danabot | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

Analysis

max time kernel
139s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8b54a938ac18f15cad804d79a0e19d.dll
Size

2.5MB
MD5

de8b54a938ac18f15cad804d79a0e19d
SHA1

b6004c62e2d9dbad9cfd5f7e18647ac983788766
SHA256

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
SHA512

7b64a99baafc8e692a47b9856f96b6bafa3cae22bd293c0e8faf148bdfe3f1401d5c316017b5c2f778d02ebc87edd2474e525b225ddc00685bb14da4c484e776

Score

10^/10

danabot 40 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/740-117-0x00000000739D0000-0x0000000073B33000-memory.dmp	DanabotLoader2021
behavioral2/memory/740-118-0x00000000739D0000-0x0000000073C5E000-memory.dmp	DanabotLoader2021
behavioral2/memory/4624-126-0x00000000739D0000-0x0000000073C5E000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 3444 created 740 3444 WerFault.exe rundll32.exe
PID 1580 created 1312 1580 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

22 740 rundll32.exe
25 4624 RUNDLL32.EXE
36 4624 RUNDLL32.EXE
37 4624 RUNDLL32.EXE
38 4624 RUNDLL32.EXE
39 4624 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3444 created 740	3444	WerFault.exe	rundll32.exe
PID 1580 created 1312	1580	WerFault.exe	RUNDLL32.EXE

flow	pid	process
22	740	rundll32.exe
25	4624	RUNDLL32.EXE
36	4624	RUNDLL32.EXE
37	4624	RUNDLL32.EXE
38	4624	RUNDLL32.EXE
39	4624	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1312 set thread context of 1300 1312 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Bynootykhhl.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3444 740 WerFault.exe rundll32.exe
1580 1312 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 1312 set thread context of 1300	1312	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Bynootykhhl.tmp	rundll32.exe

pid	pid_target	process	target process
3444	740	WerFault.exe	rundll32.exe
1580	1312	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F3D724E578BAFFDDCDB1AFD55C8CD63F88653292	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F3D724E578BAFFDDCDB1AFD55C8CD63F88653292\Blob = 030000000100000014000000f3d724e578baffddcdb1afd55c8cd63f886532922000000001000000230200003082021f30820188a003020102020818503ad05856c492300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686d72697479301e170d3139313032333133303635355a170d3233313032323133303635355a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686d7269747930819f300d06092a864886f70d010101050003818d0030818902818100a924578a17ddfcc27ab528497d98bc37ae45c4293449cb55e5e937a56fea6a8a7412ef7145acb6220b215ab8167d592ff0e7c68be2ffdd8ce0806d7a8a4148e388394ec904e30dfdb2704c9769930c5f06613f9e91ffa541a6ce1e6e2940ceb1e2de4f079e92c08831adfbb9e85b7e82df140ff046868b63115305fadb1361350203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361746520417574686d72697479300d06092a864886f70d01010b05000381810091d0db328b63f799e516614addbe568dca632daa5c5cacbe85bd88e2298209636815e5042a13f795e78fd50fa87409e50d28fe8d7b304c2598b4df4bd6829de6165314ecc40b6d81f6828d60883079a54d11c00dff1cd6b7337aa22bcfada11a8dd10a3bdaa5c1011fc3eaefa9f46a32ba628ee301c6d1eec2998852fb683a95	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
3444	WerFault.exe
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
900	powershell.exe
900	powershell.exe
900	powershell.exe
1312	RUNDLL32.EXE
1312	RUNDLL32.EXE
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
1580	WerFault.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
4624	RUNDLL32.EXE
4624	RUNDLL32.EXE
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	3444	WerFault.exe
Token: SeBackupPrivilege	3444	WerFault.exe
Token: SeDebugPrivilege	3444	WerFault.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1580	WerFault.exe
Token: SeDebugPrivilege	4624	RUNDLL32.EXE
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1300 rundll32.exe
4624 RUNDLL32.EXE

