Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/12/2022, 08:16

General

  • Target

    8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe

  • Size

    214KB

  • MD5

    3c1a4982815bb6549cd30e514e271fd6

  • SHA1

    de2809b05f50c3fa5bebaaa2bee9712724ace615

  • SHA256

    8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b

  • SHA512

    49e05c67daa6cd295d66058d6422925876689c8d1876ec267d06fe1c0af33b485382198c7f65c04ff0d35c35f404ca97a0ff7dd49b6de57e70877c41a447ddf1

  • SSDEEP

    3072:AqMK6lL0BwRYyxiV/lZ39cB9JjN/IHYzKNwz8/g3xod4ROaBG3ERWR3LV:NMtlL0byGZ39UJqH0Qg3Cd4oagU0VB

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes
  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe
    "C:\Users\Admin\AppData\Local\Temp\8c2b6a9ecd611098ab7b36a90a6ba13d4e04e5cd833da3830ee603f8924ced0b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2424
  • C:\Users\Admin\AppData\Local\Temp\D769.exe
    C:\Users\Admin\AppData\Local\Temp\D769.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
      2⤵
      • Blocklisted process makes network request
      • Sets DLL path for service in the registry
      • Sets service image path in registry
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20223
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 484
      2⤵
      • Program crash
      PID:4848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 632 -ip 632
    1⤵
    PID:2032
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5076
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:2232
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\msbuild\microsoft\adelrcp.dll",Xz4hQ04=
      2⤵
      PID:3432

Network

MITRE ATT&CK Enterprise v6

Downloads

                • C:\Program Files (x86)\MSBuild\Microsoft\ADelRCP.dll

                  Filesize

                  2.4MB

                  MD5

                  3a16cbcfa6966c0a644f09430e39efe1

                  SHA1

                  18190824815ae411156806f7aa52b6dbceaa24f1

                  SHA256

                  298ff39ecd80a282c04005eb1f7d6023f31f67b0204e7c88aeb1962768deadd4

                  SHA512

                  61ee3cb35a2dba07ce44f5178761251aa9819370bc506485ac9356543f6ecf72cc4d756fb2d2862960b5810ab3ebe1c0f0a444e3e69cb74543d09cd2f741f985

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.officemui.msi.16.en-us.xml

                  Filesize

                  122KB

                  MD5

                  35acff0f35559eac959647a7501385f7

                  SHA1

                  28e052e01fe4e0eac3eab461385460eff7efe271

                  SHA256

                  2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0

                  SHA512

                  f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

                  Filesize

                  2.3MB

                  MD5

                  ca46edae2217279051a3ce83398427e5

                  SHA1

                  576f39dd50f1abe5e35b8a6ea5b8eedeef26154d

                  SHA256

                  f40fa45b6546a80688b10e168815bc7bd4ebd6d8d964305ba797555fc883ba82

                  SHA512

                  7662a2e2fc59aebf99e482227d0c8bedb9a89208013ec3c5b6ed47789ac8b3baebe909bf7e2c3d6eda6ea9bbc80c561d9f673e907d72cd354afe0e0f7def44f4

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

                  Filesize

                  1KB

                  MD5

                  6c2429d1fdb4a93ebca14340b9fb8fb7

                  SHA1

                  e757fc9e129850598fff1931d496fb7c7b21d4d6

                  SHA256

                  52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

                  SHA512

                  bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

                  Filesize

                  913B

                  MD5

                  1600f66ce0d9c342eb6a49155a2f8c14

                  SHA1

                  e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07

                  SHA256

                  8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27

                  SHA512

                  ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

                  Filesize

                  840B

                  MD5

                  424b00848f1ce9633dec58f15c3d43b5

                  SHA1

                  c452da009ae3db8493131a11738975b4aadf928d

                  SHA256

                  21e8f0a4fbf065d15947cff2bea6d9625b8bad7a2969061ada9c240b397aaac9

                  SHA512

                  81be9ca04ef6cc6a6da58e0b79a793c1c959d1f68abff53cefc84b0f8313a88e99c480cd204d42f07a2017fe3712f7cb29bdcba334c0ad061a2bc8fad0ff26b7

                • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\MicrosoftLync2010.xml

                  Filesize

                  3KB

                  MD5

                  701beb4f8c252fb3c9f5dbdc94648048

                  SHA1

                  556ba20475a502b68b7992454be6c64ab355b4ec

                  SHA256

                  620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

                  SHA512

                  28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

                • C:\Users\Admin\AppData\Local\Temp\D769.exe

                  Filesize

                  2.4MB

                  MD5

                  6e10b6107066da8b83187a14c8b68b23

                  SHA1

                  bfe5bb0d1fbd503226abf58fbd88e91e8f17ba05

                  SHA256

                  804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e

                  SHA512

                  6f4715008d918f0a940bae3970e072c39b16a6c8fb66f10bc32c4b611c93a437b3475646d0fafa3e814af6d5013a518ba5893c2c984b558f66733b4d03f83461

