danabot | 13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52

Analysis

max time kernel
142s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe
Size

1.1MB
MD5

0b6d77009850a6c6b1b3e37fa256b6c1
SHA1

31e9bae613d94bcc8cdbd791b0fa054a22eea9fd
SHA256

13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52
SHA512

9be0621a748e1b7674455ce974072e2983b33bdb9918ded3fcbbaca99209de9e77f9a450bf1096e211858e9ff24075df8e68d012d46d696ff906ed48079e80ea

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2092 created 2636 2092 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

24 4056 rundll32.exe
25 2812 RUNDLL32.EXE
28 2812 RUNDLL32.EXE
29 2812 RUNDLL32.EXE
30 2812 RUNDLL32.EXE
31 2812 RUNDLL32.EXE
Loads dropped DLL 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

4056 rundll32.exe
2812 RUNDLL32.EXE
2812 RUNDLL32.EXE
2636 RUNDLL32.EXE
2636 RUNDLL32.EXE
1332 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2092 created 2636	2092	WerFault.exe	RUNDLL32.EXE

flow	pid	process
24	4056	rundll32.exe
25	2812	RUNDLL32.EXE
28	2812	RUNDLL32.EXE
29	2812	RUNDLL32.EXE
30	2812	RUNDLL32.EXE
31	2812	RUNDLL32.EXE

pid	process
4056	rundll32.exe
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2636	RUNDLL32.EXE
2636	RUNDLL32.EXE
1332	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2636 set thread context of 2316 2636 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2092 2636 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 2636 set thread context of 2316	2636	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
2092	2636	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 37 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEB0313CDE39C2B1FBA89E6EC3DDA8B2E26738AE	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEB0313CDE39C2B1FBA89E6EC3DDA8B2E26738AE\Blob = 030000000100000014000000eeb0313cde39c2b1fba89e6ec3dda8b2e26738ae20000000010000006e0200003082026a308201d3a00302010202081acf515c28bf95cf300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7270204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3139313032323035353133355a170d3233313032313035353133355a305a3122302006035504030c1942616c74696d6f7270204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100a4766f7b8b997d11b958c45497f870ed18ade1bcbf97a5aa2e8701ea826359281e4d1cd5a7048cd207ee829edad0d24c8abdf7c68f9d8d1fea2a6157c0fc8a37325ff8896d63725e7d8aebe3eacf25e5bcd5c2b1a78d55e58603bcab59a7d9c9c60854ed7a1d3952f6535c8a12d32b9898434f576985dfa9208d5c6f97892b710203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7270204379626572547275737420526f6f74300d06092a864886f70d01010b050003818100025f8bfa03e1256af476974205d0d31bd88e51d5ddd591aa3493d151edb444524a3fe8d35b9c95b3a2ea439137501a0aa27b4584a775e828b510901dbdeb17a0fac146a7b2c2f7df880f19bf9cc73d9ed9b0a68508ecf12dd971f495195b1510b102463ccaa30308b80cb3963bbcc8a67d754db0290bdeb95339f49e6a49a3ff	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXEpowershell.exeWerFault.exepowershell.exepowershell.exe

pid	process
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
2636	RUNDLL32.EXE
2636	RUNDLL32.EXE
388	powershell.exe
388	powershell.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
2092	WerFault.exe
3724	powershell.exe
388	powershell.exe
3724	powershell.exe
3724	powershell.exe
2812	RUNDLL32.EXE
2812	RUNDLL32.EXE
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2812	RUNDLL32.EXE
Token: SeRestorePrivilege	2092	WerFault.exe
Token: SeBackupPrivilege	2092	WerFault.exe
Token: SeDebugPrivilege	2092	WerFault.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2316 rundll32.exe
2812 RUNDLL32.EXE

