danabot | 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
Size

1006KB
MD5

e234765ce130cccdd18b84c36d1396a9
SHA1

af6f1a721bd88574733879bb583da4e1a8c15c1f
SHA256

63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918
SHA512

29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272
SSDEEP

24576:YZaRkxQ6gYZ3tPP2vHTH1INlLKJME/94LezAD3kYbXF:YkMVmHTVIvLKJMi9mezAD3zX

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

12 3460 rundll32.exe
89 3460 rundll32.exe
91 3460 rundll32.exe
100 3460 rundll32.exe

flow	pid	process
12	3460	rundll32.exe
89	3460	rundll32.exe
91	3460	rundll32.exe
100	3460	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\license.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\license..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\license.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

3460 rundll32.exe
2840 svchost.exe
2384 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3460	rundll32.exe
2840	svchost.exe
2384	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3460 set thread context of 2360 3460 rundll32.exe rundll32.exe

description	pid	process	target process
PID 3460 set thread context of 2360	3460	rundll32.exe	rundll32.exe

Drops file in Program Files directory 49 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleHandler.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\blocklist.xml	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.ini	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\license..dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_ecc.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4912 4904 WerFault.exe 63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe

pid	pid_target	process	target process
4912	4904	WerFault.exe	63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0F02FE3B6367A7E9E89BBD4F3DEE0155C46FF088\Blob = 0300000001000000140000000f02fe3b6367a7e9e89bbd4f3dee0155c46ff08820000000010000004b02000030820247308201b0a00302010202083d1b3cb8260a8285300d06092a864886f70d01010b0500304f3115301306035504030c0c4953524720526f6b7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3230313231393034313231375a170d3234313231383034313231375a304f3115301306035504030c0c4953524720526f6b7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c94f059a3c18e355e88a8e3c8b6bc43fb7c9ae97be414ba39b4197f43c42f2b9c5f2829b977b789bfb9f3538566e992eb2d2b4908de6217d5dafc3a2275249a81191805eb93f2d4aad86a8b053dbb369f004d94ad1467704f0557023658c24a9af356c643b0df2caffd887e0436042d961be1645cad34e66caf333f9275fb9b50203010001a32c302a300f0603551d130101ff040530030101ff30170603551d110410300e820c4953524720526f6b74205831300d06092a864886f70d01010b050003818100126609a25242601eaa8ff2468aceb73828809032fb06e10fdc3933095bab7e5bf36b19e318ff0a82579b12774b4be3e3cda866dba3536f7b88c8203d69bb8923ed4ac16c643d97ebf5d03ede89c7a4f78fe2a6d875faa805cd3c18acb67a7652373c81f6620280b95a28ec09c759e860301a479317bf80103a0534f986a0a04a	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0F02FE3B6367A7E9E89BBD4F3DEE0155C46FF088	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
2840	svchost.exe
2840	svchost.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
3460	rundll32.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe
2840	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 3460 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2360 rundll32.exe
3460 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3460	rundll32.exe

pid	process
2360	rundll32.exe
3460	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4904 wrote to memory of 3460	4904	63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe	rundll32.exe
PID 4904 wrote to memory of 3460	4904	63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe	rundll32.exe
PID 4904 wrote to memory of 3460	4904	63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe	rundll32.exe
PID 3460 wrote to memory of 2360	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 2360	3460	rundll32.exe	rundll32.exe
PID 3460 wrote to memory of 2360	3460	rundll32.exe	rundll32.exe
PID 2840 wrote to memory of 2384	2840	svchost.exe	rundll32.exe
PID 2840 wrote to memory of 2384	2840	svchost.exe	rundll32.exe
PID 2840 wrote to memory of 2384	2840	svchost.exe	rundll32.exe
PID 3460 wrote to memory of 3048	3460	rundll32.exe	schtasks.exe
PID 3460 wrote to memory of 3048	3460	rundll32.exe	schtasks.exe
PID 3460 wrote to memory of 3048	3460	rundll32.exe	schtasks.exe
PID 3460 wrote to memory of 1544	3460	rundll32.exe	schtasks.exe
PID 3460 wrote to memory of 1544	3460	rundll32.exe	schtasks.exe
PID 3460 wrote to memory of 1544	3460	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe
"C:\Users\Admin\AppData\Local\Temp\63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3460

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2360

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3048

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 536
2⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4904 -ip 4904
1⤵
PID:2080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3852

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\license..dll",WlQGTEo2cVk=
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\license..dll
Filesize
726KB

MD5
66982d00be2fdcfe46bac9cacc6125d9

SHA1
90942c50a41f1545345f30812e9827d415414bb6

SHA256
219939a37ab2cd4ced78a1a680dc0f8a4c48e75588f38f42fc37696ec4aa7d37

SHA512
392608eb27f121e4ab0aa40a39c5f0012d47724e522c1d45fa9e5f8f5134750fcbb00057ea7eb7efc5115a5bdc8ffa3ed3cd27f5c64027f2ca9c267fc00fc73a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\license..dll
Filesize
726KB

MD5
66982d00be2fdcfe46bac9cacc6125d9

SHA1
90942c50a41f1545345f30812e9827d415414bb6

SHA256
219939a37ab2cd4ced78a1a680dc0f8a4c48e75588f38f42fc37696ec4aa7d37

SHA512
392608eb27f121e4ab0aa40a39c5f0012d47724e522c1d45fa9e5f8f5134750fcbb00057ea7eb7efc5115a5bdc8ffa3ed3cd27f5c64027f2ca9c267fc00fc73a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\EventStore.db
Filesize
60KB

