danabot | f378d08ccdf697a50548e7d9bd56f102ffadd88f3306b7253f803e3047303829

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2022 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

214KB
MD5

c1be0d5de42908e9a62b94a46dcc17ce
SHA1

c2e3a40bd903682f5b971a5bd7c7af3c88ae0981
SHA256

f378d08ccdf697a50548e7d9bd56f102ffadd88f3306b7253f803e3047303829
SHA512

80be552b2f2de1aed5cd1bb14241dbdd4274bc0a726ab33f42a5fad174d4c33637b74a25c38188bee1080b647ec33499768e20fa119c7d0349832672f78dbb34
SSDEEP

3072:S3Nms4LLuOPZwRop1prfy61HPP7oPUVVEGLSkO8/g3xomDMrG3ERWR3Le:eNmhLLuOPn+gHPSUvEGmkTg3Co5U0V6

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Extracted

Family

danabot

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes

embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4816-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

44 220 rundll32.exe
45 220 rundll32.exe
58 220 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

D44C.exe

pid process

5092 D44C.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

220 rundll32.exe
220 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 220 set thread context of 932 220 rundll32.exe rundll32.exe

flow	pid	process
44	220	rundll32.exe
45	220	rundll32.exe
58	220	rundll32.exe

pid	process
5092	D44C.exe

pid	process
220	rundll32.exe
220	rundll32.exe

description	pid	process	target process
PID 220 set thread context of 932	220	rundll32.exe	rundll32.exe

Drops file in Program Files directory 31 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libEGL.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Microsoft.VCLibs.x86.14.00..dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\UnifiedShare.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\AdobePDF417.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\adc_logo.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\A12_Spinner_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Edit_R_Full.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\libEGL.dll	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Close.png	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\trash.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\create_form.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3696 5092 WerFault.exe D44C.exe

pid	pid_target	process	target process
3696	5092	WerFault.exe	D44C.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000092559606100054656d7000003a0009000400efbe6b55586c92559b062e00000000000000000000000000000000000000000000000000023f1801540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2644

pid	process
2644

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4816	file.exe
4816	file.exe
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2644
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

4816 file.exe

pid	process
2644

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

932 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2644
2644

pid	process
932	rundll32.exe

pid	process
2644
2644

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

D44C.exerundll32.exe

description	pid	process	target process
PID 2644 wrote to memory of 5092	2644		D44C.exe
PID 2644 wrote to memory of 5092	2644		D44C.exe
PID 2644 wrote to memory of 5092	2644		D44C.exe
PID 5092 wrote to memory of 220	5092	D44C.exe	rundll32.exe
PID 5092 wrote to memory of 220	5092	D44C.exe	rundll32.exe
PID 5092 wrote to memory of 220	5092	D44C.exe	rundll32.exe
PID 220 wrote to memory of 932	220	rundll32.exe	rundll32.exe
PID 220 wrote to memory of 932	220	rundll32.exe	rundll32.exe
PID 220 wrote to memory of 932	220	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4816

C:\Users\Admin\AppData\Local\Temp\D44C.exe
C:\Users\Admin\AppData\Local\Temp\D44C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20209
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 476
2⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5092 -ip 5092
1⤵
PID:212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1292

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Microsoft.VCLibs.x86.14.00..dll
Filesize
2.4MB

MD5
df050d5ae2ba4566328593889ccdcdb3

SHA1
fefff6357484ff384169ec31a083a65ea43056c7

SHA256
deede0c0be3601fff26b8c8c4902f634311b8f7eea6eccf13f76506afa0f7627

SHA512
9f720f71eae76d8421aadabd5e0357bf5da70736623b09fd9bb6d5e0032eef635b4191e58d72311857834b39cbf03f4fd3bd5308d22250c863e9eb42c257327a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.Proof.Culture.msi.16.en-us.xml
Filesize
25KB

MD5
c61439f60c39268b94a18e5d51f0b26e

SHA1
4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a

SHA256
06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213

SHA512
88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
Filesize
2.3MB

MD5
38de913ed9391818d62bf45b0153cf43

SHA1
15c061f805e237edcd0d8ddeaa369f60223e70e8

SHA256
30e4b79b7122da9f1ce9160cc970d59a6e1b950392ad7f1b6eb57ae359b5751b

SHA512
871b04ff1cff6f6b175b3759b56dde9255ee70f17824faaaee0d900dd78198d557bfc4693616e73fec9f2f06955e6ace299d1a4d7e4bb4b837c63174b8c521e9

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp
Filesize
2.3MB

MD5
fa3f7b12e6bea759b10a922012bfecba

SHA1
ff2c854bb3cd9a5f6edef094e1233b8201d15531

SHA256
305150f1e147a0d951a2862da4f35ac0374386e2183a9d31a856d7a657368eb3

SHA512
2174033db5723528598b24a906d1b5855220bb65c6ebbea63f3376a52194f3b214e8a1a3cad36952de15f09f8f38509b629fbb79dae805d90338ae3ba9e5236c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml
Filesize
5KB

MD5
1944801cae061223e36fcce6aed6bfba

SHA1
b465c53f3e6ae74fac368f36cbfc5842ce085e14

SHA256
b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959

SHA512
82b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
913B

MD5
be48ed7a27efec1cfe2fff47cd7487cf

SHA1
ac37f431251640b5dbe93fc68d97265a22cb68ba

SHA256
49300e653a9546101b9d906d9782250976b92aaa7f6d92b561f130d5ac6c856f

SHA512
4e86e8ac7a21465ef728d6f0c4949394d0145e119886b152b27bce6be4108e784e4f6224937f064741f0dfcdc4d9f9bec6933c30e0b5225a7458154316cd14cb

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
827B

MD5
cf7d0dd53bde6261338a343a4a92c3f5

SHA1
f5326546a46c8a7d2400d743fca320a166331757

SHA256
df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6

SHA512
9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
15KB

MD5
c73eeb9dedd94a612969e003260e6341

SHA1
0451277183bad12e3179c12c0a14694fab52bc8d

SHA256
1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

SHA512
d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftInternetExplorer2013.xml
Filesize
3KB

MD5
39809802833d898662c89d1d8ae84404

SHA1
d58f9d9ee2bd76ef129e48266cf94b72a28d0bb5

SHA256
30224904419fbc821d52e4e78ceed00115c5a74aa3581b89dc5026223194171a

SHA512
907515f52c1c2e88862a2d1ce5fb2554eae5accd0c6bf0ce64ff011e9d62f1c06160118890e749e601338abb7d29498b4fe28ce8b5ed35a79c412349aa9e7b95

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Policy.vpol
Filesize
444B

MD5
9efac978d2adae06f8aa2408df220268

SHA1
61b158f2f99663631b037e970461be3238a84302

SHA256
b798f6c4bba8fe6fd7f4a7bf5f599d6de87ca2684d20487704573d1cf51e04d7

SHA512
534b2bda4bbc3e724444f4aee3b55a000dcef6d3a57e7c6e44bf588b1bc643b7a46e5e4823d835ee695d47e5ae680fcec9f21590c88e960603af5a795c1ec0b2

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\SmsInterceptStore.jfm
Filesize
16KB

MD5
25367ac011cf6be75ac0f88835d008a3

SHA1
14c631e08ac81359ea4a05bab4409a9fda1a9579

SHA256
765c7f04ae4c6b8ff1d644fd3c3b00a046f4e9cdfe3516ac568316a17f93cff2

SHA512
27ec56a47e7338532c000282fd494ccf6311f16a547b96524c5aa9aa8a96cc825c1b5204deff08cbfe414e8ed4a5daf9c255a4f3762d0d465691a21a7061d796

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\msoutilstat.etw.man
Filesize
111KB

MD5
c1e8b625377c75454266f9d172d2f77d

SHA1
68ee3ac1b685d68bfdc434f430b6158a98073807

SHA256
7847e5ba06ca0a834454a3c62ec343dcaa4339e6ef2ed5bd42e460ade5331628

SHA512
1f04e28609f08a8616c7d1ebecfa6949f1eb939b29386365e72d4263dfd13fe81d036c8f9fce41f18b1e008f47b76c7278a00a770542411f751641fe7d756d21

Download Submit
C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\settings.ico
Filesize
66KB

MD5
4896c2ad8ca851419425b06ec0fd95f2

SHA1
7d52e9355998f1b4487f8ef2b1b3785dec35d981

SHA256
1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3

SHA512
271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44C.exe
Filesize
2.4MB

MD5
48ad5d3d9fca6ac790392cb17626c439

SHA1
7c82d7fbeb2351cd88eaf3b4782d0612e564ec4a

SHA256
d0fc9d579acc772729a961dea697ce8133a5c71cca139990215f7b09cc54f049

SHA512
e829509d92643a8e2fbf29edebbf1feadfa2dd568b6530bd215852cc774071da1977a9d960b0c73603e4fbc633efccfd7d62f1277aebed0430d2a7c148c2d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\D44C.exe
Filesize
2.4MB

MD5
48ad5d3d9fca6ac790392cb17626c439

SHA1
7c82d7fbeb2351cd88eaf3b4782d0612e564ec4a

SHA256
d0fc9d579acc772729a961dea697ce8133a5c71cca139990215f7b09cc54f049

SHA512
e829509d92643a8e2fbf29edebbf1feadfa2dd568b6530bd215852cc774071da1977a9d960b0c73603e4fbc633efccfd7d62f1277aebed0430d2a7c148c2d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
df93e55355767e9cdc7f7dc1849e0dc7

