danabot | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

General

Target

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll
Size

2.5MB
MD5

de8b54a938ac18f15cad804d79a0e19d
SHA1

b6004c62e2d9dbad9cfd5f7e18647ac983788766
SHA256

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
SHA512

7b64a99baafc8e692a47b9856f96b6bafa3cae22bd293c0e8faf148bdfe3f1401d5c316017b5c2f778d02ebc87edd2474e525b225ddc00685bb14da4c484e776

Score

10^/10

danabot 40 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

C2

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

40

C2

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/872-59-0x0000000074E00000-0x0000000074F63000-memory.dmp	DanabotLoader2021
behavioral1/memory/872-60-0x0000000074E00000-0x000000007508E000-memory.dmp	DanabotLoader2021
behavioral1/memory/288-67-0x0000000074E00000-0x0000000074F63000-memory.dmp	DanabotLoader2021
behavioral1/memory/288-68-0x0000000074E00000-0x000000007508E000-memory.dmp	DanabotLoader2021
behavioral1/memory/1672-78-0x0000000074E00000-0x000000007508E000-memory.dmp	DanabotLoader2021

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

2 872 rundll32.exe
3 288 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
2	872	rundll32.exe
3	288	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 1672 set thread context of 1732 1672 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Bynootykhhl.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1672 set thread context of 1732	1672	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Bynootykhhl.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 43 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	RUNDLL32.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F611630B86ED3AC6734E9229493E4F23ED65D8D9\Blob = 030000000100000014000000f611630b86ed3ac6734e9229493e4f23ed65d8d920000000010000006a02000030820266308201cfa00302010202083d81add56fa21951300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417566686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3139313032333136313530395a170d3233313032323136313530395a30503132303006035504030c294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417566686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100a718ef8f269ccd039fa7dab5c93fe173611f4f0807aaf037ce60ce228deb07b7366b9a16fdd300797696b6f96033720de660be330795f12348f2cfd64996093689433bec98ece7a3866cb3b259642bc61f290ae0bd91b5d4181cfadedcae0b40605f157e9e53f87dc1197d74ecefd21edb471bb9f6903af6c888778649be49c30203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417566686f72697479300d06092a864886f70d01010b05000381810028ebfb5f5c20edb32d7abdd80d1d4dfad90d29b873f1f3e51f3e99cc3b871634741cc141eed5b85670cbd6456f1e71eb0c6ac862bbd5818e20b0eb093a2816afff078d6b45cc68fa79176a3a695d3aaeb6718586d559a38b72847a7caba21387483c985c427072fa915972b82d06a803c0e0d523ab9f6d5cd087354d8520e2cc	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F611630B86ED3AC6734E9229493E4F23ED65D8D9	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

RUNDLL32.EXERUNDLL32.EXEpowershell.exepowershell.exe

pid process

288 RUNDLL32.EXE
288 RUNDLL32.EXE
288 RUNDLL32.EXE
1672 RUNDLL32.EXE
940 powershell.exe
288 RUNDLL32.EXE
288 RUNDLL32.EXE
968 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RUNDLL32.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 288 RUNDLL32.EXE
Token: SeDebugPrivilege 940 powershell.exe
Token: SeDebugPrivilege 968 powershell.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

1732 rundll32.exe
288 RUNDLL32.EXE

pid	process
288	RUNDLL32.EXE
288	RUNDLL32.EXE
288	RUNDLL32.EXE
1672	RUNDLL32.EXE
940	powershell.exe
288	RUNDLL32.EXE
288	RUNDLL32.EXE
968	powershell.exe

description	pid	process
Token: SeDebugPrivilege	288	RUNDLL32.EXE
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe

pid	process
1732	rundll32.exe
288	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 872	1712	rundll32.exe	rundll32.exe
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 872 wrote to memory of 288	872	rundll32.exe	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 288 wrote to memory of 1672	288	RUNDLL32.EXE	RUNDLL32.EXE
PID 1672 wrote to memory of 1732	1672	RUNDLL32.EXE	rundll32.exe
PID 1672 wrote to memory of 1732	1672	RUNDLL32.EXE	rundll32.exe
PID 1672 wrote to memory of 1732	1672	RUNDLL32.EXE	rundll32.exe
PID 1672 wrote to memory of 1732	1672	RUNDLL32.EXE	rundll32.exe
PID 1672 wrote to memory of 1732	1672	RUNDLL32.EXE	rundll32.exe
PID 1732 wrote to memory of 1108	1732	rundll32.exe	ctfmon.exe
PID 1732 wrote to memory of 1108	1732	rundll32.exe	ctfmon.exe
PID 1732 wrote to memory of 1108	1732	rundll32.exe	ctfmon.exe
PID 288 wrote to memory of 940	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 940	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 940	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 940	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 968	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 968	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 968	288	RUNDLL32.EXE	powershell.exe
PID 288 wrote to memory of 968	288	RUNDLL32.EXE	powershell.exe
PID 968 wrote to memory of 728	968	powershell.exe	nslookup.exe
PID 968 wrote to memory of 728	968	powershell.exe	nslookup.exe
PID 968 wrote to memory of 728	968	powershell.exe	nslookup.exe
PID 968 wrote to memory of 728	968	powershell.exe	nslookup.exe
PID 288 wrote to memory of 1664	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1664	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1664	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1664	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1588	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1588	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1588	288	RUNDLL32.EXE	schtasks.exe
PID 288 wrote to memory of 1588	288	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
2⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,bDA8N0paNXY=
3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:288

