danabot | 93582891bce408609f20af2a38f181e77b8134cc3a87e0fd887edadf29be6373

Analysis

max time kernel
96s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c044ffcbac6f16c4322deb7957cc901c.exe
Size

1.3MB
MD5

c044ffcbac6f16c4322deb7957cc901c
SHA1

36234162600dcf2730ba01e07125dc497bac74b7
SHA256

93582891bce408609f20af2a38f181e77b8134cc3a87e0fd887edadf29be6373
SHA512

d48ca582f20bca1e668c06d5a5616933c5bc38287bbc64715d506cd10d387eeec106f2a0669e74371351b95f324dd5cafc5c90d4aa5dea35a41a2ce9d143db0b
SSDEEP

24576:Q4wlY+1ZBpNIuDdhcOvNtnsQVB4Ak7uMdsLd1XBktTV7yUX9rl:QRlYcZBDvXsmk7l3WUx

Score

10^/10

danabot banker discovery spyware stealer trojan

Malware Config

Extracted

Family

danabot

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes

embedded_hash
56951C922035D696BFCE443750496462
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Blocklisted process makes network request 3 IoCs

flow	pid	Process
30	2756	rundll32.exe
31	2756	rundll32.exe
32	372	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 372	3940	c044ffcbac6f16c4322deb7957cc901c.exe	102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2476	3940	WerFault.exe	80
2464	3940	WerFault.exe	80
2864	3940	WerFault.exe	80
4076	3940	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 42 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	c044ffcbac6f16c4322deb7957cc901c.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	c044ffcbac6f16c4322deb7957cc901c.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	c044ffcbac6f16c4322deb7957cc901c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	c044ffcbac6f16c4322deb7957cc901c.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	c044ffcbac6f16c4322deb7957cc901c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c044ffcbac6f16c4322deb7957cc901c.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	c044ffcbac6f16c4322deb7957cc901c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c044ffcbac6f16c4322deb7957cc901c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	c044ffcbac6f16c4322deb7957cc901c.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6A10940E767206D48FB0ACA5DF9B70B36449525F	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6A10940E767206D48FB0ACA5DF9B70B36449525F\Blob = 0300000001000000140000006a10940e767206d48fb0aca5df9b70b36449525f2000000001000000220200003082021e30820187a003020102020759e22665cea1ff300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686e72697479301e170d3230313031303039323433355a170d3234313030393039323433355a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686e7269747930819f300d06092a864886f70d010101050003818d0030818902818100c731328bef8c3f6902b50db90c8bf5204936edacb06ab0ca445371f2a36e9599fd757fb7f1f282b066f2ccf89a5807b020410a6f9d90ab6eb3e2b9d20493b93b9af1c4c9df8dc0c6c9e8e4f5a5d6291b362d6c070527838de062352b0c0f9445dc5661c9e2f9d09af2ddbda1f88f5e0f0e0aea4d331201dce8bb89a60d9304e90203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361746520417574686e72697479300d06092a864886f70d01010b05000381810061564c555c7ccc31ade56869722bd7523dda703b3c32edec31f41564809428db7180decddc6c731c7b841b969734e3bc15dbf07cf03e30988baadaa7be7ee8e372aa8592c04a2b2bf5a3dd437fde2761b1e34e8ca226f8c3806e60b146891d3e5e500dee1540c4fb6bdb2853a7a72936ad7be6d02398ede489a34aacda87def5	rundll32.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe
372	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4008	svchost.exe
Token: SeShutdownPrivilege	4008	svchost.exe
Token: SeCreatePagefilePrivilege	4008	svchost.exe
Token: SeDebugPrivilege	372	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
372	rundll32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 1048	3940	c044ffcbac6f16c4322deb7957cc901c.exe	81
PID 3940 wrote to memory of 1048	3940	c044ffcbac6f16c4322deb7957cc901c.exe	81
PID 3940 wrote to memory of 1048	3940	c044ffcbac6f16c4322deb7957cc901c.exe	81
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 2756	3940	c044ffcbac6f16c4322deb7957cc901c.exe	94
PID 3940 wrote to memory of 372	3940	c044ffcbac6f16c4322deb7957cc901c.exe	102
PID 3940 wrote to memory of 372	3940	c044ffcbac6f16c4322deb7957cc901c.exe	102
PID 3940 wrote to memory of 372	3940	c044ffcbac6f16c4322deb7957cc901c.exe	102
PID 3940 wrote to memory of 372	3940	c044ffcbac6f16c4322deb7957cc901c.exe	102