pid	process
1300	rundll32.exe
4624	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2864 wrote to memory of 740	2864	rundll32.exe	rundll32.exe
PID 2864 wrote to memory of 740	2864	rundll32.exe	rundll32.exe
PID 2864 wrote to memory of 740	2864	rundll32.exe	rundll32.exe
PID 740 wrote to memory of 4624	740	rundll32.exe	RUNDLL32.EXE
PID 740 wrote to memory of 4624	740	rundll32.exe	RUNDLL32.EXE
PID 740 wrote to memory of 4624	740	rundll32.exe	RUNDLL32.EXE
PID 4624 wrote to memory of 900	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 900	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 900	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 1312	4624	RUNDLL32.EXE	RUNDLL32.EXE
PID 4624 wrote to memory of 1312	4624	RUNDLL32.EXE	RUNDLL32.EXE
PID 4624 wrote to memory of 1312	4624	RUNDLL32.EXE	RUNDLL32.EXE
PID 1312 wrote to memory of 1300	1312	RUNDLL32.EXE	rundll32.exe
PID 1312 wrote to memory of 1300	1312	RUNDLL32.EXE	rundll32.exe
PID 1312 wrote to memory of 1300	1312	RUNDLL32.EXE	rundll32.exe
PID 1300 wrote to memory of 3080	1300	rundll32.exe	ctfmon.exe
PID 1300 wrote to memory of 3080	1300	rundll32.exe	ctfmon.exe
PID 4624 wrote to memory of 2968	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 2968	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 2968	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 3728	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 3728	4624	RUNDLL32.EXE	powershell.exe
PID 4624 wrote to memory of 3728	4624	RUNDLL32.EXE	powershell.exe
PID 3728 wrote to memory of 2188	3728	powershell.exe	nslookup.exe
PID 3728 wrote to memory of 2188	3728	powershell.exe	nslookup.exe
PID 3728 wrote to memory of 2188	3728	powershell.exe	nslookup.exe
PID 4624 wrote to memory of 2524	4624	RUNDLL32.EXE	schtasks.exe
PID 4624 wrote to memory of 2524	4624	RUNDLL32.EXE	schtasks.exe
PID 4624 wrote to memory of 2524	4624	RUNDLL32.EXE	schtasks.exe
PID 4624 wrote to memory of 2820	4624	RUNDLL32.EXE	schtasks.exe
PID 4624 wrote to memory of 2820	4624	RUNDLL32.EXE	schtasks.exe
PID 4624 wrote to memory of 2820	4624	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8b54a938ac18f15cad804d79a0e19d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8b54a938ac18f15cad804d79a0e19d.dll,#1
2⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\de8b54a938ac18f15cad804d79a0e19d.dll,ZkocUURIVFE0
3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\de8b54a938ac18f15cad804d79a0e19d.dll
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\de8b54a938ac18f15cad804d79a0e19d.dll,mTdhNA==
4⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1380
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC32D.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD33C.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:2188

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2524

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1388
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Bynootykhhl.tmp
MD5
4bca84d5edf3e593ec56cc821b6bd1b9

SHA1
23f954be80e90a15c78e83c91fde3e39721aa74d

SHA256
c117355e69d059a29c8c39a2434a2b3a45d4339293c1c0591038838a3757056d

SHA512
f7b7382f72fbf2cba9784ad4d05f6eda8e5f2cf7851bc921fa364f3552c9112bb50ae41432b99277c37b78b4f7b01c50738ad04a554f05996b68f3dc1a39561c

Download Submit
C:\PROGRA~3\Bynootykhhl.tmp
MD5
abfa8793cbf5231490b64d2e11f06652

SHA1
374b48a5bef51fa89bf0dabe620933ac86623e8c

SHA256
c245d233c217a727be87362d581812c916cef5de060cd19641bc336c79e79f61

SHA512
38ea411b97a229f1409c03de5418db7614c5c618f2a4efe8bf77568c510d7ca2255d1b9f6f053ed49dc00eeeb7fe18754f5cba645369bd2f0bf519b7faf83a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a5c13b40083daf1a433a6c2d71bf39b2

SHA1
e8aff142a3fb6a1606990e6463f13aa4d5c2aff6

SHA256
c0e99853f2b0dd78185f03c5caedc6a30313991ab37aea71f646a9ab2cd95593

SHA512
c85489a00b17bd09594fb323b10412a7c64f2232a7eb18f1e71d117e5f50afd4793178325a11694cfa5976721d97245b593fa4279d26614a8e0d728c3a7d53f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d187bd05dc9431feb85c11ee1f07e5f5

SHA1
cf61f03a41c6ad36b073835d9ba35cfc13d4c4c1

SHA256
963d2ad177817e06b8e5703b25ed692b85136a8ccba79547c4eefdc14f891fe9

SHA512
07a39bf55f56f9268e06ae66c47858b429d22120cdaa7a4379f4763cd76e9b2f3a8ed80c8c1dde29bd1f8292d7aac9905d1c1177b63ace37ad5cf3682e4895c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC32D.tmp.ps1
MD5
5a3ea1b44d7a6663ce61becfcac4a139

SHA1
33beb28fc094333960b754c196063851ad543caa

SHA256
1561c97653ff2c0b3076ee2f56732ba35b4707dac45a38e56070fe2b0eaf9d17

SHA512
96cef8e5df83e0ce4b99157214eb78ac7cdc77cadb157f0a15344d4777fa5ef19addcbb100f4f5f730579eed0b3a6c4905515751aa4e51a04ee0789849cd2fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC32E.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD33C.tmp.ps1
MD5
cdd15a1d2245f0ed530b5f9c61622679

