danabot | 216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
Size

214KB
MD5

add9e0006f8120c1bf13bee5181a74b7
SHA1

27c31ee11cd85cca5c77a9666c520a224b821a85
SHA256

216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152
SHA512

d1f19281705658272372873b86651ae3f977565362f34d2c7645c22efa0f37910cc4f6dacbc5358b00ee0991cd9178477b52ff09730a61286a2f029186597d1b
SSDEEP

3072:z/gA6sLirHaRVoXuV9weWQI0NvOKfFXO9OlfgnHaNRAtOba+JHt5fjcbImdzmuX:zTNLirmtV9we9ICIIM6023fjcbXF

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4596-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

40 2764 rundll32.exe
47 2764 rundll32.exe
59 2764 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C6B0.exe

pid process

376 C6B0.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2764 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2764 set thread context of 4560 2764 rundll32.exe rundll32.exe

flow	pid	process
40	2764	rundll32.exe
47	2764	rundll32.exe
59	2764	rundll32.exe

pid	process
376	C6B0.exe

pid	process
2764	rundll32.exe

description	pid	process	target process
PID 2764 set thread context of 4560	2764	rundll32.exe	rundll32.exe

Drops file in Program Files directory 27 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pages_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\MyriadCAD.otf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\eula.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforsignature.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3224 376 WerFault.exe C6B0.exe

pid	pid_target	process	target process
3224	376	WerFault.exe	C6B0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093557d26100054656d7000003a0009000400efbe6b55586c935585262e00000000000000000000000000000000000000000000000000c4ff9c00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2720

pid	process
2720

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe

pid	process
4596	216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
4596	216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720
2720

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2720
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe

pid process

4596 216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe

pid	process
2720

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720
Token: SeShutdownPrivilege	2720
Token: SeCreatePagefilePrivilege	2720

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4560 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2720
2720

pid	process
4560	rundll32.exe

pid	process
2720
2720

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

C6B0.exerundll32.exe

description	pid	process	target process
PID 2720 wrote to memory of 376	2720		C6B0.exe
PID 2720 wrote to memory of 376	2720		C6B0.exe
PID 2720 wrote to memory of 376	2720		C6B0.exe
PID 376 wrote to memory of 2764	376	C6B0.exe	rundll32.exe
PID 376 wrote to memory of 2764	376	C6B0.exe	rundll32.exe
PID 376 wrote to memory of 2764	376	C6B0.exe	rundll32.exe
PID 2764 wrote to memory of 4560	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 4560	2764	rundll32.exe	rundll32.exe
PID 2764 wrote to memory of 4560	2764	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe
"C:\Users\Admin\AppData\Local\Temp\216d1e4e78931e29ee5230f138e65449185fdd1979713a337eaac8591b7fd152.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Users\Admin\AppData\Local\Temp\C6B0.exe
C:\Users\Admin\AppData\Local\Temp\C6B0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 472
2⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 376 -ip 376
1⤵
PID:212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4092

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\eula.dll",JgocMQ==
2⤵
PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\eula.dll
Filesize
726KB

MD5
a632695ecdbbd30249d0c73df6422860

SHA1
40117d63b35a93b7c11b47909f055cfc9785f652

SHA256
af2b86671ea18653258cd104c386f0940f8b5accdd244ea6525136b3e26118f4

SHA512
383a45d60366b59238413d07b23adfa97046f144c370a9c6bd46558495bd866765a36e1442f30846e248e8f8482f9a2f4b7ac920ffc7243b8095c637f969fc29

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\eula.dll
Filesize
726KB

MD5
a632695ecdbbd30249d0c73df6422860

SHA1
40117d63b35a93b7c11b47909f055cfc9785f652

SHA256
af2b86671ea18653258cd104c386f0940f8b5accdd244ea6525136b3e26118f4

SHA512
383a45d60366b59238413d07b23adfa97046f144c370a9c6bd46558495bd866765a36e1442f30846e248e8f8482f9a2f4b7ac920ffc7243b8095c637f969fc29

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml
Filesize
2KB

MD5
e52262399745fe981a7fba69c55f09dc

SHA1
795a06836db2ead992013b55d2d5a87420be43e7

SHA256
838e2cd11573dfcbb74c47621b30c5a7b62b2a063a41282a8e117b7b8fd5ebbc

SHA512
4b146141538edc8428d0bb0c8f314e3cc2f87e9888a82471f5c870a0779655944f8cfc34f5bc7bb2769d08d3ef3bac2cdf4f428d970bc1b480bce722a3b0291e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32mui.msi.16.en-us.xml
Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
855B

MD5
dae188e1f4d8d97d8d65164eb0dda551

SHA1
78b54e226446825c56d15a19a3ed4b587a8842a2

SHA256
5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2

SHA512
941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
829B

MD5
87abe99363b16041e32b8a146eb53617

SHA1
b1f3f3c3939f2331dee213e480f4a4d0c753f72a

SHA256
7c8df7b34fca6387a15cbc0d6f591624a5a28bf513f71eb1077d55f1b448d856

SHA512
091ffae18e7cf41237b1039964cb4c3116275edfa34b198bbb9a0b258a99bf3b62b420fb22d747788a889f2306c30f0dc00566c432d4b2bb2e410a9e7dc69e44

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
53346ec4f13a7629bd742e9981451ea9

SHA1
b1cc7d6fa78f979ed129d9588172099acfdd5d32

SHA256
9e428bd6772aba4b6969ab67fe9515c9ebd6c99b2ff3262e30e0b27180e52cd0

SHA512
7a62c9d1a5116d32f8c73f33df223424b27d0a435e9780f63bb59402dd19274a233bffa4477f2f7f45685ccef62402181fc73df4d7f8c3135264ea410c2b567b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
53346ec4f13a7629bd742e9981451ea9

SHA1
b1cc7d6fa78f979ed129d9588172099acfdd5d32

SHA256
9e428bd6772aba4b6969ab67fe9515c9ebd6c99b2ff3262e30e0b27180e52cd0

SHA512
7a62c9d1a5116d32f8c73f33df223424b27d0a435e9780f63bb59402dd19274a233bffa4477f2f7f45685ccef62402181fc73df4d7f8c3135264ea410c2b567b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user.bmp
Filesize
588KB

MD5
908fa2dfb385771ecf5f8b2b3e7bff16

SHA1
1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

SHA256
60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

SHA512
573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6B0.exe
Filesize
1006KB

MD5
e234765ce130cccdd18b84c36d1396a9

SHA1
af6f1a721bd88574733879bb583da4e1a8c15c1f

SHA256
63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918

SHA512
29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6B0.exe
Filesize
1006KB

MD5
e234765ce130cccdd18b84c36d1396a9

SHA1
af6f1a721bd88574733879bb583da4e1a8c15c1f

SHA256
63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918

SHA512
29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\eula.dll
Filesize
726KB

MD5
a632695ecdbbd30249d0c73df6422860

SHA1
40117d63b35a93b7c11b47909f055cfc9785f652

SHA256
af2b86671ea18653258cd104c386f0940f8b5accdd244ea6525136b3e26118f4

SHA512
383a45d60366b59238413d07b23adfa97046f144c370a9c6bd46558495bd866765a36e1442f30846e248e8f8482f9a2f4b7ac920ffc7243b8095c637f969fc29

Download Submit
memory/376-143-0x00000000022E0000-0x00000000023F5000-memory.dmp

Filesize
1.1MB

Download
memory/376-136-0x0000000000000000-mapping.dmp

Download
memory/376-144-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/376-142-0x0000000002209000-0x00000000022DF000-memory.dmp

Filesize
856KB

Download
memory/2764-148-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/2764-149-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/2764-145-0x0000000004770000-0x0000000004E95000-memory.dmp

Filesize
7.1MB

Download
memory/2764-156-0x0000000004FD9000-0x0000000004FDB000-memory.dmp

Filesize
8KB

Download
memory/2764-139-0x0000000000000000-mapping.dmp

Download
memory/2764-152-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/2764-159-0x0000000004770000-0x0000000004E95000-memory.dmp

Filesize
7.1MB

Download
memory/2764-146-0x0000000004770000-0x0000000004E95000-memory.dmp

Filesize
7.1MB

Download
memory/2764-147-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/2764-150-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/2764-151-0x0000000004F60000-0x00000000050A0000-memory.dmp

Filesize
1.2MB

Download
memory/3184-173-0x0000000000000000-mapping.dmp

Download
memory/3184-176-0x0000000003CB0000-0x00000000043D5000-memory.dmp

Filesize
7.1MB

Download
memory/3184-177-0x0000000003CB0000-0x00000000043D5000-memory.dmp

Filesize
7.1MB

Download
memory/4092-164-0x00000000035E0000-0x0000000003D05000-memory.dmp

Filesize
7.1MB

Download
memory/4092-163-0x00000000035E0000-0x0000000003D05000-memory.dmp

Filesize
7.1MB

Download
memory/4560-158-0x000001B5F09C0000-0x000001B5F0BEA000-memory.dmp

Filesize
2.2MB

Download
memory/4560-157-0x00000000005D0000-0x00000000007E9000-memory.dmp

Filesize
2.1MB

Download
memory/4560-155-0x000001B5F0870000-0x000001B5F09B0000-memory.dmp

Filesize
1.2MB

Download
memory/4560-154-0x000001B5F0870000-0x000001B5F09B0000-memory.dmp

Filesize
1.2MB

Download
memory/4560-153-0x00007FF687836890-mapping.dmp

Download
memory/4596-132-0x00000000007C8000-0x00000000007D9000-memory.dmp

Filesize
68KB

Download
memory/4596-135-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4596-134-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4596-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download