danabot | 3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b

Analysis

max time kernel
120s
max time network
123s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe
Size

1.2MB
MD5

7e7498ec8f8b73476c4551d97ae0706e
SHA1

8a8b68ea0cc20c92c97ddad97a281d389e96e88d
SHA256

3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b
SHA512

18677eafec3f01ca8776737375d57b57b3aa1e14e46b76d35c46212ed06a1cfba8b70712d2e82a90bafbb6fc44def8f0110d0c05b75096d7818e1c88f6852fcf

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL	DanabotLoader2021
behavioral1/memory/1384-126-0x00000000040C0000-0x0000000004224000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4020 created 2800 4020 WerFault.exe 3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

35 316 rundll32.exe
36 1384 RUNDLL32.EXE
Loads dropped DLL 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

316 rundll32.exe
1384 RUNDLL32.EXE
1384 RUNDLL32.EXE
3936 RUNDLL32.EXE
2012 RUNDLL32.EXE
2012 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 4020 created 2800	4020	WerFault.exe	3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe

flow	pid	process
35	316	rundll32.exe
36	1384	RUNDLL32.EXE

pid	process
316	rundll32.exe
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
3936	RUNDLL32.EXE
2012	RUNDLL32.EXE
2012	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3936 set thread context of 1268 3936 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4020 2800 WerFault.exe 3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe

description	pid	process	target process
PID 3936 set thread context of 1268	3936	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
4020	2800	WerFault.exe	3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF11E9E5BF5CE3B0475D49857285D11AD5B5C9BB	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF11E9E5BF5CE3B0475D49857285D11AD5B5C9BB\Blob = 030000000100000014000000df11e9e5bf5ce3b0475d49857285d11ad5b5c9bb20000000010000009602000030820292308201fba00302010202082511d48704d84cd6300d06092a864886f70d01010b050030643136303406035504030c2d53796d616e74656320456e7465727072697365204d6f6f696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b3009060355040613025553301e170d3139313032333135333931335a170d3233313032323135333931335a30643136303406035504030c2d53796d616e74656320456e7465727072697365204d6f6f696c6520526f6f7420666f72204d6963726f736f6674311d301b060355040a0c1453796d616e74656320436f72706f726174696f6e310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a98e62b2d87cfb3a7998ce0df629562301114e9aaa0e3fc65ccf05fd8e4773062a033c092d328268cff3178f56c3d91df3eeeb0972636dafee0e1ad062c80d86f0e5356db141335a6f18b27aee5e4eeab8fb29e37ac417155431fcaf6b142cc1cb322211fc2c5217e4dca37ee2aebdedbecadc089bf036500b87f1307fe3fec30203010001a34d304b300f0603551d130101ff040530030101ff30380603551d110431302f822d53796d616e74656320456e7465727072697365204d6f6f696c6520526f6f7420666f72204d6963726f736f6674300d06092a864886f70d01010b0500038181007c4f4ac1c1f87d9ef48765647404a336d9df47b5711bcf745bfdf124ff818cfd69daf3deb4b770af4bc04e71e01a79642f5b5cb647051ace21b91e4d8df5540805c669e7126fc9a05c967b1e8ce9658756ac2dd116a4155030f17dee25ab3c096967155be2fb48d2aa5ad00474bcbcb7c31cf72c33487cf7c2f57cf05f8cf038	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

WerFault.exeRUNDLL32.EXERUNDLL32.EXEpowershell.exepowershell.exepowershell.exe

pid	process
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
4020	WerFault.exe
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
3936	RUNDLL32.EXE
3936	RUNDLL32.EXE
2660	powershell.exe
2660	powershell.exe
1040	powershell.exe
1040	powershell.exe
2660	powershell.exe
1040	powershell.exe
1384	RUNDLL32.EXE
1384	RUNDLL32.EXE
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

