danabot | 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe
Size

1004KB
MD5

1a8e406d5c8ee2782bef58cedc387bca
SHA1

d8f8eb4a2245e0688d031f511a04c0d219f94356
SHA256

054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db
SHA512

72f216529ec432d525e1843cfaf77f0109a37e429042d0f19ea2acd3ecacdd5728d8410de2c76c1e20b39ee060f693ad1827dce83f75deb043692d9d06b8b6a9
SSDEEP

24576:xIx3Z40aPvEYPgLOI8Z1R1ZEvyTA+7DPKMbUAbkznKYbXF:KJuvrg6I8dhA+3hUYkrJX

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

12 3016 rundll32.exe
15 3016 rundll32.exe
92 3016 rundll32.exe
94 3016 rundll32.exe

flow	pid	process
12	3016	rundll32.exe
15	3016	rundll32.exe
92	3016	rundll32.exe
94	3016	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\aic_file_icons_retina_thumb_new.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aic_file_icons_retina_thumb_new\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3016 rundll32.exe
3192 svchost.exe
3952 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3016	rundll32.exe
3192	svchost.exe
3952	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3016 set thread context of 3540 3016 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3016 set thread context of 3540	3016	rundll32.exe	rundll32.exe

Drops file in Program Files directory 47 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eBook.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapter.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\open_original_form.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\RTC.der	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\widevinecdmadapter.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

728 5028 WerFault.exe 054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe

pid	pid_target	process	target process
728	5028	WerFault.exe	054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\268A374B716F89DC7288151E71599DD7161B843F	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\268A374B716F89DC7288151E71599DD7161B843F\Blob = 030000000100000014000000268a374b716f89dc7288151e71599dd7161b843f20000000010000006e0200003082026a308201d3a0030201020208663daf275d47fb37300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7265204365626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313231383232333232305a170d3234313231373232333232305a305a3122302006035504030c1942616c74696d6f7265204365626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100a2f2757ba7052ca0dae8b6f3d454199ec4f19130ee012811718a4aefef3655593a98211ff4895b6c9a7d9d4a71f3e0f1ace6f9eecab392f2948db1f26187e2b4bcb23d00a44e326d12c3ea516278a3ca1721772867d0cce320c278fa8a8b73a802dce8794d451b7613f2d166778bced62c6b11c50a67bf560a56578b2a46763d0203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7265204365626572547275737420526f6f74300d06092a864886f70d01010b05000381810054f55bcbe40c6a6c72c281503e8549d5bdc5ce235d367ae6829fc05d5e3a7451c759fa45a8c16b89007b2b4b912441382794e6a53e539b9698af826ef534cb2a015d802707537fb362b75019fc3db41747c641f80777fb11067f6bbf3db5ca66edea39f6de863691f815f33f5042b98ab724fc61bb92337d3fa4f1ffda963af8	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3192	svchost.exe
3192	svchost.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3016	rundll32.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe
3192	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3016 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3540 rundll32.exe
3016 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3016	rundll32.exe

pid	process
3540	rundll32.exe
3016	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exerundll32.exesvchost.exe

description	pid	process	target process
PID 5028 wrote to memory of 3016	5028	054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe	rundll32.exe
PID 5028 wrote to memory of 3016	5028	054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe	rundll32.exe
PID 5028 wrote to memory of 3016	5028	054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe	rundll32.exe
PID 3016 wrote to memory of 3540	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3540	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3540	3016	rundll32.exe	rundll32.exe
PID 3192 wrote to memory of 3952	3192	svchost.exe	rundll32.exe
PID 3192 wrote to memory of 3952	3192	svchost.exe	rundll32.exe
PID 3192 wrote to memory of 3952	3192	svchost.exe	rundll32.exe
PID 3016 wrote to memory of 5028	3016	rundll32.exe	schtasks.exe
PID 3016 wrote to memory of 5028	3016	rundll32.exe	schtasks.exe
PID 3016 wrote to memory of 5028	3016	rundll32.exe	schtasks.exe
PID 3016 wrote to memory of 4092	3016	rundll32.exe	schtasks.exe
PID 3016 wrote to memory of 4092	3016	rundll32.exe	schtasks.exe
PID 3016 wrote to memory of 4092	3016	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe
"C:\Users\Admin\AppData\Local\Temp\054658904a19e8864e90f1e125c92530d57a2d911dafa7fd97eb45d8856922db.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3016

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3540

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 536
2⤵
- Program crash
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5028 -ip 5028
1⤵
PID:1168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_new.dll",XVILWEdMM3M=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll
Filesize
726KB

