danabot | 28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a

Analysis

max time kernel
142s
max time network
126s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe
Size

1.2MB
MD5

7edffa62f8534925e9568fc8129b377e
SHA1

83c127c87333db4785f0e7c17aea92c3e880aae8
SHA256

28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a
SHA512

4519940f74c31ca828c31963ab896ef622713a4326470df1d18807acf963ee37de0d54e0cbd9fec8a2c69310cf3ea9bbaab11463112426ae52fed68c360ea11e

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\28C601~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\28C601~1.DLL	DanabotLoader2021
behavioral1/memory/2076-134-0x0000000003F60000-0x00000000040C2000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\28C601~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\28C601~1.DLL	DanabotLoader2021

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

33 812 rundll32.exe
34 1852 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

812 rundll32.exe
1852 RUNDLL32.EXE
2076 RUNDLL32.EXE
2076 RUNDLL32.EXE
740 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
33	812	rundll32.exe
34	1852	RUNDLL32.EXE

pid	process
812	rundll32.exe
1852	RUNDLL32.EXE
2076	RUNDLL32.EXE
2076	RUNDLL32.EXE
740	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2076 set thread context of 1400 2076 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2076 set thread context of 1400	2076	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 44 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E5774F927E4D73E7CFCEDEE9D88E1518DAF54E1F\Blob = 030000000100000014000000e5774f927e4d73e7cfcedee9d88e1518daf54e1f20000000010000009f0200003082029b30820204a0030201020208070110296da68380300d06092a864886f70d01010b05003074311f301d06035504030c165468617774652054696d6573746f6d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3139313032313033323635375a170d3233313032303033323635375a3074311f301d06035504030c165468617774652054696d6573746f6d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100b20ed2ef72572eea177d9470baaa92c5d870dd9bcba59da4a0e0b740491684abba1e22ed20b34d60cc947df0dec82c8e79341f7fab6a90752cf90029bc3a7309b1eba4e21769b047af693616034ef9ddab371dd5ed235ff68ce45f45a371eb175ab41ded06b86aca800cd5e2169d29235a2ae7503f745c922c6ba936a442a0670203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a301882165468617774652054696d6573746f6d70696e67204341300d06092a864886f70d01010b050003818100444b10edb4b0f0730acc452f19cf2c1deb004bf34882d6ff92bfcfc89b5e98054c3b49a0c31ddd2814e0863c3659d81d6a31856596335f0747217007c57b6488728b4bc468162f6a8035fc54235021216314c5b9dd330305c749c9b320e6fdb3c90b392f2c96d0540f7f9fef6b45785dd7948d073f35cba65b427da909178efd	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E5774F927E4D73E7CFCEDEE9D88E1518DAF54E1F	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

RUNDLL32.EXEpowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

pid	process
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
704	powershell.exe
2076	RUNDLL32.EXE
2076	RUNDLL32.EXE
704	powershell.exe
3140	powershell.exe
704	powershell.exe
3140	powershell.exe
3140	powershell.exe
1852	RUNDLL32.EXE
1852	RUNDLL32.EXE
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1852	RUNDLL32.EXE
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1400 rundll32.exe
1852 RUNDLL32.EXE

pid	process
1400	rundll32.exe
1852	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2276 wrote to memory of 812	2276	28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe	rundll32.exe
PID 2276 wrote to memory of 812	2276	28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe	rundll32.exe
PID 2276 wrote to memory of 812	2276	28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe	rundll32.exe
PID 812 wrote to memory of 1852	812	rundll32.exe	RUNDLL32.EXE
PID 812 wrote to memory of 1852	812	rundll32.exe	RUNDLL32.EXE
PID 812 wrote to memory of 1852	812	rundll32.exe	RUNDLL32.EXE
PID 1852 wrote to memory of 704	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 704	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 704	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 2076	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 1852 wrote to memory of 2076	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 1852 wrote to memory of 2076	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 2076 wrote to memory of 1400	2076	RUNDLL32.EXE	rundll32.exe
PID 2076 wrote to memory of 1400	2076	RUNDLL32.EXE	rundll32.exe
PID 1852 wrote to memory of 740	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 1852 wrote to memory of 740	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 1852 wrote to memory of 740	1852	RUNDLL32.EXE	RUNDLL32.EXE
PID 2076 wrote to memory of 1400	2076	RUNDLL32.EXE	rundll32.exe
PID 1400 wrote to memory of 2988	1400	rundll32.exe	ctfmon.exe
PID 1400 wrote to memory of 2988	1400	rundll32.exe	ctfmon.exe
PID 1852 wrote to memory of 3140	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 3140	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 3140	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 3736	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 3736	1852	RUNDLL32.EXE	powershell.exe
PID 1852 wrote to memory of 3736	1852	RUNDLL32.EXE	powershell.exe
PID 3736 wrote to memory of 3016	3736	powershell.exe	nslookup.exe
PID 3736 wrote to memory of 3016	3736	powershell.exe	nslookup.exe
PID 3736 wrote to memory of 3016	3736	powershell.exe	nslookup.exe
PID 1852 wrote to memory of 3216	1852	RUNDLL32.EXE	schtasks.exe
PID 1852 wrote to memory of 3216	1852	RUNDLL32.EXE	schtasks.exe
PID 1852 wrote to memory of 3216	1852	RUNDLL32.EXE	schtasks.exe
PID 1852 wrote to memory of 2636	1852	RUNDLL32.EXE	schtasks.exe
PID 1852 wrote to memory of 2636	1852	RUNDLL32.EXE	schtasks.exe
PID 1852 wrote to memory of 2636	1852	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe
"C:\Users\Admin\AppData\Local\Temp\28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,s C:\Users\Admin\AppData\Local\Temp\28C601~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,hFUv
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,VCYtT2pZbUw=
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:2988

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFE71.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6CCD.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3016

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3216

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
cf6df07eadcfa62475176a47cd68ff86

SHA1
37f367bcd2ff0f35b0849c0dda2abde7820492a2

SHA256
cdba3afc087a7f05b24b6d0a6f9b570b1fead98719879c1b89770a72ddaa2d7e

SHA512
a5b85553b88bcd139943cb3c386d644b283125938b218e3f9e6c4784692747fb69cdd3107078f6a0986f0ecff8517a4d04f42ed694b666cc7b24d2e11b7f9a80

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
cf6df07eadcfa62475176a47cd68ff86

SHA1
37f367bcd2ff0f35b0849c0dda2abde7820492a2

SHA256
cdba3afc087a7f05b24b6d0a6f9b570b1fead98719879c1b89770a72ddaa2d7e

SHA512
a5b85553b88bcd139943cb3c386d644b283125938b218e3f9e6c4784692747fb69cdd3107078f6a0986f0ecff8517a4d04f42ed694b666cc7b24d2e11b7f9a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4ded3e1b42ce8ad34c360077b353bbb0

SHA1
d0b31c95b56dfef8d0a4af8e26675833815a0319

SHA256
cb9879b3236686becabc8a71a7c4903ae83b7611b47759f755a1667a923df7bb

SHA512
388e4d7e0318da97e1386bb6553c65eaac32838bfb17a8c7c751c23f34cd848c2e2d4c359260df9dd3c7d58bef43cca1597ffb59423d9f6ec6c7b20d7cfdb90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a88bc5b7b17cf8e3eba40d7ef4b3901d

SHA1
307c3e27de483c59185b379d9bbf26cc34f06a0e

SHA256
7ec397e29d0ad9b0533ef06a0e0a7a4f9a482bd74fbfa18c8d40be700383495e

SHA512
dd37aa85c5c98b558e15777bf38998efa0ed2620c64ba60cefaf9a6241708cfdfbe65f3e3e93bd51021d155f6d28fd4eed1054ee9ab012aa9aff9d25c9407595

Download Submit
C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL
MD5
cf5d4c10502510e92af825d06353cd9c

SHA1
d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12

SHA256
e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7

SHA512
2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CCD.tmp.ps1
MD5
ae1cda89daed1d856f22751f8737d1f1

SHA1
85749f8355f2a77d04e02fe7187622dd6dddcfc2

SHA256
3542554394e2457e7a2951e7db643726ae3e8c1453b23026855230b4caf3a80f

SHA512
272253857a2a42368f352308174b25c338922d6314312c6fd728a01bc6422a1ddbd9c38ab9690005a29e04534993aa6b62d1e8fd718205fdf4b061fc0229c992

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CCE.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE71.tmp.ps1
MD5
31bda7eda1214091d9d4189fddec6153

SHA1
0d1c22641d3fef8c02d2b65c36d2423b9aeba56b

SHA256
0c19df9ec228faf1036f3c915e9e7cef1d235171d8d99dc8696e74f844f139e1

SHA512
0292b52eb9008800fdbe7a6a6dcc79cb8d76ae6ec34770221c53cde3ee7caa04e630f126eff80e04324769f919abbd4bb6cf470fa27a5c7cbfb7ddfc12a08328

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE72.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\28C601~1.DLL
MD5
cf5d4c10502510e92af825d06353cd9c

SHA1
d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12

SHA256
e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7

SHA512
2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd

Download Submit
\Users\Admin\AppData\Local\Temp\28C601~1.DLL
MD5
cf5d4c10502510e92af825d06353cd9c

SHA1
d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12

SHA256
e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7

SHA512
2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd

Download Submit
\Users\Admin\AppData\Local\Temp\28C601~1.DLL
MD5
cf5d4c10502510e92af825d06353cd9c

SHA1
d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12

SHA256
e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7

SHA512
2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd

Download Submit
\Users\Admin\AppData\Local\Temp\28C601~1.DLL
MD5
cf5d4c10502510e92af825d06353cd9c

SHA1
d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12

SHA256
e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7

SHA512
2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/704-159-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/704-179-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/704-167-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/704-130-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/704-136-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/704-137-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/704-138-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/704-139-0x0000000004D22000-0x0000000004D23000-memory.dmp

Filesize
4KB

Download
memory/704-166-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/704-171-0x0000000008820000-0x0000000008821000-memory.dmp

Filesize
4KB

Download
memory/704-163-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/704-189-0x0000000009530000-0x0000000009563000-memory.dmp

Filesize
204KB

Download
memory/704-208-0x0000000004D23000-0x0000000004D24000-memory.dmp

Filesize
4KB

Download
memory/704-153-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/704-129-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/704-128-0x0000000000000000-mapping.dmp

Download
memory/704-204-0x0000000009660000-0x0000000009661000-memory.dmp

Filesize
4KB

Download
memory/704-198-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/704-156-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/704-193-0x000000007FD30000-0x000000007FD31000-memory.dmp

Filesize
4KB

Download
memory/740-146-0x0000000000000000-mapping.dmp

Download
memory/812-121-0x0000000004C41000-0x0000000005C25000-memory.dmp

Filesize
15.9MB

Download
memory/812-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/812-118-0x0000000000000000-mapping.dmp

Download
memory/1400-155-0x00007FF795BF5FD0-mapping.dmp

Download
memory/1400-160-0x000002D1E27E0000-0x000002D1E27E2000-memory.dmp

Filesize
8KB

Download
memory/1400-158-0x000002D1E27E0000-0x000002D1E27E2000-memory.dmp

Filesize
8KB

Download
memory/1400-161-0x0000000000BF0000-0x0000000000D90000-memory.dmp

Filesize
1.6MB

Download
memory/1400-162-0x000002D1E0E60000-0x000002D1E1012000-memory.dmp

Filesize
1.7MB

Download
memory/1852-127-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1852-126-0x0000000004D81000-0x0000000005D65000-memory.dmp

Filesize
15.9MB

Download
memory/1852-123-0x0000000000000000-mapping.dmp

Download
memory/2076-147-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2076-144-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2076-131-0x0000000000000000-mapping.dmp

Download
memory/2076-140-0x0000000004581000-0x0000000005565000-memory.dmp

Filesize
15.9MB

Download
memory/2076-141-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/2076-142-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2076-143-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2076-134-0x0000000003F60000-0x00000000040C2000-memory.dmp

Filesize
1.4MB

Download
memory/2076-154-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2076-152-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2076-151-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2076-150-0x0000000005630000-0x0000000005770000-memory.dmp

Filesize
1.2MB

Download
memory/2276-115-0x0000000004D18000-0x0000000004E07000-memory.dmp

Filesize
956KB

Download
memory/2276-116-0x0000000004E10000-0x0000000004F16000-memory.dmp

Filesize
1.0MB

Download
memory/2276-117-0x0000000000400000-0x0000000002E83000-memory.dmp

Filesize
42.5MB

Download
memory/2636-454-0x0000000000000000-mapping.dmp

Download
memory/2988-164-0x0000000000000000-mapping.dmp

Download
memory/3016-449-0x0000000000000000-mapping.dmp

Download
memory/3140-169-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3140-173-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/3140-168-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3140-200-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/3140-255-0x0000000004953000-0x0000000004954000-memory.dmp

Filesize
4KB

Download
memory/3140-175-0x0000000004952000-0x0000000004953000-memory.dmp

Filesize
4KB

Download
memory/3140-165-0x0000000000000000-mapping.dmp

Download
memory/3140-205-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/3216-453-0x0000000000000000-mapping.dmp

Download
memory/3736-398-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/3736-412-0x0000000004922000-0x0000000004923000-memory.dmp

Filesize
4KB

Download
memory/3736-383-0x0000000000000000-mapping.dmp

Download
memory/3736-450-0x0000000004923000-0x0000000004924000-memory.dmp

Filesize
4KB

Download