Analysis
-
max time kernel
132s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
06-10-2022 00:19
General
-
Target
file.exe
-
Size
146KB
-
MD5
5857452a7c4f42e1be84602d6fdd5de4
-
SHA1
031694f1a68eafa3915c886d6dba4c2034c7bea1
-
SHA256
9d95e51bc6240a1e42b4d7ac35f3949e98bc2462cfd84ae3180b3d3753d6fd32
-
SHA512
13d50804f489bad9340716ae7c1fb1a779e3d09917afc9bbf31d108f02223cc7295ca0d3e5b0c687e3d6d8d1434636a285743eda424e59ab5afd0223e500196e
-
SSDEEP
3072:KIkS00hfhxLbvCTQXMfJZjLIyUMe9a+BPcBaGO:VmYHvExZjLhe9zB4aG
Malware Config
Extracted
danabot
-
embedded_hash
EAD30BF58E340E9E105B328F524565E0
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 42 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 49 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\53EC.exeC:\Users\Admin\AppData\Local\Temp\53EC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\agentactivationruntimestarter.exeC:\Windows\system32\agentactivationruntimestarter.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 8602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 9082⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 163933⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 9082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 9802⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3fc 0x4b41⤵
-
C:\Users\Admin\AppData\Roaming\eurbtshC:\Users\Admin\AppData\Roaming\eurbtsh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4484 -ip 44841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4484 -ip 44841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4484 -ip 44841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4484 -ip 44841⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\53EC.exeFilesize
4.5MB
MD5630eda5f260f2dca98e6f04fbc12466b
SHA173204a957526c43ea8bae86cebd7297343575ff0
SHA256dca1c32ed4c0d83654a8f3bb557ee6c17884e768ae19f81cdaa5b6f9fc6458c8
SHA51215016f10c727a57a03fba182f54625327011501c30204b49992363f69ceaa291a6fee5f3d593669ba3b57ea85589ff5d3ebfaed40f30f40cdf0bb910c311e21e
-
C:\Users\Admin\AppData\Local\Temp\53EC.exeFilesize
4.5MB
MD5630eda5f260f2dca98e6f04fbc12466b
SHA173204a957526c43ea8bae86cebd7297343575ff0
SHA256dca1c32ed4c0d83654a8f3bb557ee6c17884e768ae19f81cdaa5b6f9fc6458c8
SHA51215016f10c727a57a03fba182f54625327011501c30204b49992363f69ceaa291a6fee5f3d593669ba3b57ea85589ff5d3ebfaed40f30f40cdf0bb910c311e21e
-
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.logFilesize
1KB
MD5bb547dd45ea43ede6061995b4501b67c
SHA12f33b48ae90b11c5e940ae0f30c298d5d01f78be
SHA2561e468f7498982fd02504ba0511bc09256fdfc7d9157b732f46b621148304c34c
SHA512103c72ab5634ad1db1b45770b21582468524920ada0b6dcdbc0b979d851adb0af2ed4ff8d014427bf61182b0e0758eefe8739c8d1c01717f96e11d238d7605f3
-
C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmpFilesize
3.3MB
MD5963024ce4b5518f20619bdcb2998a789
SHA1bbce53b5aa2beeff5c9f1555a1e32350bba479b2
SHA256e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d
SHA512468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8
-
C:\Users\Admin\AppData\Local\Temp\b7a972bc-9460-4c6f-93c0-e6dd9473f34f.tmpFilesize
23KB
MD52e0a52964e4f43a9830f01775bcb061b
SHA1deedc2124380dcc834798466b7ae8ca986aba82f
SHA2563884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b
SHA51256c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44
-
C:\Users\Admin\AppData\Roaming\eurbtshFilesize
146KB
MD55857452a7c4f42e1be84602d6fdd5de4
SHA1031694f1a68eafa3915c886d6dba4c2034c7bea1
SHA2569d95e51bc6240a1e42b4d7ac35f3949e98bc2462cfd84ae3180b3d3753d6fd32
SHA51213d50804f489bad9340716ae7c1fb1a779e3d09917afc9bbf31d108f02223cc7295ca0d3e5b0c687e3d6d8d1434636a285743eda424e59ab5afd0223e500196e
-
C:\Users\Admin\AppData\Roaming\eurbtshFilesize
146KB
MD55857452a7c4f42e1be84602d6fdd5de4
SHA1031694f1a68eafa3915c886d6dba4c2034c7bea1
SHA2569d95e51bc6240a1e42b4d7ac35f3949e98bc2462cfd84ae3180b3d3753d6fd32
SHA51213d50804f489bad9340716ae7c1fb1a779e3d09917afc9bbf31d108f02223cc7295ca0d3e5b0c687e3d6d8d1434636a285743eda424e59ab5afd0223e500196e
-
memory/852-150-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/852-149-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/852-148-0x000000000084D000-0x000000000085D000-memory.dmpFilesize
64KB
-
memory/1696-187-0x0000000000000000-mapping.dmp
-
memory/1952-141-0x0000000000000000-mapping.dmp
-
memory/2496-188-0x0000000000000000-mapping.dmp
-
memory/4256-186-0x000001B61B740000-0x000001B61B964000-memory.dmpFilesize
2.1MB
-
memory/4256-182-0x00007FF75F966890-mapping.dmp
-
memory/4256-184-0x000001B61CF90000-0x000001B61D0D0000-memory.dmpFilesize
1.2MB
-
memory/4256-183-0x000001B61CF90000-0x000001B61D0D0000-memory.dmpFilesize
1.2MB
-
memory/4256-185-0x0000000000310000-0x0000000000525000-memory.dmpFilesize
2.1MB
-
memory/4256-189-0x000001B61B740000-0x000001B61B964000-memory.dmpFilesize
2.1MB
-
memory/4484-160-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-151-0x0000000000400000-0x0000000000A22000-memory.dmpFilesize
6.1MB
-
memory/4484-153-0x0000000003830000-0x00000000042F7000-memory.dmpFilesize
10.8MB
-
memory/4484-154-0x0000000003830000-0x00000000042F7000-memory.dmpFilesize
10.8MB
-
memory/4484-155-0x0000000003830000-0x00000000042F7000-memory.dmpFilesize
10.8MB
-
memory/4484-156-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-157-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-158-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-159-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-137-0x0000000000000000-mapping.dmp
-
memory/4484-161-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-162-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-163-0x00000000043C0000-0x0000000004500000-memory.dmpFilesize
1.2MB
-
memory/4484-140-0x0000000002706000-0x0000000002B70000-memory.dmpFilesize
4.4MB
-
memory/4484-142-0x0000000002B80000-0x0000000003196000-memory.dmpFilesize
6.1MB
-
memory/4484-143-0x0000000000400000-0x0000000000A22000-memory.dmpFilesize
6.1MB
-
memory/4484-174-0x0000000003830000-0x00000000042F7000-memory.dmpFilesize
10.8MB
-
memory/4484-173-0x0000000000400000-0x0000000000A22000-memory.dmpFilesize
6.1MB
-
memory/4484-144-0x0000000002706000-0x0000000002B70000-memory.dmpFilesize
4.4MB
-
memory/4484-152-0x0000000000400000-0x0000000000A22000-memory.dmpFilesize
6.1MB
-
memory/4484-145-0x0000000000400000-0x0000000000A22000-memory.dmpFilesize
6.1MB
-
memory/4828-180-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-167-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-181-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-166-0x0000000000420000-0x0000000000DC8000-memory.dmpFilesize
9.7MB
-
memory/4828-176-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-177-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-178-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-179-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-169-0x0000000002890000-0x0000000003357000-memory.dmpFilesize
10.8MB
-
memory/4828-168-0x0000000003480000-0x00000000035C0000-memory.dmpFilesize
1.2MB
-
memory/4828-175-0x0000000002890000-0x0000000003357000-memory.dmpFilesize
10.8MB
-
memory/4828-165-0x0000000002890000-0x0000000003357000-memory.dmpFilesize
10.8MB
-
memory/4828-164-0x0000000000000000-mapping.dmp
-
memory/4980-132-0x000000000094D000-0x000000000095E000-memory.dmpFilesize
68KB
-
memory/4980-136-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/4980-135-0x000000000094D000-0x000000000095E000-memory.dmpFilesize
68KB
-
memory/4980-134-0x0000000000400000-0x0000000000581000-memory.dmpFilesize
1.5MB
-
memory/4980-133-0x0000000000920000-0x0000000000929000-memory.dmpFilesize
36KB