danabot | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580

Analysis

max time kernel
141s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
20-10-2021 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe
Size

1.2MB
MD5

903dc4c649108c3893e7599e10966449
SHA1

b9b93febf9a10ead9d919cd5b04911e8aeaf2594
SHA256

de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580
SHA512

02e3891b6741b2ff3f3b1bc918de40c24a554ed9334dd9e8608f6edfbef1a73afc4d0896ed2a5a945d2724343aefdb3988fe39d64414395cf090466330ad358a

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL	DanabotLoader2021
behavioral1/memory/2276-134-0x0000000000A30000-0x0000000000B92000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1332 created 2784 1332 WerFault.exe de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

26 1232 rundll32.exe
27 2176 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

1232 rundll32.exe
2176 RUNDLL32.EXE
2276 RUNDLL32.EXE
2276 RUNDLL32.EXE
2636 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1332 created 2784	1332	WerFault.exe	de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe

flow	pid	process
26	1232	rundll32.exe
27	2176	RUNDLL32.EXE

pid	process
1232	rundll32.exe
2176	RUNDLL32.EXE
2276	RUNDLL32.EXE
2276	RUNDLL32.EXE
2636	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2276 set thread context of 2192 2276 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1332 2784 WerFault.exe de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe

description	pid	process	target process
PID 2276 set thread context of 2192	2276	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
1332	2784	WerFault.exe	de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9F1308730DACD5416147AB694B264D76012F24F	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9F1308730DACD5416147AB694B264D76012F24F\Blob = 030000000100000014000000f9f1308730dacd5416147ab694b264d76012f24f20000000010000004b02000030820247308201b0a003020102020850652fb64cd2303c300d06092a864886f70d01010b0500304f3115301306035504030c0c4953524720526f667420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3139313032313139303133395a170d3233313032303139303133395a304f3115301306035504030c0c4953524720526f667420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100dab8822475e947e6ec3c9f5986240c5e9a7e2c36432385f015fed96e472198eca9ee945675d63115984d5e48ff3a2fbeaacef692f340ef3e9c8085028e7e177af3bbd405df8554623d8e850bde228d5382b9f87bbb4d874fc7f0538367b69799447e1aecf0a01f4da5ed01db266c6457f099238257827e29a9c6d4a216f089450203010001a32c302a300f0603551d130101ff040530030101ff30170603551d110410300e820c4953524720526f6674205831300d06092a864886f70d01010b050003818100a584886402dc7bc72c500aa5f6f1c24b42b96c14b0279a7f3278ed43c7a65b529b9b48e6a9360385b0e3e8a7cb1ae39d4fc52f825ecf833dc5324b35eaaaf88f828e8ce37b0975e0356e776cf322545902c305bace8562682d086aa828d0ee469c5e8d5f78ca1bd695a361f0709983eb42f1c5105085cb89fa626a036f91c4a2	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

pid	process
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
1332	WerFault.exe
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
1340	powershell.exe
2276	RUNDLL32.EXE
2276	RUNDLL32.EXE
1340	powershell.exe
1340	powershell.exe
1244	powershell.exe
1244	powershell.exe
1244	powershell.exe
2176	RUNDLL32.EXE
2176	RUNDLL32.EXE
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exepowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1332	WerFault.exe
Token: SeBackupPrivilege	1332	WerFault.exe
Token: SeDebugPrivilege	1332	WerFault.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2176	RUNDLL32.EXE
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2192 rundll32.exe
2176 RUNDLL32.EXE

