Analysis
- max time kernel: 141s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 19:00
- Static task: static1
General
- Target: de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe
- Size: 1.2MB
- MD5: 903dc4c649108c3893e7599e10966449
- SHA1: b9b93febf9a10ead9d919cd5b04911e8aeaf2594
- SHA256: de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580
- SHA512: 02e3891b6741b2ff3f3b1bc918de40c24a554ed9334dd9e8608f6edfbef1a73afc4d0896ed2a5a945d2724343aefdb3988fe39d64414395cf090466330ad358a
Malware Config
Extracted
- danabot
- 192.119.110.73:443
- 192.236.147.159:443
- 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader

Extracted
- danabot
- 2052
- 4
- 192.119.110.73:443
- 192.236.147.159:443
- 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: main
Signatures

Danabot Loader Component 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL | DanabotLoader2021
behavioral1/memory/2276-134-0x0000000000A30000-0x0000000000B92000-memory.dmp | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL | DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 1332 created 2784 | 1332 | WerFault.exe | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe

Blocklisted process makes network request 2 IoCs
Processes:
flow | pid | process
26 | 1232 | rundll32.exe
27 | 2176 | RUNDLL32.EXE

Loads dropped DLL 5 IoCs
Processes:
pid | process
1232 | rundll32.exe
2176 | RUNDLL32.EXE
2276 | RUNDLL32.EXE
2276 | RUNDLL32.EXE
2636 | RUNDLL32.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2276 set thread context of 2192 | 2276 | RUNDLL32.EXE | rundll32.exe

Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1332 | 2784 | WerFault.exe | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe

Checks processor information in registry 2 TTPs 48 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE

Modifies system certificate store 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9F1308730DACD5416147AB694B264D76012F24F | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F9F1308730DACD5416147AB694B264D76012F24F\Blob = 030000000100000014000000f9f1308730dacd5416147ab694b264d76012f24f20000000010000004b02000030820247308201b0a003020102020850652fb64cd2303c300d06092a864886f70d01010b0500304f3115301306035504030c0c4953524720526f667420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3139313032313139303133395a170d3233313032303139303133395a304f3115301306035504030c0c4953524720526f667420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100dab8822475e947e6ec3c9f5986240c5e9a7e2c36432385f015fed96e472198eca9ee945675d63115984d5e48ff3a2fbeaacef692f340ef3e9c8085028e7e177af3bbd405df8554623d8e850bde228d5382b9f87bbb4d874fc7f0538367b69799447e1aecf0a01f4da5ed01db266c6457f099238257827e29a9c6d4a216f089450203010001a32c302a300f0603551d130101ff040530030101ff30170603551d110410300e820c4953524720526f6674205831300d06092a864886f70d01010b050003818100a584886402dc7bc72c500aa5f6f1c24b42b96c14b0279a7f3278ed43c7a65b529b9b48e6a9360385b0e3e8a7cb1ae39d4fc52f825ecf833dc5324b35eaaaf88f828e8ce37b0975e0356e776cf322545902c305bace8562682d086aa828d0ee469c5e8d5f78ca1bd695a361f0709983eb42f1c5105085cb89fa626a036f91c4a2 | RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid | process
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
1332 | WerFault.exe
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
1340 | powershell.exe
2276 | RUNDLL32.EXE
2276 | RUNDLL32.EXE
1340 | powershell.exe
1340 | powershell.exe
1244 | powershell.exe
1244 | powershell.exe
1244 | powershell.exe
2176 | RUNDLL32.EXE
2176 | RUNDLL32.EXE
1520 | powershell.exe
1520 | powershell.exe
1520 | powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 1332 | WerFault.exe
Token: SeBackupPrivilege | 1332 | WerFault.exe
Token: SeDebugPrivilege | 1332 | WerFault.exe
Token: SeDebugPrivilege | 1340 | powershell.exe
Token: SeDebugPrivilege | 2176 | RUNDLL32.EXE
Token: SeDebugPrivilege | 1244 | powershell.exe
Token: SeDebugPrivilege | 1520 | powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2192 | rundll32.exe
2176 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description | pid | process | target process
PID 2784 wrote to memory of 1232 | 2784 | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe | rundll32.exe
PID 2784 wrote to memory of 1232 | 2784 | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe | rundll32.exe
PID 2784 wrote to memory of 1232 | 2784 | de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe | rundll32.exe
PID 1232 wrote to memory of 2176 | 1232 | rundll32.exe | RUNDLL32.EXE
PID 1232 wrote to memory of 2176 | 1232 | rundll32.exe | RUNDLL32.EXE
PID 1232 wrote to memory of 2176 | 1232 | rundll32.exe | RUNDLL32.EXE
PID 2176 wrote to memory of 1340 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1340 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1340 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 2276 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2176 wrote to memory of 2276 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2176 wrote to memory of 2276 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2276 wrote to memory of 2192 | 2276 | RUNDLL32.EXE | rundll32.exe
PID 2276 wrote to memory of 2192 | 2276 | RUNDLL32.EXE | rundll32.exe
PID 2276 wrote to memory of 2192 | 2276 | RUNDLL32.EXE | rundll32.exe
PID 2192 wrote to memory of 3052 | 2192 | rundll32.exe | ctfmon.exe
PID 2192 wrote to memory of 3052 | 2192 | rundll32.exe | ctfmon.exe
PID 2176 wrote to memory of 1244 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1244 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1244 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 2636 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2176 wrote to memory of 2636 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2176 wrote to memory of 2636 | 2176 | RUNDLL32.EXE | RUNDLL32.EXE
PID 2176 wrote to memory of 1520 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1520 | 2176 | RUNDLL32.EXE | powershell.exe
PID 2176 wrote to memory of 1520 | 2176 | RUNDLL32.EXE | powershell.exe
PID 1520 wrote to memory of 1920 | 1520 | powershell.exe | nslookup.exe
PID 1520 wrote to memory of 1920 | 1520 | powershell.exe | nslookup.exe
PID 1520 wrote to memory of 1920 | 1520 | powershell.exe | nslookup.exe
PID 2176 wrote to memory of 1052 | 2176 | RUNDLL32.EXE | schtasks.exe
PID 2176 wrote to memory of 1052 | 2176 | RUNDLL32.EXE | schtasks.exe
PID 2176 wrote to memory of 1052 | 2176 | RUNDLL32.EXE | schtasks.exe
PID 2176 wrote to memory of 2208 | 2176 | RUNDLL32.EXE | schtasks.exe
PID 2176 wrote to memory of 2208 | 2176 | RUNDLL32.EXE | schtasks.exe
PID 2176 wrote to memory of 2208 | 2176 | RUNDLL32.EXE | schtasks.exe

outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\de1a4d7099917b0d32f3193d4ad9171c38c49e0c6295fb0e5761fdfe5ca74580.exe"
  signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,s C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.EXE
    signatures: Blocklisted process makes network request; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\RUNDLL32.EXE
      command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,Ty0iVDVHN0Q=
      signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Checks processor information in registry; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\RUNDLL32.EXE
        command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL,UzAiNjlYTFJB
        signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\rundll32.exe
          command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
          signatures: Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\ctfmon.exe
            command line: ctfmon.exe
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2504.tmp.ps1"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\RUNDLL32.EXE
        command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
        signatures: Loads dropped DLL
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp95B1.tmp.ps1"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\nslookup.exe
          command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      - [4] C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - [2] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 552
    signatures: Suspicious use of NtCreateProcessExOtherParentProcess; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PROGRA~3\zohplghndapsm.tmp
  MD5: fc58c5b7fb9ee266c52d4d680a852335
  SHA1: 0df53e7eea1c6981098823e6b1e7b3cbef61583d
  SHA256: b84a88520ced37c1e9c6d4ee57d66b046b54054f5be0fd1c1717496cdd746feb
  SHA512: 3e51407c2b6bd3baeb72540b104e8d6b85ffff29133d83cbe74ba50f564452125eebcbff7f8bc91e1703a94c91a61eafa768cc9fabf7305f867173fc9cfb41fe
- C:\PROGRA~3\zohplghndapsm.tmp
  MD5: 52a81575d7d9130236b93ea4153e0a62
  SHA1: 8ec2bbd4545560643528633b611b44f67fe5ff23
  SHA256: 880f6bed88a0902463f069f09ab727fff4768f77c091f3b05ea4e80cd1911b45
  SHA512: 5960062778cbed914f96a61a245f5d2a85e5370cd809f73577dfe90ebf3bd344982a2ec4bca9de719ac032bd6460ed34079d1e36fb6eae5eaec7b8a07a3aaede
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: f7a808b5711f58fb4f85476c1bb24ac3
  SHA1: fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
  SHA256: de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
  SHA512: 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 5b4062ce44ae1b44f9e7ac0695d4db45
  SHA1: 6c9869b324c06d1de09f5332bcb9b99b239b5fd0
  SHA256: 28ee0f26e5c4ade85430b8ce3c4588379e5d27253c2d4e000b06f028411b5ade
  SHA512: 40be157181d9aef78319f1f219bb83afb52a196ee208b8e7625790e9372a72494a0b84ecb383b0d80005bc933538d74f32640cfb835ce83d3d7952dc36e95a23
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 4fab775607f25d664bcfc2ae069161e7
  SHA1: 06c69e2913b339cd2e2ef1d877e9ca6f79ef3888
  SHA256: de2188efeb3f0949875673590a7c755ca9d9b5f8e1500ed2819107558ca3ddbe
  SHA512: 381b8c9fc06f1ab75e2c245d6004646039e1d105ecbc76bff2f1b57d749f984bb26d5080931352828391525d4d55bd13d3585eb88160d9d982d5214432b74aa2
