Analysis
- max time kernel: 299s
- max time network: 216s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-01-2022 20:57
- Static task: static1
- Behavioral task: behavioral1 (Sample: warrant.exe, Resource: win7-en-20211208)

General
- Target: warrant.exe
- Size: 1.1MB
- MD5: 63d9b309582fbf651840182519c04f18
- SHA1: 742539d685093f276242b1ca3fae82c0d20cad6a
- SHA256: 8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3
- SHA512: c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385

Malware Config
Extracted
- Family: danabot
- 4
- C2: 192.119.110.4:443
- C2: 103.175.16.113:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures

Danabot Loader Component 9 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\warrant.exe.dll | DanabotLoader2021 (the same file is matched eight more times under this path)
-
Blocklisted process makes network request 3 IoCs
Processes:
flow | pid | process
26 | 3096 | rundll32.exe
28 | 3096 | rundll32.exe
29 | 416 | RUNDLL32.EXE
-
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Loads dropped DLL 8 IoCs
Processes:
pid | process
3096 | rundll32.exe
588 | svchost.exe
416 | RUNDLL32.EXE
632 | RUNDLL32.EXE
2780 | RUNDLL32.EXE
3948 | RUNDLL32.EXE
3624 | RUNDLL32.EXE
3624 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (every entry is "File opened (read-only)"; neither process touched C: or D:):
rundll32.exe | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
RUNDLL32.EXE | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | RUNDLL32.EXE
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
source pid | source process | target pid | target process
632 | RUNDLL32.EXE | 1152 | rundll32.exe
2780 | RUNDLL32.EXE | 1788 | rundll32.exe
3948 | RUNDLL32.EXE | 2252 | rundll32.exe
3624 | RUNDLL32.EXE | 3532 | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; for a DanaBot loader it is better read together with the drive enumeration above as volume and file discovery by a stealer, since no encryption activity appears anywhere in this report.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (64 IoCs, repeated queries collapsed; all paths are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor):
RUNDLL32.EXE
- Key opened: CentralProcessor, CentralProcessor\0, CentralProcessor\1
- Key enumerated: CentralProcessor
- Key value enumerated: CentralProcessor\0, CentralProcessor\1
- Key value queried: 0\~MHz, 0\Update Revision, 0\FeatureSet, 0\Component Information, 0\Configuration Data, 0\Update Status, 0\Platform Specific Field 1, 0\ProcessorNameString, 0\Identifier, 1\Identifier, 1\Configuration Data, 1\ProcessorNameString, 1\Previous Update Revision, 1\VendorIdentifier, 1\Update Revision, 1\Update Status, 1\FeatureSet, 1\~MHz, 1\Platform Specific Field 1
rundll32.exe
- Key opened: CentralProcessor, CentralProcessor\1
- Key enumerated: CentralProcessor
- Key value enumerated: CentralProcessor\1
- Key value queried: 0\Previous Update Revision, 0\FeatureSet, 0\~MHz, 1\Configuration Data, 1\~MHz, 1\Previous Update Revision
svchost.exe
- Key value queried: 0\Update Status, 0\ProcessorNameString, 0\Identifier, 0\FeatureSet, 0\Configuration Data, 0\Component Information, 1\~MHz, 1\ProcessorNameString, 1\Platform Specific Field 1, 1\Identifier
-
Modifies Internet Explorer settings 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Internet Explorer\TypedURLs | rundll32.exe
-
Modifies system certificate store 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8A3F5EC93D08B16E1425179F886486784F300CE | rundll32.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E8A3F5EC93D08B16E1425179F886486784F300CE\Blob = [certificate blob not reproduced] | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\47AFC8C8F97C03CBC55EFACFB631EA3DE50F24F8 | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\47AFC8C8F97C03CBC55EFACFB631EA3DE50F24F8\Blob = [certificate blob not reproduced] | RUNDLL32.EXE
-
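Writing into the machine ROOT store from a user-land loader is the part of this report a responder should verify on a real host, and the key name alone proves nothing: Windows names the key after the certificate's SHA-1, but nothing stops a writer from choosing any name. The following Python is an added example, not part of the sandbox report, for checking exported Blob values offline. It assumes the CryptoAPI serialized-certificate layout for Blob (a sequence of records: 32-bit property id, 32-bit reserved word, 32-bit length, data; property 32 carries the DER certificate, property 3 its SHA-1, property 11 the friendly name). The DER bytes and the baseline set in the demo are constructed placeholders, not real certificates; only the two thumbprints are taken from this report.

```python
"""Offline checks on entries written under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\<thumbprint>\\Blob.

Added example, not part of the sandbox report. Assumed Blob layout (CryptoAPI
serialized certificate context): repeated records of
<property id: u32><reserved: u32><length: u32><data>, where property 32 holds the
DER-encoded certificate and property 3 its SHA-1 hash.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Thumbprints of the two ROOT store keys created by rundll32 in this report.
REPORT_ROOT_KEYS = [
    "E8A3F5EC93D08B16E1425179F886486784F300CE",
    "47AFC8C8F97C03CBC55EFACFB631EA3DE50F24F8",
]


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the name Windows gives the key."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}; raises on a truncated record."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} truncated")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property")
    return props


def build_blob(props: dict) -> bytes:
    """Serialise {property_id: data} in the same layout (used for the demo data)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def check_entry(key_name: str, blob: bytes) -> dict:
    """Verify that the key name and the stored hash both match the certificate carried."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"key": key_name, "ok": False, "reason": "no certificate property"}
    actual = thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    problems = []
    if actual != key_name.upper():
        problems.append("key name does not match certificate hash")
    if stored is not None and stored.hex().upper() != actual:
        problems.append("stored SHA-1 property does not match certificate")
    return {"key": key_name, "thumbprint": actual, "friendly_name": name,
            "ok": not problems, "reason": "; ".join(problems)}


def new_root_keys(observed: list, baseline: set) -> list:
    """Thumbprints present on the host but absent from a known-good baseline."""
    known = {b.upper() for b in baseline}
    return [k for k in observed if k.upper() not in known]


# Constructed demo data: not a real certificate, just bytes in the expected slot.
DEMO_DER = b"\x30\x82\x01\x00" + b"constructed DER placeholder for the example"
DEMO_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(DEMO_DER).digest(),
    CERT_FRIENDLY_NAME_PROP_ID: "Demo Root".encode("utf-16-le") + b"\x00\x00",
    CERT_CERT_PROP_ID: DEMO_DER,
})
# Constructed baseline: pretend these were the only ROOT entries on a clean image.
DEMO_BASELINE = {"0000000000000000000000000000000000000001", thumbprint(DEMO_DER)}

if __name__ == "__main__":
    print(check_entry(thumbprint(DEMO_DER), DEMO_BLOB))   # consistent entry
    print(check_entry("00" * 20, DEMO_BLOB))             # key name lies about its content
    print(new_root_keys(REPORT_ROOT_KEYS, DEMO_BASELINE))  # both report keys are new
```

On a live host the same checks apply to `Get-ChildItem Cert:\LocalMachine\Root`, but parsing the registry value is what works against an exported hive or a disk image, and the baseline comparison is what turns "a root was added" into "this root was added".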
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes (pid | process | occurrences):
588 | svchost.exe | 14
3096 | rundll32.exe | 6
416 | RUNDLL32.EXE | 6
2848 | powershell.exe | 3
632 | RUNDLL32.EXE | 2
2780 | RUNDLL32.EXE | 2
3948 | RUNDLL32.EXE | 2
3624 | RUNDLL32.EXE | 2
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2848 | powershell.exe
Token: SeDebugPrivilege | 3096 | rundll32.exe
Token: SeDebugPrivilege | 416 | RUNDLL32.EXE
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1152 | rundll32.exe
1788 | rundll32.exe
2252 | rundll32.exe
3532 | rundll32.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes (source pid | source process | target pid | target process | occurrences):
2608 | warrant.exe | 3096 | rundll32.exe | 3
588 | svchost.exe | 416 | RUNDLL32.EXE | 3
3096 | rundll32.exe | 2848 | powershell.exe | 3
3096 | rundll32.exe | 632 | RUNDLL32.EXE | 3
416 | RUNDLL32.EXE | 2780 | RUNDLL32.EXE | 3
632 | RUNDLL32.EXE | 1152 | rundll32.exe | 3
1152 | rundll32.exe | 1608 | ctfmon.exe | 2
2780 | RUNDLL32.EXE | 1788 | rundll32.exe | 3
416 | RUNDLL32.EXE | 3948 | RUNDLL32.EXE | 3
3948 | RUNDLL32.EXE | 2252 | rundll32.exe | 3
416 | RUNDLL32.EXE | 3624 | RUNDLL32.EXE | 3
3624 | RUNDLL32.EXE | 3532 | rundll32.exe | 3
Processes
Each entry gives the image path, then the command line, then the signatures attributed to that process; indentation shows the parent/child depth, and PIDs are those from the signature tables above where the mapping is unambiguous.

[1] C:\Users\Admin\AppData\Local\Temp\warrant.exe (pid 2608)
    "C:\Users\Admin\AppData\Local\Temp\warrant.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe (pid 3096)
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,z C:\Users\Admin\AppData\Local\Temp\warrant.exe
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Enumerates connected drives
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 2848)
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\RUNDLL32.EXE (pid 632)
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,aglgd0Q=
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe (pid 1152)
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\ctfmon.exe (pid 1608)
            ctfmon.exe

[1] C:\Windows\SysWOW64\svchost.exe (pid 588)
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\RUNDLL32.EXE (pid 416)
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,lDhcNHE=
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,kEZJMkI=
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
    [3] C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,nk5PbHk1dE1Q
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
    [3] C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,YTomQkVXTFc=
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 6030
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
Downloads

Dropped files (C:\ProgramData\utpgu.tmp is recorded four times with different contents, so the path was rewritten during the run; the fifth listing in the original is a verbatim repeat of the fourth):

C:\ProgramData\utpgu.tmp
  MD5    b75787c624c39566bf70d9e8d4b112b8
  SHA1   d78609b67077eb665fb27a4afa93ec44d18bf97b
  SHA256 44ccb723aa17b23efd1f7ea5d426475d372a014627ed3142afbb22e65f1d30fb
  SHA512 8dd61fb615624fb6291a0a54c23378bf751bd3db8ff41daef2c3eb15a9ed726740ddbf1b010119edaec7c6e87868fdae10200119ec25fdef8f4495d1c75bdfba

C:\ProgramData\utpgu.tmp
  MD5    798fb476020239874b47ad9040585f95
  SHA1   703bf5763b41b46eb508ef7f218d0ed3e28a5144
  SHA256 0755ae426ff4225c7e112acad81c1dc7175245839cbc6659db4ae4bf5a1b3847
  SHA512 4709ac75225ccca01d24cffcb6584038cac8686ff679822bbdf4aa36f9edccabae56f81759cf5b26b737c5a13bd45d598a61219f9a9b0ddeef1d78baeefb5c7c

C:\ProgramData\utpgu.tmp
  MD5    4c2a09f76a4b515f9d8593ff80f2b321
  SHA1   233470f4e837ce05d03d3f849d12c1db8f75cc15
  SHA256 29c02423ab03379ec030e7b33be97ea466479a5bb4dac24196e1acc7cfdc5671
  SHA512 19cb56227afcb6d76ca29db1b6eaad96827068dd9d670e5ff6b50142ccf4d416ebe644edf86bffb03f2ac0164dbb03adf57556cb1dbdabe7e8acfe6f8bca3dde

C:\ProgramData\utpgu.tmp
  MD5    9f9f304dd537db3f3e26ef8d4b48dc18
  SHA1   1e9d23723e4b668409cf9db33bbc3286ec74e392
  SHA256 5ef1699d259c280697ae3ea1a372a247d1690788da7785dd0bf629cb6ea94cb4
  SHA512 1cbaa74b858eef8c7b2a3dccd916a811f0678881a21370779ac89059e78358fe68a6f10cde90ce2b8269a38bdb2acdeaf1e8b5eee71c683486b2de1c4587910d

C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll (also recorded eight more times as \Users\Admin\AppData\Local\Temp\warrant.exe.dll with identical hashes)
  MD5    50b6f4057987242251898d8748afd51e
  SHA1   171f85794faae4a0808a620a0424d077ecfc5252
  SHA256 913af4f2b141ac69d136fe88d4cfe155a5a439456c89e54eac57122ed3ef6c3a
  SHA512 1bcbbf7398b1d596864cf253fa13fb89f996c626fae5ecf0a7472f4d6f62a0cf214734aa73c26e05e8dc72507adc707e96af4224cd9d1371b662cd744e36b93d

Memory dumps (file name, then size where the dump is a memory region). The four 64-bit rundll32.exe children (1152, 1788, 2252, 3532) each carry a mapping at 0x00007FF747375FD0 and a 1.8MB region, which lines up with the SetThreadContext entries above:

memory/416-127-0x0000000000000000-mapping.dmp
memory/416-129-0x0000000004A51000-0x0000000005A51000-memory.dmp (16.0MB)
memory/416-130-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
memory/588-125-0x0000000003D71000-0x0000000004D71000-memory.dmp (16.0MB)
memory/588-126-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
memory/632-218-0x0000000005E30000-0x0000000005E31000-memory.dmp (4KB)
memory/632-215-0x0000000005CC0000-0x0000000005E00000-memory.dmp (1.2MB)
memory/632-184-0x0000000004BF1000-0x0000000005BF1000-memory.dmp (16.0MB)
memory/632-194-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
memory/632-162-0x0000000000000000-mapping.dmp
memory/632-203-0x0000000005E10000-0x0000000005E11000-memory.dmp (4KB)
memory/632-205-0x0000000005CC0000-0x0000000005E00000-memory.dmp (1.2MB)
memory/632-207-0x0000000005CC0000-0x0000000005E00000-memory.dmp (1.2MB)
memory/632-212-0x0000000005CC0000-0x0000000005E00000-memory.dmp (1.2MB)
memory/632-219-0x0000000005CC0000-0x0000000005E00000-memory.dmp (1.2MB)
memory/1152-230-0x0000015522150000-0x0000015522312000-memory.dmp (1.8MB)
memory/1152-228-0x0000000000D50000-0x0000000000F01000-memory.dmp (1.7MB)
memory/1152-223-0x00007FF747375FD0-mapping.dmp
memory/1608-235-0x0000000000000000-mapping.dmp
memory/1788-273-0x00007FF747375FD0-mapping.dmp
memory/1788-278-0x000002AD28870000-0x000002AD28A32000-memory.dmp (1.8MB)
memory/2252-445-0x00000184FD2F0000-0x00000184FD4B2000-memory.dmp (1.8MB)
memory/2252-440-0x00007FF747375FD0-mapping.dmp
memory/2608-117-0x0000000000400000-0x0000000002C59000-memory.dmp (40.3MB)
memory/2608-115-0x0000000004AE0000-0x0000000004BC3000-memory.dmp (908KB)
memory/2608-116-0x0000000004BD0000-0x0000000004CCA000-memory.dmp (1000KB)
memory/2780-279-0x00000000065B0000-0x00000000065B1000-memory.dmp (4KB)
memory/2780-193-0x0000000000000000-mapping.dmp
memory/2780-277-0x0000000005351000-0x0000000006351000-memory.dmp (16.0MB)
memory/2848-136-0x0000000007380000-0x0000000007381000-memory.dmp (4KB)
memory/2848-138-0x0000000007810000-0x0000000007832000-memory.dmp (136KB)
memory/2848-171-0x0000000009DB0000-0x0000000009E44000-memory.dmp (592KB)
memory/2848-172-0x0000000007383000-0x0000000007384000-memory.dmp (4KB)
memory/2848-168-0x000000007F3E0000-0x000000007F3E1000-memory.dmp (4KB)
memory/2848-163-0x0000000009850000-0x000000000986E000-memory.dmp (120KB)
memory/2848-161-0x00000000089B0000-0x0000000008A26000-memory.dmp (472KB)
memory/2848-160-0x0000000008BD0000-0x0000000008C1B000-memory.dmp (300KB)
memory/2848-159-0x0000000008160000-0x00000000081C6000-memory.dmp (408KB)
memory/2848-158-0x00000000080F0000-0x0000000008156000-memory.dmp (408KB)
memory/2848-157-0x0000000007810000-0x0000000007832000-memory.dmp (136KB)
memory/2848-156-0x0000000009870000-0x00000000098A3000-memory.dmp (204KB)
memory/2848-155-0x0000000009870000-0x00000000098A3000-memory.dmp (204KB)
memory/2848-154-0x00000000079C0000-0x0000000007FE8000-memory.dmp (6.2MB)
memory/2848-146-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
memory/2848-145-0x00000000089B0000-0x0000000008A26000-memory.dmp (472KB)
memory/2848-143-0x0000000008BD0000-0x0000000008C1B000-memory.dmp (300KB)
memory/2848-142-0x0000000008590000-0x00000000085AC000-memory.dmp (112KB)
memory/2848-141-0x00000000081E0000-0x0000000008530000-memory.dmp (3.3MB)
memory/2848-140-0x0000000008160000-0x00000000081C6000-memory.dmp (408KB)
memory/2848-139-0x00000000080F0000-0x0000000008156000-memory.dmp (408KB)
memory/2848-170-0x0000000009BE0000-0x0000000009C85000-memory.dmp (660KB)
memory/2848-137-0x0000000007382000-0x0000000007383000-memory.dmp (4KB)
memory/2848-135-0x00000000079C0000-0x0000000007FE8000-memory.dmp (6.2MB)
memory/2848-404-0x0000000009CB0000-0x0000000009CCA000-memory.dmp (104KB)
memory/2848-409-0x0000000009CB0000-0x0000000009CCA000-memory.dmp (104KB)
memory/2848-410-0x0000000009CA0000-0x0000000009CA8000-memory.dmp (32KB)
memory/2848-415-0x0000000009CA0000-0x0000000009CA8000-memory.dmp (32KB)
memory/2848-131-0x0000000000000000-mapping.dmp
memory/2848-134-0x00000000071E0000-0x0000000007216000-memory.dmp (216KB)
memory/2848-133-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
memory/2848-132-0x0000000004D40000-0x0000000004D41000-memory.dmp (4KB)
memory/3096-122-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)
memory/3096-121-0x0000000004B11000-0x0000000005B11000-memory.dmp (16.0MB)
memory/3096-118-0x0000000000000000-mapping.dmp
memory/3532-463-0x00007FF747375FD0-mapping.dmp
memory/3532-468-0x000002E67B370000-0x000002E67B532000-memory.dmp (1.8MB)
memory/3624-446-0x0000000000000000-mapping.dmp
memory/3624-453-0x0000000004801000-0x0000000005801000-memory.dmp (16.0MB)
memory/3624-466-0x0000000000E60000-0x0000000000E61000-memory.dmp (4KB)
memory/3948-436-0x0000000005341000-0x0000000006341000-memory.dmp (16.0MB)
memory/3948-444-0x00000000035D0000-0x00000000035D1000-memory.dmp (4KB)
memory/3948-425-0x0000000000000000-mapping.dmp