danabot | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd

Analysis

max time kernel
137s
max time network
135s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll
Size

2.5MB
MD5

de8b54a938ac18f15cad804d79a0e19d
SHA1

b6004c62e2d9dbad9cfd5f7e18647ac983788766
SHA256

2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
SHA512

7b64a99baafc8e692a47b9856f96b6bafa3cae22bd293c0e8faf148bdfe3f1401d5c316017b5c2f778d02ebc87edd2474e525b225ddc00685bb14da4c484e776

Score

10^/10

danabot 40 banker collection discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
loader

rsa_pubkey.plain

rsa_privkey.plain

Extracted

Family

danabot

Version

2052

Botnet

185.158.250.216:443

194.76.225.46:443

45.11.180.153:443

194.76.225.61:443

Attributes

embedded_hash
AD14EA44261341E3690FA8CC1E236523
type
main

rsa_privkey.plain

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot Loader Component 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1864-119-0x0000000073620000-0x00000000738AE000-memory.dmp	DanabotLoader2021
behavioral1/memory/1864-118-0x0000000073620000-0x0000000073783000-memory.dmp	DanabotLoader2021
behavioral1/memory/748-126-0x0000000073620000-0x00000000738AE000-memory.dmp	DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1156 created 1864 1156 WerFault.exe rundll32.exe
PID 3204 created 2700 3204 WerFault.exe RUNDLL32.EXE
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

flow pid process

20 1864 rundll32.exe
24 748 RUNDLL32.EXE
35 748 RUNDLL32.EXE
36 748 RUNDLL32.EXE
37 748 RUNDLL32.EXE
38 748 RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1156 created 1864	1156	WerFault.exe	rundll32.exe
PID 3204 created 2700	3204	WerFault.exe	RUNDLL32.EXE

flow	pid	process
20	1864	rundll32.exe
24	748	RUNDLL32.EXE
35	748	RUNDLL32.EXE
36	748	RUNDLL32.EXE
37	748	RUNDLL32.EXE
38	748	RUNDLL32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RUNDLL32.EXE

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

RUNDLL32.EXE

description pid process target process

PID 2700 set thread context of 2312 2700 RUNDLL32.EXE rundll32.exe
Drops file in Program Files directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\Bynootykhhl.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1156 1864 WerFault.exe rundll32.exe
3204 2700 WerFault.exe RUNDLL32.EXE

description	pid	process	target process
PID 2700 set thread context of 2312	2700	RUNDLL32.EXE	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\Bynootykhhl.tmp	rundll32.exe

pid	pid_target	process	target process
1156	1864	WerFault.exe	rundll32.exe
3204	2700	WerFault.exe	RUNDLL32.EXE

Checks processor information in registry 2 TTPs 44 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RUNDLL32.EXERUNDLL32.EXE

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RUNDLL32.EXE
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RUNDLL32.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RUNDLL32.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RUNDLL32.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RUNDLL32.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7A0F3BC329A08E8B41CBA6C90ED269E4EB48E331	RUNDLL32.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7A0F3BC329A08E8B41CBA6C90ED269E4EB48E331\Blob = 0300000001000000140000007a0f3bc329a08e8b41cba6c90ed269e4eb48e33120000000010000006e0200003082026a308201d3a00302010202082fafa5535c6cba45300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7265204379626572547275736f20526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3139313032363137313933355a170d3233313032353137313933355a305a3122302006035504030c1942616c74696d6f7265204379626572547275736f20526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100d2902fed7aea62c6d0e95eb55e15d339eed2c86a610fd68e2f9cbfaf1b63bbae7bae49223aa591f5ecc674ec8e25e7d035809b1f3280f92be53db90aafd2ef81676808d32e01be0b56b33e4480617c0db055c5729a794765d4f59b07a21e5ea448aba8566ef4087127052814567fd253bf917ea78a004d67156daab9e82982930203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7265204379626572547275736f20526f6f74300d06092a864886f70d01010b0500038181002601e901a34aae42cc1e91f6416172d85b4b5179769f817021701f72cd39c6d2d248d6f109a651d213ea6d30b236ff922fe95f1bb5a98ade64d81c339fda169fd6af697ed3195931457e63ebff2e7cc9f1d40b08a3c474f783e1fef7061887877d7cef2aba33dffc800795ec28029be302dbe8b0e1debe2c9e126c36ec5598cb	RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

WerFault.exeRUNDLL32.EXEpowershell.exeRUNDLL32.EXEWerFault.exepowershell.exepowershell.exe

pid	process
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
748	RUNDLL32.EXE
748	RUNDLL32.EXE
748	RUNDLL32.EXE
748	RUNDLL32.EXE
748	RUNDLL32.EXE
748	RUNDLL32.EXE
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
2700	RUNDLL32.EXE
2700	RUNDLL32.EXE
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3204	WerFault.exe
3764	powershell.exe
3764	powershell.exe
3764	powershell.exe
748	RUNDLL32.EXE
748	RUNDLL32.EXE
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

WerFault.exepowershell.exeWerFault.exeRUNDLL32.EXEpowershell.exepowershell.exe

description	pid	process
Token: SeRestorePrivilege	1156	WerFault.exe
Token: SeBackupPrivilege	1156	WerFault.exe
Token: SeDebugPrivilege	1156	WerFault.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3204	WerFault.exe
Token: SeDebugPrivilege	748	RUNDLL32.EXE
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exeRUNDLL32.EXE

pid process

2312 rundll32.exe
748 RUNDLL32.EXE

pid	process
2312	rundll32.exe
748	RUNDLL32.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rundll32.exerundll32.exeRUNDLL32.EXERUNDLL32.EXErundll32.exepowershell.exe

description	pid	process	target process
PID 3608 wrote to memory of 1864	3608	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 1864	3608	rundll32.exe	rundll32.exe
PID 3608 wrote to memory of 1864	3608	rundll32.exe	rundll32.exe
PID 1864 wrote to memory of 748	1864	rundll32.exe	RUNDLL32.EXE
PID 1864 wrote to memory of 748	1864	rundll32.exe	RUNDLL32.EXE
PID 1864 wrote to memory of 748	1864	rundll32.exe	RUNDLL32.EXE
PID 748 wrote to memory of 3140	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 3140	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 3140	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 2700	748	RUNDLL32.EXE	RUNDLL32.EXE
PID 748 wrote to memory of 2700	748	RUNDLL32.EXE	RUNDLL32.EXE
PID 748 wrote to memory of 2700	748	RUNDLL32.EXE	RUNDLL32.EXE
PID 2700 wrote to memory of 2312	2700	RUNDLL32.EXE	rundll32.exe
PID 2700 wrote to memory of 2312	2700	RUNDLL32.EXE	rundll32.exe
PID 2700 wrote to memory of 2312	2700	RUNDLL32.EXE	rundll32.exe
PID 2312 wrote to memory of 1320	2312	rundll32.exe	ctfmon.exe
PID 2312 wrote to memory of 1320	2312	rundll32.exe	ctfmon.exe
PID 748 wrote to memory of 3764	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 3764	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 3764	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 2032	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 2032	748	RUNDLL32.EXE	powershell.exe
PID 748 wrote to memory of 2032	748	RUNDLL32.EXE	powershell.exe
PID 2032 wrote to memory of 960	2032	powershell.exe	nslookup.exe
PID 2032 wrote to memory of 960	2032	powershell.exe	nslookup.exe
PID 2032 wrote to memory of 960	2032	powershell.exe	nslookup.exe
PID 748 wrote to memory of 1960	748	RUNDLL32.EXE	schtasks.exe
PID 748 wrote to memory of 1960	748	RUNDLL32.EXE	schtasks.exe
PID 748 wrote to memory of 1960	748	RUNDLL32.EXE	schtasks.exe
PID 748 wrote to memory of 1956	748	RUNDLL32.EXE	schtasks.exe
PID 748 wrote to memory of 1956	748	RUNDLL32.EXE	schtasks.exe
PID 748 wrote to memory of 1956	748	RUNDLL32.EXE	schtasks.exe

outlook_office_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

outlook_win_path 1 IoCs

Processes:

RUNDLL32.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RUNDLL32.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,#1
2⤵
- Blocklisted process makes network request
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,eC5KQzhRbUg=
3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\RUNDLL32.EXE
C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd.dll,o1hK
4⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 19638
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\system32\ctfmon.exe
ctfmon.exe
6⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1384
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD889.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpE9B2.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1396
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Bynootykhhl.tmp
MD5
4bca84d5edf3e593ec56cc821b6bd1b9

SHA1
23f954be80e90a15c78e83c91fde3e39721aa74d

SHA256
c117355e69d059a29c8c39a2434a2b3a45d4339293c1c0591038838a3757056d

SHA512
f7b7382f72fbf2cba9784ad4d05f6eda8e5f2cf7851bc921fa364f3552c9112bb50ae41432b99277c37b78b4f7b01c50738ad04a554f05996b68f3dc1a39561c

Download Submit
C:\PROGRA~3\Bynootykhhl.tmp
MD5
7bfbc25bbf75afc608f38796b21395c8

SHA1
21aa9b898e97a7df806c9e60566639487e889d33

SHA256
07787e1c32f3b5a4347e11f9ec6e21b4c59759db1b13fa323f7e45ddf0029972

SHA512
851c75624458f823166705b7bd713bb849d07f8cc768b1e772a68c4a2677663636685b72489fb773e9efc510d654b12e32a65d447dc22a76ceb30c0eb33563e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
94ebe7dcbbe2fffba29a1bd83f7d6c3d

SHA1
6947becd5a906d327c69be983044960d2eeccc3c

SHA256
96510bb0ad6f8a1b26f93607e6bd2a5af5cdc285f9932d83023b4822462dab89

SHA512
9e36236a6bba5fd75211cc6d51e799eeed12d0949b4c50fec191724c2bebd199a57ef10b08a9d9c44f6149385657de3d70d2e363ec62f52253d479ed99b39a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31061763dc669b5be129797fef3e6af0

SHA1
1b1e81dff7f3edb606936f5010b5a9e817a9c0e6

SHA256
fd462fccc10e43abcf08156cf9934ec16f466b67595bb469e1ab53572c6e2621

SHA512
51d873dcb0bf52e0ae1494a73ab66135ffb827437345889eadc0e20b3402d893f8115bd2a320cfe428557044bc87c63d5951b817b29fb7f05e388f87f122ffd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD889.tmp.ps1
MD5
2c15c6b297a1e3865554ec9b6abf66bb

SHA1
e079d109cef36e14693839e99494db39b22ec14f

SHA256
62795ee34ac2c242e438868010d6bdf42572d97fb248c285739d93a39de2169f

SHA512
aa0522ec3391f26a069a93ed26b8bdac8638291eb5c12ee47d0d80677263d2e48b48102edd82982dd4b673a6b50d0f01b01288a45531085b4d260c2c516f89a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD88A.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9B2.tmp.ps1
MD5
2bb8cb49eab49debff6f02231ec23f7a

SHA1
c79a1644cbc97a12f204c9ce6948ff80797108a6

SHA256
d945472c8630857378e225a13b1c5dd318c5f4f1f67d82094fe84aae7a81a580

SHA512
8420cf1434e480c06e12e041e739eb91744c59ff1243746b85def97a1b9ad9d4f53d0da2dd3867dffd0bad997904417ecb8bcdaaeccbf72b8f6423e369a6dcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9B3.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
memory/748-123-0x0000000000000000-mapping.dmp

Download
memory/748-129-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/748-126-0x0000000073620000-0x00000000738AE000-memory.dmp