MD5
d116da1d8d0375f0a1bdf0f9783c24c4

SHA1
d3b94d410a541db1a1523d36882781893897812b

SHA256
f4743c3cfddb5ebcfa812790ab5f6ae1afe61c8575f3b9c74a2febb398dd177f

SHA512
c6cb425064a05e4b262fa49446be4312e743cba7506fba86bf98535884d2cf9823545378ee9b2493ca820821eaea6eda6924c0f793b00d0ac5b29cae9604989c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe.xml
Filesize
4KB

MD5
7eb2ff3e6ad26430b3d7c1d86bd55042

SHA1
3c1f961bb1317b63fa454d1938e2dfab8fa518be

SHA256
1469f5b82db4cb94fdb24580efe2cf3d30a9bc94ee4d4378b6cce50674999e1a

SHA512
89d6f1ae647cb3e3fc2cd8b1657f22e0fb023bff68482d159f61a6d1f8dd97b6c6d4e9c9edde989963e97740371a1dbd45b5f0524532c81cd082636e5d971e13

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
249f961c5a56eec98bae71f4c457b35e

SHA1
e5b54b10086ba94bd3bfe2dd9ee9252ff40d0332

SHA256
fbbdfce3ff2c1b3f0111a999127bef9bf60f82941b3e492abf09d9094255b37b

SHA512
cabcb592b0f4bb8212b6ef9566ed4897e8320af803331465b44a9e07a77e88382a9b21eb9a420a033fa40c6504c0202c7947a0d26b55ee8d0d647e70f5f21fa4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\device.png
Filesize
43KB

MD5
7051c15362866f6411ff4906403f2c54

SHA1
768b062b336675ff9a2b9fcff0ce1057234a5399

SHA256
609824cc9c4f6c26c529ea3eb6f112c1a7c74d5ed58e25b6f9d88dce5944626a

SHA512
5fcbb98b9f421ee9884b8e927774de3d60043401b2f746f7af6aa059fa8a7c48f00ec3c2437f8e6687e0c328d0d2c79427d5ab5eed0805aa9e2a8b12a6418f08

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\overlay.png
Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\settings.ico
Filesize
66KB

MD5
4896c2ad8ca851419425b06ec0fd95f2

SHA1
7d52e9355998f1b4487f8ef2b1b3785dec35d981

SHA256
1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3

SHA512
271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.x-none.dat.cat
Filesize
574KB

MD5
13e2674d1e5118dc8547264aa2b8654b

SHA1
60b0f7065882e839d6a80f1263f9f60a8efa26bd

SHA256
320ae5c50698f4553758c71c37135cf390c06f355cfb3b8cc18dae85ead16944

SHA512
b399d85720844dbcb7220b05a186cd0cf46e3307c8afbebbbdcd132be5aa9f936482ba5743764acd12df256a2b2249a0b06ef7365286c66912db02634cd18bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\license..dll
Filesize
726KB

MD5
66982d00be2fdcfe46bac9cacc6125d9

SHA1
90942c50a41f1545345f30812e9827d415414bb6

SHA256
219939a37ab2cd4ced78a1a680dc0f8a4c48e75588f38f42fc37696ec4aa7d37

SHA512
392608eb27f121e4ab0aa40a39c5f0012d47724e522c1d45fa9e5f8f5134750fcbb00057ea7eb7efc5115a5bdc8ffa3ed3cd27f5c64027f2ca9c267fc00fc73a

Download Submit
memory/1544-169-0x0000000000000000-mapping.dmp

Download
memory/2360-150-0x0000000000AA0000-0x0000000000CB9000-memory.dmp

Filesize
2.1MB

Download
memory/2360-148-0x000001B2E7840000-0x000001B2E7980000-memory.dmp

Filesize
1.2MB

Download
memory/2360-149-0x000001B2E7840000-0x000001B2E7980000-memory.dmp

Filesize
1.2MB

Download
memory/2360-151-0x000001B2E5E70000-0x000001B2E609A000-memory.dmp

Filesize
2.2MB

Download
memory/2360-147-0x00007FF6D4B66890-mapping.dmp

Download
memory/2384-167-0x0000000003E40000-0x0000000004565000-memory.dmp

Filesize
7.1MB

Download
memory/2384-166-0x0000000003E40000-0x0000000004565000-memory.dmp

Filesize
7.1MB

Download
memory/2384-164-0x0000000000000000-mapping.dmp

Download
memory/2840-157-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download
memory/2840-170-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download
memory/2840-156-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download
memory/3048-168-0x0000000000000000-mapping.dmp

Download
memory/3460-142-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-152-0x0000000005770000-0x0000000005E95000-memory.dmp

Filesize
7.1MB

Download
memory/3460-141-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-143-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-140-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-139-0x0000000005770000-0x0000000005E95000-memory.dmp

Filesize
7.1MB

Download
memory/3460-138-0x0000000005770000-0x0000000005E95000-memory.dmp

Filesize
7.1MB

Download
memory/3460-144-0x0000000004539000-0x000000000453B000-memory.dmp

Filesize
8KB

Download
memory/3460-132-0x0000000000000000-mapping.dmp

Download
memory/3460-146-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/3460-145-0x00000000044C0000-0x0000000004600000-memory.dmp

Filesize
1.2MB

Download
memory/4904-136-0x0000000002460000-0x0000000002575000-memory.dmp

Filesize
1.1MB

Download
memory/4904-135-0x0000000002275000-0x000000000234B000-memory.dmp

Filesize
856KB

Download
memory/4904-137-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download