Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-12-2022 03:52
General
-
Target
ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe
-
Size
214KB
-
MD5
dbac1e546c31e01df2df4b2ebee2f2b5
-
SHA1
f7837f0e02f5c0e7f3dd5ad86ee9946e1a6c81d1
-
SHA256
ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3
-
SHA512
59772e87a7b596dda7afb9895fa00c5eaaacc423c8260f6c9bbca1b5218cc48424e12fb6c2d810252fbad8a8217b9d642c99dcb1d43c15d3a5228cd3cf9054e7
-
SSDEEP
3072:WwUBO36L+Zj21WClRB4cRO0BZyGiyctNRAtOba+3QnBtjcbImdzmuX:nUBNL+x21j9xRO0BZ/ct03BtjcbXF
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 28 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe"C:\Users\Admin\AppData\Local\Temp\ac3cbbc36a7a5c9f551aca322dc0e19578d12a9bca3346cc5ff298e811f1b0f3.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F4A6.exeC:\Users\Admin\AppData\Local\Temp\F4A6.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 239583⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4136 -ip 41361⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobexmp.dll",lUxJRkc=2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dllFilesize
726KB
MD50f536e1f347779fd1cc2b12558f03478
SHA174afc3b03677823d7d73085c80875ffdf354318c
SHA25655fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1
SHA512d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5
-
C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dllFilesize
726KB
MD50f536e1f347779fd1cc2b12558f03478
SHA174afc3b03677823d7d73085c80875ffdf354318c
SHA25655fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1
SHA512d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.shared.Office.x-none.msi.16.x-none.xmlFilesize
719KB
MD5e9f03f8b71cac83b7d16ef685cabd0d0
SHA1c5057520e0a65340360219618632037e7c0c474a
SHA256fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db
SHA5121703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xmlFilesize
2KB
MD5db0acdbf49f80d3f3b0fb65a71b39341
SHA112c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae
SHA256f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f
SHA5123d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe.xmlFilesize
827B
MD5cf7d0dd53bde6261338a343a4a92c3f5
SHA1f5326546a46c8a7d2400d743fca320a166331757
SHA256df0af4b8242dcab107aab8d00add27b9797c00002669ff953667869abb6c77c6
SHA5129cf52da12c7e703fefff7a5295b7475d95a568d050b210a7b53470dad257793257a4242c89fb00fa22c7319c8be96144b193ec1e51c4d3a751af6765a6935148
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xmlFilesize
827B
MD5ded8a0ae2ade3e3cab8bfbfea00b969f
SHA173752c78795a78ef3b742ad41737959e6f51ee42
SHA256ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85
SHA5123c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe.xmlFilesize
6KB
MD5e2a07f037256d69937145aea357735fe
SHA107ce3d26f68b90604543f441bf75f57fbf6f5f99
SHA2560f20839ad81a013e9700e22a629e7284a5b817adff6d992d4b761b6875ace257
SHA512f78e8d10675b7c8d3fd8af0780fb979c1cca6b5ccfd1422529d7837f34f9973dc26a174f4b86587f7a1e1dbe1a3fe59cc0342379332a2e726a41c180a0dbad7d
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xmlFilesize
839B
MD55ddffd275e173019cb301fe2c96a2f3f
SHA10303cebf14f4304d93733426aee485e4bf7efe29
SHA256d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272
SHA512e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2010Win64.xmlFilesize
71KB
MD5490d1e0a28234dcd02db60d5a87f0691
SHA16edc0f7aa19150b49df1b96b5c6bbee036c0ef7a
SHA25606ce8cb39081cd09df95911494f46ae85b27e37e4f83aa9c80b887bf69e87e22
SHA5120ea4a0b0030371c031de694df115a284fa2d3a7697071072e2a7d83afbb60201313787e4d537a6111ba716e78d9dcfcac523633e2667bc00bbe1b125fb6641eb
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftWordpad.xmlFilesize
1005B
MD5576da3ac22d84c085a753ad324e5af0f
SHA11ce9245047e7da3eb4e81356434ca190fe4f924f
SHA256214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303
SHA512dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmpFilesize
2.3MB
MD536a068f159f8ae55adc63f0975cec4d4