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,UColc0gy
4⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17739
5⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF95C.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp25EA.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:728

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Bynootykhhl.tmp
MD5
4bca84d5edf3e593ec56cc821b6bd1b9

SHA1
23f954be80e90a15c78e83c91fde3e39721aa74d

SHA256
c117355e69d059a29c8c39a2434a2b3a45d4339293c1c0591038838a3757056d

SHA512
f7b7382f72fbf2cba9784ad4d05f6eda8e5f2cf7851bc921fa364f3552c9112bb50ae41432b99277c37b78b4f7b01c50738ad04a554f05996b68f3dc1a39561c

Download Submit
C:\PROGRA~3\Bynootykhhl.tmp
MD5
081d53295a2aca5db20e49c64e7ffc49

SHA1
6cfdbce0d64d71006fd1823e1f1b37db9d0e136a

SHA256
e1e9152af525587c4cdb6f746c25815cf241ad4453b5f33e1529baa2409edfac

SHA512
c4eced9bb4ae110e8141cf1677d046c49d2bf01d551f338065a1d1f5f664ffc82fcbe4f38b3f4edf12f0efec33399f5194a894ede16bb9a573451c1f0ae6d8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25EA.tmp.ps1
MD5
9098442deb6827d0131a31c8d56fae12

SHA1
7e661d2f63aeb8c57c79988f83f1f87094580727

SHA256
543846ff602ed5ade02eb30bc3824df77b796b52eda2d0e601e0a7acfb7a9fb4

SHA512
533ec444218feb7bd22bc4ed3f764090a3e03314eb11145ea5878be9eda59373b61de273c02f71325abfe6de0c3292fc52860c14dc603f4b70b0923cf1cede18

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25EB.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF95C.tmp.ps1
MD5
3cbdc505032784bc778cfb05b61eb4a3

SHA1
94362cd111e5b0baa9b6f661f466e0adde315133

SHA256
c7d9a7d9d11d600ed8b9033b016ac12ac5ef784d87b090374384ae71f1dc736d

SHA512
fa241d9642e5fd438880f8009e655bebe7bd3b68f7f706b76dc3a5a51cd4832635c25b91531e12c9e4ff6688a8274a2e491541d3ea83ab65318ad318985b61bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
d0225b4c4a130b450c7f09c5401acd71

SHA1
8c3376b82faaa46ed5cbe1380a1ebf341d1808e3

SHA256
6e67f9a9acb03194d41082fef7b9c913993b9c9ed5375562444248561db76d0c

SHA512
9b7286a51956de1117c96f42d18254fac320c261f86c60b2ba45bea1b64e31fb3c44aeff49d48ab86e0c6750acf9687879b4e29061ced984b9c755967df95828

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/288-73-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/288-72-0x0000000075090000-0x0000000075091000-memory.dmp

Filesize
4KB

Download
memory/288-66-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/288-67-0x0000000074E00000-0x0000000074F63000-memory.dmp

Filesize
1.4MB

Download
memory/288-68-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/288-64-0x0000000000000000-mapping.dmp

Download
memory/288-71-0x00000000023A1000-0x0000000003385000-memory.dmp

Filesize
15.9MB

Download
memory/728-111-0x0000000000000000-mapping.dmp

Download
memory/872-63-0x0000000075090000-0x0000000075091000-memory.dmp

Filesize
4KB

Download
memory/872-55-0x0000000000000000-mapping.dmp

Download
memory/872-62-0x0000000002331000-0x0000000003315000-memory.dmp

Filesize
15.9MB

Download
memory/872-60-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/872-59-0x0000000074E00000-0x0000000074F63000-memory.dmp

Filesize
1.4MB

Download
memory/872-58-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/872-57-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/872-56-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/940-103-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/940-104-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/940-102-0x0000000002490000-0x00000000030DA000-memory.dmp

Filesize
12.3MB

Download
memory/940-100-0x0000000000000000-mapping.dmp

Download
memory/968-116-0x0000000000552000-0x0000000000554000-memory.dmp

Filesize
8KB

Download
memory/968-114-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/968-115-0x0000000000551000-0x0000000000552000-memory.dmp

Filesize
4KB

Download
memory/968-106-0x0000000000000000-mapping.dmp

Download
memory/1108-98-0x0000000000000000-mapping.dmp

Download
memory/1588-117-0x0000000000000000-mapping.dmp

Download
memory/1664-113-0x0000000000000000-mapping.dmp

Download
memory/1672-76-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/1672-92-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-88-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-90-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-85-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-91-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1672-84-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1672-93-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-83-0x0000000075090000-0x0000000075091000-memory.dmp

Filesize
4KB

Download
memory/1672-79-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1672-78-0x0000000074E00000-0x000000007508E000-memory.dmp

Filesize
2.6MB

Download
memory/1672-86-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1672-74-0x0000000000000000-mapping.dmp

Download
memory/1732-99-0x0000000001E50000-0x0000000002002000-memory.dmp

Filesize
1.7MB

Download
memory/1732-94-0x00000000FF8C3CEC-mapping.dmp

Download
memory/1732-96-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1732-89-0x00000000000E0000-0x0000000000280000-memory.dmp

Filesize
1.6MB

Download
memory/1732-97-0x00000000000E0000-0x0000000000280000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads