Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/12/2022, 07:49

General

  • Target

    file.exe

  • Size

    214KB

  • MD5

    94ce7e3bc61e8f5825b3416dccd1c481

  • SHA1

    699b3330bbcdb08df4e5ee3c4e2343b33bb957bd

  • SHA256

    451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa

  • SHA512

    1caf1d8d4ebdf2caafa092484d03653823c85e394531cea2e00937f5b38c75fe17b1ba86d810bdc6f95f0e5b0d8f6b21afdad260f278331e211095262649f8e9

  • SSDEEP

    6144:Lf25OL4bdsVV2jEjxrxwRGgg3CwVpU0VB:Lf2AUxsVVQEjxfvSwVqO

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes
  • embedded_hash

    8F56CD73F6B5CD5D7B17B0BA61E70A82

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3928
  • C:\Users\Admin\AppData\Local\Temp\C9EC.exe
    C:\Users\Admin\AppData\Local\Temp\C9EC.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3804
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20209
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 480
      2⤵
      • Program crash
      PID:1348
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3804 -ip 3804
    1⤵
    PID:4940
  • C:\Users\Admin\AppData\Roaming\uiidtww
    C:\Users\Admin\AppData\Roaming\uiidtww
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:2568
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2108
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:2976

Downloads

              • C:\Program Files (x86)\MSBuild\Microsoft\license..dll

                Filesize

                2.4MB

                MD5

                5ca5707a8b51e7d74370eb290de91a8d

                SHA1

                ea53e90aafbcb923baecb6d6da7faa8efd3e2e0b

                SHA256

                6f78d195080c2d192a329d1725c2be7a0d770fd4c918b3d51613ee7829471100

                SHA512

                0aa1386fa0b4ce677ea2b11c2c6ed2df72c74a853c8e15d8d4e331f95364764adc8b046c02fd5dddd8b042a07c37ed75c3eb1f0b7e5201fb10711ef077370097

              • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\C2RManifest.officemui.msi.16.en-us.xml

                Filesize

                122KB

                MD5

                35acff0f35559eac959647a7501385f7

                SHA1

                28e052e01fe4e0eac3eab461385460eff7efe271

                SHA256

                2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0

                SHA512

                f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

              • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Daowpeywwstdp.tmp

                Filesize

                2.3MB

                MD5

                887acb127f0aa79ae28a71a481d81289

                SHA1

                f108748718844492a56686c53424fbe675359743

                SHA256

                9197f8d53e2e648a22d9e652ae22f5ae91e95bd686b1b4fc5450c9c76fa53f32

                SHA512

                bb142431f89e847578c8a41e27ed40f70d15a5015357efc8b0e4e0a4eaf35f79524070d55a3906fca630caa7a5e78212e46fc45a37748408200bef962751846c

              • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml

                Filesize

                9KB

                MD5

                996f11041df0526341cebbbd40a98390

                SHA1

                37f652515ef8c662840086d743f7f68d327cce52

                SHA256

                bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e

                SHA512

                6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

              • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe.xml

                Filesize

                8KB

                MD5

                53e4d87ce4e7b6a4c5b2d84c60a70984

                SHA1

                ad381e6e2d67970b34c356259fa86fa8c3c1de78

                SHA256

                8e5dd7465c39d653c1ba79e4b154321413b4f3dd7b62f485848a5122fbb868b6

                SHA512

                2f984aa666cc9458450a6215d333ca3be4ba04a711d2bf4f257fca4e28007b25d0801cacdcd02f8f0b8d9f6f867a89478dd023faf672a88b95eda65091a03b71

              • C:\ProgramData\{1671AAA7-B856-DB35-F1BA-0081C45B4B58}\resource.xml

                Filesize

                1KB

                MD5

                66963736ebb1e54dc596701206eaed3f

                SHA1

                18bc8dfc779d407398af193f3d265ff93f253bc2

                SHA256

                fd5f68b59aa2b3e80b1a3d97b1dc5028e0fb512d26003fffce146209fedc814b

                SHA512

                96aef899ecfb48d1df6e8c7655d59fb80b3c65f18857692894598b78c14b5587433d5f58a2d9bbd74d635956a9e6f1948916bd354e6d438450f37ec11cc3b598

              • C:\Users\Admin\AppData\Local\Temp\C9EC.exe

                Filesize

                2.4MB

                MD5

                0bb2b15ca73128dbc816ea4ed583119c

                SHA1

                17d05964d9208ca1a27fd007ad5f41752cfa893e

                SHA256

                295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8

                SHA512

                d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

              • C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

                Filesize

                2.4MB

                MD5

                2f2aafdd0fbd8d5e72ebee47f37fdf52

                SHA1

                b0c823f7b2f8a567672dff368017ab7bbdf4aad1

                SHA256

                3d95cd18fa999b60a32edcc761100f6fdb276c68f23dadc03c7173de7c6594c0

                SHA512

                f835ba1691110d744220202c11c9fcdaac7724b1018e1c3931a2407569ea5351c72dc33ec34e1f2c0c6691debcc40d0f7d3719dc83ac00fdf14fb095c4636525

              • C:\Users\Admin\AppData\Roaming\uiidtww

                Filesize

                214KB

                MD5

                94ce7e3bc61e8f5825b3416dccd1c481

                SHA1

                699b3330bbcdb08df4e5ee3c4e2343b33bb957bd

                SHA256

                451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa

                SHA512

                1caf1d8d4ebdf2caafa092484d03653823c85e394531cea2e00937f5b38c75fe17b1ba86d810bdc6f95f0e5b0d8f6b21afdad260f278331e211095262649f8e9

              • \??\c:\program files (x86)\msbuild\microsoft\license..dll

                Filesize

                2.4MB

                MD5

                5ca5707a8b51e7d74370eb290de91a8d

                SHA1

                ea53e90aafbcb923baecb6d6da7faa8efd3e2e0b

                SHA256

                6f78d195080c2d192a329d1725c2be7a0d770fd4c918b3d51613ee7829471100

                SHA512

                0aa1386fa0b4ce677ea2b11c2c6ed2df72c74a853c8e15d8d4e331f95364764adc8b046c02fd5dddd8b042a07c37ed75c3eb1f0b7e5201fb10711ef077370097