SHA1e322c81421d95276ce177a2fd01707d8cd310766
SHA2560042ad34cdb3ff75fc99cc2425f89117483d41b09b2de20a1f316132c22b38f5
SHA512000403f7655b7c14875e4111b6d41c38f2d114f4f12cb1d704582e913a4bbf2a43f8bb38569015e53090cfeb9a7cb395905f7c7f3698d47799550aa0426378e2
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\TELEMETRY.ASM-WINDOWSSQ.jsonFilesize
53B
MD56b5c875287b25d64563bd7c830621b66
SHA1df0c4dcbbf3ce6706cae126955b4fcb88be0694a
SHA2569d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d
SHA512608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xmlFilesize
1KB
MD509e877cc25ec3ade6e0d56000025e7ae
SHA1fef683c766926d84804867a6a711c200e2ceb406
SHA256995f07448661dec2389b445cbe054e4fce31d07bed2f3f9f4bc94ee9a875fc92
SHA51202b7ed4cba2f3b153f055c51b24eb4a7ca9cec136274a00fcc2efebd21ad410d826d92b0113229e2817930a6a84dfa27e809290cb0522535202116c24ac8f1a3
-
C:\Users\Admin\AppData\Local\Temp\F4A6.exeFilesize
1006KB
MD5e234765ce130cccdd18b84c36d1396a9
SHA1af6f1a721bd88574733879bb583da4e1a8c15c1f
SHA25663d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918
SHA51229aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272
-
C:\Users\Admin\AppData\Local\Temp\F4A6.exeFilesize
1006KB
MD5e234765ce130cccdd18b84c36d1396a9
SHA1af6f1a721bd88574733879bb583da4e1a8c15c1f
SHA25663d486cb71ed442bd9e4c7df930cdaf57b801664439e740df984b95acf0ad918
SHA51229aca4c84fec3176919e57efa7fcbdf48ae3c7592d318433fa91e62751b00081f2c89f7aa964c6a6b2ed82a578d121b8ecd0dd1ab544bd944c11400c63fc5272
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
\??\c:\program files (x86)\windowspowershell\modules\adobexmp.dllFilesize
726KB
MD50f536e1f347779fd1cc2b12558f03478
SHA174afc3b03677823d7d73085c80875ffdf354318c
SHA25655fb45f06175a002f3fb18289a920f529504dc158f53a28c1fe7fa4f6005ece1
SHA512d031fda74866e28330c7a3b407ccb9328eb30e7ec0286e9644139c0a17e4e78858b4e11a96b0df010efcb0434ed86620e4645a5603759418bfefb30de7c477c5
-
memory/2424-179-0x0000000000000000-mapping.dmp
-
memory/3208-155-0x000001E556BE0000-0x000001E556D20000-memory.dmpFilesize
1.2MB
-
memory/3208-158-0x000001E555210000-0x000001E55543A000-memory.dmpFilesize
2.2MB
-
memory/3208-154-0x00007FF709626890-mapping.dmp
-
memory/3208-161-0x000001E555210000-0x000001E55543A000-memory.dmpFilesize
2.2MB
-
memory/3208-157-0x000001E556BE0000-0x000001E556D20000-memory.dmpFilesize
1.2MB
-
memory/3208-159-0x0000000000F30000-0x0000000001149000-memory.dmpFilesize
2.1MB
-
memory/3556-156-0x0000000005099000-0x000000000509B000-memory.dmpFilesize
8KB
-
memory/3556-147-0x00000000046F0000-0x0000000004E15000-memory.dmpFilesize
7.1MB
-
memory/3556-160-0x00000000046F0000-0x0000000004E15000-memory.dmpFilesize
7.1MB
-
memory/3556-140-0x0000000000000000-mapping.dmp
-
memory/3556-152-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/3556-151-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/3556-150-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/3556-153-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/3556-149-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/3556-146-0x00000000046F0000-0x0000000004E15000-memory.dmpFilesize
7.1MB
-
memory/3556-148-0x0000000005020000-0x0000000005160000-memory.dmpFilesize
1.2MB
-
memory/4136-145-0x0000000000400000-0x0000000000523000-memory.dmpFilesize
1.1MB
-
memory/4136-144-0x0000000002300000-0x0000000002415000-memory.dmpFilesize
1.1MB
-
memory/4136-143-0x0000000002224000-0x00000000022FA000-memory.dmpFilesize
856KB
-
memory/4136-137-0x0000000000000000-mapping.dmp
-
memory/4312-165-0x0000000003970000-0x0000000004095000-memory.dmpFilesize
7.1MB
-
memory/4312-178-0x0000000003970000-0x0000000004095000-memory.dmpFilesize
7.1MB
-
memory/4856-133-0x0000000000560000-0x0000000000660000-memory.dmpFilesize
1024KB
-
memory/4856-136-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/4856-135-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/4856-134-0x0000000002190000-0x0000000002199000-memory.dmpFilesize
36KB
-
memory/5056-176-0x0000000000000000-mapping.dmp