Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2022 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 214KB
- MD5: 9e19a1bbe97ae7591504a361a540c2e7
- SHA1: 4006adb77aa693e9739909ddbd7d7ad082c935e7
- SHA256: 554f8178fde6f28d1b4d924bf3d5a1385265be6c45cd3b54ed000c6d04ed2940
- SHA512: a526897f9a98abf1d2c9c40ba45a801577452f9c918fd463e840adbf502bff9ca33e7766fc6a233571ae897cd3686bd7303b6a06fda7cb3364f5ed992dde4c3d
- SSDEEP: 3072:IfOs2LR24RefSQ9o6EgkNOaXFQ5Zthoq2I1g3uRlbTwHOil3lk025PH:m+Lo9B7EgAVWoSu+fwjlVklPH
Malware Config
Extracted
- danabot
  23.236.181.126:443
  123.253.35.251:443
  66.85.173.3:443
- embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82
- type: loader
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
  resource                                                                     | yara_rule
  behavioral2/memory/1764-133-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid  | process
  51   | 4348 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid  | process
  4736 | FDDD.exe
  4632 | hfgcfui
-
Loads dropped DLL 2 IoCs
Processes:
  pid  | process
  4348 | rundll32.exe
  4348 | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid  | pid_target | process      | target process
  1828 | 4736       | WerFault.exe | FDDD.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description    | ioc                                              | process
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hfgcfui
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hfgcfui
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hfgcfui
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description          | ioc                                                                                 | process
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet         | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier         | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier   | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                    | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier         | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                      | rundll32.exe
  Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                      | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               | rundll32.exe
  Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier   | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                    | rundll32.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid  | process
  1764 | file.exe
  1764 | file.exe
  792  | (process name not recorded; repeated for the remaining IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  792 | (process name not recorded)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  pid  | process
  1764 | file.exe
  4632 | hfgcfui
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                      | pid | process
  Token: SeShutdownPrivilege       | 792 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 792 | (process name not recorded)
  Token: SeShutdownPrivilege       | 792 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 792 | (process name not recorded)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description                      | pid  | process                     | target process
  PID 792 wrote to memory of 4736  | 792  | (process name not recorded) | FDDD.exe
  PID 792 wrote to memory of 4736  | 792  | (process name not recorded) | FDDD.exe
  PID 792 wrote to memory of 4736  | 792  | (process name not recorded) | FDDD.exe
  PID 4736 wrote to memory of 4348 | 4736 | FDDD.exe                    | rundll32.exe
  PID 4736 wrote to memory of 4348 | 4736 | FDDD.exe                    | rundll32.exe
  PID 4736 wrote to memory of 4348 | 4736 | FDDD.exe                    | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 1764
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\FDDD.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FDDD.exe
  PID: 4736
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    PID: 4348
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks processor information in registry
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 480
    PID: 1828
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4736 -ip 4736
  PID: 2120
- C:\Users\Admin\AppData\Roaming\hfgcfui
  Command line: C:\Users\Admin\AppData\Roaming\hfgcfui
  PID: 4632
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FDDD.exe
  Filesize: 2.4MB
  MD5: 73d6902d621eaf39531d4115dd5ec524
  SHA1: e9a1c23b79add277750b5063e67544f599cdbe54
  SHA256: ca8d37d3714da79fd3a4819840061dc744315738abb6767768ba6adb93f3bc25
  SHA512: b66ba42c23bc0e125b2dc341984ab3def9e639a4aa250eadf56bf6e4b4b85861f925e992905f9162f19e5e27b046f4d36464fe11b3bda3473b1a7cae7b9dca07
-
C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll
  Filesize: 2.4MB
  MD5: 279bc43461083c34d398cd027e51e0ae
  SHA1: a378558520cb6ba97aeeb726ab1919085ca83ec5
  SHA256: 296d17d7e249c9b71948e948ccb81763dc02b0e8eff9f4a05cc7481db65b95c5
  SHA512: 487c9ca61d78abdbdb4ba9a2dbc18725a692b51639e846ddd892b77eb0b00d6de33d9a5c8ace46e8ba69698ad791c40eb6482695e0c6c2848f9d89322afcfbb6
-
C:\Users\Admin\AppData\Roaming\hfgcfui
  Filesize: 214KB
  MD5: 9e19a1bbe97ae7591504a361a540c2e7
  SHA1: 4006adb77aa693e9739909ddbd7d7ad082c935e7
  SHA256: 554f8178fde6f28d1b4d924bf3d5a1385265be6c45cd3b54ed000c6d04ed2940
  SHA512: a526897f9a98abf1d2c9c40ba45a801577452f9c918fd463e840adbf502bff9ca33e7766fc6a233571ae897cd3686bd7303b6a06fda7cb3364f5ed992dde4c3d
-
memory/1764-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
  Filesize: 36KB
-
memory/1764-132-0x0000000000623000-0x0000000000634000-memory.dmp
  Filesize: 68KB
-
memory/1764-135-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
-
memory/1764-134-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
-
memory/4348-148-0x0000000002020000-0x0000000002291000-memory.dmp
  Filesize: 2.4MB
-
memory/4348-145-0x0000000002020000-0x0000000002291000-memory.dmp
  Filesize: 2.4MB
-
memory/4348-147-0x0000000002020000-0x0000000002291000-memory.dmp
  Filesize: 2.4MB
-
memory/4348-141-0x0000000000000000-mapping.dmp
-
memory/4348-154-0x0000000002A50000-0x0000000003175000-memory.dmp
  Filesize: 7.1MB
-
memory/4348-155-0x0000000002A50000-0x0000000003175000-memory.dmp
  Filesize: 7.1MB
-
memory/4632-151-0x0000000000583000-0x0000000000594000-memory.dmp
  Filesize: 68KB
-
memory/4632-152-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
-
memory/4632-153-0x0000000000400000-0x000000000045F000-memory.dmp
  Filesize: 380KB
-
memory/4736-136-0x0000000000000000-mapping.dmp
-
memory/4736-146-0x0000000000400000-0x0000000000791000-memory.dmp
  Filesize: 3.6MB
-
memory/4736-140-0x0000000002620000-0x00000000029A5000-memory.dmp
  Filesize: 3.5MB
-
memory/4736-139-0x00000000009F1000-0x0000000000C3C000-memory.dmp
  Filesize: 2.3MB