pid	process
2316	rundll32.exe
2812	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1524 wrote to memory of 4056	1524	13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe	rundll32.exe
PID 1524 wrote to memory of 4056	1524	13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe	rundll32.exe
PID 1524 wrote to memory of 4056	1524	13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe	rundll32.exe
PID 4056 wrote to memory of 2812	4056	rundll32.exe	RUNDLL32.EXE
PID 4056 wrote to memory of 2812	4056	rundll32.exe	RUNDLL32.EXE
PID 4056 wrote to memory of 2812	4056	rundll32.exe	RUNDLL32.EXE
PID 2812 wrote to memory of 388	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 388	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 388	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 2636	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2812 wrote to memory of 2636	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2812 wrote to memory of 2636	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2636 wrote to memory of 2316	2636	RUNDLL32.EXE	rundll32.exe
PID 2636 wrote to memory of 2316	2636	RUNDLL32.EXE	rundll32.exe
PID 2636 wrote to memory of 2316	2636	RUNDLL32.EXE	rundll32.exe
PID 2812 wrote to memory of 1332	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2812 wrote to memory of 1332	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2812 wrote to memory of 1332	2812	RUNDLL32.EXE	RUNDLL32.EXE
PID 2316 wrote to memory of 3408	2316	rundll32.exe	ctfmon.exe
PID 2316 wrote to memory of 3408	2316	rundll32.exe	ctfmon.exe
PID 2812 wrote to memory of 3724	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 3724	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 3724	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 1092	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 1092	2812	RUNDLL32.EXE	powershell.exe
PID 2812 wrote to memory of 1092	2812	RUNDLL32.EXE	powershell.exe
PID 1092 wrote to memory of 916	1092	powershell.exe	nslookup.exe
PID 1092 wrote to memory of 916	1092	powershell.exe	nslookup.exe
PID 1092 wrote to memory of 916	1092	powershell.exe	nslookup.exe
PID 2812 wrote to memory of 2240	2812	RUNDLL32.EXE	schtasks.exe
PID 2812 wrote to memory of 2240	2812	RUNDLL32.EXE	schtasks.exe
PID 2812 wrote to memory of 2240	2812	RUNDLL32.EXE	schtasks.exe
PID 2812 wrote to memory of 3920	2812	RUNDLL32.EXE	schtasks.exe
PID 2812 wrote to memory of 3920	2812	RUNDLL32.EXE	schtasks.exe
PID 2812 wrote to memory of 3920	2812	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe
"C:\Users\Admin\AppData\Local\Temp\13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,s C:\Users\Admin\AppData\Local\Temp\13AF9F~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,hVUwRmpx
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,eCRTWlprVXM=
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 784
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:1332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5DB9.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2240

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
e7de866986b2ecc1692eb335e1d06f70

SHA1
59eb72ee76d02f50a1f8652cb3255c5e04b3d725

SHA256
8099520735004cb51630a35469055ca8f370cc0322ce953264f888a50be1092a

SHA512
6a66f268a3045b6bb35a097d1defc682b37bf8740bd3edc4a58aa5d8a5677814e3d276b05d24e82da902c653a25c9c835bbb3b4b90d9710c3e7b90f3595dbb71

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
0362480a57d528400b17fba7833eddc5

SHA1
ad8c4a570306dc4d35871cd255d676069722a374

SHA256
34354cad01afde0ebb437606d37481d1013af862fd2166436e361dcce5c905ad

SHA512
83b08f9a7e241608e96bb625bd17133840c3c71ca41cddb09ef091ab53b87b13b4277b86ca9182dae6057717a38ddb99e5a171dbea46e706407cbc2362760761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
06d4793c8a89604ad993cbf7f8719c15

SHA1
6a7a03a8230f16d5e35c2a0f64b1e09ddfac4208

SHA256
7290e6f104f9750fe9e79daad1d1a81e5b7ab72daca06bcea6de68be6d21122d

SHA512
2de1facfff4d00f05be58694e5c9f09bb63bd59c11fc7f0070120d132e34c6808c1a8115099300c31b9e3239a19d76b45b127ea4bf2d9faf9e6ee93960f4bc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
097bda7262cbdf238f7493be1c99893a

SHA1
36543fb385c6ada341a6f1a89b49893e2ab2d061

SHA256
db1ea44b71f5914e0ee77fd75bfe897b41e127e16455c8383a59f918df9081a9

SHA512
89f77b997eac48b01d1794f248b2ee49b252901c5fb1d842840eef8b70964a585f897d366ede9c7938995bb557f36007925d401a1cc50ae894c6cc2863083b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1
MD5
e7adb37bb8ef23ec102e36b66dbb7440

SHA1
51bd2b96504ee9965e410fbe4ea68a7a6025e96b

SHA256
adda66f469535e336ac22f4ffcfaa4d3126ea3605580537fc4c065b705f6c960

SHA512
2df48ab707dfbdb1bea66480ce329bbd2c1e750e53510eb5f35e9a0529c21f04e1ff1a46b53d5318f625abf81371ce7ed12fd24ef912bbcc2f5de95cfd2bdd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp113E.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DB9.tmp.ps1
MD5
01c0781afd73ba961b49bf3470313c61

SHA1
93d71c9d210f0aa55d2e3a8bebcc8fad0ca177a5

SHA256
6af8fcae7523e7128ba433443568191309199bb05c0761f1e16325df9253b656

SHA512
8228b24ae936d447e3c866ec2a9de439f69661f0ecd0fd55012cbc907e8c9a56bc0210fd91889ef00fe5bee03c7b0ac7f6a7bac5923dc1f6d6db32714f430ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DBA.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
MD5
dd20fa2f1e2b0648fe1f70e665b9fa9c