SHA1
3560d1a073469b4d15076b2025bfb5e3c0b3796a

SHA256
2367856d3b293c2bcd89ad5e748bc06fba227b03d6dbee5452a68dfcaa8711c9

SHA512
68d21207060740e80d27950004465ca768bb33a5d1e44078456b0d0f71e474afe82be1d03e5cbb302df734e7ada93c126a14d751314a3c42f2ed1c2dd59dfe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
df93e55355767e9cdc7f7dc1849e0dc7

SHA1
3560d1a073469b4d15076b2025bfb5e3c0b3796a

SHA256
2367856d3b293c2bcd89ad5e748bc06fba227b03d6dbee5452a68dfcaa8711c9

SHA512
68d21207060740e80d27950004465ca768bb33a5d1e44078456b0d0f71e474afe82be1d03e5cbb302df734e7ada93c126a14d751314a3c42f2ed1c2dd59dfe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
Filesize
2.4MB

MD5
df93e55355767e9cdc7f7dc1849e0dc7

SHA1
3560d1a073469b4d15076b2025bfb5e3c0b3796a

SHA256
2367856d3b293c2bcd89ad5e748bc06fba227b03d6dbee5452a68dfcaa8711c9

SHA512
68d21207060740e80d27950004465ca768bb33a5d1e44078456b0d0f71e474afe82be1d03e5cbb302df734e7ada93c126a14d751314a3c42f2ed1c2dd59dfe79

Download Submit
\??\c:\program files (x86)\msbuild\microsoft\microsoft.vclibs.x86.14.00..dll
Filesize
2.4MB

MD5
df050d5ae2ba4566328593889ccdcdb3

SHA1
fefff6357484ff384169ec31a083a65ea43056c7

SHA256
deede0c0be3601fff26b8c8c4902f634311b8f7eea6eccf13f76506afa0f7627

SHA512
9f720f71eae76d8421aadabd5e0357bf5da70736623b09fd9bb6d5e0032eef635b4191e58d72311857834b39cbf03f4fd3bd5308d22250c863e9eb42c257327a

Download Submit
memory/220-149-0x00000000039E0000-0x0000000004105000-memory.dmp

Filesize
7.1MB

Download
memory/220-148-0x0000000002680000-0x00000000028F1000-memory.dmp

Filesize
2.4MB

Download
memory/220-155-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-156-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-157-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-150-0x00000000039E0000-0x0000000004105000-memory.dmp

Filesize
7.1MB

Download
memory/220-151-0x00000000039E0000-0x0000000004105000-memory.dmp

Filesize
7.1MB

Download
memory/220-154-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-161-0x0000000004249000-0x000000000424B000-memory.dmp

Filesize
8KB

Download
memory/220-147-0x0000000002680000-0x00000000028F1000-memory.dmp

Filesize
2.4MB

Download
memory/220-143-0x0000000002680000-0x00000000028F1000-memory.dmp

Filesize
2.4MB

Download
memory/220-164-0x00000000039E0000-0x0000000004105000-memory.dmp

Filesize
7.1MB

Download
memory/220-153-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-152-0x00000000041D0000-0x0000000004310000-memory.dmp

Filesize
1.2MB

Download
memory/220-139-0x0000000000000000-mapping.dmp

Download
memory/932-158-0x00007FF730316890-mapping.dmp

Download
memory/932-160-0x0000024A22DB0000-0x0000024A22EF0000-memory.dmp

Filesize
1.2MB

Download
memory/932-163-0x0000024A213E0000-0x0000024A2160A000-memory.dmp

Filesize
2.2MB

Download
memory/932-162-0x0000000000FF0000-0x0000000001209000-memory.dmp

Filesize
2.1MB

Download
memory/932-159-0x0000024A22DB0000-0x0000024A22EF0000-memory.dmp

Filesize
1.2MB

Download
memory/2708-181-0x00000000020C0000-0x00000000027E5000-memory.dmp

Filesize
7.1MB

Download
memory/2708-179-0x00000000020C0000-0x00000000027E5000-memory.dmp

Filesize
7.1MB

Download
memory/2708-180-0x00000000020C0000-0x00000000027E5000-memory.dmp

Filesize
7.1MB

Download
memory/2708-167-0x0000000000400000-0x0000000000671000-memory.dmp

Filesize
2.4MB

Download
memory/4816-132-0x00000000006E3000-0x00000000006F4000-memory.dmp

Filesize
68KB

Download
memory/4816-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4816-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4816-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/5092-146-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/5092-145-0x0000000002650000-0x00000000029D5000-memory.dmp

Filesize
3.5MB

Download
memory/5092-144-0x0000000000A59000-0x0000000000CA4000-memory.dmp

Filesize
2.3MB

Download
memory/5092-136-0x0000000000000000-mapping.dmp

Download