pid	process
2192	rundll32.exe
2176	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2784 wrote to memory of 1232	2784	de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe	rundll32.exe
PID 2784 wrote to memory of 1232	2784	de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe	rundll32.exe
PID 2784 wrote to memory of 1232	2784	de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe	rundll32.exe
PID 1232 wrote to memory of 2176	1232	rundll32.exe	RUNDLL32.EXE
PID 1232 wrote to memory of 2176	1232	rundll32.exe	RUNDLL32.EXE
PID 1232 wrote to memory of 2176	1232	rundll32.exe	RUNDLL32.EXE
PID 2176 wrote to memory of 1340	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1340	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1340	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 2276	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2176 wrote to memory of 2276	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2176 wrote to memory of 2276	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2276 wrote to memory of 2192	2276	RUNDLL32.EXE	rundll32.exe
PID 2276 wrote to memory of 2192	2276	RUNDLL32.EXE	rundll32.exe
PID 2276 wrote to memory of 2192	2276	RUNDLL32.EXE	rundll32.exe
PID 2192 wrote to memory of 3052	2192	rundll32.exe	ctfmon.exe
PID 2192 wrote to memory of 3052	2192	rundll32.exe	ctfmon.exe
PID 2176 wrote to memory of 1244	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1244	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1244	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 2636	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2176 wrote to memory of 2636	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2176 wrote to memory of 2636	2176	RUNDLL32.EXE	RUNDLL32.EXE
PID 2176 wrote to memory of 1520	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1520	2176	RUNDLL32.EXE	powershell.exe
PID 2176 wrote to memory of 1520	2176	RUNDLL32.EXE	powershell.exe
PID 1520 wrote to memory of 1920	1520	powershell.exe	nslookup.exe
PID 1520 wrote to memory of 1920	1520	powershell.exe	nslookup.exe
PID 1520 wrote to memory of 1920	1520	powershell.exe	nslookup.exe
PID 2176 wrote to memory of 1052	2176	RUNDLL32.EXE	schtasks.exe
PID 2176 wrote to memory of 1052	2176	RUNDLL32.EXE	schtasks.exe
PID 2176 wrote to memory of 1052	2176	RUNDLL32.EXE	schtasks.exe
PID 2176 wrote to memory of 2208	2176	RUNDLL32.EXE	schtasks.exe
PID 2176 wrote to memory of 2208	2176	RUNDLL32.EXE	schtasks.exe
PID 2176 wrote to memory of 2208	2176	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe
"C:\Users\Admin\AppData\Local\Temp\de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,s C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,Ty0iVDVHN0Q=
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,UzAiNjlYTFJB
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:3052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2504.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp95B1.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:1920

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1052

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 552
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
fc58c5b7fb9ee266c52d4d680a852335

SHA1
0df53e7eea1c6981098823e6b1e7b3cbef61583d

SHA256
b84a88520ced37c1e9c6d4ee57d66b046b54054f5be0fd1c1717496cdd746feb

SHA512
3e51407c2b6bd3baeb72540b104e8d6b85ffff29133d83cbe74ba50f564452125eebcbff7f8bc91e1703a94c91a61eafa768cc9fabf7305f867173fc9cfb41fe

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
52a81575d7d9130236b93ea4153e0a62

SHA1
8ec2bbd4545560643528633b611b44f67fe5ff23

SHA256
880f6bed88a0902463f069f09ab727fff4768f77c091f3b05ea4e80cd1911b45

SHA512
5960062778cbed914f96a61a245f5d2a85e5370cd809f73577dfe90ebf3bd344982a2ec4bca9de719ac032bd6460ed34079d1e36fb6eae5eaec7b8a07a3aaede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5b4062ce44ae1b44f9e7ac0695d4db45

SHA1
6c9869b324c06d1de09f5332bcb9b99b239b5fd0

SHA256
28ee0f26e5c4ade85430b8ce3c4588379e5d27253c2d4e000b06f028411b5ade

SHA512
40be157181d9aef78319f1f219bb83afb52a196ee208b8e7625790e9372a72494a0b84ecb383b0d80005bc933538d74f32640cfb835ce83d3d7952dc36e95a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4fab775607f25d664bcfc2ae069161e7

SHA1
06c69e2913b339cd2e2ef1d877e9ca6f79ef3888

SHA256
de2188efeb3f0949875673590a7c755ca9d9b5f8e1500ed2819107558ca3ddbe

SHA512
381b8c9fc06f1ab75e2c245d6004646039e1d105ecbc76bff2f1b57d749f984bb26d5080931352828391525d4d55bd13d3585eb88160d9d982d5214432b74aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
MD5
b7f8224d7283aaf4e302241bc6e2845c

SHA1
54d4853b9391e96ec8ac54dd7de6613945425c85

SHA256
902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398

SHA512
83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2504.tmp.ps1
MD5
7e1bd3e206d5d632e05a397fd2453e79

SHA1
818322b17c71f8f4f9c76d93b3ac596789cafeb3

SHA256
881374cca02a885229dbcae62589bc4b3a260cc8b3544540e53e07938638b44b

SHA512
75ecbeb87243e64175ff655e9b005d756befc0c0e1b5a71d640b8ed389166099876765adc29fa08319fd97eeda252e9bd1a26742e1379619947fd251160b8266

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2505.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95B1.tmp.ps1
MD5
a5be14daef1183c3ff03645f143e5afb

SHA1
a15f5995d01d5a626512fc5fe6aa7ffac555dd33

SHA256
f14ef9376d0462b09b611c205f8898af5a0dfaded30b97b0bfa70b3d6acc1106

SHA512
d07efdeba3c1152246767b1c34003e9ab0c382dce80712813d0a161a3ad94053ea123c9f80be9635b3023edc6bd0182645199511742b6771b1dcb19527aef905

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp95B2.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
MD5
b7f8224d7283aaf4e302241bc6e2845c

SHA1
54d4853b9391e96ec8ac54dd7de6613945425c85

SHA256
902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398

SHA512
83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781

Download Submit
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
MD5
b7f8224d7283aaf4e302241bc6e2845c

SHA1
54d4853b9391e96ec8ac54dd7de6613945425c85

SHA256
902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398

SHA512
83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781

Download Submit
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
MD5
b7f8224d7283aaf4e302241bc6e2845c

SHA1
54d4853b9391e96ec8ac54dd7de6613945425c85

SHA256
902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398

SHA512
83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781

Download Submit
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
MD5
b7f8224d7283aaf4e302241bc6e2845c

SHA1
54d4853b9391e96ec8ac54dd7de6613945425c85

SHA256
902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398

SHA512
83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781

Download Submit
memory/1052-453-0x0000000000000000-mapping.dmp

Download
memory/1232-121-0x0000000004B21000-0x0000000005B05000-memory.dmp

Filesize
15.9MB

Download
memory/1232-118-0x0000000000000000-mapping.dmp

Download
memory/1232-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1244-204-0x0000000008B20000-0x0000000008B21000-memory.dmp

Filesize
4KB

Download
memory/1244-164-0x0000000000000000-mapping.dmp

Download
memory/1244-174-0x0000000005112000-0x0000000005113000-memory.dmp

Filesize
4KB

Download
memory/1244-173-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1244-170-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1244-169-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1244-262-0x0000000005113000-0x0000000005114000-memory.dmp

Filesize
4KB

Download
memory/1340-197-0x0000000008B10000-0x0000000008B11000-memory.dmp

Filesize
4KB

Download
memory/1340-129-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1340-145-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/1340-128-0x0000000000000000-mapping.dmp

Download
memory/1340-131-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1340-206-0x0000000007293000-0x0000000007294000-memory.dmp

Filesize
4KB

Download
memory/1340-205-0x0000000009BF0000-0x0000000009BF1000-memory.dmp

Filesize
4KB

Download
memory/1340-202-0x0000000009A20000-0x0000000009A21000-memory.dmp

Filesize
4KB

Download
memory/1340-152-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/1340-154-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/1340-136-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/1340-193-0x000000007E620000-0x000000007E621000-memory.dmp

Filesize
4KB

Download
memory/1340-158-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/1340-188-0x00000000098F0000-0x0000000009923000-memory.dmp

Filesize
204KB

Download
memory/1340-177-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/1340-137-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/1340-138-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1340-162-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/1340-163-0x0000000008A60000-0x0000000008A61000-memory.dmp

Filesize
4KB

Download
memory/1340-139-0x0000000007292000-0x0000000007293000-memory.dmp

Filesize
4KB

Download
memory/1340-166-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/1520-399-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1520-452-0x0000000006DF3000-0x0000000006DF4000-memory.dmp

Filesize
4KB

Download
memory/1520-400-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

Filesize
4KB

Download
memory/1520-382-0x0000000000000000-mapping.dmp

Download
memory/1920-449-0x0000000000000000-mapping.dmp

Download
memory/2176-127-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2176-123-0x0000000000000000-mapping.dmp

Download
memory/2176-126-0x00000000052B1000-0x0000000006295000-memory.dmp

Filesize
15.9MB

Download
memory/2192-160-0x00000000001D0000-0x0000000000370000-memory.dmp

Filesize
1.6MB

Download
memory/2192-157-0x000001993A450000-0x000001993A452000-memory.dmp

Filesize
8KB

Download
memory/2192-153-0x00007FF7026F5FD0-mapping.dmp

Download
memory/2192-156-0x000001993A450000-0x000001993A452000-memory.dmp

Filesize
8KB

Download
memory/2192-161-0x000001993A590000-0x000001993A742000-memory.dmp

Filesize
1.7MB

Download
memory/2208-454-0x0000000000000000-mapping.dmp

Download
memory/2276-150-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2276-141-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2276-144-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2276-148-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2276-142-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2276-130-0x0000000000000000-mapping.dmp

Download
memory/2276-134-0x0000000000A30000-0x0000000000B92000-memory.dmp

Filesize
1.4MB

Download
memory/2276-151-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2276-147-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2276-149-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/2276-140-0x0000000004721000-0x0000000005705000-memory.dmp

Filesize
15.9MB

Download
memory/2276-143-0x0000000005710000-0x0000000005850000-memory.dmp

Filesize
1.2MB

Download
memory/2636-165-0x0000000000000000-mapping.dmp

Download
memory/2784-115-0x0000000003254000-0x0000000003343000-memory.dmp

Filesize
956KB

Download
memory/2784-117-0x0000000000400000-0x0000000002E8B000-memory.dmp

Filesize
42.5MB

Download
memory/2784-116-0x0000000003350000-0x0000000003456000-memory.dmp

Filesize
1.0MB

Download
memory/3052-159-0x0000000000000000-mapping.dmp

Download