Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
18/12/2022, 01:52
Static task
static1
Behavioral task
behavioral1
Sample
ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
Resource
win10v2004-20221111-en
General
-
Target
ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
-
Size
214KB
-
MD5
8cd4c1669b141798086884abc4ece7e3
-
SHA1
27f9d39dfd0ce2519d39e0c65afa5baf128c9968
-
SHA256
ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e
-
SHA512
66341fe01d4b94d6f17c8b8731bd01185ce1cc1042cfe5c23068e4cc78d98f3f4398be4038e5af745843069eac1b5ffc0db29532c534219055ddccff57645b80
-
SSDEEP
3072:ESPmiQTLAYZwRxna9A8B0CgEvxvu2hkuM5o8/g3xoeVd0G3ERWR3LV:5Pm/TLAYfG8rxv4hjg3Ce3lU0VB
Malware Config
Extracted
danabot
23.236.181.126:443
123.253.35.251:443
66.85.173.3:443
-
embedded_hash
8F56CD73F6B5CD5D7B17B0BA61E70A82
-
type
loader
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule
behavioral1/memory/4620-133-0x00000000001F0000-0x00000000001F9000-memory.dmp family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
flow pid Process
45 4892 rundll32.exe
47 4892 rundll32.exe
53 4892 rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process
4032 DC99.exe
-
Loads dropped DLL 1 IoCs
pid Process
4892 rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target
3732 4032 WerFault.exe 88
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
4620 ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
4620 ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
2720 Process not Found (this row is repeated for the remaining 62 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2720 Process not Found
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process
4620 ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
Token: SeShutdownPrivilege 2720 Process not Found
Token: SeCreatePagefilePrivilege 2720 Process not Found
Token: SeShutdownPrivilege 2720 Process not Found
Token: SeCreatePagefilePrivilege 2720 Process not Found
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
PID 2720 wrote to memory of 4032 2720 Process not Found 88
PID 2720 wrote to memory of 4032 2720 Process not Found 88
PID 2720 wrote to memory of 4032 2720 Process not Found 88
PID 4032 wrote to memory of 4892 4032 DC99.exe 89
PID 4032 wrote to memory of 4892 4032 DC99.exe 89
PID 4032 wrote to memory of 4892 4032 DC99.exe 89
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ed88f99cb724c580196970b97eb273445332a1474c7268e2204dd520e94c819e.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4620
-
Path: C:\Users\Admin\AppData\Local\Temp\DC99.exe
Command line: C:\Users\Admin\AppData\Local\Temp\DC99.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032
    -
    Path: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4892
    -
    Path: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 480
    - Program crash
    PID:3732
-
Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4032 -ip 4032
PID:212
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.4MB
MD5 0bb2b15ca73128dbc816ea4ed583119c
SHA1 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512 d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375
-
Filesize
2.4MB
MD5 0bb2b15ca73128dbc816ea4ed583119c
SHA1 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512 d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375
-
Filesize
2.4MB
MD5 4e629d34e97bc2e57c57094904123106
SHA1 93fda5a141847275ba03e15a14aa454a77f46d4a
SHA256 2768bf43714000e0e689a4da2d9ed12b9d376751e1b5d85bb11fbd36fd08daf7
SHA512 c82315cdc0c825c65529dc3237a458aaa440cb5e696fb3d4ea59077fed2e9b2778f8a7dcbbf3db8c97bdf70a00a6ef3e832be944193c097aa491380bd1f1ebaa
-
Filesize
2.4MB
MD5 4e629d34e97bc2e57c57094904123106
SHA1 93fda5a141847275ba03e15a14aa454a77f46d4a
SHA256 2768bf43714000e0e689a4da2d9ed12b9d376751e1b5d85bb11fbd36fd08daf7
SHA512 c82315cdc0c825c65529dc3237a458aaa440cb5e696fb3d4ea59077fed2e9b2778f8a7dcbbf3db8c97bdf70a00a6ef3e832be944193c097aa491380bd1f1ebaa