danabot | 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d

Analysis

max time kernel
143s
max time network
123s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe
Size

1.1MB
MD5

0f0e743d80e4d50839f475809ca9dc6b
SHA1

7b8669e3ccef71b05aef4bb4d8c2f36931f4688e
SHA256

2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d
SHA512

dd9103057f6bfce478443c7ffefc7724bb7c74b8145d0a61691c03f12c48a0f64904b73edd4f6a9ccd9cef845d548343ef82c59a60ae332c1937f12544779332

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1548 created 1712 1548 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

32 3952 rundll32.exe
33 3624 RUNDLL32.EXE
36 3624 RUNDLL32.EXE
37 3624 RUNDLL32.EXE
38 3624 RUNDLL32.EXE
39 3624 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

3952 rundll32.exe
3952 rundll32.exe
3624 RUNDLL32.EXE
1712 RUNDLL32.EXE
1264 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1548 created 1712	1548	WerFault.exe	RUNDLL32.EXE

flow	pid	process
32	3952	rundll32.exe
33	3624	RUNDLL32.EXE
36	3624	RUNDLL32.EXE
37	3624	RUNDLL32.EXE
38	3624	RUNDLL32.EXE
39	3624	RUNDLL32.EXE

pid	process
3952	rundll32.exe
3952	rundll32.exe
3624	RUNDLL32.EXE
1712	RUNDLL32.EXE
1264	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1712 set thread context of 3320 1712 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1548 1712 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 1712 set thread context of 3320	1712	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
1548	1712	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 38 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\61748FC4230BC37DBD37AE85697DC0FF75F8F1DE	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\61748FC4230BC37DBD37AE85697DC0FF75F8F1DE\Blob = 03000000010000001400000061748fc4230bc37dbd37ae85697dc0ff75f8f1de20000000010000003f0200003082023b308201a4a00302010202085d6e61773c351175300d06092a864886f70d01010b050030433121301f06035504030c184d6b63726f736f667420526f6f7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e301e170d3139313032323033343631315a170d3233313032313033343631315a30433121301f06035504030c184d6b63726f736f667420526f6f7420417574686f72697479311e301c060355040b0c154d6963726f736f667420436f72706f726174696f6e30819f300d06092a864886f70d010101050003818d0030818902818100a09a48768213fb6548f2337f2da1ea3b97e6c0ff40f8e178d97a01caacfced34b57290721b52a1d90b8ecf06a7b5b59d47bd94957d7580c4c273f9901b968d6036b5ac6f94f8d9cdac6dec57d7b5fb6ee26da35a819cc39904f4d5e67697bb1d8682574058276ca6be0b2f04746761f11af5664f8fa9dfebeef74b0a095f79c90203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a82184d6b63726f736f667420526f6f7420417574686f72697479300d06092a864886f70d01010b05000381810092680ae367135e875bfe6ee12f8a6263a4a7c49822c79b58e16ee72190bd7eb2cd5ecee37621540b60047ec97486aed0e781296d36b6d9bce1b0253508557b47a59251f44eefd04c7df2de3cbc1add8729e5485eca47acd5f8a7d7572727d0701644dfb03266c8de2fd43c01f7e3bc5e3d3430feee7a581186e618c24cb9ce02	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXEpowershell.exeWerFault.exepowershell.exepowershell.exe

pid	process
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
1712	RUNDLL32.EXE
1712	RUNDLL32.EXE
1196	powershell.exe
1196	powershell.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
1548	WerFault.exe
916	powershell.exe
1196	powershell.exe
916	powershell.exe
916	powershell.exe
3624	RUNDLL32.EXE
3624	RUNDLL32.EXE
1164	powershell.exe
1164	powershell.exe
1164	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeRestorePrivilege	1548	WerFault.exe
Token: SeBackupPrivilege	1548	WerFault.exe
Token: SeDebugPrivilege	3624	RUNDLL32.EXE
Token: SeDebugPrivilege	1548	WerFault.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3320 rundll32.exe
3624 RUNDLL32.EXE