WerFault.exepowershell.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	4020	WerFault.exe
Token: SeBackupPrivilege	4020	WerFault.exe
Token: SeDebugPrivilege	4020	WerFault.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1384	RUNDLL32.EXE
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1268 rundll32.exe
1384 RUNDLL32.EXE

pid	process
1268	rundll32.exe
1384	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exe

description	pid	process	target process
PID 2800 wrote to memory of 316	2800	3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe	rundll32.exe
PID 2800 wrote to memory of 316	2800	3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe	rundll32.exe
PID 2800 wrote to memory of 316	2800	3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe	rundll32.exe
PID 316 wrote to memory of 1384	316	rundll32.exe	RUNDLL32.EXE
PID 316 wrote to memory of 1384	316	rundll32.exe	RUNDLL32.EXE
PID 316 wrote to memory of 1384	316	rundll32.exe	RUNDLL32.EXE
PID 1384 wrote to memory of 2660	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 2660	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 2660	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 3936	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 1384 wrote to memory of 3936	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 1384 wrote to memory of 3936	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 3936 wrote to memory of 1268	3936	RUNDLL32.EXE	rundll32.exe
PID 3936 wrote to memory of 1268	3936	RUNDLL32.EXE	rundll32.exe
PID 1384 wrote to memory of 2012	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 1384 wrote to memory of 2012	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 1384 wrote to memory of 2012	1384	RUNDLL32.EXE	RUNDLL32.EXE
PID 3936 wrote to memory of 1268	3936	RUNDLL32.EXE	rundll32.exe
PID 1268 wrote to memory of 428	1268	rundll32.exe	ctfmon.exe
PID 1268 wrote to memory of 428	1268	rundll32.exe	ctfmon.exe
PID 1384 wrote to memory of 1040	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 1040	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 1040	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 1952	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 1952	1384	RUNDLL32.EXE	powershell.exe
PID 1384 wrote to memory of 1952	1384	RUNDLL32.EXE	powershell.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe
"C:\Users\Admin\AppData\Local\Temp\3a28782b09f18ace527e0ce8a8b8ae1a63a1b008bdfd38d8fc6d153b9c9f0c8b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL,s C:\Users\Admin\AppData\Local\Temp\3A2878~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL,eB9ZQQ==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL,dDg7Mm9SMXcx
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:428

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:2012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF6EF.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp58E7.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:612

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 552
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
ac9aa30f97cba656ecc798d1aead4410

SHA1
b220e54a401c1c1135ce0a8106c249a7b7a87c44

SHA256
de3d0be676bca261b2ce5691b55b444355dd3ba0dd7614f1dd4f2921656b24d8

SHA512
118a41f3c386a29c2833d717d7d3eeab8c1cf85b34c303dd31f5e461aa14edb0198d75329902864402621b7431dcada6d2ee999e7bb071042f13d45604614d59

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
cdcc319fe49740a7618f236a707a25ad

SHA1
20c3b95fc5dc7a0a19dbbe53854e9cca13b37c9b

SHA256
28c0b1878a1d9b6a0f9ce41bbfd776f70b5460c39446aa519549a954b991c3ab

SHA512
58957c2c7355505fa3f08a3c3a6f4e81ddb747dfcd87f7f4ddfbea90da7cdb93fec16123ec381f12ddb4ee2fb9a619f6c39af5c5288868421852ca2eaf096729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11df68e64dd42450c34abe83234fb80f

SHA1
20437a89a53e2da7990d6d06b6cec994814e9b95

SHA256
635e8f0227575001be3c113dd7035580b014ddca975aca0cd49312918f1fcd89

SHA512
7f5c234efc80a13ed4428f30a3b48d17b731a160f19d169afd3a5dba1b701423aa7a649515b91b82e020b74ea41b9daffb39588f02e02d6293a4ea1ea533b2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bf011a8bea98e3cf538a1d3fc6dae7af

SHA1
5e1b54f2b2225ccd30bcd9cf31231bf71e510cdf

SHA256
fe54aab5efee3260cc735af032e9ad57a7b663e9bc747046b53c00fbffafb8da

SHA512
ca51c0ade6a6146f0f9c6d8f37efa21ee3e1ba280269c243d3d12383a55df36ffae156a3924872a376a1f67d112f423d0ded6ceffe5526cf4d506ace59566dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
MD5
f5a82cbd73ad3a1394cdd7e6b55f77d0

