Analysis
max time kernel: 144s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 10:02
Static task: static1
General
Target: 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe
Size: 1.1MB
MD5: faa5a6bae3386dd82857674cf54d6f0d
SHA1: 49b350f2041e6003397397b2fc1f6787a84c8405
SHA256: 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84
SHA512: e3848e7d79698cbd356dc350750b35efe784ec789d8d5528e966f1c30f57203315d806b9d99a0778fca506464f5cd1960cca9094c2c581b3967a9c42a97ffe8d
Malware Config
Extracted
danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: loader

Extracted
danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: main
Signatures
Danabot Loader Component 6 IoCs
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL DanabotLoader2021
behavioral1/memory/3312-122-0x00000000028A0000-0x0000000002A00000-memory.dmp DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL DanabotLoader2021
\Users\Admin\AppData\Local\Temp\12476B~1.DLL DanabotLoader2021
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description pid process target process
PID 2128 created 3928 2128 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs
Processes: rundll32.exe, RUNDLL32.EXE
flow pid process
28 3312 rundll32.exe
29 380 RUNDLL32.EXE
31 380 RUNDLL32.EXE
32 380 RUNDLL32.EXE
34 380 RUNDLL32.EXE
35 380 RUNDLL32.EXE
Loads dropped DLL 5 IoCs
Processes: rundll32.exe, RUNDLL32.EXE, RUNDLL32.EXE, RUNDLL32.EXE
pid process
3312 rundll32.exe
3312 rundll32.exe
380 RUNDLL32.EXE
3928 RUNDLL32.EXE
1140 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: RUNDLL32.EXE
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RUNDLL32.EXE
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes: RUNDLL32.EXE
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RUNDLL32.EXE
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
Processes: RUNDLL32.EXE
description pid process target process
PID 3928 set thread context of 3776 3928 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs
Processes: rundll32.exe
description ioc process
File created C:\PROGRA~3\zohplghndapsm.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes: WerFault.exe
pid pid_target process target process
2128 3928 WerFault.exe RUNDLL32.EXE
Checks processor information in registry 2 TTPs 50 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: RUNDLL32.EXE, RUNDLL32.EXE
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE
Modifies system certificate store
Processes: RUNDLL32.EXE
description ioc process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F038F1FE805BC8C1FF308F4A5FC42CEB55BC216\Blob = 0300000001000000140000001f038f1fe805bc8c1ff308f4a5fc42ceb55bc21620000000010000009f0200003082029b30820204a00302010202084a5603a308041035300d06092a864886f70d01010b05003074311f301d06035504030c165468617774652054696d657374616d70696e61204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3139313031373233353332395a170d3233313031363233353332395a3074311f301d06035504030c165468617774652054696d657374616d70696e61204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100cc2a406dea4227bfd15d8e4694d7b395a8fb8eb86a0ccd180c4ab7d80723f607e29f52c70e0db9a5032359c091561963b1d466b71939751d6a87d559b58f441f22999d018214562f56e5c4e68fcaccb6e20a0c462c0cb41d520387dfcd60bbe5c2564c0cc423760fd05c4b32e1726760cc4514e943141e17201790abeb758d710203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a301882165468617774652054696d657374616d70696e61204341300d06092a864886f70d01010b050003818100815472b6d67e5d2b2a000344ad9e300543d8e1a1963e13d8c6fd0933fd0e7bd64f95badddbe954379c50509a9f31b39fd2f3297aaaae82a7eb644e778a5cf612063eb3893b9b8b6791a4030023e72c62636e13bf0ebffb4aab7a0369613e96b13f9454583b3a193dfe22a1221257dffadc7932e05fa7396adfbd34104b7bd77b RUNDLL32.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1F038F1FE805BC8C1FF308F4A5FC42CEB55BC216 RUNDLL32.EXE
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: RUNDLL32.EXE, RUNDLL32.EXE, powershell.exe, WerFault.exe, powershell.exe, powershell.exe
pid process
380 RUNDLL32.EXE
380 RUNDLL32.EXE
380 RUNDLL32.EXE
380 RUNDLL32.EXE
380 RUNDLL32.EXE
380 RUNDLL32.EXE
3928 RUNDLL32.EXE
3928 RUNDLL32.EXE
3612 powershell.exe
3612 powershell.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
2128 WerFault.exe
3244 powershell.exe
3612 powershell.exe
3244 powershell.exe
3244 powershell.exe
380 RUNDLL32.EXE
380 RUNDLL32.EXE
968 powershell.exe
968 powershell.exe
968 powershell.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: powershell.exe, WerFault.exe, RUNDLL32.EXE, powershell.exe, powershell.exe
description pid process
Token: SeDebugPrivilege 3612 powershell.exe
Token: SeRestorePrivilege 2128 WerFault.exe
Token: SeBackupPrivilege 2128 WerFault.exe
Token: SeDebugPrivilege 380 RUNDLL32.EXE
Token: SeDebugPrivilege 2128 WerFault.exe
Token: SeDebugPrivilege 3244 powershell.exe
Token: SeDebugPrivilege 968 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: rundll32.exe, RUNDLL32.EXE
pid process
3776 rundll32.exe
380 RUNDLL32.EXE
Suspicious use of WriteProcessMemory 35 IoCs
Processes: 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe, rundll32.exe, RUNDLL32.EXE, RUNDLL32.EXE, rundll32.exe, powershell.exe
description pid process target process
