Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 23-09-2022 06:40
Static task: static1
Behavioral task: behavioral1
Sample: 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
Resource: win10-20220812-en
General
- Target: 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
- Size: 170KB
- MD5: 1694a1aaab237984a204b338060bde49
- SHA1: 0b7e55eda5e452041b792a61645602122b5437e7
- SHA256: 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee
- SHA512: f03a28c3f7942080914f23f2a4a6c014b6289316f122381e747e771b6a9d8fd75968ec83c1d1e1628bd0eb00b9e39d8b82cda2b3af09c469d343dd3a113b5aab
- SSDEEP: 3072:yJBL8sV5z53hjNhf0F2e081eA/IyGiNBp7uJ/PkW4n:GLN7thjzfw2pvA/I05i
Malware Config
Extracted: danabot
- embedded_hash: 6618C163D57D6441FCCA65D86C4D380D
- type: loader
Signatures
- Detects Smokeloader packer (1 IoC)
  Processes:
    resource: behavioral1/memory/2692-141-0x00000000005E0000-0x00000000005E9000-memory.dmp
    yara_rule: family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
    47 | 1304 | rundll32.exe
    49 | 1304 | rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    4064 | 7D7D.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    3020 | (unnamed)
- Program crash (1 IoC)
  Processes (pid | process | target pid | target process):
    1732 | WerFault.exe | 4064 | 7D7D.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    2692 | 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe (2 entries)
    3020 | (unnamed) (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    3020 | (unnamed)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    2692 | 16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeShutdownPrivilege | 3020 | (unnamed)
    Token: SeCreatePagefilePrivilege | 3020 | (unnamed)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (description | pid | process | target process):
    PID 3020 wrote to memory of 4064 | 3020 | (unnamed) | 7D7D.exe (3 entries)
    PID 4064 wrote to memory of 4104 | 4064 | 7D7D.exe | appidtel.exe (3 entries)
    PID 4064 wrote to memory of 1304 | 4064 | 7D7D.exe | rundll32.exe (26 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7D7D.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\7D7D.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\appidtel.exe (level 2)
    Command line: C:\Windows\system32\appidtel.exe
  - C:\Windows\syswow64\rundll32.exe (level 2)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WerFault.exe (level 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 620
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7D7D.exe
  Filesize: 1.3MB
  MD5: 10b0c3dfacb99f9f2ca02f9df4bc96db
  SHA1: 13a48798517d9b28961d49bf67f5764b46ca14b7
  SHA256: 1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f
  SHA512: b4fc3b20a9f14c777b8d69ca65d02052a13d45a3ee42fc733bdaa299339ce9c4316534b303ce413a8f43efde7d11213067991b3f969c30fefdd884f571e0cb9f