                • C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

                  Filesize

                  2.4MB

                  MD5

                  5f4ea66e5a0558784add458259f7e9c3

                  SHA1

                  11ca8a52f3a8b8ed410a82c4570e1a683a233d77

                  SHA256

                  7f3fde1c0be5b905db2839f85bcc5b406c2a242fa2831f1cb83f4681037bbb26

                  SHA512

                  77afd658be816646a63318de23c930f16b7cc16ad5498d4860a015f7d02587767799841c5ef5d21e17455c7047b936be5e964f1caf24484c23e8ea9cfd7b38ee

                • \??\c:\program files (x86)\msbuild\microsoft\adelrcp.dll

                  Filesize

                  2.4MB

                  MD5

                  3a16cbcfa6966c0a644f09430e39efe1

                  SHA1

                  18190824815ae411156806f7aa52b6dbceaa24f1

                  SHA256

                  298ff39ecd80a282c04005eb1f7d6023f31f67b0204e7c88aeb1962768deadd4

                  SHA512

                  61ee3cb35a2dba07ce44f5178761251aa9819370bc506485ac9356543f6ecf72cc4d756fb2d2862960b5810ab3ebe1c0f0a444e3e69cb74543d09cd2f741f985

                • memory/632-139-0x0000000000B4E000-0x0000000000D99000-memory.dmp

                  Filesize

                  2.3MB

                • memory/632-142-0x0000000000400000-0x0000000000791000-memory.dmp

                  Filesize

                  3.6MB

                • memory/632-146-0x0000000000400000-0x0000000000791000-memory.dmp

                  Filesize

                  3.6MB

                • memory/632-140-0x0000000002680000-0x0000000002A05000-memory.dmp

                  Filesize

                  3.5MB

                • memory/2232-178-0x0000000002160000-0x0000000002885000-memory.dmp

                  Filesize

                  7.1MB

                • memory/2232-167-0x0000000001800000-0x0000000001A71000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2232-175-0x0000000002160000-0x0000000002885000-memory.dmp

                  Filesize

                  7.1MB

                • memory/2232-168-0x0000000001800000-0x0000000001A71000-memory.dmp

                  Filesize

                  2.4MB

                • memory/2232-174-0x0000000002160000-0x0000000002885000-memory.dmp

                  Filesize

                  7.1MB

                • memory/2424-132-0x0000000000842000-0x0000000000853000-memory.dmp

                  Filesize

                  68KB

                • memory/2424-135-0x0000000000400000-0x0000000000460000-memory.dmp

                  Filesize

                  384KB

                • memory/2424-134-0x0000000000400000-0x0000000000460000-memory.dmp

                  Filesize

                  384KB

                • memory/2424-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

                  Filesize

                  36KB

                • memory/3140-158-0x0000023A8B5E0000-0x0000023A8B720000-memory.dmp

                  Filesize

                  1.2MB

                • memory/3140-161-0x0000023A8B730000-0x0000023A8B95A000-memory.dmp

                  Filesize

                  2.2MB

                • memory/3140-160-0x00000000002A0000-0x00000000004B9000-memory.dmp

                  Filesize

                  2.1MB

                • memory/3140-159-0x0000023A8B5E0000-0x0000023A8B720000-memory.dmp

                  Filesize

                  1.2MB

                • memory/3140-163-0x0000023A8B730000-0x0000023A8B95A000-memory.dmp

                  Filesize

                  2.2MB

                • memory/3432-181-0x0000000002490000-0x0000000002701000-memory.dmp

                  Filesize

                  2.4MB

                • memory/3432-182-0x0000000002490000-0x0000000002701000-memory.dmp

                  Filesize

                  2.4MB

                • memory/4216-156-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-145-0x0000000000400000-0x0000000000671000-memory.dmp

                  Filesize

                  2.4MB

                • memory/4216-148-0x0000000003830000-0x0000000003F55000-memory.dmp

                  Filesize

                  7.1MB

                • memory/4216-147-0x0000000000400000-0x0000000000671000-memory.dmp

                  Filesize

                  2.4MB

                • memory/4216-162-0x0000000003830000-0x0000000003F55000-memory.dmp

                  Filesize

                  7.1MB

                • memory/4216-155-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-154-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-153-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-152-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-151-0x0000000004020000-0x0000000004160000-memory.dmp

                  Filesize

                  1.2MB

                • memory/4216-150-0x0000000003830000-0x0000000003F55000-memory.dmp

                  Filesize

                  7.1MB

                • memory/4216-149-0x0000000003830000-0x0000000003F55000-memory.dmp

                  Filesize

                  7.1MB