Analysis
-
max time kernel
1801s -
max time network
1772s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
27-10-2022 12:22
General
-
Target
ChromeSetup.exe
-
Size
260KB
-
MD5
318048af42c5a515d00f888051759aee
-
SHA1
08f02dd5f433599e79b4af8492d764b6cc20ae1d
-
SHA256
5e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
-
SHA512
6b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
-
SSDEEP
3072:1XKqvYc10U0hP/6m1h45PssEZL6zXBPRga25dZRsX+Iw3mi03zbu/T0K/:xVH/2P/6m1astL6zXAnOcmi03vu0U
Malware Config
Extracted
danabot
172.86.120.215:443
213.227.155.103:443
103.187.26.147:443
172.86.120.138:443
-
embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 19 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 48 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 40 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
-
Suspicious use of FindShellTrayWindow 11 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"C:\Users\Admin\AppData\Local\Temp\ChromeSetup.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AFC.exeC:\Users\Admin\AppData\Local\Temp\AFC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\agentactivationruntimestarter.exeC:\Windows\system32\agentactivationruntimestarter.exe2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 203273⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x510 0x50c1⤵
-
C:\Users\Admin\AppData\Roaming\bauwsjhC:\Users\Admin\AppData\Roaming\bauwsjh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\bauwsjhC:\Users\Admin\AppData\Roaming\bauwsjh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\bauwsjhC:\Users\Admin\AppData\Roaming\bauwsjh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AFC.exeFilesize
1.3MB
MD55bca63386bbada2c021da12fae6e0a2b
SHA19ac800c5c720e0c4f6a21fdb27211c4a9a875452
SHA256b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be
SHA512957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339
-
C:\Users\Admin\AppData\Local\Temp\AFC.exeFilesize
1.3MB
MD55bca63386bbada2c021da12fae6e0a2b
SHA19ac800c5c720e0c4f6a21fdb27211c4a9a875452
SHA256b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be
SHA512957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339
-
C:\Users\Admin\AppData\Local\Temp\Dhfteep.tmpFilesize
3.3MB
MD59ee66bd586450c037b6a14eed557a159
SHA16218331454c5204349b259ea260dd2161ce41371
SHA256d9cf31419401bed1796f49f2daea2f9eea468c3643ab9086ba61d24e3283db0f
SHA512eabdb81f278abe54088740b4139ca6d5b8cf99c014102128b9c3ebebf51b163d6ba0b06a066de1eeb33199c2a475c0ce585c102b7684ce2d086b493f842ee8a8
-
C:\Users\Admin\AppData\Roaming\bauwsjhFilesize
260KB
MD5318048af42c5a515d00f888051759aee
SHA108f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA2565e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA5126b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
-
C:\Users\Admin\AppData\Roaming\bauwsjhFilesize
260KB
MD5318048af42c5a515d00f888051759aee
SHA108f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA2565e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA5126b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
-
C:\Users\Admin\AppData\Roaming\bauwsjhFilesize
260KB
MD5318048af42c5a515d00f888051759aee
SHA108f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA2565e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA5126b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
-
C:\Users\Admin\AppData\Roaming\bauwsjhFilesize
260KB
MD5318048af42c5a515d00f888051759aee
SHA108f02dd5f433599e79b4af8492d764b6cc20ae1d
SHA2565e6d3484c5770834dc03309b785959ccaa241eb25abc5fb42dd49e4210c4c98a
SHA5126b7876110f32d6a92b241f6f95dcc2a1cb85c7604091cc88208a6c4c734ee940685c43e1bd69f8d8152d0b3257447e7ddac41ccd3088afed88cccb5bdb33904e
-
memory/2072-148-0x0000000000710000-0x0000000000713000-memory.dmpFilesize
12KB
-
memory/2072-153-0x0000000000750000-0x0000000000753000-memory.dmpFilesize
12KB
-
memory/2072-146-0x0000000000000000-mapping.dmp
-
memory/2072-152-0x0000000000750000-0x0000000000753000-memory.dmpFilesize
12KB
-
