Overview

overview

10

Static

static

77fc32d4fc...f4.exe

windows7-x64

10

77fc32d4fc...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77fc32d4fcce645af017a158d936157812dff7acdf3058aeab34be951ac84af4.exe

  • Size

    215KB

  • MD5

    08fa9f1d8984a00ec5a564ce52d06270

  • SHA1

    dac36d9e45a67b34031cd5a8bd0a6dd15f092f8e

  • SHA256

    77fc32d4fcce645af017a158d936157812dff7acdf3058aeab34be951ac84af4

  • SHA512

    a554bbae4276248478b56f5d4109a9123407962bb3dd057dcaa7ad752e5c053e12f985017c4f247c9d226037430dfcc3d961068d35e215cc39b28f4901b5e5cf

  • SSDEEP

    3072:s2ESpLpExX43R5ubvqLsb+2QGqRI8cHNRAtOba+GfQ4pgSjcbImdzmuX:bEGLpWX5q3j00JDpgSjcbXF

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77fc32d4fcce645af017a158d936157812dff7acdf3058aeab34be951ac84af4.exe
    "C:\Users\Admin\AppData\Local\Temp\77fc32d4fcce645af017a158d936157812dff7acdf3058aeab34be951ac84af4.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3444
  • C:\Users\Admin\AppData\Local\Temp\E38F.exe
    C:\Users\Admin\AppData\Local\Temp\E38F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 464
      2⤵
      • Program crash
      PID:2960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1824 -ip 1824
    1⤵
      PID:4476
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4944
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4844

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\WindowsPowerShell\Modules\PDDom.dll
          Filesize

          192KB

          MD5

          fc9b7e971c4bb752447873199c7e2d5a

          SHA1

          fff41d68007d223e9831d93a1ca0c4821013e1a4

          SHA256

          aed9ccac76f7aaf258ce235c0bd79f60896a55427710920b5825eceb680fc140

          SHA512

          0d857aa714ec15d0b055ffc0b2e4f2d9fdd5da408966b7d6d79ca58749ec25453e8583628493956b641c1fc7a309191592435539281a1e1a8d96fdfdf60d08a7

          Download Submit

        • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
          Filesize

          128KB

          MD5

          cc7744828f74339403844fe2dca39763

          SHA1

          2635c50f9d3f03352aea8b73fa1ea0403f3943d1

          SHA256

          d7107a01c25207b446f95c1fb79888925147d2f427d3526687e0606f625b7710

          SHA512

          baf715a4bdf74b88454ba2b27b3c54ae6664cde36d5eac262bc44c1c5320a34e03fb2fbfc9b5ddc0eb2181b45b4b6811de7c9dd64997e5b8ba6625f174c35779

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E38F.exe
          Filesize

          1.1MB

          MD5

          b37a57c505e70d01d3b135a7a578652d

          SHA1

          558ff0476094928488e2104c30f7d51526842f98

          SHA256

          36cfa0e234d289738ca43878f695c4ed58de0e2db30edb6521d96c881ab14c7f

          SHA512

          62aa6d56c0dec7b43b9c44e60c68b4e56173e4910828f07e9769b2c19621eb1cc7ae6ef76509e56136622c90cd8b8510b28b4c4d5a528100691a1a279c2b1d9d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E38F.exe
          Filesize

          1.1MB

          MD5

          b37a57c505e70d01d3b135a7a578652d

          SHA1

          558ff0476094928488e2104c30f7d51526842f98

          SHA256

          36cfa0e234d289738ca43878f695c4ed58de0e2db30edb6521d96c881ab14c7f

          SHA512

          62aa6d56c0dec7b43b9c44e60c68b4e56173e4910828f07e9769b2c19621eb1cc7ae6ef76509e56136622c90cd8b8510b28b4c4d5a528100691a1a279c2b1d9d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit

        • \??\c:\program files (x86)\windowspowershell\modules\pddom.dll
          Filesize

          797KB

          MD5

          e82256d2c2593cec2d0839ccf81cfc0b

          SHA1

          520012aed2e09acfa0fa144a369aeb1eeba9a5b6

          SHA256

          4249561ba1e56dcc05d5910eb9bf1913bf4b5947f636e855421e5f7eb622f3e0

          SHA512

          b71538a697ea0454dec3e01d60c5060a93bb3b9081afdfbb0e7a3f4b68fcddc12b94efbfef66350bf58153848f0a39a5ecc2b2102b6759d08fdb59132689a744

          Download Submit

        • memory/676-146-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-164-0x00000000086E0000-0x00000000086F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-141-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-142-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-143-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-144-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-145-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-165-0x00000000031E0000-0x00000000031F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-147-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-148-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-149-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-150-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-151-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-152-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-153-0x00000000033C0000-0x00000000033D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-154-0x00000000086E0000-0x00000000086F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-155-0x00000000086E0000-0x00000000086F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-156-0x00000000031E0000-0x00000000031F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-140-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-139-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-138-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-163-0x00000000086E0000-0x00000000086F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-137-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/676-136-0x00000000033B0000-0x00000000033C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1824-167-0x0000000002330000-0x0000000002460000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1824-157-0x0000000000000000-mapping.dmp

          Download

        • memory/1824-166-0x0000000002237000-0x0000000002326000-memory.dmp

          Filesize

          956KB

          Download

        • memory/1824-168-0x0000000000400000-0x0000000000531000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-175-0x0000000005819000-0x000000000581B000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1924-177-0x0000000005819000-0x000000000581B000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1924-170-0x0000000004FB0000-0x00000000056D5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/1924-169-0x0000000004FB0000-0x00000000056D5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/1924-171-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-172-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-173-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-174-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-160-0x0000000000000000-mapping.dmp

          Download

        • memory/1924-176-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-178-0x00000000057A0000-0x00000000058E0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1924-184-0x0000000004FB0000-0x00000000056D5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/2180-179-0x00007FF798A16890-mapping.dmp

          Download

        • memory/2180-180-0x000001634CFD0000-0x000001634D110000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2180-181-0x000001634CFD0000-0x000001634D110000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2180-182-0x0000000000320000-0x0000000000539000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2180-183-0x000001634B600000-0x000001634B82A000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/3444-132-0x0000000000608000-0x0000000000619000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3444-135-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3444-134-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3444-133-0x0000000002190000-0x0000000002199000-memory.dmp

          Filesize

          36KB

          Download