pid	process
3320	rundll32.exe
3624	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1556 wrote to memory of 3952	1556	2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe	rundll32.exe
PID 1556 wrote to memory of 3952	1556	2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe	rundll32.exe
PID 1556 wrote to memory of 3952	1556	2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe	rundll32.exe
PID 3952 wrote to memory of 3624	3952	rundll32.exe	RUNDLL32.EXE
PID 3952 wrote to memory of 3624	3952	rundll32.exe	RUNDLL32.EXE
PID 3952 wrote to memory of 3624	3952	rundll32.exe	RUNDLL32.EXE
PID 3624 wrote to memory of 1196	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1196	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1196	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1712	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 3624 wrote to memory of 1712	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 3624 wrote to memory of 1712	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 1712 wrote to memory of 3320	1712	RUNDLL32.EXE	rundll32.exe
PID 1712 wrote to memory of 3320	1712	RUNDLL32.EXE	rundll32.exe
PID 1712 wrote to memory of 3320	1712	RUNDLL32.EXE	rundll32.exe
PID 3624 wrote to memory of 1264	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 3624 wrote to memory of 1264	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 3624 wrote to memory of 1264	3624	RUNDLL32.EXE	RUNDLL32.EXE
PID 3320 wrote to memory of 1696	3320	rundll32.exe	ctfmon.exe
PID 3320 wrote to memory of 1696	3320	rundll32.exe	ctfmon.exe
PID 3624 wrote to memory of 916	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 916	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 916	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1164	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1164	3624	RUNDLL32.EXE	powershell.exe
PID 3624 wrote to memory of 1164	3624	RUNDLL32.EXE	powershell.exe
PID 1164 wrote to memory of 3628	1164	powershell.exe	nslookup.exe
PID 1164 wrote to memory of 3628	1164	powershell.exe	nslookup.exe
PID 1164 wrote to memory of 3628	1164	powershell.exe	nslookup.exe
PID 3624 wrote to memory of 1816	3624	RUNDLL32.EXE	schtasks.exe
PID 3624 wrote to memory of 1816	3624	RUNDLL32.EXE	schtasks.exe
PID 3624 wrote to memory of 1816	3624	RUNDLL32.EXE	schtasks.exe
PID 3624 wrote to memory of 1136	3624	RUNDLL32.EXE	schtasks.exe
PID 3624 wrote to memory of 1136	3624	RUNDLL32.EXE	schtasks.exe
PID 3624 wrote to memory of 1136	3624	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe
"C:\Users\Admin\AppData\Local\Temp\2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\2962B0~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,XRVITw==
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,NSoKSA==
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 804
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:1264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp579F.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3628

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
885cacc747a33506a56a8b556650dd09

SHA1
8738f61aa35029d0a6e9258233a947935ad17cc8

SHA256
530c992e88ea9129f4fbc245579c552802c15586ddefdf190b6ee01bb85468cc

SHA512
cc49dba28b9e2781b2a7ec4923fdab2e12faf338f90454810b998ecc358681ab8fd956b283a31e18cb15fd34a6c2c0eb9122729b2dfcf65d96a6f55547e4d1c0

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
ed5cdaab480a72930cadc1323f84760e

SHA1
41eb86d9d38f9e2d3d2d61f09b5a9053b200d4a5

SHA256
9143322829079c09c94d47947a1b038d126e87afbbcd6a0223a152652a963382

SHA512
84957fafcdab477e77b1a8fd9bf3193c7bdd75256eefb45b842f6d1a92918a349ea4dc0f2e68d86a6fbf1c7564405814604b64105c1562e9d0fe40361e97e357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
a71f142529408a71b4ab8ffd39061c59

SHA1
7fbd459754fe9d50c79f77657fd3ce6ad341de02

SHA256
f0a3fc2f7377da91c4e6b3dfe31dae5eb8be8541f349a16741746a717964b7b5

SHA512
9727db18faf9f033ebffe610232b39310a7e420a6c0f4a9fec317be01842fe243f6ed26dde8a5f296645e4bf7fd54729e7bfcab8fb4b733518d3947d26cb3fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c308c3effbea4ccd7e8982f18c2969a4

SHA1
db222a9d8cb9510fbfebff3b3d440499fb839782

SHA256
995b55e88d1df9d80481e4d3706df47c47a02d49ce11ca504750c2b773452ceb

SHA512
5c7bcf79ac6c20a7b6bb205957d182b5ce88d3c0bc561d81cebe739937541d22673a4bc50705a7401974ea1c92eb58adee0979088e3e84f7bc52e31a39fb611b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6638ce27e8cb2e9d4ed9e757752e2ab6

SHA1
adac95d12491fa374f60b5d741deee475a418f0a

SHA256
381f7aa63a16801fe8af55613b1eb0713052ad5b6c3bee60ff9b5b647331f2be

SHA512
25c47e9a5eaf629c58284340dd302b1b4fa80d5bccff72d8ca593fb3d67a5e47c98fe06a6709e55d553200baa67a8825514504b4bdbeae76407b040daf34ced7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
MD5
be8102b02b6b07e5a8dca07ea97484f5

SHA1
c339c3688b7c0a30e4d540ad0016166874d59711

SHA256
edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00

SHA512
9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1
MD5
e7adb37bb8ef23ec102e36b66dbb7440

SHA1
51bd2b96504ee9965e410fbe4ea68a7a6025e96b

SHA256
adda66f469535e336ac22f4ffcfaa4d3126ea3605580537fc4c065b705f6c960

SHA512
2df48ab707dfbdb1bea66480ce329bbd2c1e750e53510eb5f35e9a0529c21f04e1ff1a46b53d5318f625abf81371ce7ed12fd24ef912bbcc2f5de95cfd2bdd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp113E.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp579F.tmp.ps1
MD5
aacfc09af9d5d5ed93682c66653a8350

