Overview

overview

10

Static

static

ac3cbbc36a...f3.exe

windows7-x64

10

ac3cbbc36a...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe

  • Size

    214KB

  • MD5

    dbac1e546c31e01df2df4b2ebee2f2b5

  • SHA1

    f7837f0e02f5c0e7f3dd5ad86ee9946e1a6c81d1

  • SHA256

    ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3

  • SHA512

    59772e87a7b596dda7afb9895fa00c5eaaacc423c8260f6c9bbca1b5218cc48424e12fb6c2d810252fbad8a8217b9d642c99dcb1d43c15d3a5228cd3cf9054e7

  • SSDEEP

    3072:WwUBO36L+Zj21WClRB4cRO0BZyGiyctNRAtOba+3QnBtjcbImdzmuX:nUBNL+x21j9xRO0BZ/ct03BtjcbXF

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 28 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
    "C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4856
  • C:\Users\Admin\AppData\Local\Temp\F4A6.exe
    C:\Users\Admin\AppData\Local\Temp\F4A6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23958
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3208
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
          PID:2424
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 536
        2⤵
        • Program crash
        PID:980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4136 -ip 4136
      1⤵
        PID:3644
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2732
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe -k LocalService
          1⤵
            PID:4312
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobexmp.dll",lUxJRkc=
              2⤵
                PID:5056

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll
              Filesize

              726KB

              MD5

              0f536e1f347779fd1cc2b12558f03478

              SHA1

              74afc3b03677823d7d73085c80875ffdf354318c

              SHA256

              55fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1

              SHA512

              d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5

              Download Submit

            • C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll
              Filesize

              726KB

              MD5

              0f536e1f347779fd1cc2b12558f03478

              SHA1

              74afc3b03677823d7d73085c80875ffdf354318c

              SHA256

              55fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1

              SHA512

              d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml
              Filesize

              719KB

              MD5

              e9f03f8b71cac83b7d16ef685cabd0d0

              SHA1

              c5057520e0a65340360219618632037e7c0c474a

              SHA256

              fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

              SHA512

              1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
              Filesize

              2KB

              MD5

              db0acdbf49f80d3f3b0fb65a71b39341

              SHA1

              12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

              SHA256

              f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

              SHA512

              3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
              Filesize

              827B

              MD5

              cf7d0dd53bde6261338a343a4a92c3f5

              SHA1

              f5326546a46c8a7d2400d743fca320a166331757

              SHA256

              df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6

              SHA512

              9cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
              Filesize

              827B

              MD5

              ded8a0ae2ade3e3cab8bfbfea00b969f

              SHA1

              73752c78795a78ef3b742ad41737959e6f51ee42

              SHA256

              ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

              SHA512

              3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xml
              Filesize

              6KB

              MD5

              e2a07f037256d69937145aea357735fe

              SHA1

              07ce3d26f68b90604543f441bf75f57fbf6f5f99

              SHA256

              0f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257

              SHA512

              f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
              Filesize

              839B

              MD5

              5ddffd275e173019cb301fe2c96a2f3f

              SHA1

              0303cebf14f4304d93733426aee485e4bf7efe29

              SHA256

              d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272

              SHA512

              e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2010Win64.xml
              Filesize

              71KB

              MD5

              490d1e0a28234dcd02db60d5a87f0691

              SHA1

              6edc0f7aa19150b49df1b96b5c6bbee036c0ef7a

              SHA256

              06ce8cb39081cd09df95911494f46ae85b27e37e4f83aa9c80b887bf69e87e22

              SHA512

              0ea4a0b0030371c031de694df115a284fa2d3a7697071072e2a7d83afbb60201313787e4d537a6111ba716e78d9dcfcac523633e2667bc00bbe1b125fb6641eb

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftWordpad.xml
              Filesize

