danabot | db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb

Analysis

max time kernel
140s
max time network
140s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe
Size

1.1MB
MD5

24ca51b618666a5a044fcd3692f12c29
SHA1

8071b7e9e41602ce1e9b8b2d674a2f85c3fd007d
SHA256

db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb
SHA512

67044870ef92e5eeaa40e1a1ec9ff9e4f23b123383bf7a26692c29a2c079b843b6091fff4f4672c585dbb4175675aea1b42dc3df5f36fa1bea064949fea06523

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
behavioral1/memory/4072-122-0x0000000004050000-0x00000000041B4000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL	DanabotLoader2021
behavioral1/memory/3456-140-0x00000000040C0000-0x0000000004224000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 2688 created 4072 2688 WerFault.exe rundll32.exe
PID 2412 created 3456 2412 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

34 4072 rundll32.exe
40 1080 RUNDLL32.EXE
43 1080 RUNDLL32.EXE
44 1080 RUNDLL32.EXE
45 1080 RUNDLL32.EXE
46 1080 RUNDLL32.EXE
Loads dropped DLL 7 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

4072 rundll32.exe
4072 rundll32.exe
1080 RUNDLL32.EXE
3456 RUNDLL32.EXE
3456 RUNDLL32.EXE
2096 RUNDLL32.EXE
2096 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2688 created 4072	2688	WerFault.exe	rundll32.exe
PID 2412 created 3456	2412	WerFault.exe	RUNDLL32.EXE

flow	pid	process
34	4072	rundll32.exe
40	1080	RUNDLL32.EXE
43	1080	RUNDLL32.EXE
44	1080	RUNDLL32.EXE
45	1080	RUNDLL32.EXE
46	1080	RUNDLL32.EXE

pid	process
4072	rundll32.exe
4072	rundll32.exe
1080	RUNDLL32.EXE
3456	RUNDLL32.EXE
3456	RUNDLL32.EXE
2096	RUNDLL32.EXE
2096	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3456 set thread context of 1860 3456 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2688 4072 WerFault.exe rundll32.exe
2412 3456 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 3456 set thread context of 1860	3456	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
2688	4072	WerFault.exe	rundll32.exe
2412	3456	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 41 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC43CCAAF4221F1115EE31D89BCF5EED80FAAA21	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC43CCAAF4221F1115EE31D89BCF5EED80FAAA21\Blob = 030000000100000014000000ac43ccaaf4221f1115ee31d89bcf5eed80faaa2120000000010000009b0200003082029730820200a003020102020847dad0f16d05ccfe300d06092a864886f70d01010b0500306c312b302906035504030c2244696769436572742048696768204173737572616e636520455620526f6f6320434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139313032323231333330385a170d3233313032313231333330385a306c312b302906035504030c2244696769436572742048696768204173737572616e636520455620526f6f6320434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100b8afdd1a70fa56a6a3eeeb6932a050a2c5b8c7236810981d338cd021bdb9fb2ac53b540b26032a821b747e9f3ab0d73da312086073d44ef04787b4e5bc56fda5f4d6c5e2823a015bf3fe432d4b87b37a892200e9059a56cec5e4e261a59fb7ec5e3392adbc684af018db8a1027e01941ed9aaa6f1dbbdc14b99b2ff55916dcbd0203010001a3423040300f0603551d130101ff040530030101ff302d0603551d1104263024822244696769436572742048696768204173737572616e636520455620526f6f63204341300d06092a864886f70d01010b0500038181003068ddc6645f426895497ac3fcf14f3a46fc532bc4a199dce7b35959d12b0122be0cc0c7bff983b2ca1c195f469c7580165be0e1701eec9132dac9618cfc2db4ea48a4d47bae1e3482d8d5d3fe6c3bcf8567b9c51361b939871511530d22cd5a64d4ffe1165480d2314f3c5ef56e99d032e69ff668bfec533d4bc3143f0380ef	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
2688	WerFault.exe
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1628	powershell.exe
1628	powershell.exe
3456	RUNDLL32.EXE
3456	RUNDLL32.EXE
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
1628	powershell.exe
2880	powershell.exe
2880	powershell.exe
2880	powershell.exe
1080	RUNDLL32.EXE
1080	RUNDLL32.EXE
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	2688	WerFault.exe
Token: SeBackupPrivilege	2688	WerFault.exe
Token: SeDebugPrivilege	2688	WerFault.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2412	WerFault.exe
Token: SeDebugPrivilege	1080	RUNDLL32.EXE
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1860 rundll32.exe
1080 RUNDLL32.EXE

pid	process
1860	rundll32.exe
1080	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2812 wrote to memory of 4072	2812	db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe	rundll32.exe
PID 2812 wrote to memory of 4072	2812	db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe	rundll32.exe
PID 2812 wrote to memory of 4072	2812	db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe	rundll32.exe
PID 4072 wrote to memory of 1080	4072	rundll32.exe	RUNDLL32.EXE
PID 4072 wrote to memory of 1080	4072	rundll32.exe	RUNDLL32.EXE
PID 4072 wrote to memory of 1080	4072	rundll32.exe	RUNDLL32.EXE
PID 1080 wrote to memory of 1628	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 1628	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 1628	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 3456	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 1080 wrote to memory of 3456	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 1080 wrote to memory of 3456	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 3456 wrote to memory of 1860	3456	RUNDLL32.EXE	rundll32.exe
PID 3456 wrote to memory of 1860	3456	RUNDLL32.EXE	rundll32.exe
PID 3456 wrote to memory of 1860	3456	RUNDLL32.EXE	rundll32.exe
PID 1080 wrote to memory of 2096	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 1080 wrote to memory of 2096	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 1080 wrote to memory of 2096	1080	RUNDLL32.EXE	RUNDLL32.EXE
PID 1860 wrote to memory of 2748	1860	rundll32.exe	ctfmon.exe
PID 1860 wrote to memory of 2748	1860	rundll32.exe	ctfmon.exe
PID 1080 wrote to memory of 2880	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 2880	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 2880	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 1540	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 1540	1080	RUNDLL32.EXE	powershell.exe
PID 1080 wrote to memory of 1540	1080	RUNDLL32.EXE	powershell.exe
PID 1540 wrote to memory of 3496	1540	powershell.exe	nslookup.exe
PID 1540 wrote to memory of 3496	1540	powershell.exe	nslookup.exe
PID 1540 wrote to memory of 3496	1540	powershell.exe	nslookup.exe
PID 1080 wrote to memory of 3780	1080	RUNDLL32.EXE	schtasks.exe
PID 1080 wrote to memory of 3780	1080	RUNDLL32.EXE	schtasks.exe
PID 1080 wrote to memory of 3780	1080	RUNDLL32.EXE	schtasks.exe
PID 1080 wrote to memory of 1036	1080	RUNDLL32.EXE	schtasks.exe
PID 1080 wrote to memory of 1036	1080	RUNDLL32.EXE	schtasks.exe
PID 1080 wrote to memory of 1036	1080	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe
"C:\Users\Admin\AppData\Local\Temp\db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,s C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,UABQ
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,GA8INFk=
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 784
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDA3F.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFBC3.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3496

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3780

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 836
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
ac9aa30f97cba656ecc798d1aead4410

SHA1
b220e54a401c1c1135ce0a8106c249a7b7a87c44

SHA256
de3d0be676bca261b2ce5691b55b444355dd3ba0dd7614f1dd4f2921656b24d8

SHA512
118a41f3c386a29c2833d717d7d3eeab8c1cf85b34c303dd31f5e461aa14edb0198d75329902864402621b7431dcada6d2ee999e7bb071042f13d45604614d59

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
21a323f376814ae05dc070b11578c114

SHA1
cdd9dfb27375d47e6205114fa4d28a3020dc345c

SHA256
1ceff0fd970c6d7e8fa30030c25fcc9b61c4a4d05708c11a8fc82354b2ef696a

SHA512
f03711ad77b502f63186c36a511bf80b521a6e17fcc55fa5325a7e27e535a88edf1cf7a164e0e77736b62edca8fe7720789a20d803df321e5d223b57d97c2b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b9fcf19b406834827aac40a877ee298d

SHA1
907d2cb284a9e9d201326e45653ddc9f1927ef2e

SHA256
c1b8593af5000ac01f90ef0a4294f60773d69e26f77e44b83d49eb070b02a484

SHA512
5e78e5e0b0f7626883a1cfea416c3722d1d1da9cea6cd1ffafc814cfcd52f72d62a5f432877779651922cbaf787aa633cca3596d42177c9c3dcf80bd36086601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
02f17c4cb7dd6bcd061918fc8364ef6f

SHA1
d399e287b9146ab4a686eb7ae24e0384da3c02a3

SHA256
046b2ab37b20376d9b1dbc4318fb21af84a302d8047a1e63cb4ffec40496099f

SHA512
d0479b0ff38a7015649cab8aee9c48237edb787cd192a36a9b200592a146c96b511f95c36ac1bb66c2e86b9d2ab5aeb12edd7525cf83417649d5cb24012e557c

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA3F.tmp.ps1
MD5
1b07ee697565077f5f0ae0a62034d668