MD5
8d4d06d0653628b0de3c4b99f1270ad5

SHA1
5fb39c8f6f4c0da8020393331777ee7382fd2afa

SHA256
195442d422009dc8a44303f27742419280d6f8f4443dd4f7c04b6faf536718b4

SHA512
0cee06df640d180ffbb40fce9d722bd92e09da7f9a9e2314ec12956921a9e03b1ecbe8d98d3872e5002944797591792f8f907440491e13d35da4ee98120e35cd

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_new.dll
Filesize
726KB

MD5
8d4d06d0653628b0de3c4b99f1270ad5

SHA1
5fb39c8f6f4c0da8020393331777ee7382fd2afa

SHA256
195442d422009dc8a44303f27742419280d6f8f4443dd4f7c04b6faf536718b4

SHA512
0cee06df640d180ffbb40fce9d722bd92e09da7f9a9e2314ec12956921a9e03b1ecbe8d98d3872e5002944797591792f8f907440491e13d35da4ee98120e35cd

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Active.GRL
Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.Proof.Culture.msi.16.en-us.xml
Filesize
25KB

MD5
c61439f60c39268b94a18e5d51f0b26e

SHA1
4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a

SHA256
06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213

SHA512
88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmmui.msi.16.en-us.xml
Filesize
10KB

MD5
3ef69b2c0f15e6b97fca1141bc9beb9a

SHA1
421916704e31978eb77421161bb170003a83c1a2

SHA256
f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

SHA512
cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiPT0000.001
Filesize
64KB

MD5
08c1446a011937f5608e5f2448443304

SHA1
53e7291e9b33e46a17d9514a6005302e79a36407

SHA256
c10595f1ade2f1adced14a578b437e6958adf631c01a4c167b14b6904eaf2680

SHA512
a7a339940faba59e5a07b715ae39df9de39a4e69913d8d347cd696709a3191483537d1c011a1bea2d5faa222bf768e33dbde5791d04458b7e14a3db494eb6b07

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
843B

MD5
72d7dc9f57f3487a99e2f05c06274c28

SHA1
ba789a0e8174327b30443f5b7131228f4ad40cf0

SHA256
dae20c31fd2cd68389b40f99cb7791c8d79d8d8aca2c417d90713ad6c926471f

SHA512
aa15897d32ee44cbb2a8d9dfbdbf32b7a6885150ca8fb5c715020310385e6f889612f80eb452ec73d444fdf03fef7eb920fe586662c2185c93a695e72d56362c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe.xml
Filesize
840B

MD5
2528a361d2ecf923788b3f69833696ec

SHA1
38980657507f08069bc9a05ef8ec17da33410c30

SHA256
7b9699e0d489996eaeb9620d5e5b15cb5f523144a8dbf2a73412329711bd6b7c

SHA512
532f760ba48c2051537edea47506efea1ea8204e51dc61173692da9eab58b5a0bd934b7fa2ce07798e9d468acede6a4926b234dcef3ee0685676505079681202

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
829B

MD5
dbe1655cf17f98afe5ba65a18f3b178b

SHA1
1025583f1f3a833449a82c1f2e4b2fc2be18f0c3

SHA256
edc122dcf531bff5e772b1772cddc9a6d6e1166907c2c9e11d9125feed5f10a1

SHA512
54a180fbf0257dc47d1a432fcb4f1c6aa8e2d1950a1d68d4982edfa9e5816e2420e72f181cbdda54287c9d52f41773c29a9ca698c10854c040debbc605b46abb

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftLync2013Win32.xml
Filesize
2KB

MD5
fa5b7d129ddfd18b73d3a4a0b0fb4c87

SHA1
b5e32bd5772cfb50174451d4818670d32088ff85

SHA256
4452719f5b16e474e6ae407fb56f7e68f0308920938d749a4d46cded948c116d

SHA512
99fd882c7f9a333143367e09590b9c71c9aa3957205a2dd26097ae88a54265d7272968ec99c755ef6d7741ff8e690b53492321b42129c990c870beb6322eb034

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
e27187607c97f03ff80dedf9a451fded

SHA1
d7f14f9ccbeb98477175dea13b2e374a6131498d

SHA256
7aac12ce0e0b5c03113531e7c58092e07bab7f81236380eace11cce50e05adab

SHA512
ddaf66c32a16bfcca942c1b1a6daa50522eb2726538dc9da08fdc965f6ae1521e527719d7f166f2fa38edb291249502768af3e6bd9799fee126f7edef9226d30