C:\Users\Admin\AppData\Local\Temp\c044ffcbac6f16c4322deb7957cc901c.exe
"C:\Users\Admin\AppData\Local\Temp\c044ffcbac6f16c4322deb7957cc901c.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\SysWOW64\agentactivationruntimestarter.exe
  C:\Windows\system32\agentactivationruntimestarter.exe
  2⤵
  PID:1048
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 592
  2⤵
  - Program crash
  PID:2476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 884
  2⤵
  - Program crash
  PID:2464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 960
  2⤵
  - Program crash
  PID:2864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 896
  2⤵
  - Program crash
  PID:4076
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x51c
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3940 -ip 3940
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3940 -ip 3940
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 216 -p 3940 -ip 3940
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3940 -ip 3940
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp

Filesize
3.3MB

MD5
8b9c0f72deaf2ee06e7441209cbe4ffb

SHA1
34912f3c7f4285d85497c96e95c33e5d6a597c97

SHA256
1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

SHA512
db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

Download Submit
memory/372-166-0x0000000003420000-0x0000000003EE3000-memory.dmp

Filesize
10.8MB

Download
memory/372-165-0x0000000003420000-0x0000000003EE3000-memory.dmp

Filesize
10.8MB

Download
memory/372-164-0x0000000000E80000-0x0000000001824000-memory.dmp

Filesize
9.6MB

Download
memory/372-163-0x0000000003EF0000-0x0000000004030000-memory.dmp

Filesize
1.2MB

Download
memory/372-162-0x0000000003EF0000-0x0000000004030000-memory.dmp

Filesize
1.2MB

Download
memory/372-161-0x0000000003420000-0x0000000003EE3000-memory.dmp

Filesize
10.8MB

Download
memory/372-160-0x0000000000000000-mapping.dmp

Download
memory/1048-133-0x0000000000000000-mapping.dmp

Download
memory/2756-141-0x0000000000790000-0x0000000000794000-memory.dmp

Filesize
16KB

Download
memory/2756-142-0x00000000007A0000-0x00000000007A4000-memory.dmp

Filesize
16KB

Download
memory/2756-143-0x00000000007B0000-0x00000000007B4000-memory.dmp

Filesize
16KB

Download
memory/2756-144-0x00000000007C0000-0x00000000007C4000-memory.dmp

Filesize
16KB

Download
memory/2756-145-0x00000000007D0000-0x00000000007D4000-memory.dmp

Filesize
16KB

Download
memory/2756-146-0x00000000007D0000-0x00000000007D4000-memory.dmp

Filesize
16KB

Download
memory/2756-139-0x0000000000000000-mapping.dmp

Download
memory/2756-140-0x0000000000780000-0x0000000000784000-memory.dmp

Filesize
16KB

Download
memory/3940-154-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-158-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-151-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-152-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-153-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-149-0x0000000003080000-0x0000000003B43000-memory.dmp

Filesize
10.8MB

Download
memory/3940-155-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-156-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-157-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3940-150-0x0000000003080000-0x0000000003B43000-memory.dmp

Filesize
10.8MB

Download
memory/3940-148-0x0000000003080000-0x0000000003B43000-memory.dmp

Filesize
10.8MB

Download
memory/3940-159-0x0000000003D50000-0x0000000003E90000-memory.dmp

Filesize
1.2MB

Download
memory/3940-132-0x00000000024BC000-0x00000000025DA000-memory.dmp

Filesize
1.1MB

Download
memory/3940-138-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3940-137-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3940-136-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3940-135-0x0000000000400000-0x00000000006CE000-memory.dmp

Filesize
2.8MB

Download
memory/3940-134-0x00000000025E0000-0x00000000028A2000-memory.dmp

Filesize
2.8MB

Download
memory/3940-167-0x0000000003080000-0x0000000003B43000-memory.dmp

Filesize
10.8MB

Download