Analysis
max time kernel: 140s
max time network: 140s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 21:31
Static task: static1

General
Target: db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe
Size: 1.1MB
MD5: 24ca51b618666a5a044fcd3692f12c29
SHA1: 8071b7e9e41602ce1e9b8b2d674a2f85c3fd007d
SHA256: db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb
SHA512: 67044870ef92e5eeaa40e1a1ec9ff9e4f23b123383bf7a26692c29a2c079b843b6091fff4f4672c585dbb4175675aea1b42dc3df5f36fa1bea064949fea06523
Malware Config

Extracted (1)
family: danabot
type: loader
C2:
  192.119.110.73:443
  192.236.147.159:443
  192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465

Extracted (2)
family: danabot
type: main
unlabelled fields: 2052, 4
C2:
  192.119.110.73:443
  192.236.147.159:443
  192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465

Both stages carry the same three C2 endpoints on TCP/443 and the same embedded_hash, so the loader and main components belong to one configuration.
Signatures

Danabot Loader Component (8 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL | DanabotLoader2021 (5 hits)
behavioral1/memory/4072-122-0x0000000004050000-0x00000000041B4000-memory.dmp | DanabotLoader2021
behavioral1/memory/3456-140-0x00000000040C0000-0x0000000004224000-memory.dmp | DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
description | pid | process | target process
PID 2688 created 4072 | 2688 | WerFault.exe | rundll32.exe
PID 2412 created 3456 | 2412 | WerFault.exe | RUNDLL32.EXE

Blocklisted process makes network request (6 IoCs)
flow | pid | process
34 | 4072 | rundll32.exe
40 | 1080 | RUNDLL32.EXE
43 | 1080 | RUNDLL32.EXE
44 | 1080 | RUNDLL32.EXE
45 | 1080 | RUNDLL32.EXE
46 | 1080 | RUNDLL32.EXE

Loads dropped DLL (7 IoCs)
pid | process
4072 | rundll32.exe (2 hits)
1080 | RUNDLL32.EXE
3456 | RUNDLL32.EXE (2 hits)
2096 | RUNDLL32.EXE (2 hits)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE

Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | process | target process
PID 3456 set thread context of 1860 | 3456 | RUNDLL32.EXE | rundll32.exe
Drops file in Program Files directory (1 IoCs)
description | ioc | process
File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe
(C:\PROGRA~3 is an 8.3 short name; on a default Windows install it usually resolves to C:\ProgramData rather than to a Program Files directory, so read the signature name as approximate and hunt on the ProgramData path.)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; the extracted configuration identifies the sample as Danabot, and nothing else in this report shows ransomware behaviour.)
Program crash (2 IoCs)
pid | pid_target | process | target process
2688 | 4072 | WerFault.exe | rundll32.exe
2412 | 3456 | WerFault.exe | RUNDLL32.EXE
Checks processor information in registry (2 TTPs, 41 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: RUNDLL32.EXE (two instances)
All keys below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ and every access was made by RUNDLL32.EXE.
description | ioc
Key value queried | CentralProcessor\1\VendorIdentifier
Key value queried | CentralProcessor\0\FeatureSet
Key enumerated | CentralProcessor
Key value queried | CentralProcessor\1\Component Information
Key value queried | CentralProcessor\1\Update Revision
Key enumerated | CentralProcessor
Key opened | CentralProcessor
Key value enumerated | CentralProcessor\1
Key value queried | CentralProcessor\0\Identifier
Key value queried | CentralProcessor\0\VendorIdentifier
Key value queried | CentralProcessor\1\Update Revision
Key opened | CentralProcessor\0
Key opened | CentralProcessor
Key value enumerated | CentralProcessor\0
Key value queried | CentralProcessor\0\VendorIdentifier
Key value queried | CentralProcessor\0\~MHz
Key value queried | CentralProcessor\1\Previous Update Revision
Key value queried | CentralProcessor\0\Identifier
Key value queried | CentralProcessor\1\Update Status
Key value queried | CentralProcessor\0\ProcessorNameString
Key opened | CentralProcessor\0
Key value queried | CentralProcessor\1\Update Status
Key value queried | CentralProcessor\0\Platform Specific Field 1
Key value queried | CentralProcessor\0\ProcessorNameString
Key value queried | CentralProcessor\1\Configuration Data
Key value queried | CentralProcessor\0\Update Status
Key opened | CentralProcessor\1
Key value enumerated | CentralProcessor\1
Key value queried | CentralProcessor\0\Update Status
Key value queried | CentralProcessor\1\FeatureSet
Key value queried | CentralProcessor\0\Component Information
Key value queried | CentralProcessor\0\Update Revision
Key value queried | CentralProcessor\0\Configuration Data
Key value enumerated | CentralProcessor\0
Key value queried | CentralProcessor\1\~MHz
Key value queried | CentralProcessor\0\Previous Update Revision
Key value queried | CentralProcessor\0\Platform Specific Field 1
Key value queried | CentralProcessor\1\Configuration Data
Key value queried | CentralProcessor\1\Previous Update Revision
Key value queried | CentralProcessor\0\FeatureSet
Key opened | CentralProcessor\1

Modifies system certificate store (2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC43CCAAF4221F1115EE31D89BCF5EED80FAAA21 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AC43CCAAF4221F1115EE31D89BCF5EED80FAAA21\Blob = 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 | RUNDLL32.EXE
(A certificate written under SystemCertificates\ROOT is a machine-wide trusted root. The subkey name is the certificate's SHA-1 thumbprint, so AC43CCAAF4221F1115EE31D89BCF5EED80FAAA21 can be checked for directly in the Local Machine root store of suspected hosts.)
Suspicious behavior: EnumeratesProcesses (45 IoCs)
pid | process | hits (in order of occurrence)
2688 | WerFault.exe | 12
1080 | RUNDLL32.EXE | 6
1628 | powershell.exe | 2
3456 | RUNDLL32.EXE | 2
2412 | WerFault.exe | 14
1628 | powershell.exe | 1
2880 | powershell.exe | 3
1080 | RUNDLL32.EXE | 2
1540 | powershell.exe | 3

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | process
Token: SeRestorePrivilege | 2688 | WerFault.exe
Token: SeBackupPrivilege | 2688 | WerFault.exe
Token: SeDebugPrivilege | 2688 | WerFault.exe
Token: SeDebugPrivilege | 1628 | powershell.exe
Token: SeDebugPrivilege | 2412 | WerFault.exe
Token: SeDebugPrivilege | 1080 | RUNDLL32.EXE
Token: SeDebugPrivilege | 2880 | powershell.exe
Token: SeDebugPrivilege | 1540 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
1860 | rundll32.exe
1080 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory (35 IoCs)
description | pid | process | target process | hits
PID 2812 wrote to memory of 4072 | 2812 | db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe | rundll32.exe | 3
PID 4072 wrote to memory of 1080 | 4072 | rundll32.exe | RUNDLL32.EXE | 3
PID 1080 wrote to memory of 1628 | 1080 | RUNDLL32.EXE | powershell.exe | 3
PID 1080 wrote to memory of 3456 | 1080 | RUNDLL32.EXE | RUNDLL32.EXE | 3
PID 3456 wrote to memory of 1860 | 3456 | RUNDLL32.EXE | rundll32.exe | 3
PID 1080 wrote to memory of 2096 | 1080 | RUNDLL32.EXE | RUNDLL32.EXE | 3
PID 1860 wrote to memory of 2748 | 1860 | rundll32.exe | ctfmon.exe | 2
PID 1080 wrote to memory of 2880 | 1080 | RUNDLL32.EXE | powershell.exe | 3
PID 1080 wrote to memory of 1540 | 1080 | RUNDLL32.EXE | powershell.exe | 3
PID 1540 wrote to memory of 3496 | 1540 | powershell.exe | nslookup.exe | 3
PID 1080 wrote to memory of 3780 | 1080 | RUNDLL32.EXE | schtasks.exe | 3
PID 1080 wrote to memory of 1036 | 1080 | RUNDLL32.EXE | schtasks.exe | 3

outlook_office_path (1 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

outlook_win_path (1 IoCs)
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes
(Each entry gives the image, the recorded command line, and the signatures hit by that process. PIDs are derived from the WriteProcessMemory and Program crash tables above.)

depth 1  C:\Users\Admin\AppData\Local\Temp\db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe (pid 2812)
  cmd: "C:\Users\Admin\AppData\Local\Temp\db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe"
  - Suspicious use of WriteProcessMemory

  depth 2  C:\Windows\SysWOW64\rundll32.exe (pid 4072)
    cmd: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,s C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    depth 3  C:\Windows\SysWOW64\RUNDLL32.EXE (pid 1080)
      cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,UABQ
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path

      depth 4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 1628)
        cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        (Adds a Microsoft Defender path exclusion for the dropped loader DLL before the later stages are started from it.)

      depth 4  C:\Windows\SysWOW64\RUNDLL32.EXE (pid 3456)
        cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL,GA8INFk=
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        depth 5  C:\Windows\system32\rundll32.exe (pid 1860)
          cmd: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          (A 64-bit rundll32 started by the 32-bit pid 3456, which sets its thread context and writes its memory. The dumps for pid 1860 below include a 1.6MB region at 0x400000, which is not where a 64-bit rundll32 image is mapped, so this is consistent with code injected into the host process.)

          depth 6  C:\Windows\system32\ctfmon.exe (pid 2748)
            cmd: ctfmon.exe

        depth 5  C:\Windows\SysWOW64\WerFault.exe (pid 2412)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 784
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      depth 4  C:\Windows\SysWOW64\RUNDLL32.EXE (pid 2096)
        cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
        - Loads dropped DLL

      depth 4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 2880)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpDA3F.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      depth 4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 1540)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFBC3.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        depth 5  C:\Windows\SysWOW64\nslookup.exe (pid 3496)
          cmd: "C:\Windows\system32\nslookup.exe" -type=any localhost

      depth 4  C:\Windows\SysWOW64\schtasks.exe (pid 3780)
        cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

      depth 4  C:\Windows\SysWOW64\schtasks.exe (pid 1036)
        cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    depth 3  C:\Windows\SysWOW64\WerFault.exe (pid 2688)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 836
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
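The process tree is the most reusable part of this report for detection engineering, because the individual commands (rundll32 with a DLL argument, PowerShell, schtasks, WerFault) are all common on their own and only become suspicious as a chain. The Python below is an added example, not sandbox output and not code from Danabot or any tooling the report describes. It rebuilds the tree from constructed process-creation events (PIDs, images and command lines copied from the tree above; parent links follow its nesting; a ppid of 0 stands in for the sample's unknown launcher) and flags what the report records: rundll32 loading a DLL from the user's Temp directory, a child PowerShell adding a Defender exclusion for that DLL, PowerShell running a Temp script with -ExecutionPolicy bypass, schtasks ending and re-running the Wininet CacheTask, and WerFault reporting a crash of one of the loader processes. Every rule after the first only fires for processes that descend from such a rundll32, so the findings are tied to the loader rather than alerting on each command in isolation. The event fields, rule identifiers and class names are my own.

```python
"""Detection logic over constructed process-creation events modelled on the
Danabot process tree in this report (added example, not sandbox output)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # parent pid; 0 = unknown (the launcher of the sample itself)
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "db3cffa16f2e8436dc53c4418072f1b0c80f94966b9c01e204808dc1857aa8bb.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
RD32 = r"C:\Windows\SysWOW64\RUNDLL32.EXE"

# Constructed events: PIDs, images and command lines are copied from the
# process tree above; ppid follows the tree nesting.
EVENTS = [
    ProcEvent(2812, 0, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(4072, 2812, r"C:\Windows\SysWOW64\rundll32.exe",
              rf"C:\Windows\system32\rundll32.exe {TEMP}\DB3CFF~1.DLL,s {TEMP}\DB3CFF~1.EXE"),
    ProcEvent(1080, 4072, RD32, rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\DB3CFF~1.DLL,UABQ"),
    ProcEvent(1628, 1080, PS,
              rf'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath {TEMP}\DB3CFF~1.DLL'),
    ProcEvent(3456, 1080, RD32, rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\DB3CFF~1.DLL,GA8INFk="),
    ProcEvent(1860, 3456, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638"),
    ProcEvent(2748, 1860, r"C:\Windows\system32\ctfmon.exe", "ctfmon.exe"),
    ProcEvent(2412, 3456, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 784"),
    ProcEvent(2096, 1080, RD32, rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\58cfb4a6.dll,Start"),
    ProcEvent(2880, 1080, PS,
              rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "{TEMP}\tmpDA3F.tmp.ps1"'),
    ProcEvent(1540, 1080, PS,
              rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "{TEMP}\tmpFBC3.tmp.ps1"'),
    ProcEvent(3496, 1540, r"C:\Windows\SysWOW64\nslookup.exe", r'"C:\Windows\system32\nslookup.exe" -type=any localhost'),
    ProcEvent(3780, 1080, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(1036, 1080, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(2688, 4072, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 836"),
]

# rundll32 loading a DLL out of the user's Temp directory, with its export name
TEMP_DLL = re.compile(r"\\AppData\\Local\\Temp\\([^\s,]+\.dll),(\S+)", re.IGNORECASE)
DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-ExclusionPath\s+(\S+)", re.IGNORECASE)
PS_BYPASS_FILE = re.compile(r'-ExecutionPolicy\s+bypass\s+-File\s+"([^"]+)"', re.IGNORECASE)
SCHTASKS = re.compile(r"schtasks\s+/(End|Run)\s+/tn\s+(\S+)", re.IGNORECASE)
WERFAULT_PID = re.compile(r"WerFault\.exe\b.*\s-p\s+(\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    def __init__(self, events):
        self.by_pid = {e.pid: e for e in events}
        # rundll32 instances whose DLL argument lives in the user's Temp dir
        self.loaders = {e.pid for e in events
                        if basename(e.image) == "rundll32.exe" and TEMP_DLL.search(e.cmdline)}

    def ancestors(self, pid):
        """Yield the event for pid, then its parent, and so on up to the root."""
        seen = set()
        while pid in self.by_pid and pid not in seen:
            seen.add(pid)
            yield self.by_pid[pid]
            pid = self.by_pid[pid].ppid

    def is_tainted(self, pid):
        """True if pid is, or descends from, a Temp-DLL rundll32."""
        return any(e.pid in self.loaders for e in self.ancestors(pid))


def detect(events):
    """Return (rule, pid, detail) findings for the chain observed in the report."""
    tree = ProcessTree(events)
    findings = []
    for e in events:
        if e.pid in tree.loaders:
            m = TEMP_DLL.search(e.cmdline)
            findings.append(("rundll32_temp_dll", e.pid, f"{m.group(1)} export {m.group(2)}"))
        if not tree.is_tainted(e.pid):
            continue  # the remaining rules only fire under a Temp-DLL rundll32
        name = basename(e.image)
        if name == "powershell.exe":
            if m := DEFENDER_EXCL.search(e.cmdline):
                findings.append(("defender_exclusion", e.pid, m.group(1)))
            if m := PS_BYPASS_FILE.search(e.cmdline):
                findings.append(("ps_bypass_script", e.pid, m.group(1)))
        elif name == "schtasks.exe" and (m := SCHTASKS.search(e.cmdline)):
            findings.append(("schtasks_" + m.group(1).lower(), e.pid, m.group(2)))
        elif name == "werfault.exe" and (m := WERFAULT_PID.search(e.cmdline)):
            crashed = int(m.group(1))
            if crashed in tree.loaders:
                findings.append(("loader_crash", e.pid, f"crashed pid {crashed}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:20} pid {pid:<5} {detail}")
```

Running the block on the constructed events yields eleven findings: the four Temp-DLL rundll32 instances (pids 4072, 1080, 3456 and 2096, with the export names s, UABQ, GA8INFk= and Start), the Defender exclusion from pid 1628, the two bypass scripts, both schtasks calls and both WerFault crashes, while the nslookup and ctfmon children are tainted but produce no finding of their own. On a real host the same rules apply unchanged to Sysmon event 1 or Windows 4688 records once they are mapped onto ProcEvent; the parent-chain check is what keeps the PowerShell and schtasks rules from firing on ordinary administration.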
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\PROGRA~3\zohplghndapsm.tmp (entry 1 of 2 for this path; two different contents were recorded)
  MD5: ac9aa30f97cba656ecc798d1aead4410
  SHA1: b220e54a401c1c1135ce0a8106c249a7b7a87c44
  SHA256: de3d0be676bca261b2ce5691b55b444355dd3ba0dd7614f1dd4f2921656b24d8
  SHA512: 118a41f3c386a29c2833d717d7d3eeab8c1cf85b34c303dd31f5e461aa14edb0198d75329902864402621b7431dcada6d2ee999e7bb071042f13d45604614d59

C:\PROGRA~3\zohplghndapsm.tmp (entry 2 of 2 for this path)
  MD5: 21a323f376814ae05dc070b11578c114
  SHA1: cdd9dfb27375d47e6205114fa4d28a3020dc345c
  SHA256: 1ceff0fd970c6d7e8fa30030c25fcc9b61c4a4d05708c11a8fc82354b2ef696a
  SHA512: f03711ad77b502f63186c36a511bf80b521a6e17fcc55fa5325a7e27e535a88edf1cf7a164e0e77736b62edca8fe7720789a20d803df321e5d223b57d97c2b29

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: f7a808b5711f58fb4f85476c1bb24ac3
  SHA1: fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
  SHA256: de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
  SHA512: 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (entry 1 of 2 for this path)
  MD5: b9fcf19b406834827aac40a877ee298d
  SHA1: 907d2cb284a9e9d201326e45653ddc9f1927ef2e
  SHA256: c1b8593af5000ac01f90ef0a4294f60773d69e26f77e44b83d49eb070b02a484
  SHA512: 5e78e5e0b0f7626883a1cfea416c3722d1d1da9cea6cd1ffafc814cfcd52f72d62a5f432877779651922cbaf787aa633cca3596d42177c9c3dcf80bd36086601

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (entry 2 of 2 for this path)
  MD5: 02f17c4cb7dd6bcd061918fc8364ef6f
  SHA1: d399e287b9146ab4a686eb7ae24e0384da3c02a3
  SHA256: 046b2ab37b20376d9b1dbc4318fb21af84a302d8047a1e63cb4ffec40496099f
  SHA512: d0479b0ff38a7015649cab8aee9c48237edb787cd192a36a9b200592a146c96b511f95c36ac1bb66c2e86b9d2ab5aeb12edd7525cf83417649d5cb24012e557c

C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll (also recorded twice as \Users\Admin\AppData\Local\Temp\58cfb4a6.dll with identical hashes)
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

C:\Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL (also recorded five times as \Users\Admin\AppData\Local\Temp\DB3CFF~1.DLL with identical hashes)
  MD5: 3d1db587348c06ae651b41e360ba5f8d
  SHA1: e0b8602218d26c391733665a695f99c06e84e986
  SHA256: 36465c39bf10ed8a1aa733c65c5c355b33dc1885e107b339be35cd1a8781399e
  SHA512: 0f66d4b20d19d39ac8b382728188f997609b8d6eaa68ace59d4aa9e601b053fb83672f80cc3bca66b72b2f62b9aa6fa92c737ab7e0d783270765c7ab5a67d8b6

C:\Users\Admin\AppData\Local\Temp\tmpDA3F.tmp.ps1
  MD5: 1b07ee697565077f5f0ae0a62034d668
  SHA1: 4c085a5dea6b95740580a4155aae7c11ba53352e
  SHA256: 3b1f7fa696f65611c18a02f1b862d8e1a4513f0c7b5c07e6f3e98b199ce21805
  SHA512: fd3fee68d81d45db0c4908ea2d439439a37fd6039c5c2cb2d1a4af3b8e1f9451025e1379ee83ee27deb3f3e3aa4c1510123704ad6b3dc2d8ae42779a7433775a

C:\Users\Admin\AppData\Local\Temp\tmpDA40.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

C:\Users\Admin\AppData\Local\Temp\tmpFBC3.tmp.ps1
  MD5: d6dbf898124619568c061cd17fd95103
  SHA1: c6e2af5e8f6e16d84f3d6e10e3f183c170172908
  SHA256: 949736696795f076affd31297c2dfc0e02108d97c73a6cc40e4261ea2ad9902e
  SHA512: e917a89eb14117fbbe3660b6acf1f1656fb281be066ced8bbcfa6c9f9d00d0a7bb3d0640bb738eed7ba406ec2f24d69c1c3a10a37c5d58f4aa2f09a4dbd3eee4

C:\Users\Admin\AppData\Local\Temp\tmpFBC4.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Note that the dropped DB3CFF~1.DLL (MD5 3d1db587348c06ae651b41e360ba5f8d) is a different file from the submitted .exe (MD5 24ca51b618666a5a044fcd3692f12c29); both hashes are needed to cover the sample on disk.
Memory dumps
name | size
memory/1036-463-0x0000000000000000-mapping.dmp
memory/1080-129-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/1080-128-0x0000000004BF1000-0x0000000005BD5000-memory.dmp | 15.9MB
memory/1080-125-0x0000000000000000-mapping.dmp
memory/1540-410-0x0000000006A90000-0x0000000006A91000-memory.dmp | 4KB
memory/1540-412-0x0000000006A92000-0x0000000006A93000-memory.dmp | 4KB
memory/1540-395-0x0000000000000000-mapping.dmp
memory/1540-453-0x0000000006A93000-0x0000000006A94000-memory.dmp | 4KB
memory/1628-200-0x00000000090A0000-0x00000000090A1000-memory.dmp | 4KB
memory/1628-136-0x0000000004912000-0x0000000004913000-memory.dmp | 4KB
memory/1628-143-0x0000000007990000-0x0000000007991000-memory.dmp | 4KB
memory/1628-130-0x0000000000000000-mapping.dmp
memory/1628-145-0x0000000007A00000-0x0000000007A01000-memory.dmp | 4KB
memory/1628-146-0x0000000007BC0000-0x0000000007BC1000-memory.dmp | 4KB
memory/1628-132-0x0000000002E40000-0x0000000002E41000-memory.dmp | 4KB
memory/1628-149-0x0000000008010000-0x0000000008011000-memory.dmp | 4KB
memory/1628-151-0x0000000008490000-0x0000000008491000-memory.dmp | 4KB
memory/1628-131-0x0000000002E40000-0x0000000002E41000-memory.dmp | 4KB
memory/1628-133-0x0000000004830000-0x0000000004831000-memory.dmp | 4KB
memory/1628-134-0x0000000007360000-0x0000000007361000-memory.dmp | 4KB
memory/1628-234-0x0000000004913000-0x0000000004914000-memory.dmp | 4KB
memory/1628-209-0x00000000095F0000-0x00000000095F1000-memory.dmp | 4KB
memory/1628-207-0x0000000009220000-0x0000000009221000-memory.dmp | 4KB
memory/1628-135-0x0000000004910000-0x0000000004911000-memory.dmp | 4KB
memory/1628-203-0x000000007F3B0000-0x000000007F3B1000-memory.dmp | 4KB
memory/1628-192-0x00000000090F0000-0x0000000009123000-memory.dmp | 204KB
memory/1628-172-0x0000000002E40000-0x0000000002E41000-memory.dmp | 4KB
memory/1628-142-0x0000000007170000-0x0000000007171000-memory.dmp | 4KB
memory/1628-161-0x0000000008360000-0x0000000008361000-memory.dmp | 4KB
memory/1860-170-0x0000000000400000-0x00000000005A0000-memory.dmp | 1.6MB
memory/1860-160-0x00007FF67D125FD0-mapping.dmp
memory/1860-167-0x000001B267580000-0x000001B267582000-memory.dmp | 8KB
memory/1860-168-0x000001B267580000-0x000001B267582000-memory.dmp | 8KB
memory/1860-171-0x000001B267850000-0x000001B267A02000-memory.dmp | 1.7MB
memory/2096-158-0x0000000000000000-mapping.dmp
memory/2748-169-0x0000000000000000-mapping.dmp
memory/2812-116-0x0000000004EC0000-0x0000000004FC7000-memory.dmp | 1.0MB
memory/2812-118-0x0000000000400000-0x0000000002FE8000-memory.dmp | 43.9MB
memory/2812-115-0x0000000004DD0000-0x0000000004EC0000-memory.dmp | 960KB
memory/2880-174-0x0000000000000000-mapping.dmp
memory/2880-175-0x0000000002D70000-0x0000000002D71000-memory.dmp | 4KB
memory/2880-176-0x0000000002D70000-0x0000000002D71000-memory.dmp | 4KB
memory/2880-179-0x0000000006DF0000-0x0000000006DF1000-memory.dmp | 4KB
memory/2880-180-0x0000000006DF2000-0x0000000006DF3000-memory.dmp | 4KB
memory/2880-208-0x00000000084F0000-0x00000000084F1000-memory.dmp | 4KB
memory/2880-299-0x0000000006DF3000-0x0000000006DF4000-memory.dmp | 4KB
memory/3456-156-0x00000000027B0000-0x00000000027B1000-memory.dmp | 4KB
memory/3456-144-0x00000000047E1000-0x00000000057C5000-memory.dmp | 15.9MB
memory/3456-155-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3456-154-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3456-148-0x0000000002660000-0x0000000002661000-memory.dmp | 4KB
memory/3456-157-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3456-152-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3456-150-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3456-147-0x00000000059E0000-0x00000000059E1000-memory.dmp | 4KB
memory/3456-137-0x0000000000000000-mapping.dmp
memory/3456-140-0x00000000040C0000-0x0000000004224000-memory.dmp | 1.4MB
memory/3456-159-0x0000000005890000-0x00000000059D0000-memory.dmp | 1.2MB
memory/3496-452-0x0000000000000000-mapping.dmp
memory/3780-456-0x0000000000000000-mapping.dmp
memory/4072-122-0x0000000004050000-0x00000000041B4000-memory.dmp | 1.4MB
memory/4072-123-0x0000000004871000-0x0000000005855000-memory.dmp | 15.9MB
memory/4072-117-0x0000000000000000-mapping.dmp
memory/4072-124-0x00000000041C0000-0x00000000041C1000-memory.dmp | 4KB

The two 1.4MB dumps (4072-122 and 3456-140) are the regions the DanabotLoader2021 YARA rule matched in memory; the 15.9MB regions in pids 4072, 1080 and 3456 (all hosting DB3CFF~1.DLL) are the unpacked working set of the loader and are the best starting point for static analysis of the decrypted code.