danabot | 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84

Analysis

max time kernel
144s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
21-10-2021 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe
Size

1.1MB
MD5

faa5a6bae3386dd82857674cf54d6f0d
SHA1

49b350f2041e6003397397b2fc1f6787a84c8405
SHA256

12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84
SHA512

e3848e7d79698cbd356dc350750b35efe784ec789d8d5528e966f1c30f57203315d806b9d99a0778fca506464f5cd1960cca9094c2c581b3967a9c42a97ffe8d

Score

10^/10

danabot 4 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

192.119.110.73:443

192.236.147.159:443

192.210.222.88:443

Attributes

embedded_hash
F4711E27D559B4AEB1A081A1EB0AC465
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL	DanabotLoader2021
behavioral1/memory/3312-122-0x00000000028A0000-0x0000000002A00000-memory.dmp	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL	DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2128 created 3928 2128 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

28 3312 rundll32.exe
29 380 RUNDLL32.EXE
31 380 RUNDLL32.EXE
32 380 RUNDLL32.EXE
34 380 RUNDLL32.EXE
35 380 RUNDLL32.EXE
Loads dropped DLL 5 IoCs

Processes:

rundll32.exeRUNDLL32.EXERUNDLL32.EXERUNDLL32.EXE

pid process

3312 rundll32.exe
3312 rundll32.exe
380 RUNDLL32.EXE
3928 RUNDLL32.EXE
1140 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2128 created 3928	2128	WerFault.exe	RUNDLL32.EXE

flow	pid	process
28	3312	rundll32.exe
29	380	RUNDLL32.EXE
31	380	RUNDLL32.EXE
32	380	RUNDLL32.EXE
34	380	RUNDLL32.EXE
35	380	RUNDLL32.EXE

pid	process
3312	rundll32.exe
3312	rundll32.exe
380	RUNDLL32.EXE
3928	RUNDLL32.EXE
1140	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 3928 set thread context of 3776 3928 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2128 3928 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 3928 set thread context of 3776	3928	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\zohplghndapsm.tmp	rundll32.exe

pid	pid_target	process	target process
2128	3928	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F038F1FE805BC8C1FF308F4A5FC42CEB55BC216\Blob = 0300000001000000140000001f038f1fe805bc8c1ff308f4a5fc42ceb55bc21620000000010000009f0200003082029b30820204a00302010202084a5603a308041035300d06092a864886f70d01010b05003074311f301d06035504030c165468617774652054696d657374616d70696e61204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3139313031373233353332395a170d3233313031363233353332395a3074311f301d06035504030c165468617774652054696d657374616d70696e61204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100cc2a406dea4227bfd15d8e4694d7b395a8fb8eb86a0ccd180c4ab7d80723f607e29f52c70e0db9a5032359c091561963b1d466b71939751d6a87d559b58f441f22999d018214562f56e5c4e68fcaccb6e20a0c462c0cb41d520387dfcd60bbe5c2564c0cc423760fd05c4b32e1726760cc4514e943141e17201790abeb758d710203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a301882165468617774652054696d657374616d70696e61204341300d06092a864886f70d01010b050003818100815472b6d67e5d2b2a000344ad9e300543d8e1a1963e13d8c6fd0933fd0e7bd64f95badddbe954379c50509a9f31b39fd2f3297aaaae82a7eb644e778a5cf612063eb3893b9b8b6791a4030023e72c62636e13bf0ebffb4aab7a0369613e96b13f9454583b3a193dfe22a1221257dffadc7932e05fa7396adfbd34104b7bd77b	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F038F1FE805BC8C1FF308F4A5FC42CEB55BC216	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXEpowershell.exeWerFault.exepowershell.exepowershell.exe

pid	process
380	RUNDLL32.EXE
380	RUNDLL32.EXE
380	RUNDLL32.EXE
380	RUNDLL32.EXE
380	RUNDLL32.EXE
380	RUNDLL32.EXE
3928	RUNDLL32.EXE
3928	RUNDLL32.EXE
3612	powershell.exe
3612	powershell.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
2128	WerFault.exe
3244	powershell.exe
3612	powershell.exe
3244	powershell.exe
3244	powershell.exe
380	RUNDLL32.EXE
380	RUNDLL32.EXE
968	powershell.exe
968	powershell.exe
968	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeRestorePrivilege	2128	WerFault.exe
Token: SeBackupPrivilege	2128	WerFault.exe
Token: SeDebugPrivilege	380	RUNDLL32.EXE
Token: SeDebugPrivilege	2128	WerFault.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3776 rundll32.exe
380 RUNDLL32.EXE

pid	process
3776	rundll32.exe
380	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 3128 wrote to memory of 3312	3128	12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe	rundll32.exe
PID 3128 wrote to memory of 3312	3128	12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe	rundll32.exe
PID 3128 wrote to memory of 3312	3128	12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe	rundll32.exe
PID 3312 wrote to memory of 380	3312	rundll32.exe	RUNDLL32.EXE
PID 3312 wrote to memory of 380	3312	rundll32.exe	RUNDLL32.EXE
PID 3312 wrote to memory of 380	3312	rundll32.exe	RUNDLL32.EXE
PID 380 wrote to memory of 3612	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 3612	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 3612	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 3928	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 380 wrote to memory of 3928	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 380 wrote to memory of 3928	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 3928 wrote to memory of 3776	3928	RUNDLL32.EXE	rundll32.exe
PID 3928 wrote to memory of 3776	3928	RUNDLL32.EXE	rundll32.exe
PID 3928 wrote to memory of 3776	3928	RUNDLL32.EXE	rundll32.exe
PID 380 wrote to memory of 1140	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 380 wrote to memory of 1140	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 380 wrote to memory of 1140	380	RUNDLL32.EXE	RUNDLL32.EXE
PID 3776 wrote to memory of 1280	3776	rundll32.exe	ctfmon.exe
PID 3776 wrote to memory of 1280	3776	rundll32.exe	ctfmon.exe
PID 380 wrote to memory of 3244	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 3244	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 3244	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 968	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 968	380	RUNDLL32.EXE	powershell.exe
PID 380 wrote to memory of 968	380	RUNDLL32.EXE	powershell.exe
PID 968 wrote to memory of 2992	968	powershell.exe	nslookup.exe
PID 968 wrote to memory of 2992	968	powershell.exe	nslookup.exe
PID 968 wrote to memory of 2992	968	powershell.exe	nslookup.exe
PID 380 wrote to memory of 3344	380	RUNDLL32.EXE	schtasks.exe
PID 380 wrote to memory of 3344	380	RUNDLL32.EXE	schtasks.exe
PID 380 wrote to memory of 3344	380	RUNDLL32.EXE	schtasks.exe
PID 380 wrote to memory of 3840	380	RUNDLL32.EXE	schtasks.exe
PID 380 wrote to memory of 3840	380	RUNDLL32.EXE	schtasks.exe
PID 380 wrote to memory of 3840	380	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Users\Admin\AppData\Local\Temp\12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe
"C:\Users\Admin\AppData\Local\Temp\12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,s C:\Users\Admin\AppData\Local\Temp\12476B~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3312

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,OQwtdTN3
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,gl0kdUpj
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 784
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
4⤵
- Loads dropped DLL
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp65.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4ED5.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3344

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\zohplghndapsm.tmp
MD5
a6bed279111f34a8ef68dc7f275fea04

SHA1
52f5ff67daf88eec2c5c379243f033fb650b5a7a

SHA256
a841c1b6357cd4b3ba9d3c77290197cc74bcb34242bfeb7a6b7fd8a4d25aeaea

SHA512
b6348d5e3e0e9df68fdb4e3d11c9d2d5e0e622965efbd69aa70c41d5a6b4203c20a89bd08b08a52233d98ee445e11459875f6c9c0890767d11cfa574cc431bfb