SHA1
4c085a5dea6b95740580a4155aae7c11ba53352e

SHA256
3b1f7fa696f65611c18a02f1b862d8e1a4513f0c7b5c07e6f3e98b199ce21805

SHA512
fd3fee68d81d45db0c4908ea2d439439a37fd6039c5c2cb2d1a4af3b8e1f9451025e1379ee83ee27deb3f3e3aa4c1510123704ad6b3dc2d8ae42779a7433775a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA40.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBC3.tmp.ps1
MD5
d6dbf898124619568c061cd17fd95103

SHA1
c6e2af5e8f6e16d84f3d6e10e3f183c170172908

SHA256
949736696795f076affd31297c2dfc0e02108d97c73a6cc40e4261ea2ad9902e

SHA512
e917a89eb14117fbbe3660b6acf1f1656fb281be066ced8bbcfa6c9f9d00d0a7bb3d0640bb738eed7ba406ec2f24d69c1c3a10a37c5d58f4aa2f09a4dbd3eee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFBC4.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
MD5
3d1db587348c06ae651b41e360ba5f8d

SHA1
e0b8602218d26c391733665a695f99c06e84e986

SHA256
36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e

SHA512
0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

Download Submit
memory/1036-463-0x0000000000000000-mapping.dmp

Download
memory/1080-129-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1080-128-0x0000000004BF1000-0x0000000005BD5000-memory.dmp

Filesize
15.9MB

Download
memory/1080-125-0x0000000000000000-mapping.dmp

Download
memory/1540-410-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/1540-412-0x0000000006A92000-0x0000000006A93000-memory.dmp

Filesize
4KB

Download
memory/1540-395-0x0000000000000000-mapping.dmp

Download
memory/1540-453-0x0000000006A93000-0x0000000006A94000-memory.dmp

Filesize
4KB

Download
memory/1628-200-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/1628-136-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/1628-143-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/1628-130-0x0000000000000000-mapping.dmp

Download
memory/1628-145-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1628-146-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1628-132-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1628-149-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/1628-151-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/1628-131-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1628-133-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/1628-134-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1628-234-0x0000000004913000-0x0000000004914000-memory.dmp

Filesize
4KB

Download
memory/1628-209-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/1628-207-0x0000000009220000-0x0000000009221000-memory.dmp

Filesize
4KB

Download
memory/1628-135-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1628-203-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/1628-192-0x00000000090F0000-0x0000000009123000-memory.dmp

Filesize
204KB

Download
memory/1628-172-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1628-142-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/1628-161-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/1860-170-0x0000000000400000-0x00000000005A0000-memory.dmp

Filesize
1.6MB

Download
memory/1860-160-0x00007FF67D125FD0-mapping.dmp

Download
memory/1860-167-0x000001B267580000-0x000001B267582000-memory.dmp

Filesize
8KB

Download
memory/1860-168-0x000001B267580000-0x000001B267582000-memory.dmp

Filesize
8KB

Download
memory/1860-171-0x000001B267850000-0x000001B267A02000-memory.dmp

Filesize
1.7MB

Download
memory/2096-158-0x0000000000000000-mapping.dmp

Download
memory/2748-169-0x0000000000000000-mapping.dmp

Download
memory/2812-116-0x0000000004EC0000-0x0000000004FC7000-memory.dmp

Filesize
1.0MB

Download
memory/2812-118-0x0000000000400000-0x0000000002FE8000-memory.dmp

Filesize
43.9MB

Download
memory/2812-115-0x0000000004DD0000-0x0000000004EC0000-memory.dmp

Filesize
960KB

Download
memory/2880-174-0x0000000000000000-mapping.dmp

Download
memory/2880-175-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2880-176-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2880-179-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/2880-180-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

Filesize
4KB

Download
memory/2880-208-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/2880-299-0x0000000006DF3000-0x0000000006DF4000-memory.dmp

Filesize
4KB

Download
memory/3456-156-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3456-144-0x00000000047E1000-0x00000000057C5000-memory.dmp

Filesize
15.9MB

Download
memory/3456-155-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3456-154-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3456-148-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/3456-157-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3456-152-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3456-150-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3456-147-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/3456-137-0x0000000000000000-mapping.dmp

Download
memory/3456-140-0x00000000040C0000-0x0000000004224000-memory.dmp

Filesize
1.4MB

Download
memory/3456-159-0x0000000005890000-0x00000000059D0000-memory.dmp

Filesize
1.2MB

Download
memory/3496-452-0x0000000000000000-mapping.dmp

Download
memory/3780-456-0x0000000000000000-mapping.dmp

Download
memory/4072-122-0x0000000004050000-0x00000000041B4000-memory.dmp

Filesize
1.4MB

Download
memory/4072-123-0x0000000004871000-0x0000000005855000-memory.dmp

Filesize
15.9MB

Download
memory/4072-117-0x0000000000000000-mapping.dmp

Download
memory/4072-124-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download