SHA1
6a62b136a8a21224f606a405024779e253d23e15

SHA256
0790c8e04264db5e6b0af9482eb148501567c3080d9a9659d77f638c5a729efb

SHA512
c70808868ad11e6fdccf7535583dfd889cad84599fb787e7b59b63c88d7987dce6af45989269017d468d1463001cd966e383ed7b09bd0ef8f7f90a46ae09c521

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/388-182-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/388-220-0x00000000040F3000-0x00000000040F4000-memory.dmp

Filesize
4KB

Download
memory/388-136-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/388-208-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/388-132-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/388-130-0x0000000000000000-mapping.dmp

Download
memory/388-138-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/388-202-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/388-140-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/388-199-0x000000007E8D0000-0x000000007E8D1000-memory.dmp

Filesize
4KB

Download
memory/388-142-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/388-143-0x00000000040F2000-0x00000000040F3000-memory.dmp

Filesize
4KB

Download
memory/388-193-0x0000000008990000-0x00000000089C3000-memory.dmp

Filesize
204KB

Download
memory/388-173-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/388-170-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/388-168-0x0000000006790000-0x0000000006791000-memory.dmp

Filesize
4KB

Download
memory/388-167-0x0000000007420000-0x0000000007421000-memory.dmp

Filesize
4KB

Download
memory/388-164-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/388-165-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/388-157-0x0000000006B30000-0x0000000006B31000-memory.dmp

Filesize
4KB

Download
memory/916-449-0x0000000000000000-mapping.dmp

Download
memory/1092-454-0x0000000007233000-0x0000000007234000-memory.dmp

Filesize
4KB

Download
memory/1092-369-0x0000000007232000-0x0000000007233000-memory.dmp

Filesize
4KB

Download
memory/1092-352-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/1092-338-0x0000000000000000-mapping.dmp

Download
memory/1332-149-0x0000000000000000-mapping.dmp

Download
memory/1524-116-0x0000000004FD0000-0x00000000050D5000-memory.dmp

Filesize
1.0MB

Download
memory/1524-115-0x0000000004EE0000-0x0000000004FCE000-memory.dmp

Filesize
952KB

Download
memory/1524-117-0x0000000000400000-0x0000000002FE6000-memory.dmp

Filesize
43.9MB

Download
memory/2240-455-0x0000000000000000-mapping.dmp

Download
memory/2316-162-0x0000000000340000-0x00000000004E0000-memory.dmp

Filesize
1.6MB

Download
memory/2316-156-0x00007FF6DF395FD0-mapping.dmp

Download
memory/2316-161-0x000001C5B94C0000-0x000001C5B94C2000-memory.dmp

Filesize
8KB

Download
memory/2316-163-0x000001C5B9740000-0x000001C5B98F2000-memory.dmp

Filesize
1.7MB

Download
memory/2316-159-0x000001C5B94C0000-0x000001C5B94C2000-memory.dmp

Filesize
8KB

Download
memory/2636-155-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-131-0x0000000000000000-mapping.dmp

Download
memory/2636-145-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-148-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-150-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-151-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2636-153-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-135-0x0000000000F40000-0x00000000010A1000-memory.dmp

Filesize
1.4MB

Download
memory/2636-146-0x0000000005AF0000-0x0000000005C30000-memory.dmp

Filesize
1.2MB

Download
memory/2636-144-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2636-160-0x0000000000950000-0x0000000000A9A000-memory.dmp

Filesize
1.3MB

Download
memory/2636-141-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/2636-139-0x0000000004A41000-0x0000000005A25000-memory.dmp

Filesize
15.9MB

Download
memory/2812-126-0x0000000000E00000-0x0000000000F61000-memory.dmp

Filesize
1.4MB

Download
memory/2812-129-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2812-128-0x0000000004981000-0x0000000005965000-memory.dmp

Filesize
15.9MB

Download
memory/2812-123-0x0000000000000000-mapping.dmp

Download
memory/3408-166-0x0000000000000000-mapping.dmp

Download
memory/3724-195-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/3724-249-0x00000000064B3000-0x00000000064B4000-memory.dmp

Filesize
4KB

Download
memory/3724-207-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3724-181-0x00000000064B2000-0x00000000064B3000-memory.dmp

Filesize
4KB

Download
memory/3724-175-0x00000000064B0000-0x00000000064B1000-memory.dmp

Filesize
4KB

Download
memory/3724-171-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3724-172-0x0000000003EF0000-0x0000000003EF1000-memory.dmp

Filesize
4KB

Download
memory/3724-169-0x0000000000000000-mapping.dmp

Download
memory/3920-456-0x0000000000000000-mapping.dmp

Download
memory/4056-122-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4056-121-0x0000000005321000-0x0000000006305000-memory.dmp

Filesize
15.9MB

Download
memory/4056-118-0x0000000000000000-mapping.dmp

Download