SHA1
548ba34cd37884f2d2cc8f86a37d6ddd1b485e98

SHA256
18cc19c504c2bc120d8e1dd3a3cc58b9d3319f4e5fb5296c7f911fc64c72766c

SHA512
5d804b5fd2c4d507c5f572c81ac3efdf45f8af8af02976fce7811fb39681c838ec379f8d9773217b3256696ee3d6d47fa412c6c916d8b4e14c64a97fbe3a8dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58E7.tmp.ps1
MD5
e706e3f080e84755d846d02b63f2969f

SHA1
afac9518142845e4590bba5a98171bd94ce4ba88

SHA256
2c80630d1ec75771acbbf953b2c404ebff36d8a98772a32e937c20c79dcae655

SHA512
5bbeae1ec1f5b6d206ba8338e6e1adc43807d9ef37c43f799ef434a71dcc1774dd8468375d0ece009dbedc0b216283c64846581041937e29bd0becbb2cca5963

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58F7.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6EF.tmp.ps1
MD5
4a77f22e362dac202aca9628209bf5f5

SHA1
c36b9eaa3a91959b25b6fb1bd3676ad876462d0c

SHA256
4305c600c11c7ba669135857b55f0f51edc7dfaacce6de06298985bb680c27ac

SHA512
da65d9034d31ba2473586692e1acabd2086efcf600edc9ef14bdb126f401e32ce232928706fde9420fe3ad3f8cc0bca42654b219adf3cbfe69e733aa90b7c86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6F0.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
MD5
f5a82cbd73ad3a1394cdd7e6b55f77d0

SHA1
548ba34cd37884f2d2cc8f86a37d6ddd1b485e98

SHA256
18cc19c504c2bc120d8e1dd3a3cc58b9d3319f4e5fb5296c7f911fc64c72766c

SHA512
5d804b5fd2c4d507c5f572c81ac3efdf45f8af8af02976fce7811fb39681c838ec379f8d9773217b3256696ee3d6d47fa412c6c916d8b4e14c64a97fbe3a8dc8

Download Submit
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
MD5
f5a82cbd73ad3a1394cdd7e6b55f77d0

SHA1
548ba34cd37884f2d2cc8f86a37d6ddd1b485e98

SHA256
18cc19c504c2bc120d8e1dd3a3cc58b9d3319f4e5fb5296c7f911fc64c72766c

SHA512
5d804b5fd2c4d507c5f572c81ac3efdf45f8af8af02976fce7811fb39681c838ec379f8d9773217b3256696ee3d6d47fa412c6c916d8b4e14c64a97fbe3a8dc8

Download Submit
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
MD5
f5a82cbd73ad3a1394cdd7e6b55f77d0

SHA1
548ba34cd37884f2d2cc8f86a37d6ddd1b485e98

SHA256
18cc19c504c2bc120d8e1dd3a3cc58b9d3319f4e5fb5296c7f911fc64c72766c

SHA512
5d804b5fd2c4d507c5f572c81ac3efdf45f8af8af02976fce7811fb39681c838ec379f8d9773217b3256696ee3d6d47fa412c6c916d8b4e14c64a97fbe3a8dc8

Download Submit
\Users\Admin\AppData\Local\Temp\3A2878~1.DLL
MD5
f5a82cbd73ad3a1394cdd7e6b55f77d0

SHA1
548ba34cd37884f2d2cc8f86a37d6ddd1b485e98

SHA256
18cc19c504c2bc120d8e1dd3a3cc58b9d3319f4e5fb5296c7f911fc64c72766c

SHA512
5d804b5fd2c4d507c5f572c81ac3efdf45f8af8af02976fce7811fb39681c838ec379f8d9773217b3256696ee3d6d47fa412c6c916d8b4e14c64a97fbe3a8dc8

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/316-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/316-121-0x0000000004F91000-0x0000000005F75000-memory.dmp

Filesize
15.9MB

Download
memory/316-118-0x0000000000000000-mapping.dmp

Download
memory/428-162-0x0000000000000000-mapping.dmp

Download
memory/612-455-0x0000000000000000-mapping.dmp

Download
memory/1040-201-0x0000000009E40000-0x0000000009E41000-memory.dmp

Filesize
4KB

Download
memory/1040-187-0x0000000008420000-0x0000000008421000-memory.dmp

Filesize
4KB

Download
memory/1040-173-0x0000000006FB2000-0x0000000006FB3000-memory.dmp

Filesize
4KB

Download
memory/1040-172-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/1040-168-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1040-169-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1040-167-0x0000000000000000-mapping.dmp

Download
memory/1040-188-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1040-204-0x00000000093D0000-0x00000000093D1000-memory.dmp

Filesize
4KB

Download
memory/1040-219-0x0000000006FB3000-0x0000000006FB4000-memory.dmp

Filesize
4KB

Download
memory/1268-158-0x00000211B4590000-0x00000211B4592000-memory.dmp

Filesize
8KB

Download
memory/1268-160-0x00000000004E0000-0x0000000000680000-memory.dmp

Filesize
1.6MB

Download
memory/1268-161-0x00000211B4790000-0x00000211B4942000-memory.dmp

Filesize
1.7MB

Download
memory/1268-159-0x00000211B4590000-0x00000211B4592000-memory.dmp

Filesize
8KB

Download
memory/1268-156-0x00007FF603F55FD0-mapping.dmp

Download
memory/1384-126-0x00000000040C0000-0x0000000004224000-memory.dmp

Filesize
1.4MB

Download
memory/1384-123-0x0000000000000000-mapping.dmp

Download
memory/1384-128-0x00000000046B1000-0x0000000005695000-memory.dmp

Filesize
15.9MB

Download
memory/1384-129-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/1952-320-0x0000000000000000-mapping.dmp

Download
memory/1952-454-0x0000000007133000-0x0000000007134000-memory.dmp

Filesize
4KB

Download
memory/1952-351-0x0000000007132000-0x0000000007133000-memory.dmp

Filesize
4KB

Download
memory/1952-349-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/1960-441-0x0000000000000000-mapping.dmp

Download
memory/2012-152-0x0000000002390000-0x00000000023BF000-memory.dmp

Filesize
188KB

Download
memory/2012-146-0x0000000000000000-mapping.dmp

Download
memory/2660-184-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2660-164-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/2660-143-0x0000000001222000-0x0000000001223000-memory.dmp

Filesize
4KB

Download
memory/2660-140-0x0000000007330000-0x0000000007331000-memory.dmp

Filesize
4KB

Download
memory/2660-141-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2660-163-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/2660-178-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2660-179-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/2660-180-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/2660-217-0x0000000001223000-0x0000000001224000-memory.dmp

Filesize
4KB

Download
memory/2660-165-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2660-138-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2660-130-0x0000000000000000-mapping.dmp

Download
memory/2660-195-0x0000000008F80000-0x0000000008FB3000-memory.dmp

Filesize
204KB

Download
memory/2660-166-0x0000000007BA0000-0x0000000007BA1000-memory.dmp

Filesize
4KB

Download
memory/2660-135-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2660-206-0x000000007EE80000-0x000000007EE81000-memory.dmp

Filesize
4KB

Download
memory/2660-134-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/2800-115-0x0000000000BC1000-0x0000000000CB1000-memory.dmp

Filesize
960KB

Download
memory/2800-117-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download
memory/2800-116-0x0000000000CC0000-0x0000000000DC7000-memory.dmp

Filesize
1.0MB

Download
memory/3848-456-0x0000000000000000-mapping.dmp

Download
memory/3936-144-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-153-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/3936-142-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-131-0x0000000000000000-mapping.dmp

Download
memory/3936-155-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-147-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-149-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-154-0x0000000006350000-0x0000000006490000-memory.dmp

Filesize
1.2MB

Download
memory/3936-139-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/3936-137-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3936-136-0x00000000052A1000-0x0000000006285000-memory.dmp

Filesize
15.9MB

Download