Filesize
2.6MB

Download
memory/748-130-0x0000000005251000-0x0000000006235000-memory.dmp

Filesize
15.9MB

Download
memory/748-124-0x0000000073620000-0x00000000738AE000-memory.dmp

Filesize
2.6MB

Download
memory/748-131-0x0000000073EF0000-0x0000000073EF1000-memory.dmp

Filesize
4KB

Download
memory/960-463-0x0000000000000000-mapping.dmp

Download
memory/1320-409-0x0000000000000000-mapping.dmp

Download
memory/1864-119-0x0000000073620000-0x00000000738AE000-memory.dmp

Filesize
2.6MB

Download
memory/1864-117-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1864-116-0x0000000073620000-0x00000000738AE000-memory.dmp

Filesize
2.6MB

Download
memory/1864-115-0x0000000000000000-mapping.dmp

Download
memory/1864-121-0x0000000004C91000-0x0000000005C75000-memory.dmp

Filesize
15.9MB

Download
memory/1864-122-0x0000000073EF0000-0x0000000073EF1000-memory.dmp

Filesize
4KB

Download
memory/1864-118-0x0000000073620000-0x0000000073783000-memory.dmp

Filesize
1.4MB

Download
memory/1956-468-0x0000000000000000-mapping.dmp

Download
memory/1960-466-0x0000000000000000-mapping.dmp

Download
memory/2032-453-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/2032-441-0x0000000000000000-mapping.dmp

Download
memory/2032-454-0x0000000006542000-0x0000000006543000-memory.dmp

Filesize
4KB

Download
memory/2032-467-0x0000000006543000-0x0000000006544000-memory.dmp

Filesize
4KB

Download
memory/2312-412-0x00000132AA940000-0x00000132AAAF2000-memory.dmp

Filesize
1.7MB

Download
memory/2312-411-0x0000000000690000-0x0000000000830000-memory.dmp

Filesize
1.6MB

Download
memory/2312-405-0x00007FF673055FD0-mapping.dmp

Download
memory/2700-141-0x0000000000000000-mapping.dmp

Download
memory/2700-410-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2700-394-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2700-395-0x0000000004671000-0x0000000005655000-memory.dmp

Filesize
15.9MB

Download
memory/3140-137-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3140-143-0x0000000007570000-0x0000000007571000-memory.dmp

Filesize
4KB

Download
memory/3140-172-0x0000000009820000-0x0000000009821000-memory.dmp

Filesize
4KB

Download
memory/3140-171-0x0000000009650000-0x0000000009651000-memory.dmp

Filesize
4KB

Download
memory/3140-168-0x000000007E7B0000-0x000000007E7B1000-memory.dmp

Filesize
4KB

Download
memory/3140-165-0x00000000094E0000-0x00000000094E1000-memory.dmp

Filesize
4KB

Download
memory/3140-158-0x0000000009520000-0x0000000009553000-memory.dmp

Filesize
204KB

Download
memory/3140-136-0x0000000000000000-mapping.dmp

Download
memory/3140-151-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3140-150-0x00000000085B0000-0x00000000085B1000-memory.dmp

Filesize
4KB

Download
memory/3140-149-0x00000000070A2000-0x00000000070A3000-memory.dmp

Filesize
4KB

Download
memory/3140-138-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3140-139-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3140-148-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/3140-140-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3140-147-0x0000000008770000-0x0000000008771000-memory.dmp

Filesize
4KB

Download
memory/3140-146-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/3140-145-0x0000000007E10000-0x0000000007E11000-memory.dmp

Filesize
4KB

Download
memory/3140-144-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/3140-197-0x00000000070A3000-0x00000000070A4000-memory.dmp

Filesize
4KB

Download
memory/3140-142-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3764-440-0x00000000044B3000-0x00000000044B4000-memory.dmp

Filesize
4KB

Download
memory/3764-430-0x00000000044B2000-0x00000000044B3000-memory.dmp

Filesize
4KB

Download
memory/3764-429-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/3764-413-0x0000000000000000-mapping.dmp

Download