PID 3128 wrote to memory of 3312 3128 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe rundll32.exe
PID 3128 wrote to memory of 3312 3128 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe rundll32.exe
PID 3128 wrote to memory of 3312 3128 12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe rundll32.exe
PID 3312 wrote to memory of 380 3312 rundll32.exe RUNDLL32.EXE
PID 3312 wrote to memory of 380 3312 rundll32.exe RUNDLL32.EXE
PID 3312 wrote to memory of 380 3312 rundll32.exe RUNDLL32.EXE
PID 380 wrote to memory of 3612 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 3612 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 3612 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 3928 380 RUNDLL32.EXE RUNDLL32.EXE
PID 380 wrote to memory of 3928 380 RUNDLL32.EXE RUNDLL32.EXE
PID 380 wrote to memory of 3928 380 RUNDLL32.EXE RUNDLL32.EXE
PID 3928 wrote to memory of 3776 3928 RUNDLL32.EXE rundll32.exe
PID 3928 wrote to memory of 3776 3928 RUNDLL32.EXE rundll32.exe
PID 3928 wrote to memory of 3776 3928 RUNDLL32.EXE rundll32.exe
PID 380 wrote to memory of 1140 380 RUNDLL32.EXE RUNDLL32.EXE
PID 380 wrote to memory of 1140 380 RUNDLL32.EXE RUNDLL32.EXE
PID 380 wrote to memory of 1140 380 RUNDLL32.EXE RUNDLL32.EXE
PID 3776 wrote to memory of 1280 3776 rundll32.exe ctfmon.exe
PID 3776 wrote to memory of 1280 3776 rundll32.exe ctfmon.exe
PID 380 wrote to memory of 3244 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 3244 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 3244 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 968 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 968 380 RUNDLL32.EXE powershell.exe
PID 380 wrote to memory of 968 380 RUNDLL32.EXE powershell.exe
PID 968 wrote to memory of 2992 968 powershell.exe nslookup.exe
PID 968 wrote to memory of 2992 968 powershell.exe nslookup.exe
PID 968 wrote to memory of 2992 968 powershell.exe nslookup.exe
PID 380 wrote to memory of 3344 380 RUNDLL32.EXE schtasks.exe
PID 380 wrote to memory of 3344 380 RUNDLL32.EXE schtasks.exe
PID 380 wrote to memory of 3344 380 RUNDLL32.EXE schtasks.exe
PID 380 wrote to memory of 3840 380 RUNDLL32.EXE schtasks.exe
PID 380 wrote to memory of 3840 380 RUNDLL32.EXE schtasks.exe
PID 380 wrote to memory of 3840 380 RUNDLL32.EXE schtasks.exe
outlook_office_path 1 IoCs
Processes: RUNDLL32.EXE
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
outlook_win_path 1 IoCs
Processes: RUNDLL32.EXE
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\12476bf4cc2940ef264ac615ac125bf89a1f76348a42a7410e6800380e36da84.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,s C:\Users\Admin\AppData\Local\Temp\12476B~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\RUNDLL32.EXE (depth 3)
      command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,OQwtdTN3
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\RUNDLL32.EXE (depth 4)
        command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL,gl0kdUpj
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe (depth 5)
          command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\ctfmon.exe (depth 6)
            command line: ctfmon.exe
        C:\Windows\SysWOW64\WerFault.exe (depth 5)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 784
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\RUNDLL32.EXE (depth 4)
        command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
        - Loads dropped DLL
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp65.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4ED5.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\nslookup.exe (depth 5)
          command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      C:\Windows\SysWOW64\schtasks.exe (depth 4)
        command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      C:\Windows\SysWOW64\schtasks.exe (depth 4)
        command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\PROGRA~3\zohplghndapsm.tmp
MD5: a6bed279111f34a8ef68dc7f275fea04
SHA1: 52f5ff67daf88eec2c5c379243f033fb650b5a7a
SHA256: a841c1b6357cd4b3ba9d3c77290197cc74bcb34242bfeb7a6b7fd8a4d25aeaea
SHA512: b6348d5e3e0e9df68fdb4e3d11c9d2d5e0e622965efbd69aa70c41d5a6b4203c20a89bd08b08a52233d98ee445e11459875f6c9c0890767d11cfa574cc431bfb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: f7a808b5711f58fb4f85476c1bb24ac3
SHA1: fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
SHA256: de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
SHA512: 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5: 7247129cd0644457905b7d6bf17fd078
SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 11955f4f9ef907047ada5a86642c281d
SHA1: dfc6fc2520ab5f14644c9a6e7855fe90c3b626a3
SHA256: 37d6fcb00ead5844b0a30506a5ec1f7b77d7ab8fc5fe4aadb974f9c65a3af2f1
SHA512: dfd22498e05bc3dbfe6157b2126b95bec9020a6f3ef7bd194ec83d0b510693c582f0a49179a96c875ef38f8818bc8c952dc08d07c1e8be411dea988122935fe2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: d1b036a135588a4a816b43f243abe46b
SHA1: b51d33f01245d8b19c7bf392c29ea0703d0d1c76
SHA256: 4c024515f1d6bd941dd9fbc8189183d36a5d0f8d06e08b1a3805820a80444075
SHA512: 6d2dc5d77f45741d587c4845a911a1060981aab769127c5dce6b538a6a6d948a148a1277dca03b344e9caca07747e9ee532e38ece4580f0601c7748728ce435a

C:\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5: 587f3156a92bcc5aeed7d02b3c2ec536
SHA1: 9a13cca82dc66604917a42672e901320ea8e4674
SHA256: a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a
SHA512: 7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5: 5951f0afa96cda14623b4cce74d58cca
SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

C:\Users\Admin\AppData\Local\Temp\tmp4ED5.tmp.ps1
MD5: 15f2fe04b5e3202356001ba9f6497000
SHA1: 83da8e9a5c7596f6ddd4414f0f69925b9fdc96b0
SHA256: 0fa189839e3e844fc336db4a500ca8e1371f7432a2c99f06194c95263c5a9613
SHA512: 9bc159ba3e5f09bb325e5d783a536e24027850874e0d3ec53e94c79ec5b4340584503d43314552d4bc8a2b3947453d65f60ac073e98ae87531b6417e28c89248

C:\Users\Admin\AppData\Local\Temp\tmp4ED6.tmp
MD5: 1860260b2697808b80802352fe324782
SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

C:\Users\Admin\AppData\Local\Temp\tmp65.tmp.ps1
MD5: aae041085ce3c3233112e477f62cea57
SHA1: 62ba6703e4eaf454185119cb649bd7d79a4e8943
SHA256: 51f761964f28c355d81067f246c14499b63df3f5f9b9ec03828df8ed479d145f
SHA512: 83f30821a4ee64bab1e6ff3f1c54c69e2fce887a09910f845b33243edaaea89b943101bda7ae4294f22258127e79dfc1a88ed9023b377332b85b1bc68880e2f3

C:\Users\Admin\AppData\Local\Temp\tmp66.tmp
MD5: c416c12d1b2b1da8c8655e393b544362
SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

\Users\Admin\AppData\Local\Temp\12476B~1.DLL
MD5: 587f3156a92bcc5aeed7d02b3c2ec536
SHA1: 9a13cca82dc66604917a42672e901320ea8e4674
SHA256: a26e6219aa61531dc2f870ccb38fb3be4ae22025329e6c8eefa3967b56df132a
SHA512: 7e19857f25bfeba8018812c55430734e6a45a4d3e2b6b5a3339795c6f1de2fdfbcfd8ec60cb859742ae2ccb88d232f487ed5ecb1894554b68369c9f1665cf7a9

\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
MD5: 5951f0afa96cda14623b4cce74d58cca
SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