Download Submit
C:\PROGRA~3\zohplghndapsm.tmp
MD5
a6bed279111f34a8ef68dc7f275fea04

SHA1
52f5ff67daf88eec2c5c379243f033fb650b5a7a

SHA256
a841c1b6357cd4b3ba9d3c77290197cc74bcb34242bfeb7a6b7fd8a4d25aeaea

SHA512
b6348d5e3e0e9df68fdb4e3d11c9d2d5e0e622965efbd69aa70c41d5a6b4203c20a89bd08b08a52233d98ee445e11459875f6c9c0890767d11cfa574cc431bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
f7a808b5711f58fb4f85476c1bb24ac3

SHA1
fbdf9670d622e8fc3446ad4f53fbbd83016f03d1

SHA256
de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec

SHA512
866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11955f4f9ef907047ada5a86642c281d

SHA1
dfc6fc2520ab5f14644c9a6e7855fe90c3b626a3

SHA256
37d6fcb00ead5844b0a30506a5ec1f7b77d7ab8fc5fe4aadb974f9c65a3af2f1

SHA512
dfd22498e05bc3dbfe6157b2126b95bec9020a6f3ef7bd194ec83d0b510693c582f0a49179a96c875ef38f8818bc8c952dc08d07c1e8be411dea988122935fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1b036a135588a4a816b43f243abe46b

SHA1
b51d33f01245d8b19c7bf392c29ea0703d0d1c76

SHA256
4c024515f1d6bd941dd9fbc8189183d36a5d0f8d06e08b1a3805820a80444075

SHA512
6d2dc5d77f45741d587c4845a911a1060981aab769127c5dce6b538a6a6d948a148a1277dca03b344e9caca07747e9ee532e38ece4580f0601c7748728ce435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5
587f3156a92bcc5aeed7d02b3c2ec536

SHA1
9a13cca82dc66604917a42672e901320ea8e4674

SHA256
a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a

SHA512
7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4ED5.tmp.ps1
MD5
15f2fe04b5e3202356001ba9f6497000

SHA1
83da8e9a5c7596f6ddd4414f0f69925b9fdc96b0

SHA256
0fa189839e3e844fc336db4a500ca8e1371f7432a2c99f06194c95263c5a9613

SHA512
9bc159ba3e5f09bb325e5d783a536e24027850874e0d3ec53e94c79ec5b4340584503d43314552d4bc8a2b3947453d65f60ac073e98ae87531b6417e28c89248

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4ED6.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65.tmp.ps1
MD5
aae041085ce3c3233112e477f62cea57

SHA1
62ba6703e4eaf454185119cb649bd7d79a4e8943

SHA256
51f761964f28c355d81067f246c14499b63df3f5f9b9ec03828df8ed479d145f

SHA512
83f30821a4ee64bab1e6ff3f1c54c69e2fce887a09910f845b33243edaaea89b943101bda7ae4294f22258127e79dfc1a88ed9023b377332b85b1bc68880e2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp66.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5
587f3156a92bcc5aeed7d02b3c2ec536

SHA1
9a13cca82dc66604917a42672e901320ea8e4674

SHA256
a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a

SHA512
7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

Download Submit
\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5
587f3156a92bcc5aeed7d02b3c2ec536

SHA1
9a13cca82dc66604917a42672e901320ea8e4674

SHA256
a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a

SHA512
7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

Download Submit
\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5
587f3156a92bcc5aeed7d02b3c2ec536

SHA1
9a13cca82dc66604917a42672e901320ea8e4674

SHA256
a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a

SHA512
7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

Download Submit
\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5
587f3156a92bcc5aeed7d02b3c2ec536

SHA1
9a13cca82dc66604917a42672e901320ea8e4674

SHA256
a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a

SHA512
7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

Download Submit
\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5
5951f0afa96cda14623b4cce74d58cca

SHA1
ad4a21bd28a3065037b1ea40fab4d7c4d7549fde

SHA256
8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce

SHA512
b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

Download Submit
memory/380-125-0x0000000000000000-mapping.dmp

Download
memory/380-129-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/380-128-0x0000000004AE1000-0x0000000005AC5000-memory.dmp

Filesize
15.9MB

Download
memory/968-356-0x0000000000000000-mapping.dmp

Download
memory/968-452-0x0000000004663000-0x0000000004664000-memory.dmp

Filesize
4KB

Download
memory/968-385-0x0000000004662000-0x0000000004663000-memory.dmp

Filesize
4KB

Download
memory/968-384-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/1140-151-0x0000000000000000-mapping.dmp

Download
memory/1280-158-0x0000000000000000-mapping.dmp

Download
memory/2992-449-0x0000000000000000-mapping.dmp

Download
memory/3128-115-0x0000000004E90000-0x0000000004F7E000-memory.dmp

Filesize
952KB

Download
memory/3128-117-0x0000000000400000-0x0000000002FE6000-memory.dmp

Filesize
43.9MB

Download
memory/3128-116-0x0000000004F80000-0x0000000005085000-memory.dmp

Filesize
1.0MB

Download
memory/3244-206-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3244-204-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/3244-274-0x0000000004A93000-0x0000000004A94000-memory.dmp

Filesize
4KB

Download
memory/3244-174-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/3244-173-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3244-169-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3244-167-0x0000000000000000-mapping.dmp

Download
memory/3244-168-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/3312-122-0x00000000028A0000-0x0000000002A00000-memory.dmp

Filesize
1.4MB

Download
memory/3312-118-0x0000000000000000-mapping.dmp

Download
memory/3312-123-0x0000000004781000-0x0000000005765000-memory.dmp

Filesize
15.9MB

Download
memory/3312-124-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/3344-453-0x0000000000000000-mapping.dmp

Download
memory/3612-197-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/3612-140-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/3612-130-0x0000000000000000-mapping.dmp

Download
memory/3612-132-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3612-164-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3612-165-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/3612-166-0x0000000008570000-0x0000000008571000-memory.dmp

Filesize
4KB

Download
memory/3612-160-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/3612-159-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3612-135-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3612-172-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/3612-137-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/3612-138-0x0000000006DB0000-0x0000000006DB1000-memory.dmp

Filesize
4KB

Download
memory/3612-179-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/3612-189-0x0000000009320000-0x0000000009353000-memory.dmp

Filesize
204KB

Download
memory/3612-195-0x000000007FC70000-0x000000007FC71000-memory.dmp

Filesize
4KB

Download
memory/3612-149-0x0000000006ED2000-0x0000000006ED3000-memory.dmp

Filesize
4KB

Download
memory/3612-161-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/3612-203-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/3612-211-0x0000000006ED3000-0x0000000006ED4000-memory.dmp

Filesize
4KB

Download
memory/3612-205-0x0000000009860000-0x0000000009861000-memory.dmp

Filesize
4KB

Download
memory/3776-152-0x00007FF65EC55FD0-mapping.dmp

Download
memory/3776-162-0x0000000000530000-0x00000000006D0000-memory.dmp

Filesize
1.6MB

Download
memory/3776-163-0x00000218D28E0000-0x00000218D2A92000-memory.dmp

Filesize
1.7MB

Download
memory/3776-154-0x00000218D27B0000-0x00000218D27B2000-memory.dmp

Filesize
8KB

Download
memory/3776-156-0x00000218D27B0000-0x00000218D27B2000-memory.dmp

Filesize
8KB

Download
memory/3840-454-0x0000000000000000-mapping.dmp

Download
memory/3928-139-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/3928-141-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/3928-147-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/3928-142-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download
memory/3928-136-0x0000000004F71000-0x0000000005F55000-memory.dmp

Filesize
15.9MB

Download
memory/3928-143-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download
memory/3928-148-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download
memory/3928-145-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download
memory/3928-131-0x0000000000000000-mapping.dmp

Download
memory/3928-146-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download
memory/3928-150-0x0000000006020000-0x0000000006160000-memory.dmp

Filesize
1.2MB

Download