memory/2072-147-0x0000000000700000-0x0000000000703000-memory.dmpFilesize
12KB
-
memory/2072-149-0x0000000000720000-0x0000000000723000-memory.dmpFilesize
12KB
-
memory/2072-150-0x0000000000730000-0x0000000000733000-memory.dmpFilesize
12KB
-
memory/2072-151-0x0000000000740000-0x0000000000743000-memory.dmpFilesize
12KB
-
memory/2404-135-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2404-134-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2404-132-0x0000000002E07000-0x0000000002E1C000-memory.dmpFilesize
84KB
-
memory/2404-133-0x0000000002D80000-0x0000000002D89000-memory.dmpFilesize
36KB
-
memory/3440-186-0x0000000000000000-mapping.dmp
-
memory/3848-183-0x000001FD04C50000-0x000001FD04D90000-memory.dmpFilesize
1.2MB
-
memory/3848-188-0x000001FD03280000-0x000001FD034AE000-memory.dmpFilesize
2.2MB
-
memory/3848-181-0x00007FF641876890-mapping.dmp
-
memory/3848-184-0x0000000000F80000-0x000000000119E000-memory.dmpFilesize
2.1MB
-
memory/3848-185-0x000001FD03280000-0x000001FD034AE000-memory.dmpFilesize
2.2MB
-
memory/3848-182-0x000001FD04C50000-0x000001FD04D90000-memory.dmpFilesize
1.2MB
-
memory/3868-201-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/3868-200-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/3868-199-0x0000000002F3A000-0x0000000002F4F000-memory.dmpFilesize
84KB
-
memory/3892-187-0x0000000000000000-mapping.dmp
-
memory/4044-139-0x0000000000000000-mapping.dmp
-
memory/4116-197-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4116-195-0x0000000002E4A000-0x0000000002E5F000-memory.dmpFilesize
84KB
-
memory/4116-196-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4128-191-0x0000000002E17000-0x0000000002E2C000-memory.dmpFilesize
84KB
-
memory/4128-192-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4128-193-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/4132-171-0x0000000000400000-0x0000000000D9C000-memory.dmpFilesize
9.6MB
-
memory/4132-170-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-169-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-172-0x00000000028D0000-0x000000000338C000-memory.dmpFilesize
10.7MB
-
memory/4132-168-0x00000000028D0000-0x000000000338C000-memory.dmpFilesize
10.7MB
-
memory/4132-174-0x00000000028D0000-0x000000000338C000-memory.dmpFilesize
10.7MB
-
memory/4132-176-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-175-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-177-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-178-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-179-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-180-0x0000000003410000-0x0000000003550000-memory.dmpFilesize
1.2MB
-
memory/4132-167-0x0000000000000000-mapping.dmp
-
memory/4532-165-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-143-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4532-173-0x00000000056E0000-0x000000000619C000-memory.dmpFilesize
10.7MB
-
memory/4532-166-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-142-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4532-145-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4532-164-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-141-0x0000000004B40000-0x0000000004E0C000-memory.dmpFilesize
2.8MB
-
memory/4532-140-0x000000000326F000-0x0000000003390000-memory.dmpFilesize
1.1MB
-
memory/4532-159-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-163-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-162-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-161-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-160-0x0000000006320000-0x0000000006460000-memory.dmpFilesize
1.2MB
-
memory/4532-158-0x00000000056E0000-0x000000000619C000-memory.dmpFilesize
10.7MB
-
memory/4532-157-0x00000000056E0000-0x000000000619C000-memory.dmpFilesize
10.7MB
-
memory/4532-136-0x0000000000000000-mapping.dmp
-
memory/4532-156-0x00000000056E0000-0x000000000619C000-memory.dmpFilesize
10.7MB
-
memory/4532-144-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4532-154-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB