danabot | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

Analysis

max time kernel
143s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll
Size

2.5MB
MD5

de8b54a938ac18f15cad804d79a0e19d
SHA1

b6004c62e2d9dbad9cfd5f7e18647ac983788766
SHA256

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
SHA512

7b64a99baafc8e692a47b9856f96b6bafa3cae22bd293c0e8faf148bdfe3f1401d5c316017b5c2f778d02ebc87edd2474e525b225ddc00685bb14da4c484e776

Score

10^/10

danabot 40 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/676-117-0x0000000073D10000-0x0000000073E73000-memory.dmp	DanabotLoader2021
behavioral2/memory/676-118-0x0000000073D10000-0x0000000073F9E000-memory.dmp	DanabotLoader2021
behavioral2/memory/1916-126-0x0000000073D10000-0x0000000073F9E000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1228 created 676 1228 WerFault.exe rundll32.exe
PID 3220 created 2384 3220 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

21 676 rundll32.exe
32 1916 RUNDLL32.EXE
43 1916 RUNDLL32.EXE
44 1916 RUNDLL32.EXE
45 1916 RUNDLL32.EXE
46 1916 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1228 created 676	1228	WerFault.exe	rundll32.exe
PID 3220 created 2384	3220	WerFault.exe	RUNDLL32.EXE

flow	pid	process
21	676	rundll32.exe
32	1916	RUNDLL32.EXE
43	1916	RUNDLL32.EXE
44	1916	RUNDLL32.EXE
45	1916	RUNDLL32.EXE
46	1916	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2384 set thread context of 3180 2384 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Bynootykhhl.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1228 676 WerFault.exe rundll32.exe
3220 2384 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 2384 set thread context of 3180	2384	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Bynootykhhl.tmp	rundll32.exe

pid	pid_target	process	target process
1228	676	WerFault.exe	rundll32.exe
3220	2384	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 47 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\952EA1003E119595C1D9690066CB2E670661999F\Blob = 030000000100000014000000952ea1003e119595c1d9690066cb2e670661999f20000000010000009f0200003082029b30820204a003020102020812b9b6d844ed1a2c300d06092a864886f70d01010b05003074311f301d06035504030c165468617774652054696d657374616d70706e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3139313032333033303335395a170d3233313032323033303335395a3074311f301d06035504030c165468617774652054696d657374616d70706e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100f1aaef834f37a501106edf0844c785fa0a76f60d6de404ad157995f9224d12b554c29d25c9bd7e0bfd7863ddec749264367e6fdf5b1d3106b9a9708877168929fa31c4aa5ff41e373c1480212756b69c6f405755d0382d05e6dde4d0eaa2204f5702b3266dcb69f94ceff17843cb7a1767e753aeaf014196c14742e7722aab6f0203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a301882165468617774652054696d657374616d70706e67204341300d06092a864886f70d01010b0500038181003c2676d948145c39e9f4ba6afb0e298aa82aa2172b5c2b51df7733bbbfd24c03a516040070e8aecdf133f6fe064db577c2e854df19b065eb5755d3d4a9030f5ad1948f0f0b225fb7f35e66a996f766fb8bf8c934d671ed6060a5c683c7b8000b0be8b5c117628ec64ce0f66765962bc87f9aa61eb2d6e3364f2db86e5575d30f	RUNDLL32.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\952EA1003E119595C1D9690066CB2E670661999F	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1228	WerFault.exe
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe
2384	RUNDLL32.EXE
2384	RUNDLL32.EXE
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
3220	WerFault.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
1916	RUNDLL32.EXE
1916	RUNDLL32.EXE
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1228	WerFault.exe
Token: SeBackupPrivilege	1228	WerFault.exe
Token: SeDebugPrivilege	1228	WerFault.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	3220	WerFault.exe
Token: SeDebugPrivilege	1916	RUNDLL32.EXE
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