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_.ico
Filesize
59KB

MD5
a161b3f9fd62c3931fbd79512810cffa

SHA1
a63f1d8945b983356b66819b3aa5b0bd409995e4

SHA256
d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7

SHA512
f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.x-none.dat.cat
Filesize
574KB

MD5
13e2674d1e5118dc8547264aa2b8654b

SHA1
60b0f7065882e839d6a80f1263f9f60a8efa26bd

SHA256
320ae5c50698f4553758c71c37135cf390c06f355cfb3b8cc18dae85ead16944

SHA512
b399d85720844dbcb7220b05a186cd0cf46e3307c8afbebbbdcd132be5aa9f936482ba5743764acd12df256a2b2249a0b06ef7365286c66912db02634cd18bda

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user-48.png
Filesize
617B

MD5
e738274439f0bcf555425a00af9a2f75

SHA1
cf0d5425bda34e865bc73601ac299d425d9064ef

SHA256
191e237f5a862cdbafa4562bebf080680a051d2c07b4f256c9b856f10d63d010

SHA512
2c2c1ccb38d14150dcb89249c3a2ee995e9467fb99ea20cc4819c4a683b50be0753b04264048084ae2611399b56736ca50d7a94dd98bd3dd055f430471188c8d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.app.json.bk
Filesize
95KB

MD5
2d87169429f9ee44c1ed0a6f32b57af4

SHA1
94570d47bbaad857b4a9e192f7b8d01e29e05520

SHA256
3a4b950f26a8783c90a26ecdbf66e4b780d3b760e921fd69961f4b469e48d319

SHA512
90def0773e7d83410b814d55af12e8b40dba81c5af8e598359818c0c456b29e6db7c83e2284628c7a1831e0121ebda82f4759b98a1ffd2a493cc99dd83633f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_new.dll
Filesize
726KB

MD5
8d4d06d0653628b0de3c4b99f1270ad5

SHA1
5fb39c8f6f4c0da8020393331777ee7382fd2afa

SHA256
195442d422009dc8a44303f27742419280d6f8f4443dd4f7c04b6faf536718b4

SHA512
0cee06df640d180ffbb40fce9d722bd92e09da7f9a9e2314ec12956921a9e03b1ecbe8d98d3872e5002944797591792f8f907440491e13d35da4ee98120e35cd

Download Submit
memory/3016-135-0x0000000000000000-mapping.dmp

Download
memory/3016-144-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-152-0x0000000004170000-0x0000000004895000-memory.dmp

Filesize
7.1MB

Download
memory/3016-139-0x0000000004170000-0x0000000004895000-memory.dmp

Filesize
7.1MB

Download
memory/3016-141-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-140-0x0000000004170000-0x0000000004895000-memory.dmp

Filesize
7.1MB

Download
memory/3016-146-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-142-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-143-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3016-145-0x0000000004960000-0x0000000004AA0000-memory.dmp

Filesize
1.2MB

Download
memory/3192-176-0x0000000003DE0000-0x0000000004505000-memory.dmp

Filesize
7.1MB

Download
memory/3192-156-0x0000000003DE0000-0x0000000004505000-memory.dmp

Filesize
7.1MB

Download
memory/3192-169-0x0000000003DE0000-0x0000000004505000-memory.dmp

Filesize
7.1MB

Download
memory/3540-149-0x0000000000630000-0x0000000000849000-memory.dmp

Filesize
2.1MB

Download
memory/3540-150-0x00000160822B0000-0x00000160823F0000-memory.dmp

Filesize
1.2MB

Download
memory/3540-148-0x00000160822B0000-0x00000160823F0000-memory.dmp

Filesize
1.2MB

Download
memory/3540-147-0x00007FF68FFA6890-mapping.dmp

Download
memory/3540-151-0x00000160808D0000-0x0000016080AFA000-memory.dmp

Filesize
2.2MB

Download
memory/3952-170-0x0000000000000000-mapping.dmp

Download
memory/3952-172-0x0000000004840000-0x0000000004F65000-memory.dmp

Filesize
7.1MB

Download
memory/3952-173-0x0000000004840000-0x0000000004F65000-memory.dmp

Filesize
7.1MB

Download
memory/4092-175-0x0000000000000000-mapping.dmp

Download
memory/5028-134-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/5028-138-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/5028-133-0x0000000002440000-0x0000000002555000-memory.dmp

Filesize
1.1MB

Download
memory/5028-174-0x0000000000000000-mapping.dmp

Download
memory/5028-132-0x0000000002365000-0x000000000243B000-memory.dmp

Filesize
856KB

Download