- C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
- C:\Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
  MD5: b7f8224d7283aaf4e302241bc6e2845c
  SHA1: 54d4853b9391e96ec8ac54dd7de6613945425c85
  SHA256: 902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398
  SHA512: 83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781
- C:\Users\Admin\AppData\Local\Temp\tmp2504.tmp.ps1
  MD5: 7e1bd3e206d5d632e05a397fd2453e79
  SHA1: 818322b17c71f8f4f9c76d93b3ac596789cafeb3
  SHA256: 881374cca02a885229dbcae62589bc4b3a260cc8b3544540e53e07938638b44b
  SHA512: 75ecbeb87243e64175ff655e9b005d756befc0c0e1b5a71d640b8ed389166099876765adc29fa08319fd97eeda252e9bd1a26742e1379619947fd251160b8266
- C:\Users\Admin\AppData\Local\Temp\tmp2505.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- C:\Users\Admin\AppData\Local\Temp\tmp95B1.tmp.ps1
  MD5: a5be14daef1183c3ff03645f143e5afb
  SHA1: a15f5995d01d5a626512fc5fe6aa7ffac555dd33
  SHA256: f14ef9376d0462b09b611c205f8898af5a0dfaded30b97b0bfa70b3d6acc1106
  SHA512: d07efdeba3c1152246767b1c34003e9ab0c382dce80712813d0a161a3ad94053ea123c9f80be9635b3023edc6bd0182645199511742b6771b1dcb19527aef905
- C:\Users\Admin\AppData\Local\Temp\tmp95B2.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
- \Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
- \Users\Admin\AppData\Local\Temp\DE1A4D~1.DLL
  MD5: b7f8224d7283aaf4e302241bc6e2845c
  SHA1: 54d4853b9391e96ec8ac54dd7de6613945425c85
  SHA256: 902b307e9c19a520e9691517488b533563f9d9fca1d94ddbd283b56080b42398
  SHA512: 83e543e924f662627c5ef1a3407ec7503fb574f08bd114707b8d6fb61822aea799b2a16f0524cd78356a3143f2791c70396344b129ed4862dba4aeccbf68e781
- memory/1052-453-0x0000000000000000-mapping.dmp
- memory/1232-121-0x0000000004B21000-0x0000000005B05000-memory.dmp (Filesize: 15.9MB)
- memory/1232-118-0x0000000000000000-mapping.dmp
- memory/1232-122-0x0000000000570000-0x0000000000571000-memory.dmp (Filesize: 4KB)
- memory/1244-204-0x0000000008B20000-0x0000000008B21000-memory.dmp (Filesize: 4KB)
- memory/1244-164-0x0000000000000000-mapping.dmp
- memory/1244-174-0x0000000005112000-0x0000000005113000-memory.dmp (Filesize: 4KB)
- memory/1244-173-0x0000000005110000-0x0000000005111000-memory.dmp (Filesize: 4KB)
- memory/1244-170-0x0000000004EA0000-0x0000000004EA1000-memory.dmp (Filesize: 4KB)
- memory/1244-169-0x0000000004EA0000-0x0000000004EA1000-memory.dmp (Filesize: 4KB)
- memory/1244-262-0x0000000005113000-0x0000000005114000-memory.dmp (Filesize: 4KB)
- memory/1340-197-0x0000000008B10000-0x0000000008B11000-memory.dmp (Filesize: 4KB)
- memory/1340-129-0x00000000033C0000-0x00000000033C1000-memory.dmp (Filesize: 4KB)
- memory/1340-145-0x0000000007870000-0x0000000007871000-memory.dmp (Filesize: 4KB)
- memory/1340-128-0x0000000000000000-mapping.dmp
- memory/1340-131-0x00000000033C0000-0x00000000033C1000-memory.dmp (Filesize: 4KB)
- memory/1340-206-0x0000000007293000-0x0000000007294000-memory.dmp (Filesize: 4KB)
- memory/1340-205-0x0000000009BF0000-0x0000000009BF1000-memory.dmp (Filesize: 4KB)
- memory/1340-202-0x0000000009A20000-0x0000000009A21000-memory.dmp (Filesize: 4KB)
- memory/1340-152-0x0000000007F70000-0x0000000007F71000-memory.dmp (Filesize: 4KB)
- memory/1340-154-0x00000000080E0000-0x00000000080E1000-memory.dmp (Filesize: 4KB)
- memory/1340-136-0x0000000007160000-0x0000000007161000-memory.dmp (Filesize: 4KB)
- memory/1340-193-0x000000007E620000-0x000000007E621000-memory.dmp (Filesize: 4KB)
- memory/1340-158-0x00000000081E0000-0x00000000081E1000-memory.dmp (Filesize: 4KB)
- memory/1340-188-0x00000000098F0000-0x0000000009923000-memory.dmp (Filesize: 204KB)
- memory/1340-177-0x00000000033C0000-0x00000000033C1000-memory.dmp (Filesize: 4KB)
- memory/1340-137-0x00000000078D0000-0x00000000078D1000-memory.dmp (Filesize: 4KB)
- memory/1340-138-0x0000000007290000-0x0000000007291000-memory.dmp (Filesize: 4KB)
- memory/1340-162-0x00000000074C0000-0x00000000074C1000-memory.dmp (Filesize: 4KB)
- memory/1340-163-0x0000000008A60000-0x0000000008A61000-memory.dmp (Filesize: 4KB)
- memory/1340-139-0x0000000007292000-0x0000000007293000-memory.dmp (Filesize: 4KB)
- memory/1340-166-0x0000000008970000-0x0000000008971000-memory.dmp (Filesize: 4KB)
- memory/1520-399-0x0000000006DF0000-0x0000000006DF1000-memory.dmp (Filesize: 4KB)
- memory/1520-452-0x0000000006DF3000-0x0000000006DF4000-memory.dmp (Filesize: 4KB)
- memory/1520-400-0x0000000006DF2000-0x0000000006DF3000-memory.dmp (Filesize: 4KB)
- memory/1520-382-0x0000000000000000-mapping.dmp
- memory/1920-449-0x0000000000000000-mapping.dmp
- memory/2176-127-0x0000000000570000-0x0000000000571000-memory.dmp (Filesize: 4KB)
- memory/2176-123-0x0000000000000000-mapping.dmp
- memory/2176-126-0x00000000052B1000-0x0000000006295000-memory.dmp (Filesize: 15.9MB)
- memory/2192-160-0x00000000001D0000-0x0000000000370000-memory.dmp (Filesize: 1.6MB)
- memory/2192-157-0x000001993A450000-0x000001993A452000-memory.dmp (Filesize: 8KB)
- memory/2192-153-0x00007FF7026F5FD0-mapping.dmp
- memory/2192-156-0x000001993A450000-0x000001993A452000-memory.dmp (Filesize: 8KB)
- memory/2192-161-0x000001993A590000-0x000001993A742000-memory.dmp (Filesize: 1.7MB)
- memory/2208-454-0x0000000000000000-mapping.dmp
- memory/2276-150-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2276-141-0x0000000001270000-0x0000000001271000-memory.dmp (Filesize: 4KB)
- memory/2276-144-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2276-148-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2276-142-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize: 4KB)
- memory/2276-130-0x0000000000000000-mapping.dmp
- memory/2276-134-0x0000000000A30000-0x0000000000B92000-memory.dmp (Filesize: 1.4MB)
- memory/2276-151-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2276-147-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2276-149-0x00000000012A0000-0x00000000012A1000-memory.dmp (Filesize: 4KB)
- memory/2276-140-0x0000000004721000-0x0000000005705000-memory.dmp (Filesize: 15.9MB)
- memory/2276-143-0x0000000005710000-0x0000000005850000-memory.dmp (Filesize: 1.2MB)
- memory/2636-165-0x0000000000000000-mapping.dmp
- memory/2784-115-0x0000000003254000-0x0000000003343000-memory.dmp (Filesize: 956KB)
- memory/2784-117-0x0000000000400000-0x0000000002E8B000-memory.dmp (Filesize: 42.5MB)
- memory/2784-116-0x0000000003350000-0x0000000003456000-memory.dmp (Filesize: 1.0MB)
- memory/3052-159-0x0000000000000000-mapping.dmp