3180 rundll32.exe
1916 RUNDLL32.EXE

pid	process
3180	rundll32.exe
1916	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 2332 wrote to memory of 676	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 676	2332	rundll32.exe	rundll32.exe
PID 2332 wrote to memory of 676	2332	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 1916	676	rundll32.exe	RUNDLL32.EXE
PID 676 wrote to memory of 1916	676	rundll32.exe	RUNDLL32.EXE
PID 676 wrote to memory of 1916	676	rundll32.exe	RUNDLL32.EXE
PID 1916 wrote to memory of 3448	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 3448	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 3448	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 2384	1916	RUNDLL32.EXE	RUNDLL32.EXE
PID 1916 wrote to memory of 2384	1916	RUNDLL32.EXE	RUNDLL32.EXE
PID 1916 wrote to memory of 2384	1916	RUNDLL32.EXE	RUNDLL32.EXE
PID 2384 wrote to memory of 3180	2384	RUNDLL32.EXE	rundll32.exe
PID 2384 wrote to memory of 3180	2384	RUNDLL32.EXE	rundll32.exe
PID 2384 wrote to memory of 3180	2384	RUNDLL32.EXE	rundll32.exe
PID 3180 wrote to memory of 2380	3180	rundll32.exe	ctfmon.exe
PID 3180 wrote to memory of 2380	3180	rundll32.exe	ctfmon.exe
PID 1916 wrote to memory of 996	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 996	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 996	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 2284	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 2284	1916	RUNDLL32.EXE	powershell.exe
PID 1916 wrote to memory of 2284	1916	RUNDLL32.EXE	powershell.exe
PID 2284 wrote to memory of 3588	2284	powershell.exe	nslookup.exe
PID 2284 wrote to memory of 3588	2284	powershell.exe	nslookup.exe
PID 2284 wrote to memory of 3588	2284	powershell.exe	nslookup.exe
PID 1916 wrote to memory of 2316	1916	RUNDLL32.EXE	schtasks.exe
PID 1916 wrote to memory of 2316	1916	RUNDLL32.EXE	schtasks.exe
PID 1916 wrote to memory of 2316	1916	RUNDLL32.EXE	schtasks.exe
PID 1916 wrote to memory of 960	1916	RUNDLL32.EXE	schtasks.exe
PID 1916 wrote to memory of 960	1916	RUNDLL32.EXE	schtasks.exe
PID 1916 wrote to memory of 960	1916	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
2⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,RDUPN05MTTNQ
3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,gixVWDdONw==
4⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1388
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpF3E1.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB25.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:3588

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2316

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 1388
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Bynootykhhl.tmp
MD5
4bca84d5edf3e593ec56cc821b6bd1b9

SHA1
23f954be80e90a15c78e83c91fde3e39721aa74d

SHA256
c117355e69d059a29c8c39a2434a2b3a45d4339293c1c0591038838a3757056d

SHA512
f7b7382f72fbf2cba9784ad4d05f6eda8e5f2cf7851bc921fa364f3552c9112bb50ae41432b99277c37b78b4f7b01c50738ad04a554f05996b68f3dc1a39561c

Download Submit
C:\PROGRA~3\Bynootykhhl.tmp
MD5
f6b6c54afb193322c19b448d967bbbce

SHA1
529e99d03cf159d70aa425ea388eb090dae46ec8

SHA256
774b622d31333962c4dab797022318ee673ca713c16d5c6fd3557df413dcf8f5

SHA512
6737ae27b3c9fedf5ece9ff786347ed2f22ad161e1d95295a3aed11ea63d00e3f739480922f141943532fef7b8166467304bea7d1015a53f14e5012e784217a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
df31a1ff981ffbac12d80579681d9928

SHA1
9929af950f61c6e6cae9a5f0767e2fd7f1f1431e

SHA256
02562ad07ef22fb765dd6e433578953c29d63d62e73ee45dad18307ce713ddbc

SHA512
3dbd274ae127f4835bbac3e0c759cec808dd7fddbf14b216788c86d6433f827c78b251a27b59b433434001134585c8a003eb1ea44442faec59a76157eb4692c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e459e1a874f7e7f421fc9cda30803d13

SHA1
01a02c48f8341a219225723361440818bde34e56

SHA256
b14e897b2fadeff0fa9f2af762886097e63fe9dd290f1364c6ffcf7ed2f67800

SHA512
83668e63f1c9993faa9ce8364405b431bd2569d751c36a6234224f8d7160d94224ad8647106a5b7160fac29dc9907094771e310dfb01fb2962ccdd9aa2838114

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB25.tmp.ps1
MD5
500925541ad54c3c290a0e21c520d530

SHA1
c47e98816f1393bee6917005a8ee221d50e2b46b

SHA256
b2b018dbcf8288bade16b55431fdb198dc088ec2fe34cbf7e98b471002aa7902

SHA512
6b424f055654964d1cb61fa7cead00c9318dace20a8cffe1613a5315b52bc765c027b3123921ecaf64f781afc9540e6f1440f8eb25a0bfa09d882d5e32bcd234

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3E1.tmp.ps1
MD5
065393202736693d9f67a3a55ad070fd

SHA1
56ab03114e953e2f7923d6b3f53e34fbac6b4a20

SHA256
3095cb812d11e10664af1ed6aa28531605d1bb9498dcb0c2e0122f1d96732404

SHA512
3271329ad80c9893c9a2a60e5832c9c5b4b3eab5a2c747644b7623ac366807adbbf0afe930829db31579341d96ebea8fecdef40172aec8e741e91dd85cd59783

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3E2.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
memory/676-118-0x0000000073D10000-0x0000000073F9E000-memory.dmp

Filesize
2.6MB

Download
memory/676-120-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/676-122-0x00000000743D0000-0x00000000743D1000-memory.dmp

Filesize
4KB

Download
memory/676-115-0x0000000000000000-mapping.dmp

Download
memory/676-117-0x0000000073D10000-0x0000000073E73000-memory.dmp

Filesize
1.4MB

Download
memory/676-121-0x00000000047C1000-0x00000000057A5000-memory.dmp

Filesize
15.9MB

Download
memory/676-116-0x0000000073D10000-0x0000000073F9E000-memory.dmp

Filesize
2.6MB

Download
memory/960-468-0x0000000000000000-mapping.dmp

Download
memory/996-426-0x00000000069A0000-0x00000000069A1000-memory.dmp

Filesize
4KB

Download
memory/996-427-0x00000000069A2000-0x00000000069A3000-memory.dmp

Filesize
4KB

Download
memory/996-440-0x00000000069A3000-0x00000000069A4000-memory.dmp

Filesize
4KB

Download
memory/996-413-0x0000000000000000-mapping.dmp

Download
memory/1916-128-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/1916-126-0x0000000073D10000-0x0000000073F9E000-memory.dmp

Filesize
2.6MB

Download
memory/1916-124-0x0000000073D10000-0x0000000073F9E000-memory.dmp

Filesize
2.6MB

Download
memory/1916-123-0x0000000000000000-mapping.dmp

Download
memory/1916-131-0x00000000743D0000-0x00000000743D1000-memory.dmp

Filesize
4KB

Download
memory/1916-130-0x0000000005231000-0x0000000006215000-memory.dmp

Filesize
15.9MB

Download
memory/2284-448-0x0000000000CD2000-0x0000000000CD3000-memory.dmp

Filesize
4KB

Download
memory/2284-466-0x0000000000CD3000-0x0000000000CD4000-memory.dmp

Filesize
4KB

Download
memory/2284-441-0x0000000000000000-mapping.dmp

Download
memory/2284-446-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2316-467-0x0000000000000000-mapping.dmp

Download
memory/2380-412-0x0000000000000000-mapping.dmp

Download
memory/2384-408-0x0000000004E91000-0x0000000005E75000-memory.dmp

Filesize
15.9MB

Download
memory/2384-409-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2384-388-0x0000000000C40000-0x0000000000CEE000-memory.dmp

Filesize
696KB

Download
memory/2384-137-0x0000000000000000-mapping.dmp

Download
memory/3180-410-0x0000000000770000-0x0000000000910000-memory.dmp

Filesize
1.6MB

Download
memory/3180-411-0x000002793AA60000-0x000002793AC12000-memory.dmp

Filesize
1.7MB

Download
memory/3180-404-0x00007FF7A5D85FD0-mapping.dmp

Download
memory/3448-136-0x0000000000000000-mapping.dmp

Download
memory/3448-147-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/3448-172-0x00000000042F3000-0x00000000042F4000-memory.dmp

Filesize
4KB

Download
memory/3448-171-0x000000007E9A0000-0x000000007E9A1000-memory.dmp

Filesize
4KB

Download
memory/3448-170-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/3448-165-0x0000000008D10000-0x0000000008D11000-memory.dmp

Filesize
4KB

Download
memory/3448-158-0x0000000008D50000-0x0000000008D83000-memory.dmp

Filesize
204KB

Download
memory/3448-151-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3448-150-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/3448-149-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3448-148-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3448-173-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/3448-146-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3448-145-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3448-144-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/3448-143-0x00000000042F2000-0x00000000042F3000-memory.dmp

Filesize
4KB

Download
memory/3448-142-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/3448-138-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3448-141-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3448-140-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3448-139-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3588-463-0x0000000000000000-mapping.dmp

Download