SHA1
7abfd1101aa439f7dda0460569220dcbc80b1ca6

SHA256
b58dba1343bfcb964723c0f40952ff4f030f53abf66ff713abb8a00d18024359

SHA512
8dd5e7d8a525dcd7e8e2c700e54c17336a54783021f9bc947bf1f9dcbd05a2d97af4256de8f2f611f8fa7d073d3d5313a2638bd0ce32377e13ef00848f8ce901

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57A0.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
MD5
be8102b02b6b07e5a8dca07ea97484f5

SHA1
c339c3688b7c0a30e4d540ad0016166874d59711

SHA256
edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00

SHA512
9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938

Download Submit
\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
MD5
be8102b02b6b07e5a8dca07ea97484f5

SHA1
c339c3688b7c0a30e4d540ad0016166874d59711

SHA256
edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00

SHA512
9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938

Download Submit
\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
MD5
be8102b02b6b07e5a8dca07ea97484f5

SHA1
c339c3688b7c0a30e4d540ad0016166874d59711

SHA256
edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00

SHA512
9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938

Download Submit
\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
MD5
be8102b02b6b07e5a8dca07ea97484f5

SHA1
c339c3688b7c0a30e4d540ad0016166874d59711

SHA256
edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00

SHA512
9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/916-250-0x0000000000DA3000-0x0000000000DA4000-memory.dmp

Filesize
4KB

Download
memory/916-170-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/916-169-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/916-167-0x0000000000000000-mapping.dmp

Download
memory/916-202-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/916-191-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/916-175-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/916-174-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1136-454-0x0000000000000000-mapping.dmp

Download
memory/1164-451-0x00000000068F3000-0x00000000068F4000-memory.dmp

Filesize
4KB

Download
memory/1164-328-0x0000000000000000-mapping.dmp

Download
memory/1164-354-0x00000000068F0000-0x00000000068F1000-memory.dmp

Filesize
4KB

Download
memory/1164-356-0x00000000068F2000-0x00000000068F3000-memory.dmp

Filesize
4KB

Download
memory/1196-158-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/1196-132-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1196-130-0x0000000000000000-mapping.dmp

Download
memory/1196-133-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1196-218-0x0000000000D93000-0x0000000000D94000-memory.dmp

Filesize
4KB

Download
memory/1196-206-0x0000000008CD0000-0x0000000008CD1000-memory.dmp

Filesize
4KB

Download
memory/1196-137-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1196-198-0x0000000008810000-0x0000000008811000-memory.dmp

Filesize
4KB

Download
memory/1196-199-0x000000007ED60000-0x000000007ED61000-memory.dmp

Filesize
4KB

Download
memory/1196-145-0x0000000000D92000-0x0000000000D93000-memory.dmp

Filesize
4KB

Download
memory/1196-190-0x0000000008BA0000-0x0000000008BD3000-memory.dmp

Filesize
204KB

Download
memory/1196-138-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/1196-179-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1196-160-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/1196-143-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1196-168-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

Filesize
4KB

Download
memory/1196-163-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/1196-164-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/1196-165-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/1196-166-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/1264-155-0x0000000000000000-mapping.dmp

Download
memory/1556-115-0x0000000004F00000-0x0000000004FF1000-memory.dmp

Filesize
964KB

Download
memory/1556-117-0x0000000000400000-0x0000000002FE8000-memory.dmp

Filesize
43.9MB

Download
memory/1556-116-0x0000000005000000-0x0000000005108000-memory.dmp

Filesize
1.0MB

Download
memory/1696-159-0x0000000000000000-mapping.dmp

Download
memory/1712-150-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-148-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/1712-140-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/1712-139-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1712-136-0x0000000004C51000-0x0000000005C35000-memory.dmp

Filesize
15.9MB

Download
memory/1712-146-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-147-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-141-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-149-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-142-0x0000000005C40000-0x0000000005D80000-memory.dmp

Filesize
1.2MB

Download
memory/1712-131-0x0000000000000000-mapping.dmp

Download
memory/1816-453-0x0000000000000000-mapping.dmp

Download
memory/3320-154-0x0000029286420000-0x0000029286422000-memory.dmp

Filesize
8KB

Download
memory/3320-153-0x0000029286420000-0x0000029286422000-memory.dmp

Filesize
8KB

Download
memory/3320-151-0x00007FF6A5C25FD0-mapping.dmp

Download
memory/3320-162-0x0000029286470000-0x0000029286622000-memory.dmp

Filesize
1.7MB

Download
memory/3320-161-0x00000000001A0000-0x0000000000340000-memory.dmp

Filesize
1.6MB

Download
memory/3624-129-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3624-128-0x0000000004AC1000-0x0000000005AA5000-memory.dmp

Filesize
15.9MB

Download
memory/3624-125-0x0000000000000000-mapping.dmp

Download
memory/3628-438-0x0000000000000000-mapping.dmp

Download
memory/3952-124-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3952-118-0x0000000000000000-mapping.dmp

Download
memory/3952-122-0x00000000029E0000-0x0000000002B45000-memory.dmp

Filesize
1.4MB

Download
memory/3952-123-0x00000000048F1000-0x00000000058D5000-memory.dmp

Filesize
15.9MB

Download