memory/380-125-0x0000000000000000-mapping.dmp
memory/380-129-0x0000000000560000-0x0000000000561000-memory.dmp Filesize 4KB
memory/380-128-0x0000000004AE1000-0x0000000005AC5000-memory.dmp Filesize 15.9MB
memory/968-356-0x0000000000000000-mapping.dmp
memory/968-452-0x0000000004663000-0x0000000004664000-memory.dmp Filesize 4KB
memory/968-385-0x0000000004662000-0x0000000004663000-memory.dmp Filesize 4KB
memory/968-384-0x0000000004660000-0x0000000004661000-memory.dmp Filesize 4KB
memory/1140-151-0x0000000000000000-mapping.dmp
memory/1280-158-0x0000000000000000-mapping.dmp
memory/2992-449-0x0000000000000000-mapping.dmp
memory/3128-115-0x0000000004E90000-0x0000000004F7E000-memory.dmp Filesize 952KB
memory/3128-117-0x0000000000400000-0x0000000002FE6000-memory.dmp Filesize 43.9MB
memory/3128-116-0x0000000004F80000-0x0000000005085000-memory.dmp Filesize 1.0MB
memory/3244-206-0x00000000048F0000-0x00000000048F1000-memory.dmp Filesize 4KB
memory/3244-204-0x0000000007130000-0x0000000007131000-memory.dmp Filesize 4KB
memory/3244-274-0x0000000004A93000-0x0000000004A94000-memory.dmp Filesize 4KB
memory/3244-174-0x0000000004A92000-0x0000000004A93000-memory.dmp Filesize 4KB
memory/3244-173-0x0000000004A90000-0x0000000004A91000-memory.dmp Filesize 4KB
memory/3244-169-0x00000000048F0000-0x00000000048F1000-memory.dmp Filesize 4KB
memory/3244-167-0x0000000000000000-mapping.dmp
memory/3244-168-0x00000000048F0000-0x00000000048F1000-memory.dmp Filesize 4KB
memory/3312-122-0x00000000028A0000-0x0000000002A00000-memory.dmp Filesize 1.4MB
memory/3312-118-0x0000000000000000-mapping.dmp
memory/3312-123-0x0000000004781000-0x0000000005765000-memory.dmp Filesize 15.9MB
memory/3312-124-0x0000000005A00000-0x0000000005A01000-memory.dmp Filesize 4KB
memory/3344-453-0x0000000000000000-mapping.dmp
memory/3612-197-0x0000000008800000-0x0000000008801000-memory.dmp Filesize 4KB
memory/3612-140-0x0000000007510000-0x0000000007511000-memory.dmp Filesize 4KB
memory/3612-130-0x0000000000000000-mapping.dmp
memory/3612-132-0x00000000048D0000-0x00000000048D1000-memory.dmp Filesize 4KB
memory/3612-164-0x0000000007EE0000-0x0000000007EE1000-memory.dmp Filesize 4KB
memory/3612-165-0x0000000007140000-0x0000000007141000-memory.dmp Filesize 4KB
memory/3612-166-0x0000000008570000-0x0000000008571000-memory.dmp Filesize 4KB
memory/3612-160-0x0000000007BB0000-0x0000000007BB1000-memory.dmp Filesize 4KB
memory/3612-159-0x00000000074E0000-0x00000000074E1000-memory.dmp Filesize 4KB
memory/3612-135-0x00000000048D0000-0x00000000048D1000-memory.dmp Filesize 4KB
memory/3612-172-0x0000000008620000-0x0000000008621000-memory.dmp Filesize 4KB
memory/3612-137-0x0000000006ED0000-0x0000000006ED1000-memory.dmp Filesize 4KB
memory/3612-138-0x0000000006DB0000-0x0000000006DB1000-memory.dmp Filesize 4KB
memory/3612-179-0x00000000048D0000-0x00000000048D1000-memory.dmp Filesize 4KB
memory/3612-189-0x0000000009320000-0x0000000009353000-memory.dmp Filesize 204KB
memory/3612-195-0x000000007FC70000-0x000000007FC71000-memory.dmp Filesize 4KB
memory/3612-149-0x0000000006ED2000-0x0000000006ED3000-memory.dmp Filesize 4KB
memory/3612-161-0x0000000007D90000-0x0000000007D91000-memory.dmp Filesize 4KB
memory/3612-203-0x00000000096D0000-0x00000000096D1000-memory.dmp Filesize 4KB
memory/3612-211-0x0000000006ED3000-0x0000000006ED4000-memory.dmp Filesize 4KB
memory/3612-205-0x0000000009860000-0x0000000009861000-memory.dmp Filesize 4KB
memory/3776-152-0x00007FF65EC55FD0-mapping.dmp
memory/3776-162-0x0000000000530000-0x00000000006D0000-memory.dmp Filesize 1.6MB
memory/3776-163-0x00000218D28E0000-0x00000218D2A92000-memory.dmp Filesize 1.7MB
memory/3776-154-0x00000218D27B0000-0x00000218D27B2000-memory.dmp Filesize 8KB
memory/3776-156-0x00000218D27B0000-0x00000218D27B2000-memory.dmp Filesize 8KB
memory/3840-454-0x0000000000000000-mapping.dmp
memory/3928-139-0x0000000000560000-0x0000000000561000-memory.dmp Filesize 4KB
memory/3928-141-0x0000000003380000-0x0000000003381000-memory.dmp Filesize 4KB
memory/3928-147-0x0000000003390000-0x0000000003391000-memory.dmp Filesize 4KB
memory/3928-142-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB
memory/3928-136-0x0000000004F71000-0x0000000005F55000-memory.dmp Filesize 15.9MB
memory/3928-143-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB
memory/3928-148-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB
memory/3928-145-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB
memory/3928-131-0x0000000000000000-mapping.dmp
memory/3928-146-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB
memory/3928-150-0x0000000006020000-0x0000000006160000-memory.dmp Filesize 1.2MB