              1005B

              MD5

              576da3ac22d84c085a753ad324e5af0f

              SHA1

              1ce9245047e7da3eb4e81356434ca190fe4f924f

              SHA256

              214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303

              SHA512

              dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
              Filesize

              2.3MB

              MD5

              36a068f159f8ae55adc63f0975cec4d4

              SHA1

              e322c81421d95276ce177a2fd01707d8cd310766

              SHA256

              0042ad34cdb3ff75fc99cc2425f89117483d41b09b2de20a1f316132c22b38f5

              SHA512

              000403f7655b7c14875e4111b6d41c38f2d114f4f12cb1d704582e913a4bbf2a43f8bb38569015e53090cfeb9a7cb395905f7c7f3698d47799550aa0426378e2

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\TELEMETRY.ASM-WINDOWSSQ.json
              Filesize

              53B

              MD5

              6b5c875287b25d64563bd7c830621b66

              SHA1

              df0c4dcbbf3ce6706cae126955b4fcb88be0694a

              SHA256

              9d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d

              SHA512

              608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229

              Download Submit

            • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
              Filesize

              1KB

              MD5

              09e877cc25ec3ade6e0d56000025e7ae

              SHA1

              fef683c766926d84804867a6a711c200e2ceb406

              SHA256

              995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92

              SHA512

              02b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F4A6.exe
              Filesize

              1006KB

              MD5

              e234765ce130cccdd18b84c36d1396a9

              SHA1

              af6f1a721bd88574733879bb583da4e1a8c15c1f

              SHA256

              63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918

              SHA512

              29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F4A6.exe
              Filesize

              1006KB

              MD5

              e234765ce130cccdd18b84c36d1396a9

              SHA1

              af6f1a721bd88574733879bb583da4e1a8c15c1f

              SHA256

              63d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918

              SHA512

              29aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
              Filesize

              726KB

              MD5

              6ea8a6cc5fed6c664df1b3ef7c56b55d

              SHA1

              6b244d708706441095ae97294928967ddf28432b

              SHA256

              2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

              SHA512

              4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
              Filesize

              726KB

              MD5

              6ea8a6cc5fed6c664df1b3ef7c56b55d

              SHA1

              6b244d708706441095ae97294928967ddf28432b

              SHA256

              2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

              SHA512

              4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

              Download Submit

            • \??\c:\program files (x86)\windowspowershell\modules\adobexmp.dll
              Filesize

              726KB

              MD5

              0f536e1f347779fd1cc2b12558f03478

              SHA1

              74afc3b03677823d7d73085c80875ffdf354318c

              SHA256

              55fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1

              SHA512

              d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5

              Download Submit

            • memory/2424-179-0x0000000000000000-mapping.dmp

              Download

            • memory/3208-155-0x000001E556BE0000-0x000001E556D20000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3208-158-0x000001E555210000-0x000001E55543A000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3208-154-0x00007FF709626890-mapping.dmp

              Download

            • memory/3208-161-0x000001E555210000-0x000001E55543A000-memory.dmp

              Filesize

              2.2MB

              Download

            • memory/3208-157-0x000001E556BE0000-0x000001E556D20000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3208-159-0x0000000000F30000-0x0000000001149000-memory.dmp

              Filesize

              2.1MB

              Download

            • memory/3556-156-0x0000000005099000-0x000000000509B000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3556-147-0x00000000046F0000-0x0000000004E15000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/3556-160-0x00000000046F0000-0x0000000004E15000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/3556-140-0x0000000000000000-mapping.dmp

              Download

            • memory/3556-152-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3556-151-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3556-150-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3556-153-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3556-149-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/3556-146-0x00000000046F0000-0x0000000004E15000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/3556-148-0x0000000005020000-0x0000000005160000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/4136-145-0x0000000000400000-0x0000000000523000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4136-144-0x0000000002300000-0x0000000002415000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4136-143-0x0000000002224000-0x00000000022FA000-memory.dmp

              Filesize

              856KB

              Download

            • memory/4136-137-0x0000000000000000-mapping.dmp

              Download

            • memory/4312-165-0x0000000003970000-0x0000000004095000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4312-178-0x0000000003970000-0x0000000004095000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4856-133-0x0000000000560000-0x0000000000660000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4856-136-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download

            • memory/4856-135-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

              Download

            • memory/4856-134-0x0000000002190000-0x0000000002199000-memory.dmp

              Filesize

              36KB

              Download

            • memory/5056-176-0x0000000000000000-mapping.dmp

              Download