SHA1
3cc748b823b04eb3972d94720484a3df545c1c95

SHA256
5a5ec993c0e11fd0708d3bb6aef3448b4f52673df72e91d1252ada8ad7dcfa34

SHA512
2287abe64e436434b001409396bf443e697876f502f41e4afc46d2bb7bc4b7d9c8cb7b37b6ce493903ee983a8d1dd0a5f63243052999e1cb851606a28f4c6925

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD33D.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/740-122-0x0000000074070000-0x0000000074071000-memory.dmp

Filesize
4KB

Download
memory/740-121-0x0000000004DA1000-0x0000000005D85000-memory.dmp

Filesize
15.9MB

Download
memory/740-120-0x0000000000CC0000-0x0000000000D6E000-memory.dmp

Filesize
696KB

Download
memory/740-118-0x00000000739D0000-0x0000000073C5E000-memory.dmp

Filesize
2.6MB

Download
memory/740-117-0x00000000739D0000-0x0000000073B33000-memory.dmp

Filesize
1.4MB

Download
memory/740-116-0x00000000739D0000-0x0000000073C5E000-memory.dmp

Filesize
2.6MB

Download
memory/740-115-0x0000000000000000-mapping.dmp

Download
memory/900-134-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/900-135-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/900-136-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/900-132-0x0000000000000000-mapping.dmp

Download
memory/900-138-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/900-139-0x0000000001372000-0x0000000001373000-memory.dmp

Filesize
4KB

Download
memory/900-140-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/900-141-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/900-142-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

Filesize
4KB

Download
memory/900-143-0x0000000007E20000-0x0000000007E21000-memory.dmp

Filesize
4KB

Download
memory/900-144-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/900-145-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/900-146-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/900-147-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/900-154-0x00000000095B0000-0x00000000095E3000-memory.dmp

Filesize
204KB

Download
memory/900-161-0x0000000009350000-0x0000000009351000-memory.dmp

Filesize
4KB

Download
memory/900-166-0x00000000096E0000-0x00000000096E1000-memory.dmp

Filesize
4KB

Download
memory/900-167-0x000000007EED0000-0x000000007EED1000-memory.dmp

Filesize
4KB

Download
memory/900-168-0x00000000098D0000-0x00000000098D1000-memory.dmp

Filesize
4KB

Download
memory/900-173-0x0000000001373000-0x0000000001374000-memory.dmp

Filesize
4KB

Download
memory/900-133-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1300-401-0x00007FF623A15FD0-mapping.dmp

Download
memory/1300-407-0x0000000000140000-0x00000000002E0000-memory.dmp

Filesize
1.6MB

Download
memory/1300-408-0x0000016A493C0000-0x0000016A49572000-memory.dmp

Filesize
1.7MB

Download
memory/1312-400-0x0000000004A61000-0x0000000005A45000-memory.dmp

Filesize
15.9MB

Download
memory/1312-389-0x0000000000A00000-0x0000000000B4A000-memory.dmp

Filesize
1.3MB

Download
memory/1312-406-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/1312-137-0x0000000000000000-mapping.dmp

Download
memory/2188-459-0x0000000000000000-mapping.dmp

Download
memory/2524-463-0x0000000000000000-mapping.dmp

Download
memory/2820-464-0x0000000000000000-mapping.dmp

Download
memory/2968-409-0x0000000000000000-mapping.dmp

Download
memory/2968-424-0x0000000006F62000-0x0000000006F63000-memory.dmp

Filesize
4KB

Download
memory/2968-423-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/2968-436-0x0000000006F63000-0x0000000006F64000-memory.dmp

Filesize
4KB

Download
memory/3080-405-0x0000000000000000-mapping.dmp

Download
memory/3728-437-0x0000000000000000-mapping.dmp

Download
memory/3728-446-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3728-447-0x0000000000FA2000-0x0000000000FA3000-memory.dmp

Filesize
4KB

Download
memory/3728-462-0x0000000000FA3000-0x0000000000FA4000-memory.dmp

Filesize
4KB

Download
memory/4624-129-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4624-124-0x00000000739D0000-0x0000000073C5E000-memory.dmp

Filesize
2.6MB

Download
memory/4624-123-0x0000000000000000-mapping.dmp

Download
memory/4624-126-0x00000000739D0000-0x0000000073C5E000-memory.dmp

Filesize
2.6MB

Download
memory/4624-130-0x00000000045E1000-0x00000000055C5000-memory.dmp

Filesize
15.9MB

Download
memory/4624-131-0x0000000074070000-0x0000000074071000-memory.dmp

Filesize
4KB

Download