danabot | b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2022 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Size

1.3MB
MD5

f0c494e386eee0c623b4a7685f01916e
SHA1

0ad286248fddf6500c01caf659736e737e0b7e9c
SHA256

b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e
SHA512

de03f3daafda3c0ab8604e5cb5fdfafa83ee8e136b5dac9c375b99e1cf452aa0afd310239663b27c7b38b287549eb8b4cc057ba7b771e30ca064efb7f4e5962f
SSDEEP

24576:2GgQbyym/cA+QtEsBaJGhuk3gd5nlmkOYHgjDHpDXJ6aYg+f5:2UK6ScM73KOYHgPVJ/H

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 2 IoCs

flow	pid	Process
34	3656	rundll32.exe
35	4884	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 4884	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	102

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2796	4752	WerFault.exe	80
3096	4752	WerFault.exe	80
2808	4752	WerFault.exe	80
3880	4752	WerFault.exe	80
3376	4752	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2F6B0837CD6EB912FDA58C008C2746C7A1BDCC94	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2F6B0837CD6EB912FDA58C008C2746C7A1BDCC94\Blob = 0300000001000000140000002f6b0837cd6eb912fda58c008c2746c7a1bdcc9420000000010000007a02000030820276308201dfa0030201020208623935b027892404300d06092a864886f70d01010b050030613120301e06035504030c17446c67694365727420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313030373133333233315a170d3234313030363133333233315a30613120301e06035504030c17446c67694365727420476c6f62616c20526f6f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100cfe01ff3bf1585659126d36ec378aec401f27e70bd2c2fc17eca5fa38c0c6852be1976222c5e69f9c02fb7989e6d757fc55eccc77cf2063bed6565b37e303c20128e9500a8d1aeeed73dd0b41f9ec6a8295cab384cc88eff519e2fe7ec86e96f713cc0d31057e888c7224c05d43419552ac9bee4e616a1bdca4c72c8618b5bd50203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446c67694365727420476c6f62616c20526f6f74204341300d06092a864886f70d01010b050003818100150a3ec2e5ceb12d281fb9886f7f115e611689314932da3642cd9698eb75e8fede27e5d27920bd0059a1d204a101731cb03157022b0cd009bd354c30156767d56c0b03dac0f985797985ffde2de1a18352c8a93b83b96c545781b34d7b353db9f94f4365689390a65e884f50c54c8f544804064dc5226a36be19e00b5e6a2548	rundll32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe
4884	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4128	svchost.exe
Token: SeShutdownPrivilege	4128	svchost.exe
Token: SeCreatePagefilePrivilege	4128	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4884	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4944	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	81
PID 4752 wrote to memory of 4944	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	81
PID 4752 wrote to memory of 4944	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	81
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 3656	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	94
PID 4752 wrote to memory of 4884	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	102
PID 4752 wrote to memory of 4884	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	102
PID 4752 wrote to memory of 4884	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	102
PID 4752 wrote to memory of 4884	4752	b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe	102

C:\Users\Admin\AppData\Local\Temp\b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
"C:\Users\Admin\AppData\Local\Temp\b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:4944
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 596
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 876
  2⤵
  - Program crash
  PID:3096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 876
  2⤵
  - Program crash
  PID:2808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 940
  2⤵
  - Program crash
  PID:3880
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1036
  2⤵
  - Program crash
  PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x33c
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4752 -ip 4752
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4752 -ip 4752
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4752 -ip 4752
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4752 -ip 4752
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp

Filesize
3.3MB

MD5
8b9c0f72deaf2ee06e7441209cbe4ffb

SHA1
34912f3c7f4285d85497c96e95c33e5d6a597c97

SHA256
1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

SHA512
db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

Download Submit
memory/3656-139-0x0000000000000000-mapping.dmp

Download
memory/3656-142-0x0000000000A90000-0x0000000000A94000-memory.dmp

Filesize
16KB

Download
memory/3656-141-0x0000000000A90000-0x0000000000A94000-memory.dmp

Filesize
16KB

Download
memory/3656-140-0x0000000000A80000-0x0000000000A84000-memory.dmp

Filesize
16KB

Download
memory/4752-148-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-150-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-137-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4752-136-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4752-135-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4752-134-0x00000000025A0000-0x0000000002862000-memory.dmp

Filesize
2.8MB

Download
memory/4752-133-0x000000000244C000-0x000000000256A000-memory.dmp

Filesize
1.1MB

Download
memory/4752-144-0x0000000003120000-0x0000000003BE3000-memory.dmp

Filesize
10.8MB

Download
memory/4752-145-0x0000000003120000-0x0000000003BE3000-memory.dmp

Filesize
10.8MB

Download
memory/4752-146-0x0000000003120000-0x0000000003BE3000-memory.dmp

Filesize
10.8MB

Download
memory/4752-147-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-163-0x0000000003120000-0x0000000003BE3000-memory.dmp

Filesize
10.8MB

Download
memory/4752-149-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-138-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4752-151-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-152-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-153-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-154-0x0000000003DD0000-0x0000000003F10000-memory.dmp

Filesize
1.2MB

Download
memory/4752-162-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4752-159-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/4884-157-0x0000000003760000-0x00000000038A0000-memory.dmp

Filesize
1.2MB

Download
memory/4884-158-0x0000000003760000-0x00000000038A0000-memory.dmp

Filesize
1.2MB

Download
memory/4884-156-0x0000000002C90000-0x0000000003753000-memory.dmp

Filesize
10.8MB

Download
memory/4884-160-0x0000000000B40000-0x00000000014E4000-memory.dmp

Filesize
9.6MB

Download
memory/4884-161-0x0000000002C90000-0x0000000003753000-memory.dmp

Filesize
10.8MB

Download
memory/4884-155-0x0000000000000000-mapping.dmp

Download
memory/4884-164-0x0000000002C90000-0x0000000003753000-memory.dmp

Filesize
10.8MB

Download
memory/4944-132-0x0000000000000000-mapping.dmp

Download