid	process
1280	rundll32.exe
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
1744	RUNDLL32.EXE
2612	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1744 set thread context of 1320 1744 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1744 set thread context of 1320	1744	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5F185A6159F72EA782E6A208F316734C2B45CEA4\Blob = 0300000001000000140000005f185a6159f72ea782e6a208f316734c2b45cea420000000010000009b0200003082029730820200a003020102020821910e0a11dca7c7300d06092a864886f70d01010b0500306c312b302906035504030c2244696769436572742048696768204173737572616e63652045562052736f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139313031373233333232365a170d3233313031363233333232365a306c312b302906035504030c2244696769436572742048696768204173737572616e63652045562052736f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100ebeb6d0310e3d78ac1e8dff944ddaa2b9bff30466741ff6fb81a523c12c3998a18bf54f17db82df9949eb8752e5e42fc62a146b449185e74f0b32051ef93aafe573119401dee50b2b61d177e0d2a9fe22fec4e75cd0a88d327fb9417aa2ba2b1dc437e942c86e9d8a50ce06abeb3beae1206cf59dc486375781bc632f17705630203010001a3423040300f0603551d130101ff040530030101ff302d0603551d1104263024822244696769436572742048696768204173737572616e63652045562052736f74204341300d06092a864886f70d01010b0500038181007ec2a548fe3cac185d09e965a9325b7d102c285bbd381b1aee71642e5af3fb7f43192cb4484f1a947bf741d5dd5d178fae9c4bc604b2e346061c4d07719e7db265f1ccfd764b9d88bcd62c87f67c7e1a3464138fb51b74acc770223aba5adc71b83ea3d3313dd69953436f75c7e0582b0cdffe38ddb52c38f1cc88431ad81780	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5F185A6159F72EA782E6A208F316734C2B45CEA4	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

RUNDLL32.EXEpowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

pid	process
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
3508	powershell.exe
1744	RUNDLL32.EXE
1744	RUNDLL32.EXE
3508	powershell.exe
3516	powershell.exe
3508	powershell.exe
3516	powershell.exe
3516	powershell.exe
2052	RUNDLL32.EXE
2052	RUNDLL32.EXE
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	2052	RUNDLL32.EXE
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1320 rundll32.exe
2052 RUNDLL32.EXE

pid	process
1320	rundll32.exe
2052	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2268 wrote to memory of 1280	2268	873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe	rundll32.exe
PID 2268 wrote to memory of 1280	2268	873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe	rundll32.exe
PID 2268 wrote to memory of 1280	2268	873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe	rundll32.exe
PID 1280 wrote to memory of 2052	1280	rundll32.exe	RUNDLL32.EXE
PID 1280 wrote to memory of 2052	1280	rundll32.exe	RUNDLL32.EXE
PID 1280 wrote to memory of 2052	1280	rundll32.exe	RUNDLL32.EXE
PID 2052 wrote to memory of 3508	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 3508	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 3508	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 1744	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 2052 wrote to memory of 1744	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 2052 wrote to memory of 1744	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 1744 wrote to memory of 1320	1744	RUNDLL32.EXE	rundll32.exe
PID 1744 wrote to memory of 1320	1744	RUNDLL32.EXE	rundll32.exe
PID 1744 wrote to memory of 1320	1744	RUNDLL32.EXE	rundll32.exe
PID 1320 wrote to memory of 1544	1320	rundll32.exe	ctfmon.exe
PID 1320 wrote to memory of 1544	1320	rundll32.exe	ctfmon.exe
PID 2052 wrote to memory of 2612	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 2052 wrote to memory of 2612	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 2052 wrote to memory of 2612	2052	RUNDLL32.EXE	RUNDLL32.EXE
PID 2052 wrote to memory of 3516	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 3516	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 3516	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 2920	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 2920	2052	RUNDLL32.EXE	powershell.exe
PID 2052 wrote to memory of 2920	2052	RUNDLL32.EXE	powershell.exe
PID 2920 wrote to memory of 2680	2920	powershell.exe	nslookup.exe
PID 2920 wrote to memory of 2680	2920	powershell.exe	nslookup.exe
PID 2920 wrote to memory of 2680	2920	powershell.exe	nslookup.exe
PID 2052 wrote to memory of 3236	2052	RUNDLL32.EXE	schtasks.exe
PID 2052 wrote to memory of 3236	2052	RUNDLL32.EXE	schtasks.exe
PID 2052 wrote to memory of 3236	2052	RUNDLL32.EXE	schtasks.exe
PID 2052 wrote to memory of 2056	2052	RUNDLL32.EXE	schtasks.exe
PID 2052 wrote to memory of 2056	2052	RUNDLL32.EXE	schtasks.exe
PID 2052 wrote to memory of 2056	2052	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe
"C:\Users\Admin\AppData\Local\Temp\873bda53244561e93e69958937dcb0180f6319a65ae7b751e66540dcfc17c719.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL,s C:\Users\Admin\AppData\Local\Temp\873BDA~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL,NykOaFRvaVlp
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL,eChPWQ==
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1544

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2680

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3236

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
2def7e89943100cf26d70ef373b1260e

SHA1
d90f028ae9ac9f8edc26445639752acbcacc70e7

SHA256
178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549

SHA512
a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
4d5db43d45cc8b36696f368666417ab5

SHA1
cc82d33804f5a55603713bc810ce80c6bf2268b9

SHA256
2fec09f366f2f28a4b17c99e3118e77d412d772192cb7945cedfa74d5535de0b

SHA512
aba91c548a1795549cf44dcecae46f0bb1bed78092f1578c1a90bac53a86242f7ed5cb310169a0d8174551c19dfec37f1b84b1d78678b548539a51309c56687e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
34cbce7a86066983ddec1c5c7316fa24

SHA1
a1135a1ddbfd3ae8079f7e449d7978fdb92f3bd9

SHA256
23bf6d99f757f6728c8c896676b0707e190e1acb80ec8758696fa3efa8d6cb42

SHA512
f6537a61341ef316200de61d4185d7fdf8169fa5f01446241d34dc74ffdf9edfd520c5d06d54c9df8a8d1eb0eeab53141d75c88f157b72cbcb6b7f0bdb84e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4f0e6d4bfba74d0550be96353f7e3943

SHA1
4f71108e890e4758b0ab3b158272d8cd324f7503

SHA256
28408be76e74a44e34ac19ba651d0b51b27817de151d4159ccb4243f8a2e36e4

SHA512
7715de7e52c321bd599b931fd810fed1a4224091b10dee5bf7ad810472c6088e4413e0575cbf408c763fa80639a1aafca48b1cd00ba4c4a149806b601d32ad4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
097aa50823bef08089cf7239b8d12576

SHA1
1921861d0bbc8de3e5963075b88ad22a8e665de3

SHA256
cdf697e6cf442845bb46156891f7715d0d5c4a68071f288021e21f0c75b1d4aa

SHA512
7d70eef3eec0e2196ed721feae20e057bba2eb4a7713ef3c25f6da4e331cdf9fd74c5fa6e806dc8cc9f818e1584ae377b517e0f1070be03673930637008ac5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
MD5
a3d21bf856332e635f8f8c2d56c43ed4

SHA1
6911ba484359c54d2e90383f71b07be873f047cb

SHA256
5bcae59c51a93bfe54c73ad48b4e96611c29cd327584067eceffe57018208b58

SHA512
4ab5e446cc370a1485cc59b37274685550c06f5945252c8b0d859896d8a3d3748b7f29ae9101452fbd412640cd2c00276474586bb203dab3f54abee1a4f5fb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.ps1
MD5
341ea6b8a0dc22f64e53649793fabc86

SHA1
512e4b2811116db4de40729c7cbc814c07f27168

SHA256
d82148b550f6aef30f68c6c404d82e12cb07644f601010d506642effb4c702bf

SHA512
c0f401e556f4b94f77a30eaee45601ed29e0989ecf9aa537e384c2773df3b5669a81d4fb2f06aace2b2ddb4a122dfdb965eef6c3e58e68eeeadec7c9d57203e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp190E.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8594.tmp.ps1
MD5
b35f5a32299dbe62fa0105935bd48c0c

SHA1
230595aebc026f3d52514ea01b17e04a963b723f

SHA256
e2ec01632dedc5d00af763cb88a10a43ae012dc479b34088ed54a18807b07c85

SHA512
fde00da0e1170adcfd14c98bf5af7fa7e2f30b6df126a33306ed2bea3805d8c68675e00523e8b0b6ca7d2b933bce1fa5926268e0c1551fc4e3f071033e8bf95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8595.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
MD5
a3d21bf856332e635f8f8c2d56c43ed4

SHA1
6911ba484359c54d2e90383f71b07be873f047cb

SHA256
5bcae59c51a93bfe54c73ad48b4e96611c29cd327584067eceffe57018208b58

SHA512
4ab5e446cc370a1485cc59b37274685550c06f5945252c8b0d859896d8a3d3748b7f29ae9101452fbd412640cd2c00276474586bb203dab3f54abee1a4f5fb09

Download Submit
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
MD5
a3d21bf856332e635f8f8c2d56c43ed4

SHA1
6911ba484359c54d2e90383f71b07be873f047cb

SHA256
5bcae59c51a93bfe54c73ad48b4e96611c29cd327584067eceffe57018208b58

SHA512
4ab5e446cc370a1485cc59b37274685550c06f5945252c8b0d859896d8a3d3748b7f29ae9101452fbd412640cd2c00276474586bb203dab3f54abee1a4f5fb09

Download Submit
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
MD5
a3d21bf856332e635f8f8c2d56c43ed4

SHA1
6911ba484359c54d2e90383f71b07be873f047cb

SHA256
5bcae59c51a93bfe54c73ad48b4e96611c29cd327584067eceffe57018208b58

SHA512
4ab5e446cc370a1485cc59b37274685550c06f5945252c8b0d859896d8a3d3748b7f29ae9101452fbd412640cd2c00276474586bb203dab3f54abee1a4f5fb09

Download Submit
\Users\Admin\AppData\Local\Temp\873BDA~1.DLL
MD5
a3d21bf856332e635f8f8c2d56c43ed4

SHA1
6911ba484359c54d2e90383f71b07be873f047cb

SHA256
5bcae59c51a93bfe54c73ad48b4e96611c29cd327584067eceffe57018208b58

SHA512
4ab5e446cc370a1485cc59b37274685550c06f5945252c8b0d859896d8a3d3748b7f29ae9101452fbd412640cd2c00276474586bb203dab3f54abee1a4f5fb09

Download Submit
memory/1280-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1280-121-0x0000000004AB1000-0x0000000005A95000-memory.dmp

Filesize
15.9MB

Download
memory/1280-117-0x0000000000000000-mapping.dmp

Download
memory/1320-155-0x00007FF730F15FD0-mapping.dmp

Download
memory/1320-161-0x00000178C6620000-0x00000178C67D2000-memory.dmp

Filesize
1.7MB

Download
memory/1320-160-0x0000000000290000-0x0000000000430000-memory.dmp

Filesize
1.6MB

Download
memory/1320-158-0x00000178C6510000-0x00000178C6512000-memory.dmp

Filesize
8KB

Download
memory/1320-159-0x00000178C6510000-0x00000178C6512000-memory.dmp

Filesize
8KB

Download
memory/1544-163-0x0000000000000000-mapping.dmp

Download
memory/1744-151-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-153-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-147-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-148-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-150-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-140-0x0000000004E21000-0x0000000005E05000-memory.dmp

Filesize
15.9MB

Download
memory/1744-152-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1744-146-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/1744-154-0x0000000005ED0000-0x0000000006010000-memory.dmp

Filesize
1.2MB

Download
memory/1744-136-0x0000000000000000-mapping.dmp

Download
memory/1744-143-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2052-126-0x00000000040B0000-0x0000000004216000-memory.dmp

Filesize
1.4MB

Download
memory/2052-129-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/2052-128-0x0000000004651000-0x0000000005635000-memory.dmp

Filesize
15.9MB

Download
memory/2052-123-0x0000000000000000-mapping.dmp

Download
memory/2056-458-0x0000000000000000-mapping.dmp

Download
memory/2268-118-0x0000000000400000-0x0000000002E86000-memory.dmp

Filesize
42.5MB

Download
memory/2268-115-0x0000000004BC9000-0x0000000004CBB000-memory.dmp

Filesize
968KB

Download
memory/2268-116-0x0000000004D10000-0x0000000004E19000-memory.dmp

Filesize
1.0MB

Download
memory/2612-166-0x0000000000000000-mapping.dmp

Download
memory/2680-453-0x0000000000000000-mapping.dmp

Download
memory/2920-455-0x00000000047D3000-0x00000000047D4000-memory.dmp

Filesize
4KB

Download
memory/2920-385-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/2920-384-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/2920-359-0x0000000000000000-mapping.dmp

Download
memory/3236-457-0x0000000000000000-mapping.dmp

Download
memory/3508-171-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/3508-134-0x0000000000000000-mapping.dmp

Download
memory/3508-142-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/3508-144-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3508-183-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3508-145-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/3508-156-0x0000000007450000-0x0000000007451000-memory.dmp

Filesize
4KB

Download
memory/3508-195-0x00000000093F0000-0x0000000009423000-memory.dmp

Filesize
204KB

Download
memory/3508-201-0x000000007EE90000-0x000000007EE91000-memory.dmp

Filesize
4KB

Download
memory/3508-204-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/3508-162-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3508-215-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/3508-164-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/3508-176-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/3508-165-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3508-141-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/3508-170-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/3508-137-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3508-135-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/3516-169-0x0000000000000000-mapping.dmp

Download
memory/3516-172-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3516-248-0x00000000065B3000-0x00000000065B4000-memory.dmp

Filesize
4KB

Download
memory/3516-203-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3516-193-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/3516-173-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3516-178-0x00000000065B2000-0x00000000065B3000-memory.dmp

Filesize
4KB

Download
memory/3516-177-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download